Cybersecurity Basics Every Indonesian SME Should Cover
The minimum cybersecurity baseline for Indonesian SMEs in 2026 — what to do, what to avoid, and where the real risks are.
Most SME cybersecurity advice is either too generic to act on or too enterprise-focused to apply. Here’s a baseline that actually fits an Indonesian SME — what to do, what’s overkill, and where the real risks live.
Where the real threats are for SMEs
It’s not state-sponsored hackers or zero-day exploits. It’s:
- Phishing emails that trick employees into wiring money or giving up credentials.
- Compromised passwords reused across services, exposed in breaches at other companies.
- Unpatched software with known vulnerabilities.
- Insider mistakes — accidental data leaks, lost laptops with no encryption, ex-employees who still have access.
- Ransomware delivered through phishing or unpatched systems.
These five account for 90%+ of actual SME compromises. A baseline that covers them well makes you a poor target. Sophisticated attackers don’t waste time on hardened SMEs; they go after softer ones.
The baseline that’s actually achievable
1. Turn on multi-factor authentication everywhere
This single step blocks the largest threat category. Email, banking, accounting, payroll, and any cloud service that holds business-critical data should require MFA.
Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) rather than SMS wherever the service allows it. SMS-based MFA is better than nothing, but it is vulnerable to SIM swap attacks, which are increasingly common in Indonesia.
Cost: free. Time to roll out: 1–2 weeks of awkward training. Single highest-leverage thing you can do.
2. Centralised password management
Stop sharing passwords via WhatsApp or Google Sheets. Use a password manager (1Password, Bitwarden, LastPass). Each employee gets their own account; shared passwords get stored in the manager and shared via the manager’s sharing feature.
This solves three problems at once: weak passwords (the manager generates strong ones), reused passwords (each service gets a unique one), and offboarding (when an employee leaves, you remove their access in one place).
Cost: Rp 50rb–150rb/employee/month. Setup: 2–4 weeks for full rollout.
3. Email security beyond the default
Set up SPF, DKIM, and DMARC records on your domain. Without these, attackers can spoof emails from your domain (impersonating your CEO is a popular scam). With them, your emails are also less likely to land in spam folders.
For inbound mail, your email provider (Google Workspace, Microsoft 365) has built-in phishing detection: turn it on, set it to the stricter protection levels, and review the quarantine occasionally.
Cost: a few hours of setup. Free or already included in email subscription.
4. Endpoint protection
Every laptop and phone with access to company data should have:
- Up-to-date OS (auto-updates enabled)
- Disk encryption enabled (FileVault on macOS, BitLocker on Windows, screen lock on phones)
- Antivirus / anti-malware (Windows Defender is fine for most SMEs; the built-in protection on macOS is sufficient if it is kept up to date)
- Auto-lock when idle
The hardest part of this is the policy, not the technology. Make it required and verify periodically.
Cost: Rp 0–500rb/device/year depending on tooling.
5. Regular software updates
Operating systems, browsers, key applications. Updates that patch security vulnerabilities are released constantly; lagging behind is a risk that compounds.
For SMEs without dedicated IT staff, the practical version is: enable auto-updates everywhere, then audit quarterly to make sure they’re actually happening.
6. Data backups, tested
Backups are useless if they don’t restore. Most SMEs that lose data to ransomware have backups in theory. They’ve never tested whether the backups actually work.
The minimum: critical data backed up daily (most cloud-hosted services do this for you), stored in a separate location, restorable. Test the restore at least once a year.
Cost: usually included in the services you already use. If not, Rp 200rb–2 juta/month for backup tooling.
7. Offboarding process
When an employee leaves, you should be able to revoke their access to all systems within an hour. Most SMEs take days or weeks, sometimes never.
Build a written offboarding checklist. Include: every cloud service, password manager access, email forwarding, shared folders, physical access (keycards). Run through it on every departure.
This is mostly process, not technology. Free except for the time to set it up.
8. Phishing awareness training
Annual or twice-annual awareness training for all staff. Not the boring compliance kind — practical examples of what current phishing looks like, with a quiz at the end.
Many off-the-shelf training programs exist; pick a Bahasa Indonesia one if your team is more comfortable in it.
Cost: Rp 100rb–500rb per employee per year.
What’s overkill for most SMEs
Things you don’t need yet:
- A SOC (Security Operations Center). Genuinely overkill below 200 employees.
- Penetration testing. Useful occasionally for SMEs with public-facing software, but most SMEs benefit more from doing the basics well.
- ISO 27001 certification. Only if a customer is asking for it.
- Dedicated security software stack. Most SMEs are better served by configuring what they already have than by adding another tool.
What this actually costs to maintain
For a typical Indonesian SME doing the baseline well:
- Initial setup: Rp 30–80 juta if outsourced, less if you DIY.
- Ongoing: Rp 50–150 juta/year (mostly software subscriptions and occasional consulting).
- Per-employee cost: roughly Rp 800rb–1.5 juta per year for the security-related tooling.
The baseline doesn’t make you immune. It makes you a poor target. Combined with backup and recovery practices, it removes most of the catastrophic risk.
If you’re trying to assess your current security posture or figure out where to start, an hour of conversation usually clarifies it. We do those at no cost.