Last year three out of four companies in Singapore suffered a breach, and every ransomware victim paid up. For large firms that is costly; for small and medium-sized enterprises (SMEs), it can be catastrophic.

SMEs form the backbone of Singapore’s economy, employing seven in ten workers and contributing nearly half of GDP. Yet they are often the softest targets. The latest State of Cybersecurity 2025 report from Arctic Wolf shows the pressures they face: complex tools that take 20 hours a week to manage, lean security teams (if any), and now a new double-edged risk — artificial intelligence. AI has overtaken ransomware as the top concern for security leaders, but for SMEs, it is also an opportunity they can ill afford to mishandle.

To understand the paradox of being both digitally ambitious and cyber-vulnerable, we spoke with Steve Hunter, Director of Engineering at Arctic Wolf.

Your report shows that 77% of organisations in Singapore suffered a breach in 2024, and every ransomware victim paid. How is this affecting SMEs compared to big companies?

Steve Hunter: Small and medium-sized enterprises (SMEs) often operate with fewer resources, constrained budgets, and limited in-house cybersecurity expertise compared to larger organizations. This makes them particularly vulnerable to cyber threats. A single breach can result in severe operational disruption, reputational damage, and significant financial loss, impacts that can be existential for a smaller business.

Recovery is especially challenging. While large enterprises typically have dedicated, resilient security teams and robust incident response plans, SMEs may lack the capacity to respond swiftly and effectively. The aftermath of a breach can stretch their resources to the limit, prolonging recovery and compounding the damage.

Are smaller businesses more likely to end up paying ransoms, and if so, why?

Steve Hunter: Smaller enterprises often lack robust backup systems and incident response capabilities. So, for many, paying the ransom may be seen as the fastest or potentially only route to restoring operations, even though ransom payment is strongly discouraged by both government and law enforcement agencies.

Compounding the issue, SMEs often lack the leverage and expertise needed for effective negotiation. According to our 2025 Threat Report, ransom negotiations can reduce demands by an average of 64%. However, without access to professional negotiators, many SMEs are forced to accept the attacker’s initial terms, leaving them more exposed and financially strained.

More than half of organisations say security tools are difficult to implement. For a small business with only a few IT staff, is this complexity now the biggest cyber risk?

Steve Hunter: For small businesses with limited IT staff, tool implementation and management can be one of the most significant and often overlooked security risks. Tool sprawl and operational complexity frequently undermine security efforts long before external threats even materialize.

When tools are difficult to implement, integrate, and manage, and staff are stretched thin, it erodes visibility, slows response times, and increases exposure across the attack surface. The result is a cycle of inefficiency and vulnerability, where the sheer number of tools becomes a liability rather than a strength.

Having many tools is not inherently beneficial, especially if they cannot be maintained effectively. In fact, unmanaged tool complexity can pose a greater threat to SMEs than external attacks themselves.

If you were advising a 50-person company, what would a “right-sized” security setup look like in 2025?

Steve Hunter: For a 50-person company in 2025, a right-sized security setup should focus on simplicity, integration, and cost-effectiveness. Core protections like endpoint detection and response (EDR), next-gen firewalls, multi-factor authentication (MFA), and email security are essential. Cloud services should be secured with proper configuration management and access controls, while immutable backups and a tested recovery plan ensure resilience against ransomware. Outsourcing threat detection through managed XDR or MDR services can provide enterprise-grade protection without the need for a large in-house team.

To avoid tool sprawl and operational complexity, SMEs should prioritize platforms that consolidate capabilities — reducing overhead and improving visibility. AI-enhanced tools should be accessible and easy to manage, ideally with automation features that don’t require deep technical expertise. Security awareness training, clear policies, and regular audits round out the setup, helping small teams stay proactive without being overwhelmed. The goal is to build a lean, effective security posture that scales with the business and keeps threats at bay.

The report says AI is now a top driver for cybersecurity plans, but also a top concern. Will AI make it harder for SMEs to keep up with big companies, or can it help level the playing field?

Steve Hunter: There is a duality in AI in enterprise cybersecurity—while businesses gain the capabilities to strengthen their defenses, the same capabilities can be used by attackers to launch more sophisticated attacks. Our 2025 Threat Report highlights this shift: AI has now overtaken ransomware as the top security concern for businesses. This marks a pivotal moment in the threat landscape, where the very tools designed to protect organizations are being mirrored and exploited by adversaries.

For smaller businesses, there’s a risk that the gap with larger enterprises could widen if AI tools remain expensive, complex, and dependent on highly skilled in-house teams. Our data shows that cost and lack of technical expertise are among the top barriers to adopting AI in security operations. That naturally impacts SMEs more than big companies, who have bigger budgets and more people to counter threats.

When AI is delivered in an accessible, integrated, and easy to use, it can be a game-changer for SMEs. This is why we have built AI into our Aurora platform, through tools like Alpha AI and our AI Security Assistant, so smaller teams can automate threat detection, cut through false positives, and make faster, more informed decisions without needing a large security operations center (SOC).

AI isn’t just for large enterprises — it can offer small and medium-sized businesses the same level of protection, provided it’s delivered in a way that fits their resources and realities. When AI tools are affordable, easy to implement, and don’t require deep technical expertise, they become powerful enablers for SMEs, helping them defend against modern threats with the same sophistication as their larger counterparts.

What practical steps can a small business take right now to use AI for defense without creating new security risks?

Steve Hunter: SMEs adopting AI-powered security tools should stay grounded in core security fundamentals — like regular patching, robust incident response processes, and maintaining an up-to-date breach response plan — to ensure AI enhances rather than distracts from essential practices. Choosing hybrid AI tools that support human judgment, rather than fully autonomous systems, helps reduce false positives, enrich alert context, and streamline threat detection while keeping critical decisions in the hands of people.

The report shows insurers are often the ones driving breach disclosure and even ransom negotiations. Are insurers now acting as incident-response teams for SMEs — and is that a good thing?

Steve Hunter: In many cases, yes. Our data shows 23% of Singapore organisations disclosed a breach because their insurer required it, and 83% of ransomware victims engaged a professional negotiator, often arranged through their insurer. The use of professional negotiators reduces the money funding the threat actors, Arctic Wolf’s negotiation team achieves an average of a 64% reduction in the amount of ransom finally paid. For SMEs without dedicated security teams, this can act as a stopgap incident-response capability. It’s a trend we have examined closely in our 2025 Cyber Insurance Outlook Report.

While it is a positive side that insurers can mobilize expert negotiators and legal counsel quickly, it is also reactive; if your first security conversation is after a breach has already occurred, you’re already on the back foot. The best outcomes happen when insurers are part of a broader, proactive security strategy that includes threat monitoring, vulnerability management, and incident response planning. They can be valuable partners, but they should never be the only line of defense.

With Singapore pushing for SMEs to go digital, is enough being done to protect them from cyber threats?

Steve Hunter: Digitalization opens huge opportunities for SMEs, but it also expands their attack surface, and many simply don’t have the resources or skills to manage that risk. Our data shows 77% of organizations in Singapore suffered a breach last year, and malware remains the most common attack vector. That’s a clear signal that more needs to be done.

The good news is we’re seeing stronger incident preparedness; two-thirds of businesses now have an incident-response plan, and 86% use next-gen endpoint security. But gaps remain in areas like vulnerability management and proactive threat detection. To keep pace with the government’s push for digitalization, SMEs need accessible, affordable security operations support and not just compliance checkboxes. That’s exactly the gap that we at Arctic Wolf are working to fill delivering 24/7 monitoring and incident readiness at a predictable cost so SMEs can get enterprise-grade protection without enterprise-level overhead.

If a small business has a tight budget, what three actions should it take in 2025 to protect itself from cyber attacks?

Steve Hunter: SMEs should prioritize high-impact, foundational security steps even as they adopt AI-powered tools. That means keeping systems patched to prevent breaches from known vulnerabilities, ensuring 24/7 threat monitoring through in-house or managed services, and maintaining a current, tested incident-response plan to guide swift action during a breach. When implementing AI, SMEs should opt for hybrid tools that support, rather than replace, human judgment. These tools help reduce false positives, enrich alert context, and streamline detection, while keeping critical decisions in the hands of people. Singapore’s Cyber Security Agency has done a good job of giving practical advice to SMEs through its Cyber Safe program and has kept Cyber Essentials up to date with modern practices in its 2025 refresh and is a great resource for Singaporean companies to use.