By Adrian Hia

Running a small business today means operating with very little room for slack.

Owners are not just managing growth but making constant trade-offs, between hiring and automation, expansion and cost control and what feels urgent versus what is simply important.

Staying lean is not a strategy – it’s just reality. Expenses are stretched and every investment is expected to deliver returns quickly. What keeps the business moving takes priority; what feels less immediate is pushed down the list – not ignored, just not today’s problem. Some risks naturally fall into that category.

They sit at the back of the mind – part of the conversation, but not always part of the decision. Not because business owners underestimate the risks, but the impact is not always visible.

At least, not until it is.

Growth through going digital

As businesses juggle these decisions being made, the environment around them has shifted too.

Going digital is no longer just about efficiency, but access – to customers, to markets and to new ways of working. From digital payments and e-commerce platforms to cloud-based accounting and hybrid operations, much of running a business now sits online.

For many SMEs, this shift was not gradual. It happened quickly, driven by the need to stay competitive, meet customer expectations, or comply with evolving requirements such as e-invoicing.

As adoption accelerates, complexity follows. More devices, more systems, more touchpoints and more data moving across them. While businesses have adapted to this growing digital environment, the way risks are understood and managed has not always kept pace.

This gap creates room for things to go wrong, often unnoticed and only surfacing when something stops working.

As risk moves into daily operations

According to the latest Kaspersky Security Network (KSN) data, over 3.3 million web attacks targeting Malaysian businesses were detected in 2025, averaging around 9,000 attempts each day. It is a scale that suggests risk; this is no longer an occasional risk, but part of the norm.

What is often missed is how these incidents actually begin. They rarely involve highly technical breaches. More often, they start quietly – a phishing email disguised as a business opportunity, a request that appears to come from a familiar contact or a login page that feels legitimate enough to trust. In the pace of daily operations, the warning signs are easy to miss.

Local cases reflect how costly these oversights can be. Business Email Compromise (BEC), for example, has led to reported losses ranging from RM250,000 to as high as RM6.2 million per incident, affecting businesses across industries regardless of size.

By the time the issue is recognised, the consequences are already felt across the business.

Cybersecurity is one of those risks, however it is also one of the few where the starting point does not have to be complex.

Closing the gap between awareness and action

In many ways, the challenge is not a lack of awareness or even access.

For SMEs, this means there are channels to turn to when an issue arises. Platforms such as MyCERT and Cyber999 serve as a point of response for cyber incidents, offering a formal channel to report incidents, seek guidance and better understand emerging threats in the local landscape.

Getting started with cybersecurity is becoming even easier to navigate. A growing number of entry-level tools and learning resources are available to help businesses build a baseline understanding without requiring technical expertise. These range from IT security calculators that put the potential cost of cyber risks into perspective in relation to security investment across different industries, to programmes like cyberhygiene online courses which offer short, practical modules on recognising common threats and improving everyday online habits.

Even with how accessible these tools have become, they are not always factored into business operations and decisions.

Part of this may come down to how risk is perceived. When something does not interrupt operations immediately, it is often deferred.

This is where cybersecurity behaves vastly differently from other business risks. It does not always present itself clearly in its early stages, which is why it is often treated as a future problem – acknowledged but not acted on until the consequences become real, even as more aspects of the business become digitally dependent.

This pattern is not theoretical. In many cases, attacks do not begin with dramatic disruption – sometimes they sit quietly within legitimate processes, trusted software or ordinary-looking traffic. Investigations by Kaspersky, including those campaigns linked to the Lazarus group, have shown how malicious activity can remain hidden for extended periods within commonly used systems or tools relied on for day-to-day operations.

At this stage, the focus has already shifted from prevention to containing the damage and keeping the business running.

In reality, protecting a business in a digital environment rarely comes down to a single decision. Instead, it is shaped by small, everyday choices – how tools are used, how access is shared, how information is handled, how digital workflows are managed and awareness of the threats targeting them – each one subtle on its own but cumulative over time.

In that sense, cybersecurity is not separate from the business. It is shaped in the same moments as every other decision is made. The difference lies in when those decisions begin to take it into account, not as an afterthought, but as part of how the daily grinds run.

-- BERNAMA

Adrian Hia is Managing Director for Asia Pacific at Kaspersky – the global cybersecurity and digital privacy company, where he leads the company’s regional strategy and engagement across the region. With over two decades in the IT industry, he has been closely involved in the evolution of cybersecurity across the Asia Pacific, working with organisations as they navigate increasingly complex digital environments.