When a delivery robot wheels into a lift lobby, calls an elevator, clears access control, and rides up to the correct floor without human intervention, most bystanders see a novelty. Alan Ng sees an infrastructure problem that has barely begun to be solved.

Ng is the founder and chief executive of QuikBot Technologies, a Singapore-based robotics and AI company that aims to do for autonomous machines what TCP/IP did for computers: give them a common language to operate safely in a world that was never designed for them.

“Robots are beginning to move through our cities, but our infrastructure was built for humans,” Ng said. “The Ambient Permission Plane allows robots, buildings, and digital systems to interact safely in the real world. It is the trust infrastructure required for the Physical AI era.”

That framing — trust infrastructure — sits at the centre of everything QuikBot Technologies builds. The company’s flagship orchestration system, QuikSync, allows autonomous machines to coordinate in real time with elevators, access control systems, and building management platforms.

The result is what the company calls the Autonomous Final-Mile Delivery Platform-as-a-Service, or AFMDPaaS: a managed layer that enables robots to perform secure, floor-to-floor deliveries across smart buildings and urban districts without requiring bespoke integration at every site.

Also Read: The new growth metric: AI Share of Voice

The practical applications are already in motion. QuikBot Technologies is operating commercially in Singapore and has expanded internationally, with deployments in Dubai supporting autonomous delivery services alongside FedEx, DHL Express, UPS, and Aramex. For those logistics giants, the value proposition is straightforward: the ability to extend last-mile delivery into the interior of dense, multi-storey buildings without adding headcount.

For QuikBot Technologies, the ambition extends further. The company positions itself not as a robotics hardware maker but as the connective tissue between the physical world and the growing ecosystem of autonomous systems — what the industry is beginning to call Physical AI. As robotics platforms proliferate across offices, hospitals, campuses and logistics hubs, the absence of a shared trust and permissions layer becomes a structural bottleneck. QuikSync is QuikBot’s answer to that gap.

The company’s approach has drawn recognition beyond its immediate commercial traction. Earlier this month, QuikBot Technologies was named Southeast Asia Startup of the Year at the Global Startup Awards, earning a place in the Global Grand Finale scheduled for May 7–8 in Valletta, Malta, alongside the EU-Startups Summit.

Also Read: Half of APAC consumers are tired of poor-quality AI content from brands: Report

The award places QuikBot among the region’s most closely watched deep-tech ventures and marks a signal moment for Singapore’s standing in robotics and smart city innovation.

“This recognition highlights Singapore’s growing leadership in robotics, autonomous delivery, and smart city innovation,” the company said following the announcement.

At the Grand Finale, QuikBot Technologies will compete against regional winners from around the world for the title of Global Startup of the Year. The company is encouraging members of the innovation community to support its bid through a public vote at the Global Startup Awards website.

The timing is not incidental. Singapore’s 2026 national budget has committed more than S$1 billion to AI infrastructure, talent and adoption through to 2030, and a newly established National AI Council is tasked with providing strategic direction for the country’s technological development. QuikBot Technologies sits squarely within that policy context — a homegrown company working on the kind of foundational infrastructure that determines whether Singapore’s smart city ambitions translate into operational reality.

—

Image Credit: QuikBot Technologies

The post QuikBot Technologies, the Singapore startup teaching robots to navigate a world built for humans appeared first on e27.

Singapore’s cybersecurity conversation tends to orbit cloud breaches, phishing links and ransomware gangs. But new figures suggest an older, less glamorous attack route is quietly regaining ground: malware that rides in on USB drives and other removable media.

Kaspersky said it detected and blocked 3,888,967 on-device threats on computers in Singapore in 2025, a 16.2 per cent jump from 2024. The company’s telemetry shows that worms and file viruses accounted for most of the detections: the kind of malware designed to spread quickly from one machine to the next, often without requiring a user to click on anything.

Also Read: Singapore’s cybersecurity paradox: Why we must act now

That matters because “on-device” attacks don’t depend on someone being tricked into opening a dodgy link. Once an infected removable device is plugged in, malicious code can run automatically if the system is misconfigured, unpatched, or simply caught by a strain that security tools fail to stop. In workplaces where files still move around via thumb drives — from small businesses to highly controlled environments that restrict internet access — that’s a straightforward way to bypass perimeter defences.

The numbers also challenge an assumption common in hyper-connected markets like Singapore: that offline malware is fading away in a cloud-first world. Instead, the data points to a persistent and growing exposure surface that is easy to overlook precisely because it feels old-school.

Kaspersky’s Adrian Hia, Managing Director for Asia Pacific, argues that everyday habits are part of the problem, particularly the default trust people place in removable media. “Most users rarely second-guess plugging in an external device despite the fact that such on-device infections remain a very real threat,” Hia said.

Also Read: The AI arms race in cybersecurity: Is your startup ready?

The risk isn’t just nuisance infections. A compromised endpoint can become a staging ground for deeper intrusion, especially if it stores sensitive documents, cached credentials or access tokens. In an enterprise setting, a single infected machine can be enough to seed malware across shared drives, spread laterally within networks, or quietly exfiltrate data.

For startups and SMEs, a major slice of Southeast Asia’s digital economy, the damage can land fast: disrupted operations, incident response bills, and the reputational hit that follows any disclosure.

There is, however, a key caveat: these figures reflect what Kaspersky customers’ devices in Singapore detected and blocked, not a full census of the country’s computers. Vendor telemetry is useful for trendlines, but it is not a neutral, universal measurement — changes in customer base, detection engines, or reporting can influence year-on-year shifts. Even so, nearly 3.9 million blocked threats is a reminder that endpoint security is still doing heavy lifting, and that removable media remains an active delivery channel.

So what should organisations take away from this?

First, treat USB-borne malware as a current threat, not a museum exhibit. “Air-gapped” or restricted networks are not automatically safer if people regularly shuttle files between machines.

Second, basic hygiene still pays: keep systems patched, restrict autorun behaviours, and lock down administrative privileges so a single infection cannot rewrite the whole machine.

Third, have a recovery plan that works under pressure — particularly offline or isolated backups that cannot be tampered with by an infected endpoint.

For individuals, the guidance is even simpler: be sceptical about unknown drives, avoid installing software from untrusted sources, and update devices promptly. The most sophisticated security strategy can still be undone by a single “found” USB plugged in out of curiosity.

Also Read: Hackers using AI to mask identity behind cyber attacks, researchers say

Singapore’s digital economy is moving fast, but the tools people use to move data around often lag behind. The latest spike in on-device detections suggests attackers have noticed — and they’re happy to win the old-fashioned way.

The post Singapore’s malware spike reveals an overlooked cyber risk: USB drives appeared first on e27.

At Echelon Philippines 2025, a panel on impact-driven entrepreneurship brought together Enzo Pinga of Humble Sustainability, Priya Tachadi of Viligro Philippines, Frederic Levy of Lhoopa, and Marc Concio of KITA Agritech, moderated by Carlo Chen Delantar of Gobi Partners.

The discussion centred on balancing social mission with commercial discipline. Panellists were emphatic that purpose alone is insufficient: “Before you are an impact company, you are a company. Not an NGO. So you have to think as a company,” with one noting that “a successful company is one that solves a problem.”

Pricing emerged as a recurring challenge, particularly for startups serving low-income customers who need affordable solutions without compromising business viability.

The post Echelon Philippines 2025 – Purpose in a growth strategy: Why impact-driven startups win in the long run appeared first on e27.

Singapore-based Virdalis has closed a US$700,000 pre-seed round led by Wavemaker Impact, as the biotech startup develops a feed-grade protein ingredient made from Wolffia globosa, a tiny plant better known as duckweed.

The pitch is blunt: most countries are still buying a critical food-system input from a small club of producer nations, and that concentration is a vulnerability.

Also Read: Asia’s biotech boom: Innovation, investment, and a new era of discovery

The company is going after a market it values at more than US$500 billion a year for global animal feed, with protein ingredients alone worth about US$300 billion.

But the bigger claim isn’t market size; it’s sovereignty. Feed protein is shipped across oceans, priced through volatile commodity markets, and exposed to geopolitical shocks. For Southeast Asia, where aquaculture and livestock supply chains are central to food security, that dependence is not theoretical.

Virdalis argues there hasn’t been a realistic way for most countries to produce feed protein domestically at scale without vast farmland and the right climate. Duckweed, it says, changes the constraints.

Why duckweed, why now?

Duckweed is not new to science, but Virdalis is betting it can be industrialised into a repeatable, scalable ingredient. The plant is tiny, grows fast, and can be cultivated without traditional arable land. Virdalis says Wolffia globosa can double biomass within 24-48 hours and reach 40-45 per cent protein by dry weight.

That growth rate matters because feed manufacturers don’t buy novelty; they buy volume, consistency, and cost curves. If a production system can run year-round and avoid the land-and-water footprint of conventional crops, it potentially turns feed protein from an import into something closer to local manufacturing.

Wavemaker Impact is leaning into that geopolitical angle as much as the climate story. Quentin Vaquette, the venture builder’s founding partner, said the appeal is that duckweed could be produced locally in places that currently have no realistic path to domestic feed-protein supply.

“What’s truly transformative is the geopolitical dimension: this is a protein source that any country can produce domestically, turning feed security from a trade dependency into a sovereign capability,” Vaquette said.

He added that duckweed-based systems could produce comparable protein with as little as 10 per cent of the emissions of conventional methods.

“Built by operators” — and aimed at Southeast Asia

Virdalis was founded by James Aujero, previously an executive at Philippine fintech GCash. While headquartered in Singapore, the firm operates in the Philippines, positioning itself close to regional aquaculture and livestock markets where feed costs and supply shocks ripple quickly into consumer prices.

Aujero framed the company’s ambition as reducing dependence on a few exporting countries rather than replacing any single crop.
“Wolffia is the first protein source that frees nations from that dependency — it can be produced anywhere, at speed,” he said.

The startup says it is building proprietary cultivation and processing systems, plus a data-driven operating platform — language that signals an attempt to run biology like an engineered production stack, not a slow academic programme.

What happens next

With pre-seed funding in place, Virdalis says it is scaling pilot production, hiring technical talent, and pursuing initial commercial agreements with feed manufacturers across Southeast Asia.

For Wavemaker Impact, whose debut fund is US$60 million, the deal fits a familiar pattern: back early-stage climate-tech infrastructure plays with large industrial end-markets. For Virdalis, the hard part starts now: proving that duckweed protein can meet feed-industry requirements on unit economics, safety, consistency, and supply reliability, not just biology.

Also Read: ‘Meat’ing the needs of the alternative protein space in Singapore

If it works, the upside isn’t only a new ingredient. It’s a reconfiguration of where feed protein can be produced, and who gets to control it.

The post Virdalis secures US$700K to scale duckweed protein for animal feed appeared first on e27.

Take a look around. The market isn’t just saturated; it’s drowning in sameness. Every industry, from enterprise software to artisanal coffee, is littered with products that are essentially identical twins, separated at birth by a slightly different colour scheme or a few extra lines of code. We are in the age of the incremental tweak, where a “new” idea often means little more than a slightly better user interface bolted onto a century-old business model.

This is the great deception: too many founders believe their competitive edge lies in what, the product’s feature set or the concept’s novelty. They fret over the perfect launch campaign, when their real problem is that their core operation is entirely generic.

Let me be blunt: Your idea isn’t special. And if it is, it won’t be for long. The speed of imitation in the modern economy is frighteningly fast. The true, lasting competitive advantage is never found in the visible, front-end shine. It resides exclusively in the invisible, proprietary architecture you build beneath the surface. It’s in the data, the hidden processes, and the relentless, glorious tedium of your systems.

The database is the new moat

When I examine a business claiming an “edge,” the first thing I disregard is the demo. The second is the financial projection. I go straight to the back end. I ask: What is your proprietary data asset, and what are you collecting?

In a world where algorithms rule, the only true fortress is a data moat. If the insights you use to improve your service can be replicated by a competitor purchasing standard industry reports, you have no advantage whatsoever. You are playing on a borrowed field.

Also Read: Why access to ecosystems is tech’s true equality problem

The companies that win aren’t those with the prettiest dashboard; they are the ones who collect unique, unreplicable behavioral data from their users and feed it back into their product cycle. This creates a virtuous, self-reinforcing loop. Every customer interaction, every tiny click, every point of friction becomes a data point that makes your service microscopically better for the next customer. This aggregated knowledge, this collective history of user behaviour, is the only thing your competitor cannot copy. They can build your app, but they can’t download your years of refined, proprietary user history. That data, that deep, unique fingerprint, is the only sustainable edge you can actually own.

The unromantic discipline of systems

This brings us back to the non-negotiable truth: the edge is built, not conceived. It is forged in the systems and processesthat govern every transaction, every customer support query, and every product iteration.

Most startups are driven by heroic effort. A charismatic founder or an exhausted sales team pulls off miracle after miracle. This is the surest sign of a fatal, underlying flaw: a lack of robust systems. Heroic effort is not scalable; it is a temporary patch on broken processes. It leads to burnout, inconsistency, and chaos the moment the volume spikes.

Also Read: AI is not about automation. It’s about when systems are allowed to learn.

A genuine competitive edge must be built on processes that are so meticulously documented, so consistently executed, and so flawlessly automated that they become invisible. This is the operational fortress. It’s the difference between a competitor who responds to a customer complaint in twelve chaotic, individual steps, and your company, which resolves it in two automated steps and one human verification, logging the feedback into the product roadmap all the while. This efficiency translates directly into lower cost, higher retention, and greater speed.

Your product might get you a meeting, but your systems are what win the war. They allow you to scale without self-destructing. They allow you to maintain quality control when growth hits hyper speed.

So, the next time you are convinced that your company’s salvation lies in a new feature or a marketing gimmick, stop. Take a hard look at the unglamorous underbelly of your business. Are you building a proprietary data engine, or just polishing the chassis?

If your competitive advantage disappeared tomorrow, what essential, internal asset do you own that would still force your competitors to struggle just to keep up?

—

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. You can also share your perspective by submitting an article, video, podcast, or infographic.

The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of e27.

Join us on Instagram, Facebook, X, and LinkedIn to stay connected.

The post Your idea is dead on arrival: The hidden systems that determine your fate appeared first on e27.

Funding in a bear market entails a focus shift from hype to the hard facts of business. According to Crunchbase statistics, North American venture investments declined by 37 per cent in 2023.

This can be attributed to wariness in general. During this period, investors remain vigilant around startups. Despite still having money to invest, there is now a push towards resilient businesses with models and growth trajectories.

Similarly, as noted by an investor, Trace Cohen, an economic downturn sees investors “…investors…are on the lookout for resilient companies that can weather economic downturns”.

In essence, investors today prefer startups whose profitability prospects, revenues, and capital plans are compelling for funding, which are companies that will thrive even when economies are stagnant or dropping.

Back to fundamentals: Profit and revenue growth

For instance, whereas in a bull market, investors were mainly seeking growth, and growth only, in a bear market, no matter how good a growth prospect is, it is not enough for profitability, and good business models are the key. Indeed, as one analysis points out, VCs have “put[ a] laser focus on profitability and the sustainability of startup business models when making investments”.

The importance of profitability is further underscored by Erika Knierim, startup attorney, as she says, “In a bear market, investors seek out businesses with robust value propositions and clear paths to profitability”.

In other words, will this startup actually survive or even prosper without its limitless access to investment dollars? Founders should emphasise their actual revenue earned. No more impressing with meaningless metrics like “users” or huge numbers thereof.

Pitch decks now must demonstrate “How do you make money? And why will people pay you for it?” Investors will be looking at current or near-future revenue generation and strong profit margins. In down markets, “cash is king.” Firms with more cash and greater runway demonstrate better financial management.

Capital efficiency and runway

Closely related to this is capital efficiency. Investors these days ask startups to make every dollar count. “Investors favour capital-efficient companies,” says venture advisor Lance Cottrell, because any startup that burns huge amounts of money before reaching market may die if more funding dries up. In a bear market, VCs expect longer runways, often 24 to 36 months of cash, to avoid raising in a down cycle.

This forces founders to either raise more money at the cost of diluted equity or cut expenses and growth plans. Investors reward startups that can do more with less, such as outsourcing production or focusing on minimum viable features.

As Knierim puts it: “Cash is king in a bear market…Investors will appreciate a lean operation that maximises capital efficiency”.

Also Read: Seizing opportunities: Accelerators as a strategic choice in bear markets

Revenue traction and growth metrics

Of course, profitability is important, but there is also growth momentum. So, investors will be interested to know that a startup’s product is gaining traction and users at a good rate.

However, unlike earlier, today there is a need to demonstrate this growth momentum through financial metrics. For example, revenue growth rate, retention, etc., are some of the aspects that VC investors focus on.

Within pitches, it seems that slide decks have become slightly less detailed, particularly when it comes to a now-at-times included mini “why now” market section, as TechCrunch has reported that entrepreneurship has shifted focus to time and traction for attracting investors.

Within industries that are currently favourable, pitches for startups within categories such as AI, fintech, and climate technology can use the support that comes from being within a popular sector. However, within such an industry, investors still expect to see data: “Many seed-stage startups…raise capital by reaching out to fewer than 50 investors.”

Strong team and execution ability

Investors will naturally look at the team; in a bear market, the founding team may be the deciding factor. VCs will take more risk in a bear market, but value experience in the founding team in terms of execution or in the field when the risk is higher in a bear market. The VCs will ask hard questions about the founding team and the way the company has advanced. Cottrell believes founders should welcome those hard questions.

The fact that one has the right calibre of staff and mentors helps reduce uncertainty among investors. Furthermore, being able to demonstrate your startup skills, like being able to pivot or reduce costs while keeping the company alive, helps.

As one expert says, “VCs are looking more and more for companies ‘built to last’ with strong balance sheets and contingency plans. If your team can confidently communicate their milestones, spend, and projections, this helps build trust.”

Market opportunity and differentiation

Even in a market downturn, market opportunity does matter. Investors fund only startups that solve pressing problems or have an advantage over their peers. During periods of scarce funding, competitive differentiation, technology, partnership, or focus on a niche becomes critical.

For instance, focusing on a specialised market segment today can help a pitch stand out in a crowd. Startups with unique IP, regulatory barriers, or locked-in customer contracts could justify valuations even in a bear market.

Also Read: Thriving when markets tank: Strategic lessons from history’s bear cycles

Importantly, investors assess the size of the addressable market differently now: they prefer defensible markets over just big ones. A large but fractured market may be less attractive than a small market that a startup can dominate. As one VC advises, “be very clear on your end-user and why they will pay now”.

Realistic valuations and terms

Overall, valuations are generally lower during a bear market, and terms are tougher. Founders can expect more serious due diligence and a term sheet reflecting the situation at this point in time.

According to Moonfare’s analysis, startups are often facing “down rounds” and more burdensome deal terms in this environment; investors may demand board seats or liquidation preferences and pay-to-play provisions.

While this might be painful for founders, taking a fair valuation now can preserve more equity in the long run. The key is pricing to market reality. As Robin Guo said, “Don’t raise based on ego, raise based on reality“. Set a pre-money valuation that reflects recent deals and your traction. An investor-friendly cap table today can pay dividends later when the markets recover.

Adapting fundraising strategy

Even startups must make some changes in their way of seeking funding. In an economic slowdown, it will take longer to raise the next round of funding. Hence, startups should focus on building relations. To do this, startups should reach out to investors frequently but briefly, attend every possible meeting in person, and reach out to a wider set of investors.

The founders should also consider alternative financing options, which include grants, as well as corporate investment or bootstrapping in extreme cases. As a matter of fact, every founder needs a ‘plan B’ for accessing funds.

As a seasoned entrepreneur states: “During difficult times, I am far more likely to invest in a company that will use my money to grow rather than one that uses it just to survive”. In simpler words, explain how you plan to use the finances for accelerating growth, as opposed to mere survival.

Conclusion

Funding is not easy in a bear market, although some startup opportunities will emerge depending on how well they fit into the new criteria set by investors. While a bear market is characterised as conservative, startups that offer value and cost efficiency, and have shown how returns can be achieved, will impress investors.

We’ve already learned that, for funders, the same basic principles that are important across any given market have now become non-negotiable. By focusing pitches around profitability, traction, and growth, founders signal that they get it. Ultimately, by doing so, they ensure that they will not only make it through this bear market but also come out even stronger when better times return.

—

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. Share your opinion by submitting an article, video, podcast, or infographic.

Enjoyed this read? Don’t miss out on the next insight. Join our WhatsApp channel for real-time drops.

The post Funding in a bear market: What investors are looking for now appeared first on e27.

The post From hardware to trustware: How cyber passports will prove digital trust appeared first on e27.

Shadow IT used to be easy to picture. Someone signed up for an unapproved SaaS tool, stored sensitive data in it, and security found out later. That pattern still exists, but it is no longer the main story.

The bigger shift is shadow automation. Employees are quietly building automation pipelines across tools the company already uses, plus whatever glue they can access. The result is not a new “app” to discover. It is a new set of data flows and actions that execute inside your environment with limited oversight.

This is why insider risk feels different right now. It is less about a single person doing something bad, and more about ordinary productivity behaviour creating persistent, privileged pathways that no one owns end-to-end.

The new shape of shadow work

Automation has become the default way modern work gets done. People connect forms to spreadsheets, tickets to chat, CRM fields to email sequences, and alerts to on-call rotations. They do it because it saves time and reduces manual errors.

The problem is that the easiest path is rarely the safest path. A “quick workflow” is often built with broad permissions, long-lived tokens, and vague ownership. It runs quietly in the background, sometimes for years, long after the original creator has moved on.

Shadow automation is the same impulse as shadow IT, but with more leverage. It touches multiple systems at once, moves data automatically, and can trigger actions without a human present.

Why automation becomes an insider risk even without malicious intent

Security teams are used to controlling people. Policies, training, approvals, and monitoring are built around human behaviour. Automation bypasses that assumption.

A person can only export so much data in a day. A workflow can export continuously. A person might hesitate before sending sensitive information to an external destination. A script will do exactly what it was told, every time, even if the context changes.

The risk compounds when automation is created by people who are not thinking like engineers. They are not wrong for that. It is simply not their job. But it means basics like least privilege, error handling, logging, and key rotation are often missing.

When something breaks, it usually breaks silently. When something is abused, it often looks like legitimate API activity.

Also Read: Trust by design: Why cybersecurity is the new economic backbone

Where shadow automation hides

Most organisations still look for shadow IT through app inventories and procurement controls. That approach misses the reality of automation because the components look “approved” in isolation.

A workflow tool might be sanctioned. A cloud storage platform might be sanctioned. An internal API might be sanctioned. The risky part is the chain and the permissions that connect it all.

You see shadow automation in personal scripts scheduled on laptops or jump boxes, ad-hoc serverless functions created for a project, webhooks that forward data to external endpoints, and AI agents connected to corporate systems to “help” with tasks.

The common pattern is that automation inherits trust. It uses valid tokens, valid accounts, and valid access routes. That is exactly what makes it hard to see and easy to underestimate.

The blind spot security keeps stepping into

Traditional insider risk programs tend to ask, “Who accessed what?” Shadow automation forces a more uncomfortable question: “What is acting on our behalf, and under whose authority?”

That second question exposes gaps in ownership and lifecycle. Who is responsible when the workflow runs at 2 a.m.? Who gets the alert when it fails and retries? Who reviews its permissions when systems change? Who revokes access when an employee leaves?

If there is no clear answer, you do not have an integration. You have an unmanaged privileged actor.

What “good” looks like without killing momentum

The goal is not to ban automation. If you try, you will create the worst possible outcome: the same automation, but quieter and harder to govern. The goal is to make safe automation easier than unsafe automation.

Start by treating automation as an asset class. That means you maintain an inventory of workflows, scripts, agents, and connectors that can access sensitive systems. You do not need perfection on day one. You need a place where ownership and intent are recorded and can be reviewed.

Next, focus on identity, because automation is identity at scale. Most automation risk is permission risk. Reduce broad scopes. Avoid long-lived keys where possible. Prefer managed identities and short-lived tokens. Make sure every non-human identity has an owner and a reason to exist.

Then address data movement explicitly. In many environments, data is not lost because storage was insecure; it is lost because it was copied into the wrong place as part of a “helpful” workflow. Decide which data types are allowed to flow into which destinations, and enforce it at the connector level where feasible.

Finally, bring change control to the places where it matters. Critical automations should have versioning, basic testing, and a kill switch. Even if the automation is “no-code,” it still needs a lifecycle. The more business-critical the flow, the closer it should look to a software discipline.

The practical first-quarter plan

If you want to reduce risk quickly, do three things in the next quarter.

First, identify your top automation surfaces. Pick the tools and platforms where automations are most likely to exist, and require owners to register anything that touches sensitive data or privileged systems.

Second, implement permission hygiene for automation identities. Review high-privilege tokens and connectors. Remove legacy access that no longer has a clear business justification. Put an expiration expectation on credentials that currently live forever.

Also Read: Cybersecurity: The evolution from digital safeguard to economic governance

Third, improve detection by looking for automation patterns rather than user patterns. Pay attention to unusual frequency, unusual destinations, and unusual chaining across systems. The signal is often not “a weird login,” but “a normal call happening at an abnormal rate.”

The cultural piece everyone avoids

Shadow automation is also a trust issue. Employees automate because they are trying to be effective, and often because official paths are slow or unclear. If security shows up only as a blocker, people will route around it.

A mature approach treats automation builders as partners. Give them safe defaults, clear guardrails, and lightweight ways to get approval for higher-risk workflows. Create a path where someone can say, “I built this,” without fearing punishment.

That is how visibility improves. And visibility is the prerequisite for control.

Closing

Shadow IT was about tools. Shadow automation is about power. It turns everyday access into repeatable execution across systems, often with more privilege and less oversight than anyone intended.

If you want to modernise insider risk, stop focusing only on what employees install. Start focusing on what runs on their behalf. The organisations that do this well will not slow down innovation. They will make automation safer, more observable, and easier to trust.

—

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. You can also share your perspective by submitting an article, video, podcast, or infographic.

The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of e27.

Join us on Instagram, Facebook, X, and LinkedIn to stay connected.

The post Shadow automation: The new insider risk appeared first on e27.

AI agents and chat interfaces are no longer limited to answering questions or recommending content. They increasingly act on behalf of users—approving transactions, scheduling actions, filtering information, and making decisions that once required human judgment. This shift is subtle but profound. When systems act for us, cybersecurity is no longer just about protecting data; it becomes about protecting trust.

When automation enters the workflow

In many organisations, AI agents are introduced to improve speed and efficiency. Customer support bots resolve tickets. Financial systems flag or approve transactions. Internal copilots summarise meetings and suggest decisions. At first, these tools feel like assistants. Over time, they become delegates.

The transition often happens quietly. A system that once suggested an action is now executing it. A chatbot that once escalated issues now resolves them autonomously. This is where the security conversation usually lags behind the product decision.

The moment trust becomes a concern

Trust issues tend to surface only after something goes wrong. A transaction is approved that should not have been. An automated message shares sensitive information. A system makes a decision that no one on the team can fully explain.

What makes these incidents different from traditional security failures is diffused responsibility. No single person made the decision. The system did—based on rules, models, and data pipelines built by multiple teams over time.

When users interact with AI through natural language, the system feels human. That perception increases trust, sometimes beyond what the system actually deserves. Users disclose more information. They question decisions less. Attackers understand this dynamic and exploit it.

Also Read: Hunters in the dark: AI agents and the cybersecurity trade-off

Accountability in machine-led decision

AI agents change how accountability works. In human workflows, responsibility is clearer. A person approves a payment. A manager signs off on access. With AI agents, decisions are distributed across models, prompts, APIs, and permissions.

When something goes wrong, teams often ask:

• Was it a data issue?
• A model behaviour?
• A prompt design flaw?
• Or a lack of human oversight?

From a cybersecurity perspective, this ambiguity is a risk. Systems that act autonomously require explicit accountability frameworks, not implicit trust in automation.

New risks introduced by chat interfaces

Conversational interfaces create security risks that traditional systems did not face. Natural language is flexible, ambiguous, and emotionally persuasive. This opens new attack surfaces:

• Prompt manipulation that bypasses safeguards
• Social engineering through AI-generated responses
• Over-permissioned agents that can act across systems
• Users mistaking confident language for correctness

Unlike classic software vulnerabilities, these risks are behavioural. They sit at the intersection of human psychology and system design.

Overconfidence in AI-driven systems

Founders and teams are often overconfident in AI systems because they appear intelligent. A system that explains its reasoning convincingly can mask uncertainty or error. This creates a false sense of security.

Overconfidence shows up when:

• Human review is removed too early
• Audit logs are minimal or absent
• Edge cases are dismissed as rare
• Security is assumed to be “handled by the model”

In reality, AI systems amplify existing risks if governance does not evolve alongside capability.

Also Read: Trust by design: Why cybersecurity is the new economic backbone

Different sectors, different expectations of safety

Expectations of safety vary widely across sectors. In fintech or health, users expect rigorous controls and clear accountability. In media or productivity tools, the tolerance for error is higher until trust is broken.

AI agents blur these boundaries. A general-purpose chatbot used in a low-risk context today may be embedded in a high-risk workflow tomorrow. Security assumptions must travel with the agent, not the use case.

Rethinking responsibility and risk

The key shift is not technical; it is conceptual. Teams must move from asking “Is the system secure?” to “Who is responsible when the system acts?”

This means :

• Designing AI agents with least-privilege access
• Keeping humans in the loop for high-impact decisions
• Logging not just actions, but reasoning paths
• Stress-testing systems for misuse, not just failure
• Training teams to question AI output, not defer to it

Security becomes a shared discipline across product, engineering, and leadership—not a downstream checklist.

One lesson for building teams with AI today

The most important lesson is simple: do not outsource trust to machines.

AI agents can act, decide, and communicate at scale—but accountability remains human. Teams that build secure, trusted AI systems are not those with the most advanced models, but those that design for scepticism, transparency, and responsibility from the start.

As AI agents continue to take action on our behalf, cybersecurity will be defined less by firewalls and more by how well we understand and govern the relationship between humans and machines.

—

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. You can also share your perspective by submitting an article, video, podcast, or infographic.

The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of e27.

The post The new cybersecurity battlefield: Protecting trust in the age of AI agents appeared first on e27.

Many SMEs in Southeast Asia only realise their finance setup is no longer working when growth accelerates. Processes that once felt manageable begin to strain as transaction volumes increase, additional stakeholders enter, and reporting requirements tighten. 

In reality, clearer workflows and stronger process visibility enable problems to be identified much earlier, before delays, errors, and cash-flow blind spots become structural.

The issue is not poor execution. More often, finance systems in SMEs are designed for stability rather than growth.

SMEs power Southeast Asia, but finance is still treated as an afterthought

Small and medium enterprises dominate Southeast Asia’s business landscape. Across the region, SMEs account for roughly 97 per cent of businesses and contribute over 40 per cent of GDP.

Despite their scale, many SMEs still rely on manual, disconnected processes for core finance tasks. Research by the Economic Research Institute for ASEAN and East Asia (ERIA) highlights persistent barriers to digital adoption in developing Asian markets. These include limited business knowledge, gaps in ICT skills, and a lack of localised support.

We see the same pattern in mature markets like Australia. Even with great tech available, an October 2025 OFX report found that 80 per cent of Australian SMEs still rely on manual processes to reconcile expenses. In fact, nearly 38 per cent of business owners report that simple manual data-entry errors are their biggest daily headache. 

It’s a classic case of ‘if it isn’t broken, don’t fix it’ until the manual workload finally becomes too heavy to manage.

Finance issues follow predictable patterns as businesses scale

As SMEs grow, financial complexity increases faster than many teams expect. Invoice volumes rise. Transactions multiply. More people touch the process. Customers and suppliers operate across borders. Regulatory and reporting requirements tighten.

When finance processes are not redesigned for higher volumes, familiar issues begin to surface:

• Invoices are sent late or tracked inconsistently
• Approvals are concentrated with one individual
• Reconciliation is rushed at month-end
• Cash flow visibility becomes limited

These challenges are not surprising. They are the natural outcome of processes that were never redesigned as volumes increased. 

Consulting and software surveys repeatedly point to the same outcome. Weak invoicing and reconciliation processes that depend on spreadsheets or email lead to delayed payments, write-offs, and significant time spent chasing basic financial information.

Also Read: Security, trust, and the future of finance in an AI-driven world

Automation is about reducing friction, not adding tools

Automation is often misunderstood as a large-scale system change or a heavy transformation, when in reality it is primarily about reducing operational risk and manual friction.

For most SMEs, progress starts much smaller.

OECD research on SME digitalisation shows that smaller firms adopt digital tools more slowly than larger organisations, even though the efficiency gains are often proportionally greater. The challenge is rarely technology alone. It is deciding where to start and what to simplify.

In practice, effective automation focuses on removing repetitive friction:

• Standardised invoice workflows
• Automated reminders instead of time-consuming follow-ups
• Approval steps that do not depend on one person
• Fewer instances of entering the same data multiple times

The priority is reliability first. Speed and sophistication follow naturally once the basics are stable.

A practical three-step reset for SME finance

For SMEs looking to improve finance operations, a phased approach is often the most effective.

• Step 1: Make the workflows visible

Document how invoicing, payments, expenses, and compliance actually work today. Simple process mapping often reveals duplication, unclear ownership, and hidden bottlenecks.

• Step 2: Fix the biggest point of friction

Focus on one or two problem areas, such as unpaid invoices, approval delays, or reconciliation backlogs. Small, targeted improvements here often deliver immediate operational and cash flow benefits.

• Step 3: Connect workflows over time

Gradually link invoicing, payments, reconciliation, and reporting so information flows with fewer handoffs. This is where finance shifts from record-keeping to decision support. Research by McKinsey has shown that connected finance workflows can significantly shorten close cycles, in some cases from weeks to days.

Also Read: Why perfect carbon audits could cripple climate finance — and what to fix instead

What consistently works across SMEs

Across SMEs in Singapore and the wider region, several patterns are consistent:

• Small, focused improvements outperform large system overhauls
• Early clean-up reduces operational and compliance risk
• Clear records make audits, fundraising, and reporting easier

When finance operations are stable and predictable, less time is spent fixing errors and more time is available for planning and execution.

The payoff of clear finance processes

Finance rarely becomes a problem overnight. It becomes one gradually, as systems fail to keep pace with growth.

Effective finance operations do not need to be complex. They need to provide dependable visibility. Knowing who owes the business money, what needs to be paid, and where cash stands makes day-to-day operations calmer and month-end faster.

As Southeast Asia’s SMEs continue to expand across borders and operate in increasingly regulated environments, financial maturity will become a competitive advantage rather than a compliance requirement. Clear, connected finance processes provide the operational foundation for sustainable growth and long-term competitiveness.

—

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. You can also share your perspective by submitting an article, video, podcast, or infographic.

The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of e27.

Join us on Instagram, Facebook, X, and LinkedIn to stay connected.

The post The SME finance reset: 3 steps to fix what’s breaking your growth appeared first on e27.