In 2025, Hong Kong recorded 15,877 cybersecurity incidents — a record high and a 27% increase from the year before. Phishing alone accounted for 57% of all cases. Ransomware groups like RansomHouse and Cl0p actively targeted Hong Kong's finance and manufacturing sectors. The Privacy Commissioner received 203 data breach notifications in 2024, a 30% jump from 2023.
If you run a small or medium business in Hong Kong, these numbers should concern you. Globally, 70% of data breaches specifically target SMEs, and 75% of businesses that suffer a ransomware attack do not survive the aftermath. Yet nearly 30% of Hong Kong enterprises still lack a single dedicated cybersecurity professional on staff.
This guide is not a theoretical overview of cybersecurity concepts. It is a practical, step-by-step playbook for Hong Kong SMEs — covering what you must do now, what the law requires, how much it costs, and where to start. Every recommendation is grounded in local data and tailored to the realities of running a business in Hong Kong.
The Current Threat Landscape in Hong Kong
Hong Kong's cyber threat environment has evolved dramatically over the past five years. According to HKCERT's annual reports, the total number of security incidents has more than doubled since 2021, driven by the rise of AI-powered phishing, increasingly sophisticated ransomware operations, and the expansion of attack surfaces as businesses digitize.
The breakdown of incidents in 2025 paints a clear picture of where the threats come from:
| Incident Type | 2024 Cases | 2025 Cases | Change |
|---|---|---|---|
| Phishing | 7,811 | 9,050 | +16% |
| Botnet | 2,663 | 3,337 | +25% |
| Malware (incl. ransomware) | 618 | 1,403 | +127% |
| Others (identity theft, data leakage) | 1,444 | 2,087 | +45% |
| Total | 12,536 | 15,877 | +27% |
The most alarming trend is the 127% surge in malware incidents, driven primarily by ransomware. The Oxfam Hong Kong breach in 2024 — where 550,000 individuals' personal data was compromised via ransomware — was a wake-up call for the entire nonprofit and SME sector. Phishing delivery methods have also evolved beyond email: 34% of phishing attacks in 2025 came through WhatsApp and social media, and 18% targeted cryptocurrency platforms.
Why SMEs Are Disproportionately Targeted
It is a common misconception that cybercriminals only go after large corporations. The reality is the opposite: SMEs are the ideal target because they combine valuable data with weak defenses. You handle customer personal data, financial records, trade secrets, and payment information — but you likely do not have the security infrastructure of a bank or insurance company.
HKCERT's enterprise survey data reveals a stark security gap between SMEs and large enterprises in Hong Kong:
SMEs
| Email security adopted | 48% |
| Privileged access management | 29% |
| Remote access security | 31% |
| Increased cyber budget (past year) | 13% |
| Invested in security training | 12% |
Large Enterprises
| Email security adopted | 79% |
| Privileged access management | 60% |
| Remote access security | 67% |
| Increased cyber budget (past year) | 41% |
| Invested in security training | 50% |
The numbers tell a clear story: across every security measure, SMEs lag behind large enterprises by 20 to 40 percentage points. Only 13% of SMEs increased their cybersecurity budget in the past year, compared to 41% of large enterprises. Attackers know this. They actively scan for the weakest links — and SMEs are consistently the weakest link in the chain.
The 8 Cybersecurity Fundamentals Every Hong Kong SME Must Implement
You do not need a six-figure security budget to protect your business. These eight measures cover the fundamentals — and implementing them will put you ahead of the majority of Hong Kong SMEs.
Enable MFA on every system that supports it — email, cloud storage, CRM, accounting software, admin panels. This single step blocks over 99% of credential-based attacks. Use authenticator apps (Google Authenticator, Microsoft Authenticator) rather than SMS-based codes, which are vulnerable to SIM-swapping. For admin and privileged accounts, consider hardware security keys (YubiKey). Cost: free to HK$60/user/year for hardware keys.
Every laptop, desktop, phone, and tablet that connects to your business systems needs endpoint protection — not consumer-grade antivirus, but business endpoint detection and response (EDR). Modern EDR solutions like CrowdStrike Falcon Go, SentinelOne, or Microsoft Defender for Business provide real-time malware detection, anti-ransomware protection, and behaviour-based threat analysis. For budget-conscious SMEs, Microsoft Defender (included with Microsoft 365 Business Premium) is a strong starting point. Cost: HK$40–120/device/month.
With 57% of incidents being phishing, email security is non-negotiable. Configure SPF, DKIM, and DMARC records on your domain to prevent spoofing. Layer on advanced email filtering (Mimecast, Barracuda, or Proofpoint Essentials) for URL rewriting, attachment sandboxing, and impersonation protection. Run quarterly phishing simulations to train your team — services like KnowBe4 or Proofpoint provide pre-built campaigns. Cost: HK$16–50/user/month.
A backup is only as good as your last successful restore. Follow the 3-2-1 rule: three copies of data, on two different media types, with one copy offsite or offline. Daily automated backups are the minimum. Critical: test your restores quarterly. Many Hong Kong SMEs discover their backups failed silently only after a ransomware attack locks their systems. Use encrypted, immutable backups that cannot be altered or deleted — even by an admin account that has been compromised. Cost: HK$80–400/TB/month.
Every employee should have access only to the systems and data they need for their role — nothing more. Review and revoke access immediately when someone changes roles or leaves the company. Use role-based access control (RBAC) in your cloud systems and applications. Disable shared accounts and default admin credentials. Only 29% of Hong Kong SMEs have implemented privileged access management — which means 71% are one compromised admin credential away from a full breach.
Unpatched software is the second most common entry point for attackers after phishing. Enable automatic updates on all operating systems, browsers, and business software. For custom or legacy systems where auto-updates are not possible, establish a monthly patch cycle. Prioritize patching internet-facing systems (web servers, VPN gateways, email servers) within 48 hours of critical vulnerability disclosures. HKCERT and GovCERT.HK regularly publish alerts — subscribe to their mailing lists.
Human error remains the single biggest vulnerability. Yet only 12% of Hong Kong SMEs invested in security training in the past year. At minimum, conduct quarterly training sessions covering: how to identify phishing emails and WhatsApp scams, safe password practices, secure file sharing protocols, and incident reporting procedures. The HKCERT offers free cybersecurity awareness resources and conducts regular seminars specifically for SMEs. Make security training part of employee onboarding — not an annual afterthought.
If you get breached, the speed and quality of your response determines the damage. Write a simple incident response plan that answers: Who do we call first? (HKCERT hotline: 8105 6060.) How do we isolate affected systems? Who communicates with customers? What are our legal obligations under PDPO? How do we preserve evidence? Print this plan and keep physical copies — if ransomware encrypts your systems, you will not be able to access a digital-only plan. Run a tabletop exercise annually to test it.
Your PDPO Obligations: What the Law Actually Requires
The Personal Data (Privacy) Ordinance (PDPO) is not just about privacy policies on your website. It imposes specific security obligations on every business that collects personal data in Hong Kong. Under Data Protection Principle 4 (DPP4), you must take "all practicable steps" to protect personal data against unauthorized or accidental access, processing, erasure, loss, or use.
What does "all practicable steps" mean in practice? The Privacy Commissioner (PCPD) has made clear through enforcement actions and guidance that it includes:
- Implementing technical security controls appropriate to the sensitivity of the data you hold
- Conducting regular security assessments and vulnerability testing
- Maintaining access controls and audit trails for personal data systems
- Ensuring third-party data processors meet equivalent security standards
- Having an incident response plan and notifying the PCPD of significant data breaches
- Training staff on data handling and security practices
- Securely disposing of personal data that is no longer needed
For a deeper dive into how PDPO applies specifically to software development projects — including consent mechanisms, data retention policies, and cross-border transfers — see our upcoming guide: PDPO Compliance for Software Development.
PCICSO 2026: Does Hong Kong's New Cybersecurity Law Affect Your Business?
The Protection of Critical Infrastructures (Computer Systems) Ordinance (PCICSO), enacted in March 2025 and enforced from January 2026, is Hong Kong's first comprehensive cybersecurity law. It requires operators of critical infrastructure (CIOs) to implement security management measures, conduct regular audits, and report cybersecurity incidents to the Commissioner of Critical Infrastructure.
The sectors covered include:
| Sector | Examples | Regulatory Authority |
|---|---|---|
| Banking & Finance | Banks, SVF licensees, securities firms | HKMA / SFC |
| Energy | Power companies, gas utilities | Commissioner |
| Transport | MTR, airport, port operators | Commissioner |
| Healthcare | Hospital Authority, major private hospitals | Commissioner |
| Telecommunications | Major telcos, ISPs | OFCA |
| Information Technology | Major data centres, cloud providers | Commissioner |
If you are a typical SME, PCICSO likely does not directly apply to you. The law targets large-scale critical infrastructure operators. However, if your business is a vendor, supplier, or technology provider to any designated CIO, expect your clients to impose stricter security requirements on you as part of their supply chain risk management. This cascading effect means PCICSO will indirectly raise the security bar for many SMEs.
Budget-Friendly Security Stack: What to Spend at Each Stage
Cybersecurity does not have to break the bank. Here are three tiers of security investment, scaled to your business size and risk profile. All costs are estimated for a team of 10–30 employees.
For startups and early-stage SMEs
- MFA on all accounts (free authenticator apps)
- Microsoft Defender for Business (included in M365 Business Premium)
- SPF/DKIM/DMARC email configuration
- Cloud backup (OneDrive/Google Workspace built-in)
- Password manager (Bitwarden Teams)
- Free HKCERT resources for staff training
For established SMEs handling sensitive data
- Everything in Essentials, plus:
- Dedicated email security (Mimecast or Barracuda)
- EDR solution (CrowdStrike Falcon Go or SentinelOne)
- Managed backup with tested monthly restores
- Quarterly phishing simulations (KnowBe4)
- Annual vulnerability assessment
- Written incident response plan
For regulated industries or high-value targets
- Everything in Professional, plus:
- 24/7 Security Operations Centre (SOC) monitoring
- SIEM/log management and real-time alerting
- Penetration testing (annual)
- Compliance reporting (PDPO, PCICSO if applicable)
- Dedicated incident response retainer
- Supply chain security assessment
Hire vs Outsource: The Practical Decision for Hong Kong SMEs
Hong Kong faces a severe cybersecurity talent shortage. 97% of organisations report skills gaps, and bilingual cybersecurity professionals (English and Cantonese) command premium salaries. For most SMEs, hiring a full-time cybersecurity specialist is neither affordable nor efficient.
| Factor | In-House Hire | Managed Security Provider (MSSP) |
|---|---|---|
| Monthly cost | HK$30,000–60,000 (salary + MPF + benefits) | HK$8,000–25,000 |
| Coverage | Business hours only (1 person cannot provide 24/7) | 24/7 monitoring and incident response |
| Expertise breadth | One person's knowledge (limited specialisation) | Team of specialists (network, cloud, endpoint, compliance) |
| Tools included | Must purchase separately (additional HK$5,000–20,000/month) | Typically bundled with the service |
| Time to deploy | 2–4 months (recruitment in tight market) | 1–2 weeks |
| Best for | Companies with 100+ employees and complex infrastructure | SMEs with 10–100 employees |
The recommendation for most Hong Kong SMEs is clear: start with a managed security provider, supplement with basic in-house responsibility (designate a security-aware team member as your internal point of contact), and consider hiring only when your business exceeds 100 employees or handles regulated data (financial, healthcare, critical infrastructure).
HKCERT launched the "Cybersecurity Service Providers Connect Programme" in October 2025, creating a vetted platform of security service providers across four pillars specifically to help SMEs find reliable cybersecurity partners. This is a good starting point for vendor selection.
Your 30-Day Cybersecurity Action Plan
Do not try to implement everything at once. Follow this phased approach to build security incrementally, starting with the highest-impact actions.
| Week | Actions | Impact |
|---|---|---|
| Week 1 | Enable MFA on all email and cloud accounts. Configure SPF/DKIM/DMARC on your email domain. Audit and remove ex-employee access. | Blocks 99%+ of credential attacks |
| Week 2 | Deploy endpoint protection on all devices. Enable automatic OS and software updates. Set up a password manager for the team. | Closes the most common entry points |
| Week 3 | Verify and test backups. Configure offsite backup if not already in place. Write a one-page incident response plan. | Ensures business survival if breached |
| Week 4 | Conduct a team security awareness session (use free HKCERT resources). Run a baseline phishing simulation. Review access permissions across all systems. | Addresses the human factor |
Frequently Asked Questions
A reasonable starting budget is HK$2,000–8,000 per month for a team of 10–50 employees. This covers endpoint protection, email security, MFA, backup, and basic monitoring. As your business grows or handles sensitive data (financial, healthcare, personal data at scale), expect to invest HK$10,000–25,000/month for managed security services. The Hong Kong cybersecurity market for SMEs is projected to grow from US$331 million in 2026 to US$608 million by 2031 — which means your competitors are investing. Can you afford not to?
Phishing accounts for 57% of all cybersecurity incidents in Hong Kong (HKCERT 2025 data). In 2025, 34% of phishing attacks came through WhatsApp and social media — not just email. Business email compromise (BEC) causes the highest financial losses per incident. Ransomware incidents surged 127% year-on-year. Credential theft via compromised accounts rounds out the top threats. The use of AI-generated phishing content is making attacks harder to detect.
Yes. Under Data Protection Principle 4, every business that collects personal data must implement adequate security measures. The PCPD has increased enforcement — 203 data breach notifications were received in 2024, a 30% increase from 2023. Maximum penalties include fines up to HK$1,000,000 and imprisonment up to 5 years. The PCPD has signalled a shift from education to enforcement in 2026.
Probably not directly. PCICSO targets operators of critical infrastructure in banking, energy, transport, healthcare, telecommunications, and IT. However, if you are a supplier or technology vendor to any designated critical infrastructure operator, you may face stricter security requirements in contracts and procurement processes. The cascading supply-chain effect means many SMEs will be indirectly affected.
For most SMEs under 100 employees, outsourcing to a managed security service provider is more practical and cost-effective. A full-time cybersecurity professional in Hong Kong costs HK$30,000–60,000/month in total compensation. An MSSP provides 24/7 monitoring, a team of specialists, and bundled tools for HK$8,000–25,000/month. HKCERT's Cybersecurity Service Providers Connect Programme, launched in October 2025, can help you find vetted providers.
Need Help Securing Your Business?
Cybersecurity is not a one-time project — it is an ongoing capability that needs to evolve as threats evolve. At Astera Technology, our Cloud & DevOps team helps Hong Kong SMEs implement production-grade security from day one — from infrastructure hardening and access control to monitoring, incident response planning, and PDPO compliance.
As your CTO-as-a-Service partner, we take responsibility for your technical security posture the same way an in-house CTO would — but at a fraction of the cost. Book a free security assessment to identify your most critical vulnerabilities and get a prioritized remediation plan.