From Vulnerability to Resilience: Safeguarding MSMEs from Cyberattacks
Anthea Mulakala, Brian Cute, and Adrien Ogee

October is Cybersecurity Awareness Month. It’s the perfect time to spotlight the critical role of MSMEs (micro, small, and medium enterprises) in the economy of the Asia-Pacific (APAC), and why these businesses urgently need better protection from cyber threats.
From family-owned businesses in Indonesia to Korean chip manufacturers, MSMEs represent more than 90 percent of all businesses in APAC, employing millions and contributing significantly to GDP. In India alone, MSMEs account for nearly 30 percent of the country’s economy. Yet, despite their growing importance, their cybersecurity remains inadequate.
To address this vulnerability, the APAC Cybersecurity Fund (ACF), implemented by The Asia Foundation with support from Google.org, Google’s philanthropic arm, is taking action. Working in partnership with the CyberPeace Institute and the Global Cyber Alliance, the ACF is rolling out a regional cybersecurity curriculum that aims to equip 300,000 MSMEs across APAC to defend themselves from cyber threats.

MSMEs have embraced digitalization to streamline operations and reach more customers, but they’re stepping into a minefield of cyber risks where many lack the resources to protect themselves. A new report from The Asia Foundation and the CyberPeace Institute, From Vulnerability to Resilience: Cybersecurity Challenges for MSMEs in the APAC Region, reveals that 78 percent of MSMEs in the region have experienced at least one cyber incident in the past year, from phishing scams to ransomware attacks.
Cybercriminals prefer to attack smaller businesses, assuming that they lack the defenses of large corporations. The consequences for MSMEs can be severe. Financial losses from ransom payments or fraudulent transactions can cripple cash flow, while stolen customer data can lead to a loss of trust and reputation, driving away clients and partners. Operational disruptions can cause downtime that stalls production, delays deliveries, and disrupts the entire supply chain. For some MSMEs, the cost of recovery—including legal fees, fines, and IT repair costs—is simply too high, leading to layoffs, lost contracts, and even business closure.

Cybersecurity isn’t just an IT issue; it’s an economic issue. MSMEs are the backbone of APAC’s economy. When they aren’t protected, the fallout isn’t limited to the businesses themselves—it reverberates across industries, supply chains, and entire economies. When one MSME is hit, the damage can spread quickly. A ransomware attack on a small manufacturer in Japan, for example, could halt production and disrupt key supply chains, impacting multiple industries. Another issue is underreporting of cyber incidents due to fear of reputational damage, which makes it difficult to grasp the full scale of the problem.
Learning about cybersecurity was crucial for me as a small business owner. It taught me how to protect my business from scams and conduct safe online transactions, giving me the confidence to grow my online sales without fear.
— Cybersecurity trainee Sawitree Srijinda, Thailand
For APAC governments, the policy implications are clear. Supporting MSMEs in their cybersecurity efforts is about protecting the broader economy. Governments recognize MSMEs’ cybersecurity needs and are exploring support strategies like tax incentives and integrating cybersecurity training into broader economic programs. Collaboration between the public and private sectors is essential to tackle region-wide threats. Encouragingly, there is a strong appetite for cybersecurity training among MSMEs.
The Asia Foundation and the Global Cyber Alliance have developed a regional cybersecurity curriculum to meet MSMEs where they are. The curriculum covers risk assessment, cyber hygiene, and basic defenses such as strong passwords, two-factor authentication (2FA), and phishing protection.
The curriculum is customizable to reflect the needs of MSMEs in specific countries. It provides businesses immediate, actionable steps to protect themselves. A key finding of the CyberPeace Institute’s research is that many MSMEs struggle to recognize their own vulnerabilities. The curriculum helps businesses assess their risks, understand the potential impact of a cyberattack, and integrate cybersecurity into their strategies.
The curriculum also covers password management and 2FA—essential practices because weak passwords are a common entry point for hackers. Phishing awareness and protection are also crucial, as phishing is a highly effective method for cyberattacks. With advances in AI, phishing remains one of the easiest ways for hackers to compromise businesses, and MSMEs are particularly vulnerable due to their limited cybersecurity infrastructure and lack of employee training.
One of the most critical topics in the curriculum is data backup and recovery. For many MSMEs, losing business data can be catastrophic. The curriculum helps businesses establish reliable backups, ensuring that they can recover if data is compromised. Secure backups are essential to minimize downtime and thwart ransomware demands.
What makes this curriculum truly effective is its localization. MSMEs in Indonesia, for instance, may face different challenges from those in Korea, and this training reflects those differences. In countries where outdated or pirated software is in common use, the curriculum emphasizes the risks of using unsupported systems and stresses the importance of regular software updates. In regions with low digital literacy, the curriculum starts with the basics, ensuring that no business is left behind.
The curriculum also includes local case studies, which help business owners understand their own risks. Learning how a nearby business was hit by ransomware or a phishing scam makes the threat more tangible and encourages action. During Cybersecurity Awareness Month, these examples encourage MSMEs to take proactive steps to safeguard their operations.
Beyond raising awareness, we aim to give MSMEs the tools and knowledge they need to protect themselves and their customers. MSMEs are a vital part of the APAC economy, and if they remain vulnerable, the consequences will be severe—not just for individual businesses, but for entire sectors and economies. Resilient cybersecurity is not a luxury—it’s a necessity for any business that wants to grow in today’s digital environment.
The road ahead is clear: more training, more support, and more collaboration between businesses, governments, and the private sector. The stakes are too high to ignore. If MSMEs are not protected, the region’s economic stability is at risk. The time to act is now.

Anthea Mulakala is director of The Asia Foundation’s APAC Cybersecurity Fund, supported by Google.org; Brian Cute is chief operating officer and director of the Capacity and Resilience Program of the Global Cyber Alliance; and Adrien Ogee is chief operations officer of the CyberPeace Institute. They can be reached at [email protected], [email protected], and [email protected], respectively. The views and opinions expressed here are those of the authors, not those of The Asia Foundation.
Media Contact
Our development experts and staff in Asia, the Pacific, and the United States are available for media briefings and speaking engagements.
For assistance, please contact Strategic Communications:
Eelynn Sim, Director, Strategy and Programs
[email protected]