Supply chain cyberattacks are no longer a niche concern reserved for multinationals with sprawling vendor networks. They are becoming a routine business risk, and Southeast Asia is entering that reality while still short of security talent, uneven in basic cyber hygiene and heavily dependent on third-party technology providers.
That is the clearest takeaway from a new Kaspersky-commissioned survey of 1,714 enterprise IT and security decision-makers across 16 countries, including Singapore, Vietnam, India, Indonesia, and China.
Also Read: Digital Growth, fragile defences: Inside Philippines’s cybersecurity gap
The headline finding is stark: one in three organisations globally said they had been hit by a supply chain attack in the past year. Yet many still lack the people, internal discipline, and contractual leverage needed to deal with the problem.
Talent shortages and operational overload are compounding risk
Globally, 42 per cent of respondents said the shortage of qualified IT security workers was a major barrier to reducing supply chain and trusted relationship risks. The same share said organisations are struggling to prioritise among too many security tasks, leaving third-party risk management exposed.
That lands uncomfortably well in Southeast Asia, where businesses have spent the past decade digitising operations, moving workloads into the cloud, integrating payments and logistics systems, and stitching together regional expansion plans with software from dozens of external partners. Every API, contractor platform, cloud dashboard, and outsourced IT function expands the attack surface. And in many companies, especially those scaling quickly, vendor risk management has not kept up.
The Kaspersky data shows just how uneven the region has become. In APAC markets covered by the study, the share of organisations citing a lack of qualified IT security staff ranged from 34 per cent in Singapore to 57 per cent in Vietnam. Those figures suggest the issue is not limited to less mature digital economies. Even Singapore, Southeast Asia’s most developed technology and regulatory hub, is still wrestling with capacity constraints.
The difference is that in places such as Vietnam, the talent gap appears more acute, while in Singapore the problem is increasingly one of overload. Nearly half of respondents in Singapore, or 47 per cent, said they were juggling multiple cybersecurity priorities. In Vietnam, that figure stood at 48 per cent. India was even higher at 54 per cent.
That matters because supply chain security is rarely urgent until something breaks. Security teams tend to focus first on patching internal systems, responding to active incidents, dealing with audits and meeting compliance demands. The slower, messier work of assessing vendors, reviewing contractor access, updating third-party clauses and validating partners’ controls often gets pushed down the list. Attackers count on exactly that.
Weak governance and trust-based relationships create hidden vulnerabilities
This pattern has been visible in major breaches over the past few years. The SolarWinds compromise showed how malicious code inserted upstream can cascade across customer networks. The MOVEit attacks demonstrated how a single exploited third-party tool can expose multiple downstream victims.
Also Read: The founder’s blind spot: The security question you must answer before growth
Southeast Asian firms were not always named as primary targets in those cases, but the region’s businesses are deeply embedded in the same global software and services supply chains. They do not need to be the original target to suffer the fallout.
What makes the current moment especially risky for Southeast Asia is the region’s uneven cyber maturity. Large enterprises and regulated sectors such as banking and telecoms have generally improved their internal controls. But supply chain security depends on the weakest link across a broader ecosystem that includes software vendors, contractors, managed service providers, logistics partners, outsourced development teams and small suppliers.
The survey suggests many of those relationships are still governed too loosely. Across APAC markets, between 30 per cent and 61 per cent of respondents said their contracts did not include IT security obligations for contractors. Between 25 per cent and 38 per cent said non-IT staff did not fully understand supply chain and trusted relationship risks.
Those are not small operational gaps. They point to a deeper governance problem: cybersecurity remains too often confined to technical teams, while procurement, legal, finance and operations continue to sign or manage vendor relationships without strong, enforceable security baselines. In high-growth companies, especially across Southeast Asia’s startup and mid-market segments, that is a familiar weakness. Vendor onboarding is usually optimised for speed, cost and functionality — not for resilience.
Malaysia offers a useful illustration of the structural challenge. The country is trying to strengthen its cyber capability under the Malaysia Cyber Security Strategy 2025-2030, but the labour pipeline remains under pressure. The Ministry of Digital has projected that Malaysia will need 28,068 cybersecurity professionals by 2026, while earlier estimates placed the existing workforce at roughly 16,765. That gap helps explain why many organisations struggle to continuously monitor third-party exposures even when they know the risks are real.
Even basic cybersecurity practices remain inconsistent
The confidence problem is just as telling. Globally, 85 per cent of businesses said they need to improve protection against supply chain and trusted relationship risks. Only 15 per cent considered their current measures effective.
Also Read: Why AI security demands a different playbook in Asia
In APAC, confidence varied sharply. India, Indonesia and Singapore reported low confidence levels of 11 per cent, 14 per cent and 14 per cent respectively. Vietnam came in at 21 per cent, while China stood out at 34 per cent. That spread may reflect real differences in preparedness, but it may also reflect differences in perception. Either way, low confidence in Singapore and Indonesia is significant. These are markets with growing digital economies, dense vendor ecosystems and rising exposure to cloud and software dependencies.
One especially revealing finding concerns two-factor authentication. It was the most common protective measure identified in the survey, yet adoption remained patchy. Singapore stood out for the wrong reason, with an adoption rate of just 28 per cent. Other APAC markets reported rates above 35 per cent, but still below the global average.
For a region that often presents itself as digitally ambitious, weak uptake of such a basic safeguard is hard to ignore. Two-factor authentication is not a silver bullet, but low adoption suggests that even foundational controls are not being applied consistently across partner relationships. That is often where attackers find room to manoeuvre: not through sophisticated zero-day exploits alone, but through ordinary lapses in identity management, access control and vendor oversight.
Sergey Soldatov, Head of Security Operations Centre at Kaspersky, put the problem plainly: “When security teams are overstretched, understaffed and have to prioritise urgent tasks over long-term resilience priorities, organisations are left exposed to threats that can move silently through their provider ecosystem.”
A fast-growing digital economy built on fragile foundations
That assessment lines up with how many security incidents now unfold. Rather than battering down the front door, attackers compromise a supplier, abuse a trusted connection, hijack credentials or exploit neglected third-party software. The result is the same: businesses inherit risk from partners they depend on but do not fully control.
There is one encouraging signal in the survey, though it comes with a catch. Companies that had already experienced supply chain or trusted relationship attacks were more likely to adopt stronger security practices afterwards. Victims of supply chain incidents were more likely to request penetration test results from suppliers, while organisations hit by trusted relationship breaches more often checked for compliance with industry standards and their contractors’ own supply chain policies.
In other words, some firms are learning — but mostly after taking a hit.
That is a costly way to mature, particularly in Southeast Asia, where digital trust is becoming a competitive issue as much as a technical one. Financial services, healthcare, logistics, e-commerce and manufacturing all depend on interconnected systems and outsourced capabilities. A weak vendor risk posture no longer threatens only internal operations; it can disrupt customer experience, trigger regulatory scrutiny and damage expansion plans across borders.
For startups and growth-stage companies, the message is even sharper. Supply chain security is not just a big-enterprise compliance chore. The moment a company plugs into payment gateways, cloud infrastructure, SaaS tools, outsourced developers or regional fulfilment networks, it becomes part of someone else’s attack path.
Also Read: Cybersecurity has a prioritisation problem, and Hackuity wants to fix it
The survey itself should be read with the usual caution attached to vendor-sponsored research. But its core finding is difficult to dismiss. Southeast Asia’s supply chain cyber problem is not simply about technology gaps. It is about a region moving fast on digital transformation while still underinvested in cyber talent, inconsistent in basic controls and too willing to trust third parties without demanding proof.
That combination is exactly what attackers prefer: fast growth, fragmented oversight and plenty of invisible dependencies.
The post Supply chain attacks are becoming SEA’s new normal appeared first on e27.