In the rush to digitise, small and medium-sized enterprises (SMEs) across Southeast Asia have quietly become prime targets for cybercriminals. While much of the attention goes to high-profile breaches at large organisations, it’s the region’s SMEs, often under-resourced and under-protected, that are facing the bulk of day-to-day cyber threats.

The appeal for attackers is clear. Most SMEs lack dedicated security staff, operate with limited IT budgets, and rely on outdated tools that can’t keep up with today’s threat landscape. Over 80% have no full-time cybersecurity personnel, and nearly 20% don’t have any formal cyber defence plans in place. As businesses expand their digital footprint, embracing cloud communications, AI, and omnichannel platforms, they’re unknowingly widening the attack surface.

Compounding the risk is the fact that many of these companies are embedded in larger supply chains. Breaching a single SME can offer access to sensitive data or systems at the enterprise level. Attackers see them not just as easy targets, but as entry points into bigger prize networks. Over half of corporate data breaches now trace back to third-party vulnerabilities.

At the same time, cybercriminals themselves have evolved. These are no longer isolated hackers. Many operate like businesses, complete with global infrastructure, automated toolkits, and marketplace support. And they’re increasingly focused on the weakest links, communications channels and identity layers, where defences remain inconsistent.

Nima Baiati from Lenovo explains why AI-powered cybersecurity becomes essential Infrastructure in Southeast Asia’s digital economy

But change is happening. For the first time, SMEs have access to tools that offer enterprise-grade protection without the cost or complexity. From monitoring voice and SMS traffic in real time to automating fraud detection and adaptive authentication, these solutions provide live oversight and automated action. Security is no longer just a reactive function; it’s becoming a built-in layer of digital operations.

Still, adoption remains uneven. Many SMEs continue to treat cybersecurity as a checkbox, not an ongoing commitment. Without a scalable strategy, even well-intentioned businesses risk falling behind.

In the next few years, the gap between prepared and exposed SMEs will only grow. Founders, investors, and partners will need to ask tough questions, not just about growth potential, but about resilience in a world where digital risk is constant. One company leading the way in SME protection is 8×8 Inc., and we have Igor Mostovoy, Product Director of CPaaS, share his insights into the region.

Why are smaller businesses such attractive targets for cybercriminals today?

In my experience, cybercriminals find small businesses especially appealing for a few key reasons:

First, SMEs often lack dedicated security teams or enterprise-grade defences, which makes breaching them comparatively easier. Over 80% of SMEs operate without any full-time cybersecurity staff. Attackers see them as “low-hanging fruit” – a smaller effort can yield a surprisingly high payoff.

Second, many SMEs serve as vendors or partners to larger companies. That means a hacker can infiltrate a small firm and use it as a stepping stone into a bigger target’s network. More than 50% of breaches occur through third parties

Third, Southeast Asia’s SMEs are rapidly going digital – from e-commerce to cloud tools to CPaaS communications – and this expanding digital footprint creates more potential entry points for attacks. If security doesn’t keep up, attackers will exploit any gap. 

And attackers today are no longer lone amateurs; they’re organised, well-resourced, and operate globally, including in Southeast Asia. Many operate like businesses, complete with marketplaces for attack tools and support services.

From your perspective, what are the most common blind spots these businesses face in defending against digital fraud?

There are a few recurring themes we see across the region. The first is human risk, which remains the top vulnerability; employees who aren’t trained to spot phishing, impersonation, or social engineering attempts can inadvertently open the door to attackers. Human error contributed to 95% of data breaches in 2024.

Many SMEs overestimate their coverage, thinking antivirus software or basic firewalls are enough – but these tools weren’t built to stop deepfake voice scams or AI-generated fraud. A lack of real-time visibility is a big issue. Many SMEs simply don’t have live insight into what’s happening across their systems, so they often discover fraud only after the damage is done. That ties into the problem of fragmented tools – using multiple, unintegrated security solutions means suspicious patterns can slip through the cracks. 

Lastly, not having an incident response plan is a common pitfall. 19% of SMEs do not have any processes or protection against cyber risks. Even when threats are spotted, many SMEs aren’t prepared to act quickly, allowing a small breach to turn into a much larger problem. More subtly, there’s often a gap between ambition and readiness: businesses want to adopt AI, omnichannel messaging, or CX tools – but haven’t yet secured foundational layers like identity management, authentication, and data access controls.

AI is now central to threat detection, from flagging unusual communication patterns to spotting deepfake voice scams. How do these AI systems work in a CPaaS context, and what does this mean for real-time protection?

AI systems in a CPaaS platform act like intelligent watchdogs, constantly analysing the streams of messages and calls passing through. These AI systems analyse metadata and behavioural patterns: Who’s sending what, when, how often, and from where. For example, if an office normally sends at most 100 SMS messages an hour but suddenly blasts out 1,000+ in 10 minutes, that’s a red flag for potential SMS fraud or a system compromise.

By training machine learning models on what “normal” traffic looks like, we can flag anomalies, like a sudden burst of outbound SMS messages, irregular voice cadence that may indicate deepfakes, or impersonation attempts via spoofed numbers.

Importantly, because this AI is embedded in the CPaaS platform, it operates at scale across voice, SMS, and messaging simultaneously, flagging threats that a human might miss. So when something suspicious arises, the AI can either alert the SME or take automated action, like blocking a message or flagging a call, before the threat becomes a breach. It’s not just smarter protection; it’s faster, more adaptive defence that doesn’t depend on a human watching the screen.

This approach aligns with the growing need in Southeast Asia to make AI work securely and effectively, not just for protection, but to empower digital transformation across sectors like fintech, insurance, and even e-commerce.

Can you walk us through how AI-powered tools from platforms like 8×8 are automating key functions like fraud analysis, policy enforcement, and real-time alerting for SMEs?

AI is helping SMEs secure their communications by doing what manual processes can’t – monitoring traffic in real time, identifying threats instantly, and acting before damage is done. Instead of relying on after-the-fact detection or human oversight, AI systems built into CPaaS platforms like 8×8 automatically analyse behaviour, spot anomalies, and enforce security policies (like blocking messages or calls that violate predefined rules) on the fly.

At 8×8, Omni Shield Self-Service puts this into action. It monitors SMS traffic in real-time using behavioural analytics and phone number intelligence to detect fraud like Artificially Inflated Traffic. When anomalies are spotted, businesses receive real-time alerts or see them on a live dashboard, with the ability to suspend senders or reroute traffic instantly.

Our Verif8 solution adds another layer of protection by automating multichannel OTP delivery and verification across SMS, WhatsApp, and voice. It’s self-service and easy to set up – no developer support needed – making it perfect for SMEs that need fast, secure user verification.

For more advanced needs, our Descope integration offers adaptive MFA and risk-based authentication through no-code workflows, allowing businesses to tailor security dynamically based on user behaviour, all while keeping the experience frictionless. We’re also moving beyond passwords to passkeys and magic links, which support regulatory shifts in markets like the Philippines, where financial institutions are moving away from SMS OTPs to more secure, frictionless login methods.

In short, AI gives SMEs the power of an always-on security team – automating protection at scale, and making enterprise-grade security accessible even for resource-constrained businesses. 

How can SMEs in Southeast Asia approach cybersecurity as a scalable journey rather than a one-off investment? What does a “crawl, walk, run” approach look like in this context?

Cybersecurity isn’t a box to check; it’s a continuous journey that should evolve with the business. I recommend a practical “crawl, walk, run” approach to scaling security.

  • Crawl: Start with the basics – enforce strong passwords, enable MFA (solutions like Verif8 make this simple), regularly patch software, and train employees to recognise common threats like phishing and spoofed links.
  • Walk: Introduce real-time monitoring with tools like Omni Shield to protect high-risk channels such as SMS and voice. Create simple incident response plans and assign roles so your team knows who does what when an alert comes in. This stage is about becoming proactive rather than reactive.
  • Run: As your business grows, invest in more sophisticated controls – AI-based fraud detection, risk-adaptive authentication via Descope, and integrations that bring greater visibility across your systems. At this stage, cybersecurity becomes embedded in your operations, with regular testing, simulations, and continuous improvement.

It’s not about a one-time spend on a product; it’s about steadily upgrading your defenses in a sustainable way. By pacing investments, SMEs can build robust security without overextending themselves and be ready for the new challenges that come with scaling up.

What’s your outlook on how the SME cybersecurity landscape will evolve in the next 2–3 years in Southeast Asia? What trends should founders and investors be watching closely?

The next few years will see significant shifts in how SMEs approach cybersecurity, especially in Southeast Asia’s dynamic digital economy.

First, AI-powered, plug-and-play tools will become more widespread. SMEs will gain access to powerful security technologies, like behaviour-based fraud detection and automated policy enforcement, without the complexity or price tags of enterprise solutions. This democratisation of AI is a game-changer for small businesses.

Second, regulatory pressure will increase. As cyber risks rise and supply chains become more interconnected, we’ll see tighter compliance requirements and growing expectations from business partners and insurers. SMEs that fail to meet minimum security standards may find themselves excluded from contracts or unable to get insured.

Third, threats will get smarter, especially around communications. We’re already seeing deepfake voice scams and AI-generated phishing messages in the region, and those tactics are only going to become more convincing. Attackers know that communication channels are the weakest link, and will exploit them.

To keep up, SMEs will need modular, scalable solutions like Verif8 and Descope that offer instant protection without requiring deep technical expertise. Security-as-a-service models and low-code platforms will help businesses protect themselves without needing to hire large teams.

For founders and investors, the opportunity lies in tools that blend advanced protection with simplicity and scalability. Companies building smart, lightweight security solutions for SMEs – particularly in areas like CPaaS, identity verification, and fraud detection – are likely to lead the next wave of innovation.