Hong Kong police and local NGOs released on Friday a draft set of rules aimed at strengthening digital defenses in schools, which have long struggled with limited resources and expertise.

The Chinese-language draft of rules, the translated title of which is “The Cybersecurity Guide for Hong Kong Schools”, is being tested in some institutions and will be refined based on feedback before a public rollout.

The guidelines are a joint initiative by the Hong Kong Police Force’s Cyber Security and Technology Crime Bureau (CSTCB), the Hong Kong Internet Registration Corp Ltd (HKIRC), and the Association of IT Leaders in Education (AiTLE).

READ MORE: Call for proactive defense amid rising cyber threats

They provide ready-to-use policy templates, case studies, incident response protocols, and configuration checklists tailored specifically for schools.

Key recommended measures include network segmentation, regular employee training, and clear response protocols, according to a summary of the guide made public on Friday.

Schools store vast amounts of sensitive personal data belonging to students and employees — including names, contact details, ID numbers, and academic records — that experts say are highly valuable to malicious actors who seek to use the data for identity theft, fraud, and other illegal activities.

At a news briefing on Friday, HKIRC CEO Wilson Wong said that phishing and malware attacks have increased on campuses as educators adopt more digital tools for teaching and administration.

He added that the growing use of digital platforms turns schools into potential entry points for broader attacks targeting government, private sector, and community networks.

Police data indicate that such breaches are becoming more costly. In the first half of 2025, the city recorded 16,262 technology crime cases — a 0.5 percent year-on-year increase.

However, collective financial losses from these cases rose by 14.7 percent to over HK$3 billion ($385 million).

Rachel Hui Yee-wai, a senior inspector at CSTCB, reported that between January and July, at least nine school-related cybersecurity incidents were officially reported to the bureau, though the actual number is likely higher because of underreporting.

She recommended a three-pillar strategy to ensure a secure digital environment on campus, focused on governance-first policies, proactive protection, and robust detection and recovery.

Kok Tin-gan, a cybersecurity and privacy partner at DarkLab, a Hong Kong-based security operation center partaking in the guidelines’ compilation, said that schools’ complex user bases — including students, parents, teachers, and alumni — create a large attack surface that is difficult to manage.

This challenge is often compounded by insufficient cybersecurity investment and outdated infrastructure, he said.

AiTLE Chairman Albert Wong Kin-wai added that uneven cybersecurity expertise across institutions has hindered consistent implementation of protective measures.

READ MORE: Explainer: Why does campus data protection matter?

In response to growing threats, all parties pledged to continue collaborating to bolster cybersecurity in schools and ensure that educational innovation takes place within a secure digital ecosystem.

“The Cyber Security and Technology Crime Bureau will work closely with industry and academic stakeholders to help schools strengthen their defenses,” Hui said.

The guideline is part of a broader effort by the city to promote “Cybersec One” platform, which offers free network monitoring, IT risk assessment, and expert support services.

Contact the writer at wanqing@chinadailyhk.com