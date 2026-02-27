SMEs THE “WEAKEST LINK”

Singapore’s CII sectors are governed by the Cybersecurity Act, which imposes higher security standards and mandatory incident reporting obligations.

But experts warn that while these companies may be tightly regulated, the ecosystem around them may not be.

CII operators rely on vendors – which include SMEs – for logistics, software development, engineering and professional services.

Yet, many of these smaller firms are not directly regulated under the Act.

In a highly connected digital ecosystem, weaker cybersecurity at smaller vendors can provide threat actors with a foothold that may lead to larger, more strategically important organisations, experts say.

“It is a massive weakness,” said Mr Nicky Choo, vice president and general manager for Asia-Pacific at cybersecurity provider Mimecast.

“Every organisation that does business with every large organisation that's part of the critical infrastructure is a target for attack. So, a lot of cyber attackers now go after the weakest link, which is the easier way in,” he added.

According to the CSA’s Singapore Cyber Landscape 2024/2025 report, ransomware cases rose by 21 per cent in 2024, with 159 incidents recorded.

Manufacturing and professional services were among the most affected, with the majority of the attacks in the professional services industry targeted at SMEs.

Mr Gaurav Keerthi, CEO of cybersecurity firm Strongkeep, said SME incidents may be more common than official numbers suggest.

“It’s a lot of voluntary declaration if there is an incident … But generally, we think there's a massive under-reporting of cases in the SME space.”

He added that attackers are increasingly drawn to smaller firms.

“(They’re) easier to attack. It's gotten more lucrative to get some money out of these smaller companies, and many of them have become more digital in the last few years.”

With over 350,000 SMEs operating in Singapore as of 2024, the sheer volume of smaller firms provides attackers with many potential entry points.

“Unfortunately, the smaller companies, despite being more heavily targeted, continue to be less protected than the rest of the economy,” Mr Keerthi said.