SME Free Web Security Health Check Pilot Scheme


The SME Free Web Security Health Check Pilot Scheme was completed in Nov 2016. You may find the following information useful:


A website is an important tool for businesses to promote services, handle customer relationship management and provide online transaction services. However, some enterprises, especially Small and Medium Enterprises (SMEs), do not possess the resources to secure their websites. Recently, the website of a Hong Kong company was hacked, resulting in the leakage of over 5 million global customer records. The incident made headlines in international news media. The financial impact and the damage to that company's reputation were enormous. Therefore, companies should take a serious look at the security of their websites.


To address this problem, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), operated by the Hong Kong Productivity Council, organizes the "SME Free Web Security Health Check Pilot Scheme" project to promote good practice in web security.


Objective of the Project

The project promotes the best practice of the "Check-Act-Verify" approach to website security health checks among the SMEs of Hong Kong.


Project Details

The project is a pilot scheme in which selected SMEs go through the "Check-Act-Verify" approach to improve the security of their websites. The project is held in Jan-Jul 2016, and recruitment starts in Jan 2016.
100 participating SMEs (organizations) are selected for the pilot scheme using simple criteria:

  • The staff size of the applicant in Hong Kong is 100 or below.
  • The applicant is willing to follow up on the advice given in the report to enhance the security of the website.
  • The makeup of the selected SMEs should be balanced in terms of industries and diversity of website services.

Selected SMEs are guided through a journey to check the health status of their websites and to take action to apply improvement measures. The effectiveness of the improvement is then verified. The organizer will conclude the overall result of the pilot scheme and report the effectiveness of the "Check-Act-Verify" approach.


Here is the flow of a website health check:




  1. Each participant is offered ONE free website security health check. It is a security scan based on a well-known critical web application vulnerability list (namely the "OWASP Top 10") which can identify the basic problems in configuration and implementation.
  2. The Organizer provides a Website Security Health Check Report (the Report) after the first security scan. The Report provides information on the identified security problems and advice from the expert of HKCERT. Each participant is given ONE (maximum one hour) free consultation on how to read the Report and fix the identified problems.
  3. The participant then does its best to follow up on the advice to enhance the security of the website in two months' time with its own resources.
  4. The Organizer and the participant organize a second scan to verify the outcome of the improvements.


