In August 2025, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) released the Q2 2025 Hong Kong Security Watch Report (https://www.hkcert.org/watch-report/hong-kong-security-watch-report-q2-2025). While the total number of cybersecurity incidents declined, website defacement cases surged by 168% quarter-on-quarter, making it the fastest-growing attack type. For Hong Kong enterprises—especially SMEs—this trend highlights critical gaps in vulnerability management, web application security, and governance. This article summarizes the key findings of the Q2 report, analyzes the underlying risks and SME challenges, and outlines governance recommendations based on international standards such as ISO/IEC 27001, SRAA, and PIA.

Key Findings from the Q2 Report

According to HKCERT’s Q2 2025 report, Hong Kong’s cybersecurity landscape showed the following trends:

  1. Website defacements increased sharply — up 168% QoQ, becoming the most prominent threat.
  2. Phishing incidents declined by 12.2% — suggesting a tactical shift by attackers, though still prevalent.
  3. Botnet activity dropped by 14% — slightly reduced but still a long-term risk.
  4. Overall incidents decreased by 12.5% — fewer total cases, but more concentrated risks.

Main Technical Causes of Website Defacement (Q2 2025):

  1. Unpatched system vulnerabilities (28.4%)
  2. Web application flaws (25.5%)
  3. SQL injection (23.5%)
  4. Server intrusions (13.7%)
  5. Configuration and management errors (3.9%)
  6. File inclusion vulnerabilities (2.9%)

These figures reveal that insufficient vulnerability management and secure coding practices remain critical weaknesses for many Hong Kong enterprises.

Governance Challenges Facing SMEs

HKCERT emphasized that SMEs are particularly vulnerable to cybersecurity risks, mainly due to:

  1. Lack of transparency — unclear channels for identifying and contacting qualified service providers.
  2. Difficulty assessing providers — challenges in evaluating reliability and compliance.
  3. Knowledge gaps — limited in-house expertise to detect and remediate security issues.

A 2024 joint survey by the PCPD and the Hong Kong Productivity Council (HKPC) found that 71% of large enterprises and 69% of SMEs had experienced cyberattacks within the past 12 months. This demonstrates that cyber threats are universal, but SMEs face greater challenges due to resource constraints and insufficient preparation.

Governance Pathways for Enterprises

The surge in website defacements recorded in the Q2 report underscores persistent gaps in vulnerability management, compliance governance, and resilience building.

As DQS HK has observed, many enterprises remain reactive—focused on post-incident remediation—rather than building a sustainable defense strategy.

To address this, enterprises should strengthen three governance pillars:

  1. Security Risk Assessment & Audit (SRAA) — Identify exposed assets, prioritize vulnerabilities, and allocate resources to the most critical areas.
  2. Privacy Impact Assessment (PIA) — Ensure compliance with PDPO and the upcoming Critical Infrastructure Ordinance, reducing regulatory and reputational risks.
  3. ISO/IEC 27001 ISMS — Establish a formalized, auditable, and continuously improving security management system, moving from ad-hoc fixes to structured governance.

Strategic Cybersecurity Actions for Enterprises

For the remainder of 2025, enterprises should focus on three key cybersecurity priorities:

  1. Strengthening website and application security — conduct regular scans and patching for CMS platforms, plugins, and web applications.
  2. Integrating governance and compliance — align SRAA, PIA, and ISO/IEC 27001 into a unified, long-term governance model.
  3. Enhancing talent and awareness — build employee training programs to improve detection of phishing, malware, and social engineering attacks.
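A minimal defacement check of the kind priority 1 calls for, written for this article as an added example (it is not DQS HK or HKCERT code): it fingerprints each page against a stored baseline and flags changed, missing or unexpected pages, naming any common defacement marker it sees. The page contents, paths and marker strings below are constructed for the demonstration.

```python
"""Baseline-hash defacement monitor (added example; sample data is constructed)."""
import hashlib
import re

# Constructed sample: the site at baseline and at a later check.
BASELINE_PAGES = {
    "/": "<html><title>Acme HK</title><body><h1>Welcome</h1></body></html>",
    "/about": "<html><title>About Acme</title><body><p>Founded 2001</p></body></html>",
}
CURRENT_PAGES = {
    "/": "<html><title>Hacked by ZZZ</title><body><h1>Owned</h1></body></html>",
    "/about": "<html><title>About Acme</title><body><p>Founded 2001</p></body></html>",
}

# Hypothetical marker list; extend it from your own incident history.
DEFACEMENT_MARKERS = ("hacked by", "owned by", "defaced")


def page_fingerprint(html: str) -> str:
    """SHA-256 of the page with whitespace runs collapsed, so reformatting alone does not alert."""
    normalised = re.sub(r"\s+", " ", html).strip()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def build_baseline(pages: dict) -> dict:
    """Record the known-good fingerprint of every page (store this off-host, not on the web server)."""
    return {path: page_fingerprint(html) for path, html in pages.items()}


def check_site(baseline: dict, current: dict) -> list:
    """Return (path, reason) findings: changed pages (with marker if any), new pages, missing pages."""
    findings = []
    for path, html in current.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "unexpected new page"))
            continue
        if page_fingerprint(html) != expected:
            lowered = html.lower()
            hit = next((m for m in DEFACEMENT_MARKERS if m in lowered), None)
            findings.append((path, f"content changed; marker: {hit}" if hit else "content changed"))
    for path in baseline.keys() - current.keys():
        findings.append((path, "page missing"))
    return findings


if __name__ == "__main__":
    for path, reason in check_site(build_baseline(BASELINE_PAGES), CURRENT_PAGES):
        print(f"ALERT {path}: {reason}")
```

Run it from a scheduled job that fetches the live pages into `CURRENT_PAGES`; any finding is a trigger for the SRAA-prioritised incident process rather than a reason to silently re-upload the page.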

Conclusion

The HKCERT Q2 2025 report delivers a clear message: a decrease in incident volume does not equate to reduced risk. The sharp rise in website defacements demonstrates that even “basic” attacks can seriously disrupt business continuity and damage reputation.

Hong Kong enterprises must move beyond reactive measures and adopt a proactive, compliance-driven security strategy. By implementing SRAA, PIA, and ISO/IEC 27001, and leveraging external expertise where needed, organizations can strengthen resilience, ensure regulatory readiness, and build long-term trust with clients and partners.

Cybersecurity is not an additional cost—it is an essential foundation for competitiveness and compliance in Hong Kong’s digital economy.

Author

DQS Hong Kong

DQS Hong Kong specialises in certification auditing and training services across core disciplines including Information Security (ISO 27001), Quality Management (ISO 9001), and the Automotive Industry (IATF 16949). Our auditors bring deep sector-specific expertise, working closely with clients' operational realities to deliver actionable management insights and lasting commercial value — well beyond the boundaries of compliance alone.