Page:Ransomware Attack on the Servers of The Hong Kong Institute of Bankers.pdf/11

Enhance Information System Management: Organisations should develop effective patch management procedures to patch security vulnerabilities as early as possible and adopt appropriate technical security measures, having regard to the amount and sensitivity of personal data contained in the system, such as enabling multi-factor authentication and login notifications (if applicable) when connecting to a virtual private network, to provide additional security to systems and accounts. Moreover, organisations should review log records regularly so as to identify system irregularities at an early date.

Conduct Data Backup Conscientiously: Organisations should formulate a data backup policy, conduct regular backups for systems containing important data, and ensure that the recovery mechanism can effectively recover data lost or rendered inaccessible by malicious software/ransomware. Data should also be segregated according to its sensitivity and importance, and should be kept safely offline to avoid accidental loss.

Monitor Service Providers Properly: When engaging information system service providers to maintain network infrastructure, organisations should first formulate service requirements according to industry best practice or operational guidelines (e.g. to install critical patches for organisations' operating systems and applications). Organisations should also specify in the service agreements that service providers shall comply with such requirements, which may serve as the basis for future supervision.

Other Comments

Following the Commissioner's investigation report published in November 2022 in relation to a ransomware attack on a database, this report is the second investigation into a data breach caused by the Vulnerability. This shows that if organisations fail to identify and handle security