Last reviewed July 2026 · Reviewed by Ben Fox, Managing Director
PTS provides layered, managed cybersecurity services in Hong Kong — firewalls, endpoint detection and response, email and identity security, phishing simulation, external penetration testing and incident response — as an ISO/IEC 27001 and ISO/IEC 20000-certified IT security company with engineers in Hong Kong, Shanghai and Singapore. Most clients take protection as part of a managed IT service; others start with a standalone IT security audit.
Practical cybersecurity for SMEs in Hong Kong, China and APAC
PTS helps small and mid-sized businesses protect users, data and systems with layered cybersecurity that covers the network perimeter, servers, storage, endpoints and the cloud. We combine firewalls, monitoring, endpoint protection and structured testing so you know what is protected, where your risks are, and what to fix first.
From IT security audits and firewall hardening to phishing simulation and external penetration testing, we deliver cybersecurity services that are proportionate, explainable and built for business owners, not just technical teams. Most clients take ongoing protection delivered as part of our managed IT services; others start with a standalone audit or a Microsoft 365 security review and grow from there.
Information Security: ISO/IEC 27001 certified
Service Management: ISO/IEC 20000 certified
Practical guides: how to protect your business from phishing attacks, the 19 cybersecurity policies every business needs, and AI scams in Hong Kong.
What our cybersecurity services in Hong Kong cover
Network & Perimeter Security
Protect the front door of your business with layered network and perimeter security designed for SMEs that cannot afford downtime or data loss.
- Managed firewalls. Next-generation firewalls with proper rules, segmentation and logging, not default configurations that leave gaps.
- Secure remote access. VPN and zero-trust access so staff working from home or on the road connect safely to internal systems.
- Web & DNS filtering. Block malicious sites, phishing links and known bad domains before they reach users or devices.
- Wi-Fi & guest network hardening. Separate staff, guest and device networks with strong authentication and monitoring.
- Firewall rule reviews. Regular reviews of firewall rules and access policies to remove stale exposures and reduce your attack surface.
Endpoint, Server & Data Protection
Secure the devices and systems where your business actually runs, with modern endpoint protection, EDR and hardened server and storage configurations.
- Endpoint Detection & Response (EDR). Advanced endpoint protection that detects, isolates and remediates threats on laptops, desktops and servers.
- Server & storage hardening. Secure configuration, patching and access controls for on-premise, hybrid and cloud servers and storage.
- Identity & access management. Strong passwords, multi-factor authentication and least-privilege access across Microsoft 365 and core systems.
- Backup & ransomware resilience. Reliable, tested backups so you can recover from ransomware, accidental deletion or hardware failure.
- Email & cloud security. Advanced filtering, anti-phishing and monitoring for Microsoft 365, Google Workspace and business email.
Security Testing, Audits & Awareness
Understand where you really stand. Our IT security audits, phishing testing and external penetration testing give you an honest picture of risk and a clear plan to fix it.
- IT security audit. Structured review of your systems, users, policies and configurations against practical SME security benchmarks.
- External penetration testing. Authorised testing of your public-facing systems to identify vulnerabilities before attackers do.
- Phishing simulation & awareness. Realistic phishing campaigns and training that help staff recognise and report real attacks.
- Risk & compliance support. Practical guidance on PDPO, ISO, cyber insurance and client security questionnaires.
- Clear remediation roadmap. Every engagement delivers a prioritised list of actions, owners and timelines, not just a report.
Looking for broader lifecycle work such as projects and migrations? See IT projects and infrastructure, or talk strategy with our Virtual CIO / IT advisory team. For regulatory context: PDPO in Hong Kong and China PIPL. Securing Microsoft 365 specifically? See our Microsoft 365 security review.
What is managed cybersecurity?
Managed cybersecurity is an outsourced service in which a provider takes day-to-day responsibility for protecting a business’s systems, data and users — and keeps doing it, continuously, under agreed service levels. In practice that means endpoint detection and response (EDR) on every device, enforced multi-factor authentication and identity controls, email and phishing protection, patching on a defined cycle, monitored and test-restored backups, security awareness training, and engineers who respond when something is detected. It differs from buying security products (tools without anyone watching them), and from point-in-time work such as audits or penetration tests (a snapshot, not protection). For most Hong Kong SMEs, managed cybersecurity replaces the security specialist they cannot realistically hire — at a predictable monthly cost, usually delivered alongside managed IT support.
The distinction that matters most: security tools without operations quietly fail. An EDR licence nobody monitors, MFA that was “rolled out” but never enforced for every account, backups that have not been test-restored since they were configured — these are the gaps that turn an incident into a crisis. Managed security is the discipline of running the controls, not just owning them.
The Hong Kong threat picture
Hong Kong businesses sit in one of the world’s most actively targeted regions, and the pattern is consistent: phishing remains the number-one entry point for breaches in SMEs, increasingly sharpened by AI — voice cloning, deepfaked video calls and flawless corporate Cantonese and English. The city has already seen a finance employee deceived into transferring HK$200 million after a deepfaked video call with what appeared to be senior colleagues. Ransomware crews target SMEs precisely because controls are weaker than at banks, and business email compromise — a supplier “changing bank details” — quietly outearns both. Our guides to phishing protection, AI scams in Hong Kong and the 19 policies every business needs cover the threats — and the defences — in detail.
In-house security vs outsourced managed security
For Hong Kong businesses under a few hundred users, a dedicated in-house security function is rarely realistic — and the reasons are structural, the same ones that apply to IT support generally, only sharper:
The hiring market is thinner. Security specialists are scarcer and command more than general IT managers in Hong Kong, and they are in constant demand from banks and insurers that can outbid an SME. Recruiting one takes months; retaining one is harder.
One person cannot cover the discipline. Real security work spans identity, endpoints, email, network, cloud configuration, testing and incident response. A single hire is strong in one or two of these; a managed security team includes specialists across all of them, and you pay only for the share you use.
Threats don’t keep office hours. Ransomware detonates at weekends by design. A lone security hire is off sick, on leave or asleep when it matters; a managed service is monitoring and responding within SLAs regardless.
Enterprise tooling is priced for scale. EDR platforms, email security, phishing-simulation and awareness platforms are dramatically cheaper per user through a provider’s licensing than bought retail for thirty staff — and worthless without someone operating them (see above).
When in-house security makes sense
Larger organisations, regulated firms with security postures that require direct internal control, or businesses with a genuine security-operations workload all justify internal hires — and there the right model is usually co-managed: your internal lead owns risk decisions and strategy, while the provider runs the operational layer (monitoring, patching, email, identity hygiene) and the periodic testing. PTS works this way with several internal IT and security teams today.
Managed security: what we run day to day
An audit tells you where you stand. Staying protected is daily work — for most clients it is delivered as part of our managed IT services, alongside the helpdesk and on-site engineers who handle everything else. Operational security is included in every managed tier:
- Endpoint monitoring and response. Microsoft Defender for Endpoint across laptops, desktops and servers — alerts triaged by engineers, compromised devices isolated quickly.
- Patching on a defined cycle. Windows, macOS and server patching plus third-party application updates, with end-of-life software flagged before it becomes an entry point.
- Email protection. Microsoft Defender anti-phishing, safe links and attachments, anti-spoofing and DMARC enforcement — plus Proofpoint or Mimecast where deployed.
- Identity and access. Multi-factor authentication enforced for everyone, conditional access, least-privilege admin roles and device compliance through Microsoft Intune.
- Firewall and network management. Managed Cisco Meraki, Fortinet FortiGate and Palo Alto firewalls with maintained rules, segmentation and logging.
- Awareness training. KnowBe4 phishing simulation and security awareness training run as an ongoing programme, because staff behaviour decays faster than software.
- Backup and recovery checks. Veeam and Acronis backups monitored and test-restored, so ransomware recovery is a rehearsed procedure rather than a hope.
The deeper, point-in-time work — IT security audits, external penetration testing, Microsoft 365 security reviews and remediation projects — is scoped separately, so you pay for testing when it happens, not as padding in a monthly fee.
Our security assessment process
Whether you have 10 users or a multi-site group, every security engagement follows the same four steps. The aim is not a long report — it is a short list of the right fixes, in the right order.
1. Audit
We review your users, devices, network, firewalls, cloud services, backups and policies against practical SME security benchmarks — and where Microsoft 365 is the core of your business, we baseline the tenant with a Microsoft 365 security review.
2. Prioritised report
You receive risk-rated findings in plain English, written for business owners as well as technical teams — the gaps that matter most at the top, with the reasoning behind each rating.
3. Remediation plan
Every finding gets an action, an owner and a timeline. We can carry out the remediation ourselves, hand it to your internal team, or split the work between us.
4. Retest
Once the fixes land, we verify them — re-running external testing where it is in scope, repeating phishing simulations and re-baselining your posture — so you can evidence the improvement to clients, auditors and insurers.
Suspected breach? The first 24 hours
A ransom note on a server. A supplier saying your “finance team” changed bank details. A sign-in from a country where you have no staff. What you do in the first 24 hours largely decides how expensive the incident becomes. This is the sequence we work through — for managed clients, a suspected breach is a P1 incident, acknowledged within 30 minutes during business hours and worked immediately.
1. Isolate — don’t wipe
Disconnect affected machines from the network (EDR can isolate them remotely), but do not wipe, rebuild or “tidy up”. Rebuilding destroys the evidence you need to understand what happened — and what insurers and regulators may later ask for.
2. Preserve evidence
Keep logs, sign-in histories, mailbox rules, ransom notes and screenshots, and note times and who did what. If the incident turns into an insurance claim or a notification decision, this record is what everything rests on.
3. Cut off the attacker’s access
Reset passwords on affected accounts, revoke active sessions and enforce multi-factor authentication. Then check for the persistence tricks attackers leave behind: mail-forwarding rules, newly created admin accounts, and registered MFA devices that aren’t yours.
4. Establish what is affected
Which systems, which accounts — and crucially, what data. Whether personal data is involved changes your obligations under the PDPO. Confirm your backups are intact and uncompromised before you rely on them for recovery.
5. Notify the right people
At the time of writing the PDPO imposes no general mandatory breach-notification duty, but the Privacy Commissioner (PCPD) encourages reporting breaches involving personal data and notifying affected individuals. SFC-licensed firms must notify the SFC of material incidents under paragraph 12.5 of the Code of Conduct, and most cyber-insurance policies have notification windows. Take legal advice on anything borderline.
6. Recover and harden
Restore from tested backups, close the entry point that let the attacker in, and run a post-incident review — so the same door is not still open next quarter.
For managed clients, PTS handles the technical side of this — isolation, evidence preservation, credential resets and restores — and produces the incident documentation your notification and insurance decisions rely on. The legal judgement on notifying stays with you and your advisers; our job is to make sure it rests on facts rather than guesses.
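The three persistence checks in step 3 (mail-forwarding rules, newly created admin accounts, MFA devices that aren't yours) can be run as a repeatable triage over an exported audit log. The following is an added example, not PTS tooling; the record schema, action names, accounts and events are constructed for illustration and would need mapping from your platform's real audit export.

```python
from datetime import datetime, timezone

# Constructed sample data in a hypothetical normalised schema
# (time / actor / action / target / detail); not from a real incident.
ORG_DOMAINS = {"example.hk"}
KNOWN_ADMINS = {"it-admin@example.hk"}
KNOWN_MFA_DEVICES = {"finance1@example.hk": {"iPhone-A1"}}
# Start the window well before the first known-bad sign-in: persistence is
# often planted before anyone notices the incident.
WINDOW_START = datetime(2026, 3, 7, 0, 0, tzinfo=timezone.utc)

EVENTS = [
    {"time": "2026-03-06T09:12:00+00:00", "actor": "it-admin@example.hk",
     "action": "mfa_device_registered", "target": "finance1@example.hk",
     "detail": {"device": "iPhone-A1"}},
    {"time": "2026-03-07T02:14:00+00:00", "actor": "finance1@example.hk",
     "action": "inbox_rule_created", "target": "finance1@example.hk",
     "detail": {"forward_to": "archive@mail-example.net"}},
    {"time": "2026-03-07T02:20:00+00:00", "actor": "ops2@example.hk",
     "action": "inbox_rule_created", "target": "ops2@example.hk",
     "detail": {"forward_to": "ops-team@example.hk"}},
    {"time": "2026-03-07T03:31:00+00:00", "actor": "finance1@example.hk",
     "action": "role_assigned", "target": "svc-backup2@example.hk",
     "detail": {"role": "Global Administrator"}},
    {"time": "2026-03-07T03:40:00+00:00", "actor": "finance1@example.hk",
     "action": "mfa_device_registered", "target": "finance1@example.hk",
     "detail": {"device": "Pixel-X9"}},
    {"time": "2026-03-07T08:05:00+00:00", "actor": "finance1@example.hk",
     "action": "mfa_device_registered", "target": "finance1@example.hk",
     "detail": {"device": "iPhone-A1"}},
]


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def find_persistence(events, org_domains, known_admins, known_mfa, window_start):
    """Return findings for the three step-3 checks, in event order."""
    findings = []
    for ev in events:
        if datetime.fromisoformat(ev["time"]) < window_start:
            continue  # outside the investigation window
        detail = ev.get("detail", {})
        kind = None
        if ev["action"] == "inbox_rule_created":
            dest = detail.get("forward_to")
            # Forwarding to a colleague is routine; forwarding outside is not.
            if dest and domain_of(dest) not in org_domains:
                kind = "external_forwarding"
        elif ev["action"] == "role_assigned":
            # Any admin role granted to an account not on the approved list.
            if "admin" in detail.get("role", "").lower() \
                    and ev["target"] not in known_admins:
                kind = "new_admin_account"
        elif ev["action"] == "mfa_device_registered":
            if detail.get("device") not in known_mfa.get(ev["target"], set()):
                kind = "unknown_mfa_device"
        if kind:
            findings.append({"kind": kind, "account": ev["target"],
                             "by": ev["actor"], "time": ev["time"],
                             "detail": detail})
    return findings


if __name__ == "__main__":
    for f in find_persistence(EVENTS, ORG_DOMAINS, KNOWN_ADMINS,
                              KNOWN_MFA_DEVICES, WINDOW_START):
        print(f["time"], f["kind"], f["account"], f["detail"])
```

Keep the output with the evidence preserved in step 2, and remove each finding (delete the rule, strip the role, deregister the device) only after it has been recorded.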
Cybersecurity compliance in Hong Kong: PDPO, SFC and HKMA
Almost every Hong Kong business holding personal data is governed by the Personal Data (Privacy) Ordinance (PDPO) and its six Data Protection Principles. The one that lands on IT is DPP4: take practical steps to safeguard personal data against unauthorised access, processing and loss. The controls on this page — MFA, EDR, hardened firewalls, tested backups — are how DPP4 is met in practice. If you also operate in Mainland China, PIPL, the Cybersecurity Law and the Data Security Law add a second regime; our guide to data laws in China and Hong Kong covers both in plain English.
Regulated firms carry more. The SFC’s expectations are spread across the Code of Conduct, the Fund Manager Code of Conduct and a series of circulars — multi-factor authentication, patching, record-keeping, business continuity, incident notification and a named Manager-In-Charge for IT. Our guide to SFC cybersecurity requirements for Hong Kong fund managers maps each obligation to its source, and our financial services IT practice builds the controls — and the evidence trail — those obligations assume. Banks and other HKMA-regulated institutions face their own supervisory expectations for technology risk; the controls are similar, the documentation bar higher.
Compliance pressure also arrives from outside the regulators: cyber-insurance proposals and client security questionnaires now ask pointed questions about MFA, EDR, tested backups and awareness training before cover is quoted or contracts signed. We give practical guidance on PDPO, ISO, cyber insurance and client security questionnaires — implementing the controls and supplying the evidence, so your answers are “yes, with proof” rather than hopeful ticks.
Cross-border environments are where this gets hardest, and where our track record is deepest. See how we brought a Western manufacturer’s China operations into line with global IT and security standards — a full multi-site audit, remediation against global compliance policies, then ongoing managed services to keep the sites aligned.
How to choose an IT security company in Hong Kong
Every provider’s website promises comprehensive protection. The differences only show when you know what to test for. Five checks separate the field:
Independent certifications
Ask whether the provider holds ISO/IEC 27001 — the externally audited standard for how they secure their own operation — rather than just vendor badges, which measure how much product they resell. ISO/IEC 20000 alongside it shows the service-management discipline to run security consistently. Ask whether the certifications are current and what their scope covers.
Engineers on the ground
When a device needs isolating or a server needs hands on it, a security team in another country can only watch dashboards. Ask how many engineers are based in Hong Kong, and whether they work in English, Cantonese and Mandarin — incidents escalate in the user’s first language.
Explainability
If you cannot understand the report, you cannot act on it — or judge whether you are being sold the right things. Look for risk explained in business terms, recommendations proportionate to your size, and a provider willing to tell you what not to buy.
Vendor independence
Some providers are effectively the sales arm of a single security vendor, and every assessment concludes you need more of that vendor’s products. A vendor-neutral provider is paid by you, not the vendor. Test it: ask what they would recommend for a specific gap, and watch whether the answer is shaped by your risk or their margin.
Cross-border capability
If you have offices in Mainland China or Singapore, ask where the provider is legally established there and who their local engineers are. Controls that work in Hong Kong do not transplant unchanged into the Mainland — data laws, networks and cloud tenancy all differ.
This is the security-specific version of the five-factor evaluation we publish for choosing an IT support provider — and we invite you to score us against it.
How cybersecurity services are priced
We don’t publish prices, for the same reason as the rest of our services: no two environments carry the same risk. But the models and drivers are simple enough to share.
Two pricing models. Point-in-time work — security audits, penetration testing, Microsoft 365 security reviews, remediation projects — is priced as a fixed-fee statement of work after a short scoping conversation. Ongoing protection — monitoring, patching, email security, identity and awareness training — is part of the monthly fee for a managed service, scoped per user and per site.
What moves the price:
- Users and devices. The biggest variable — most controls scale per endpoint and per identity.
- Sites and countries. Multi-site and cross-border environments add firewalls, networks and jurisdictions.
- Stack complexity. A standard Microsoft 365 + Windows + Meraki environment is more straightforward to secure than hybrid servers, legacy applications and multiple clouds.
- Compliance requirements. PDPO obligations are the baseline; SFC or HKMA expectations add reporting, evidence and documentation overhead, which is priced explicitly.
- Testing scope. The breadth of penetration testing and the cadence of phishing simulation are scoped to your actual risk, not sold by default.
Either way, you receive a written, costed proposal setting out what is included, what is excluded and the fee — no surprise charges. Talk to us and we will tell you honestly which model fits.
Cybersecurity FAQs
What cybersecurity services does PTS provide in Hong Kong?
PTS provides perimeter and firewall security, server, storage and network protection, endpoint protection and EDR, identity and email security, IT security audits, phishing simulation and external penetration testing — tailored for small and mid-sized businesses in Hong Kong.
Are your cybersecurity services suitable for SMEs?
Yes. Our services are designed for small and mid-sized businesses that need practical, layered protection without an in-house security team. We focus on the controls that deliver the biggest reduction in real-world risk for your size and industry.
How are your cybersecurity services priced?
Point-in-time work — audits, penetration testing, remediation projects — is priced as a fixed-fee statement of work; ongoing protection is part of a monthly managed service fee. The drivers are users and devices, sites, stack complexity, compliance requirements and testing scope. We don’t publish prices, but every engagement starts with a written, costed proposal.
Are you ISO 27001 certified?
Yes. PTS is certified to ISO/IEC 27001 for information security management and ISO/IEC 20000 for IT service management — externally audited standards covering how we secure and run our own operation, not vendor badges. We suggest asking any provider you evaluate for the same evidence.
How does an IT security audit work?
We review your users, devices, network, servers, cloud services, backups and policies against proven security benchmarks. You receive a clear report with risk ratings and a prioritised remediation plan so you know exactly what to fix first.
What is EDR and do I need it?
Endpoint Detection & Response (EDR) is a modern replacement for traditional antivirus. It detects suspicious behaviour, isolates compromised devices and supports rapid response. For most SMEs today, EDR is a baseline requirement, not an optional extra.
Do you carry out phishing testing and user awareness training?
Yes. We run realistic phishing simulations and ongoing security awareness training so your team learns to spot and report real attacks. Phishing remains the most common entry point for breaches in SMEs, so regular testing is essential.
Can you perform external penetration testing?
Yes. Our authorised external penetration testing probes your internet-facing systems to confirm what an attacker could actually exploit. You get a technical report, an executive summary and clear remediation guidance for your team.
What is the difference between a security audit and a penetration test?
An IT security audit is a broad review of your users, devices, policies and configurations against security benchmarks — it tells you what should be fixed. An external penetration test is an authorised attempt to exploit your internet-facing systems — it tells you what can actually be broken into. Most SMEs should audit first, then use testing to validate the fixes.
Is cybersecurity included in your managed IT services?
Operational security — endpoint protection, patching, identity and access management, email security and incident response support — is included in every tier of our managed IT services. Deeper point-in-time work such as security audits, penetration testing and ISO 27001 readiness is scoped separately as a project.
What should we do first if we suspect a breach?
Isolate the affected devices without wiping them, preserve logs and evidence, reset credentials and revoke active sessions, then establish which systems and data are affected before making notification decisions. Our first-24-hours guidance above walks through the sequence.
Does Hong Kong’s PDPO require us to report a data breach?
At the time of writing the PDPO contains no general mandatory breach-notification requirement, but the Privacy Commissioner (PCPD) encourages reporting breaches involving personal data and notifying affected individuals — and DPP4 requires you to safeguard personal data in the first place. Regulated firms may have separate duties, such as the SFC’s incident-notification expectations. Take legal advice on any borderline case, and see our guide to Hong Kong and China data laws.
What does the SFC expect from licensed firms on cybersecurity?
Expectations are spread across the Code of Conduct, the Fund Manager Code of Conduct and a series of circulars: multi-factor authentication, patching, least-privilege access, tested backups, business continuity, incident notification and a named Manager-In-Charge for IT. Our SFC cybersecurity guide for fund managers maps each obligation to its source, and our financial services IT practice implements them.
Do you work with SFC-regulated firms?
Yes. PTS supports SFC-licensed fund managers and other regulated firms through our financial services IT practice, implementing the controls the SFC expects — multi-factor authentication, patching, least-privilege access, tested backups and incident-response support — together with the evidence trail supervisors and investor due diligence ask for. The FAQ above outlines where those obligations come from.
Can you help with cyber-insurance and client security questionnaires?
Yes. Insurers and enterprise clients increasingly require MFA, EDR, tested backups and awareness training before quoting cover or signing contracts. We implement the controls, then help you complete cyber-insurance and client security questionnaires with evidence rather than hopeful ticks.
Can you secure our offices in Mainland China and Singapore too?
Yes. PTS has operated in Hong Kong since 2001 and Singapore since 2009, and runs a locally registered entity in Shanghai with engineers on the ground. We apply consistent security controls across all three markets and map them to the local rules — PDPO in Hong Kong, PIPL in the Mainland. See China IT services and IT support in Singapore.
How do we get started?
Most engagements start with a short security review or IT security audit so we understand what you already have in place. From there, we agree a prioritised plan covering firewall rules, endpoints, identity, backups, testing and training that fits your budget and business risk.

