CGj reviews a recent Institute seminar offering practical advice on how to build cyber resilience, strengthen incident response strategies and address legal compliance gaps among NGOs and SMEs.

Highlights

  • smaller organisations often assume they are safe from cyberattacks due to their size, but experts warn that attackers specifically target them because of weaker defences and limited oversight
  • a step-by-step cybersecurity action plan and an incident response checklist based on PCPD guidelines can help organisations assess risks, assign accountability and prepare for inevitable breaches
  • organisations can mitigate third-party risks by building accountability clauses into vendor contracts

In today’s digital age, cybersecurity is of paramount concern for organisations of all sizes. Recognising the unique challenges faced by non-governmental organisations (NGOs) and small and medium-sized enterprises (SMEs), the Institute hosted a seminar on 21 February 2025 titled Cybersecurity Preparedness for NGOs/SMEs. The session featured experts from the Hong Kong China Network Security Association (HKCNSA), who provided insights into enhancing cybersecurity resilience, safeguarding sensitive data and responding effectively to potential breaches. This review summarises the key takeaways from the seminar, offering practical strategies to help NGOs and SMEs fortify their digital defences and navigate the complex cyberthreat landscape.

Easy targets

Chairing the seminar, Matthew Young FCG HKFCG(PE), Institute Council member, and Head of the Corporate Secretarial Department, The Hong Kong Jockey Club, noted the increasing risks posed by cyber incidents to smaller organisations, which often lack the dedicated in-house capabilities to defend against sophisticated attacks.

The seminar began with a presentation by Harry Poon, Director of NGO Services, HKCNSA. Drawing on years of experience in advising NGOs, SMEs and large corporations, Mr Poon outlined the critical importance of cybersecurity.

‘Cybersecurity is crucial for six key reasons,’ he said. ‘It protects sensitive data, prevents financial losses, maintains business continuity, protects reputation and builds customer trust, supports compliance and enhances business resilience.’ These are not abstract concerns, he stressed, but real and urgent priorities, especially for resource-constrained organisations.

In terms of cyber readiness, Mr Poon referenced the 2024 Hong Kong Enterprise Cyber Security Readiness Index and AI Security Survey, where SMEs scored 48.4 out of 100, placing them in the ‘basic’ category and well below large corporations. ‘Most SMEs and NGOs are not yet ready to defend against increasingly sophisticated cyberattacks,’ he warned.

He also challenged the misconception that smaller organisations are less likely to be targeted. ‘Attackers don’t go after NGOs and SMEs because they’re big targets, they go after them because they’re easy targets,’ he said.

Mr Poon turned to local examples, highlighting the January 2025 data breach of the Hong Kong Green Building Council, where third-party IT services were suspected as the cause. ‘Incidents like this remind us not to overlook third-party risks,’ he said. ‘Smaller organisations and NGOs often outsource cybersecurity to third-party vendors; however, accountability cannot be outsourced. Conduct proper due diligence, vet vendors and monitor their security.’

He added that while the structure may vary in a smaller organisation, the ultimate accountability for ensuring robust cybersecurity and managing risk remains at the highest level of oversight. ‘There’s a difference between responsibility and accountability,’ Mr Poon explained. ‘Ultimately, it’s the CEO and especially the board of directors who are accountable.’

Action plan to strengthen cybersecurity

Mr Poon identified four major types of cyberattack – namely ransomware, social engineering, data breaches and malware – and noted that financial gain and espionage are the motives behind 93% of attacks, with others being politically driven or reputation-based. ‘It’s not a matter of if a cybersecurity incident will happen, but when it happens – and of how your organisation will respond,’ he stressed.

He offered a comprehensive 15-point action plan for NGOs and SMEs to strengthen their cybersecurity position.

  1. Know your data. Organisations must understand what data they collect, why they need it and how it’s stored. Only keep necessary information. For example, if you’re sending birthday gifts to clients, you only need the birth month, not the full date. Data should be stored in compliance with laws such as the EU’s General Data Protection Regulation (GDPR) or the Personal Information Protection Law (PIPL) of the People’s Republic of China, and then deleted according to relevant retention policies.
  2. Understand your risk and foster a cybersecurity culture. Risk assessments are key. Leaders must set the tone. Senior management should attend training and follow policies, with no exceptions.
  3. Assign roles and accountability. Appointing a Data Protection Officer (DPO) and an Information Security Officer (ISO) is vital. Smaller organisations may outsource these functions or hire virtual DPOs or ISOs.
  4. Develop and enforce security policies. With AI usage rising, organisations should also define acceptable AI use policies.
  5. Use strong unique passwords. Avoid passwords such as 123 or your company name.
  6. Apply timely security updates. Around 70% to 80% of breaches are due to missed essential updates.
  7. Use multifactor authentication. This adds a crucial layer of protection.
  8. Limit access based on need. Employ role-based access control and the principle of least privilege.
  9. Conduct ongoing risk assessments. The security position can change rapidly as new vulnerabilities emerge.
  10. Provide continuous training and awareness. Educated staff are a strong line of defence.
  11. Leverage cybersecurity tools. Recommended solutions include next-generation firewalls, endpoint detection and response, and dark web monitoring.
  12. Maintain a realistic budget. Financial planning for cybersecurity should balance risk management and sustainability.
  13. Have an incident response plan. A thorough plan should include risk classification, internal notification, containment, investigation, communication and review. A comprehensive response plan ensures a quick response and minimises impact.
  14. Consider managed service providers. These offer specialised cybersecurity expertise and scalable solutions.
  15. Manage third-party risks. Vendors and partners must comply with data protection laws such as the GDPR, the PIPL or Hong Kong’s Personal Data (Privacy) Ordinance. If you engage a data processor, you must ensure they comply by contract or other means.

Responding to a cybersecurity incident

Mr Poon also outlined 11 essential elements of an effective cybersecurity incident response plan, as recommended by the Office of the Privacy Commissioner for Personal Data (PCPD).

  1. Incident description and classification. Clearly define what constitutes an incident and classify risk levels accordingly.
  2. Internal notification procedure. Alert senior management, the DPO and/or the response team promptly.
  3. Roles and responsibilities. Assign specific duties to response team members to ensure coordinated action.
  4. Contact methods and calling tree. Maintain a clear contact protocol for rapid communication during incidents.
  5. Risk assessment workflow. Evaluate the nature and potential impact of the incident on affected individuals.
  6. Containment strategy. Take steps to limit damage and prevent further spread.
  7. Communication plan. Develop a plan for notifying data subjects, regulators and stakeholders.
  8. Investigation procedure. Conduct a thorough investigation, preserve evidence and document findings.
  9. Record-keeping policies. Maintain logs and ensure a clear chain of custody for evidence.
  10. Incident review mechanism. Carry out post-incident evaluation to identify improvements and prevent recurrence.
  11. Training and drills. Regularly train staff to ensure familiarity with incident procedures.

Mr Poon also stressed that transparency in data breach handling is crucial. ‘As a data subject, I would be upset if an organisation knew my data was stolen and I wasn’t properly informed.’

Cyberthreats and legal gaps

The panel then kicked off with a discussion of why cybersecurity efforts increasingly focus on NGOs and SMEs. Ronald Mok, NGO Committee member, HKCNSA, explained that although high-profile attacks initially drove large corporations to bolster their cybersecurity, this trend is becoming increasingly prevalent among NGOs and SMEs. He also pointed out that limited resources and underdeveloped IT infrastructures make these organisations prime targets. ‘Hackers don’t care about how famous or big your company is, it’s about the value of your data,’ he added, highlighting the risk of data being sold on the dark web.

Mr Poon flagged up the reluctance among SMEs and NGOs to conduct risk assessments. He emphasised that cybersecurity is not a one-off investment, but an ongoing process. ‘Even if you have antivirus software or firewalls, if they’re not maintained or updated you will be operating under a false sense of security,’ he warned.

The conversation then shifted to legal implications, with Chandy Ye, Vice Chairman and Director of the Data Privacy Committee, HKCNSA, outlining Hong Kong’s current legal gaps. ‘There’s no compulsory obligation to report personal data leaks under the PCPD – at least not yet,’ she said, though changes are being discussed to strengthen enforcement.

Speakers also addressed the challenges being faced by NGOs and SMEs in enhancing cybersecurity with limited resources and highlighted practical strategies to overcome them.

Mr Poon emphasised the importance of early planning and integrating ‘security by design’ into projects from the outset. ‘It will be 10 or 20 times more expensive when you think about cybersecurity just a day before the technology is being deployed,’ he cautioned, likening it to retrofitting safety features onto a finished building. He encouraged organisations to consider the total cost of ownership, rather than just upfront costs.

On best practices, Mr Poon reiterated the importance of cultivating a strong security culture through continuous staff training, clear written policies and layered defences across people, processes and technology. ‘People are still the most important element,’ he said, noting that even the best tools can become ineffective if they are ignored or become outdated.

In the final part of the discussion, speakers tackled several pressing questions from the audience, focusing on practical concerns around data retention, vendor accountability and cybersecurity preparedness for both large and small organisations.

A key issue raised was whether recruitment firms that retain candidate emails are exposed to data privacy risks. Ms Ye advised firms to first evaluate the purpose of data collection and to ensure safe storage. ‘Once the purpose of your data collection has been achieved, you should delete it,’ she stressed, adding that if firms wish to retain CVs for future opportunities, ‘you should make it clear to the applicant that you will keep it for a certain period of time and for what purpose.’

Mr Mok shared a real-life incident where an HR team downloaded a malicious CV from JobsDB, leading to malware execution on a staff computer. He added that attackers can even simulate a company’s antivirus setup to evade detection, underscoring the need for holistic defence strategies.

On vendor accountability, Ms Ye clarified that while Hong Kong’s current legislation does not assign direct liability to vendors, upcoming codes of practice may introduce sample contract clauses to allocate responsibility more clearly. Mr Poon then urged businesses not to focus solely on price when selecting cybersecurity vendors, advising them instead to choose the best one for the organisation. He also recommended building audit rights into contracts to verify vendor performance.

Finally, when asked whether Hong Kong companies with European operations are obliged to report data breaches under the GDPR, Ms Ye confirmed that EU-based breaches must be reported within 72 hours. Even though Hong Kong law does not currently mandate breach notification, ‘if this is on a big scale, I would advise you to at least make some communication with the commissioner here,’ she advised.
