Covid-19 has triggered the rapid adoption of remote work culture and online activities, which has exacerbated cybersecurity concerns in Indonesia. In this regard, the Indonesian cybersecurity market primarily focuses on network security and advanced malware analysis. It is projected that together they will account for 68% of the total market by 2022. Overall, the cybersecurity market in Indonesia is estimated to grow at a CAGR of 5.5% and reach $488 million by the end of 2022.
- Definition / Scope
- Market Overview
- Key Metrics
- Top Market Opportunities
- Market Drivers
- Market Restraints
- Industry Challenges
- Technology Trends
- Regulatory Trends
- Other Key Market Trends
- Market Size and Forecast
- Market Outlook
- Technology Roadmap
- Distribution Chain Analysis
- Competitive Landscape
- Key Market Players
- Strategic Conclusion
Definition / Scope
Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from cyber attacks. Anything connected to the internet is exposed to cyber threats. Cybersecurity is the need of the hour because of rising cyber security complexity and the proliferation of IoT, mobile networks and cloud-based channels, growing peer-to-peer transactions that require users to disclose personal identity, and the increasing adoption of emerging technologies such as robotics, artificial intelligence and quantum computing. McAfee, a cyber security firm, projects that cyber crime costs the global economy $450 billion annually. In addition, it is estimated that the financial impact of cyber attacks is over $2 trillion in the ASEAN region. With digitization and connectivity becoming the norm of the 21st century, people and companies alike are exposed to the increasing risk of cyber threats such as:
- Malware is an all-encompassing term for a variety of cyber threats, including Trojans, viruses and bombs. Malware is simply defined as code with malicious intent that typically steals data or destroys something on the computer.
- Phishing attacks often pose as a request for data from a trusted third party. They are sent via email and ask users to click on a link and enter their personal data.
- Password attacks refer to acts in which a third party tries to gain access to a user’s system by cracking the user’s password.
- DDoS stands for Distributed Denial of Service, an attack that focuses on disrupting the service of a network. Attackers send high volumes of data or traffic through the network until the network becomes overloaded and can no longer function.
- By impersonating the endpoints in an online information exchange (that is, the connection from a smartphone to a website), man-in-the-middle (MITM) attacks can obtain information from the end users and the entity the users are communicating with. The MITM will receive all the information transferred between both parties, which could include sensitive data, bank accounts and personal information.
- In the case of drive-by downloads, malware on a legitimate website causes a program to be downloaded to a user’s system just by visiting the site. It does not require any type of action by the user to download it.
- Malvertising is a way to compromise your computer with malicious code that is downloaded to the system when you click an affected ad.
- Rogue software is malware that masquerades as legitimate and necessary security software that will keep the system safe.
Cybersecurity is a key factor in Indonesia’s transition to a digital economy. In 2018, Indonesia was ranked 41st in the world in the Global Cybersecurity Index. The country’s cybersecurity industry is still considered to be in a nascent stage, including its regulations, national strategy development, governance and international partnership. With the boom in the Indonesian economy, the country is also becoming a major target for cyber attackers. In 2019, the country was the target of 232 million cyber attacks and, as a result, faced a loss of revenue of $33.7 billion.
Indonesia’s digital space is different from that of counterparts like Singapore and Malaysia. It is a net information exporter and is heavily reliant on foreign companies for everything from its hardware to its information highways, making its national security architecture susceptible to cyber attacks. Indonesia is also home to the highest number of internet users globally, with over 80 million active users accessing online services across multiple devices.
In a bid to fortify its cyber security industry, Indonesia set up a cyber and encryption agency in 2017. In line with this, the government of Indonesia has established multiple cybersecurity protection agencies, such as the National Cyber Security Strategy and the State Cyber and Crypto Agency (BSSN). However, this has not been effective. The future of Indonesia’s cybersecurity, therefore, rests upon cooperation between public and private stakeholders to rapidly respond to the recurring cyber threats.
In 2020, the global cybersecurity market was worth $173 billion and is estimated to grow to $270 billion by 2026. The cyber security market was estimated at $100 billion in 2017 and is projected to grow to US$173 billion in 2022 at a CAGR of 11.6%. The Asia Pacific cyber security market is expected to outperform the global market because of the rising demand for data safety and cybersecurity management. The market is expected to expand from $20 billion in 2017 to $40 billion in 2022 at a CAGR of 14.6%.
Indonesia ranks 77th in the National Cybersecurity Index, 41st in the Global Cybersecurity Index, 111th in the ICT Development Index and 73rd in the Networked Readiness Index. This shows that Indonesia still lags behind in the development of its cybersecurity and ICT landscape.
The agencies and community responsible for the oversight and management of cybersecurity in Indonesia are led by the Ministry of Communication and Information Technology (MCIT) and supported by multiple government agencies to further coordinate and consolidate the cybersecurity agenda.
In 2010, MCIT was created to work on information security in collaboration with the government. It includes different directorates general and information security teams, which function to protect cyber health in the country. Besides this, Indonesia has established an Indonesian Computer Emergency Response Team (ID-CERT) and an Indonesian Academic Computer Security Incident Response Team (CSIRT) to build collaboration within the cybersecurity community in the country.
ID-CERT serves as a support agency that works with the government to develop the cybersecurity ecosystem in the country. Indonesia also has a support institution for government organizations, the Indonesia Security Incident Response Team on Infrastructure (EN-SIRTII).
Key Market Metrics
|Metric|Value|
|---|---|
|Market Revenues (2021, USD)|$488 million|
|Market Growth Rate (2022-2025, %)|5-6%|
|Number of Companies in the market|–|
|Market Concentration (% of market share held by top 3 market players)|–|
Top Market Opportunities
Growth of Fintech sector necessitates cybersecurity
In the last few decades, Indonesia has seen unprecedented growth in its Fintech market and digital content, which have proved to be integral contributors to its ICT sector. It is projected that Indonesia needs at least 800 FinTech companies to fill the financing demand gap of $74.1 billion. Due to the rise in adoption of digital payment and FinTech solutions, investment in the FinTech sector is also estimated to exceed $8 billion by the end of 2021.
The banking and financial services sector was the highest contributor, generating 39% of the overall cybersecurity revenue in Indonesia. Similarly, the public sector contributed 20% of cybersecurity revenue. In 2020, during the Covid-19 surge, there was a 200% increase in cyber attacks, particularly in the banking sector. The financial services sector is the largest spender on cyber security in the country, and the market is expected to grow at a CAGR of 7.5% till 2025. This sector has strong demand for DDoS mitigation, hosted web application firewall, and security asset management and monitoring services.
Government and Public sector
With a 20% stake, the government and public sector of Indonesia is the second-largest revenue contributor for cybersecurity, owing to strong demand for key infrastructure protection services. Now more than ever, these entities are switching to online services, which makes them vulnerable to cyber attacks. In 2019, Indonesia faced 1.35 million web attacks. The attackers primarily targeted government agencies, including the General Elections Commission, Defense Ministry, Indonesian Child Protection Commission, Indonesian Association of Muslim Intellectuals and the chairman of its advisory board. In 2020, data on at least 2.3 million voters from the General Election Commission (KPU) was leaked and sold in online forums.
Growth in the E-commerce platform
By 2021, the e-commerce market in Indonesia is estimated to be valued at $30 billion. In the first half of 2020, the Ministry of Communication and Informatics (MOCI) reported 40% more internet users during the Covid-induced lockdown. As per a report by the Mobile Marketing Association, during the pandemic 70% of Indonesian consumers have tried at least one new digital service, such as online groceries, digital entertainment, online learning, and work-from-home software.
The increase in internet traffic has also increased the number of cyberattacks in Indonesia. In May 2020, Indonesia experienced a six-fold surge in cyberattacks, especially targeting e-commerce firms. For instance, Tokopedia, an Indonesian e-commerce platform, was hacked, leaking the details of 91 million users online. Following this incident, Bhinneka, another e-commerce player, also suffered a cyber attack in which sensitive information of 1.2 million account holders was accessed.
With the advent of the pandemic, there has been a surge in the use of e-commerce platforms in the country, which further substantiates the need for cybersecurity resilience in this sector.
Safeguarding healthcare data
Since the Covid-19 outbreak, major hospital operators in Indonesia have introduced their own teleconsultation services, which has further added to the cyber security risk in the country. One effort to curtail cyber security threats through better cybersecurity and data management was an initiative known as LaporCovid-19, introduced by the UK government’s Digital Access Programme (DAP) to support the Indonesian government. The impact of cyberattacks on hospitals and healthcare systems is projected to be almost $6 billion annually. To combat this enormous cost, the healthcare cyber security market is estimated to be over $10.85 billion globally by 2022.
Collaborate with partner countries and regional exchanges
International collaboration is a key part of Indonesia’s cyber security growth. Indonesia continues to actively participate in and contribute to regional, sub-regional and multilateral cyber security collaboration efforts. In 2018, Indonesia signed a bilateral MOU on cyber security cooperation with Australia. Indonesia is also a full member of the Asia Pacific CERT (APCERT), FIRST (Forum of Incident Response and Security Teams), the ASEAN Centre of Excellence modelled on the NATO Cooperative Cyber Defense Centre of Excellence, and the Organization of the Islamic Conference-CERT (OIC-CERT), among others.
Indonesia’s commitment to cybersecurity
According to a survey by Palo Alto Networks, around 84% of Indonesian firms aim to raise their IT budget, and 44% of them will allocate over half of their IT budget to cyber security investment. Companies in Indonesia are more committed to increasing their IT budgets than the ASEAN average of 73%.
Start-ups and small-medium enterprises
The Indonesian start-up ecosystem is critical in modernizing traditional sectors like banking, telecommunications, agriculture, logistics, retail, resources and public services. Start-ups are expected to boost digital adoption and increase the use of cybersecurity solutions in the country. As of May 2020, the country is home to over 2,000 digital start-ups and five tech unicorns. The start-up ecosystem is supported by a diverse range of accelerator/incubator programs, co-working spaces, and venture capital investors.
Surge in cyber attacks
Indonesia is the fourth most populated country in the world, and a digital divide is prevalent in the country because of uneven distribution of infrastructure and a dearth of awareness and literacy. All of this makes Indonesia the 4th most susceptible country in the world to cyber threats, making it prey to 3% of the world’s cyber attacks in 2020.
According to A.T. Kearney, ASEAN countries such as Indonesia, Malaysia and Vietnam are hotspots for malware attacks, especially relating to blocked suspicious web activities, which are 3.5 times higher than the standard ratio. It is projected that there were over 232 million occurrences of cyber attacks in Indonesia in 2018, making it one of the world’s most targeted countries for cyber attacks.
Indonesia’s capabilities in the cybersecurity scene are still in their infancy, and the country is no stranger to cyber-attacks. Since the advent of the Covid-19 pandemic, there has been a 109% surge in phishing, spam and ransomware attacks, underscoring the importance of enterprise-level protection against such threats. As per the National Cyber and Encryption Agency (BSSN), Indonesia recorded more than 88 million cyberattacks in the first quarter of 2020, with over half of the cyberattacks consisting of malware and phishing scams.
According to a PwC 2020 report, Indonesia’s average IT security budget stands at $1.4 million, which accounts for 3.2% of its overall IT budget. This is low compared to the global average IT security budget of $5.1 million. The report disclosed that the majority of cyber-attacks were phishing, fraud, malware and spyware attacks, followed by exploitation of mobile devices, operational technology systems and mobile payment systems.
By 2025, Indonesia’s digital economy is expected to contribute $150 billion to its GDP. The Indonesian government plans to support the digitization of 8 million SMEs by 2020. In response to its drive for digital transformation, the Indonesian government has started many national initiatives, including Go Digital Vision 2020, e-smart IKM and the 100 Smart City Movement. These initiatives intend to cultivate local start-ups, nurture Small to Medium Enterprises (SMEs) and develop the condition of the internet of things (IoT) in the country. In preparation for Industry 4.0, Indonesian industries are encouraged to use digital technologies such as big data, autonomous robots, cyber security and cloud.
McKinsey reveals that by 2025 Indonesia can register economic growth of $150 billion, or 10% of its Gross Domestic Product (GDP), if it embraces digital technology, which will support the growth of Small and Medium Enterprises in the country. Consequently, this will require a robust cybersecurity system in the country.
As of 2019, Indonesia had over 150 million internet users, the fourth largest number in the world. Because of the lax cyber security system in the country, Indonesia is subject to frequent cyber attacks, specifically hacking cases targeting government and corporate websites. Some government institutions, including the General Elections Commission, Defense Ministry, Indonesian Child Protection Commission, Indonesian Association of Muslim Intellectuals and the chairman of its advisory board, have become prey to malicious activities.
Lack of cybersecurity commitment
Cyber security investment in the ASEAN region was $2.59 billion in 2018, which comprises only 0.06% of regional Gross Domestic Product (GDP). As per a report by Deloitte, there is low investment in IT security management amongst the ASEAN countries. These nations are likely to spend 48% less on information security systems compared to developed nations. Indonesia is in the nascent stages of its cybersecurity drive and struggles to embrace Zero Trust.
Indonesia already has specific legislation on combating cybercrime, chiefly the Law of the Republic of Indonesia No. 11/2008 concerning Electronic Information and Transaction, and several compliance standards including the SNI/ISO Information Security Management System. However, unlike neighbors such as Singapore and Malaysia, Indonesia does not have a formal national strategy in place covering all critical infrastructures necessary for cybersecurity.
In 2015, during the 5th Asia Pacific Regulator’s Roundtable, the Indonesian government showed its commitment to formalizing a national cybersecurity strategy. In light of this, the Ministry of Communication and Informatics and the Indonesian Telecommunication Regulatory Authority presented the Indonesia National Cybersecurity Strategy. Five years later, Indonesia still struggles to envision actionable steps forward in consolidating its cybersecurity platform.
Lack of regulatory initiative
Indonesia has a complex web of regulatory bodies handling cybersecurity in the country. Indonesia’s cybersecurity laws and regulations are spread across different ministries, resulting in fragmented responsibilities. At present, there are only two primary regulations handling the state of cyber security in the country: the 2016 Law on Electronic Information and Transactions and the 2012 Government Regulation on the Implementation of Electronic Systems and Transactions.
In 2019, Indonesia put forward a cybersecurity bill that required certifications, accreditations and approvals as well as local content requirements, which added to the complications of Indonesia’s cybersecurity for the private sector. As a result, the bill was condemned and withdrawn from the parliamentary agenda in 2020 and 2021.
BSSN Regulation No. 8/2020 on Security Systems in the Implementation of Electronic Systems is a technical regulation requested by Article 24 of GR 71/2019. It lays out the need for public and private operators of electronic systems to ensure the safety of their information management. However, these laws and regulations do not handle cyber interception or e-commerce governance. They also do not regulate the government’s roles in the cyber security system. To fill this gap, the government needs to pass a cyber security bill in the House of Representatives and introduce a revised cybersecurity bill that is all-encompassing for public and private stakeholders.
The cyber security industry in Indonesia is fragmented and complex, involving multiple institutions, which include:
- In 2017, the Indonesian government established the national cyber and crypto agency to formulate the cyber security system in the country.
- Likewise, the Defense Ministry handles cyber defense and governance in the country.
- The police deal with cyber crimes and have also set up a cyber directorate to ensure safe cyber practices.
- Moreover, the Foreign Affairs Ministry conducts cyber diplomacy for diplomatic solutions in relation to cyberspace issues.
- Apart from this, the Communication and Information Ministry formed a response team to ensure internet security in Indonesia.
Since cyber security in the country is overseen by multiple institutions, proper coordination amongst them appears to be a key challenge.
Indonesia needs to address many challenges on the road to cybersecurity. Indonesia lacks the vision and governance to mark cybersecurity as a national priority. The country also lacks awareness of information security; has incomplete and fragmented cyber laws and policies; suffers from a dearth of organization, coordination and cooperation between concerned stakeholders and agencies; lacks critical and integrated infrastructure protection mechanisms and standards (application and data); and, most essentially, has a shortage of skilled ICT professionals.
Outdated cybersecurity infrastructure and lack of awareness
According to Palo Alto Networks, 75% of Indonesian companies consider legacy IT infrastructure a cybersecurity challenge. There is an absence of ICT infrastructure protection mechanisms and standards in the country. This is followed by low understanding of cybersecurity among employees and management, with over 40% considering it to be a key deterrent to the growth of the cybersecurity industry. Besides this, they also consider risk from third-party service providers to be one of the challenges that needs to be addressed.
Evolution of cyber security threats
Rapid technological evolution makes threat monitoring and response more difficult, especially with the rise of encryption, multi-cloud operations, the proliferation of the Internet of Things (IoT), and the convergence of operational technology (OT) and IT. According to International Data Corporation, Indonesia’s ICT spending appears to reach $29.5 billion in 2020 and will decline at a CAGR of 7% beyond 2020 because of the Covid pandemic. Indonesia is embracing technologies such as AI. The development of AI is one of five focus areas for Indonesia to become an innovation-centered economy. Indonesia is the fastest growing internet economy in the world, with a growth rate of 40%.
AI is used in cyber attacks as well as in cyber threat defense. AI-based systems are used by nation-state hackers to spread misinformation and campaigns, weaponising social networks and instant messaging apps to influence the sentiment of the population in ways that fuel civil disorder. There are over 160 million Indonesians, or 59% of the total population, who are active social media users. As per a survey by Appier, Indonesian companies top the list in AI implementation, with 65% adopting or expanding the use of AI.
Cyber attackers are also continuously evolving their tools, techniques and tactics. Adding to the strain, many organizations’ security and IT capabilities are at a nascent stage, with limited or minimal visibility of the fast-evolving cyber threat landscape. Microsoft, in its Security Endpoint Threat Report, revealed that Indonesia had the highest malware encounter rate in Asia Pacific and also experienced high levels of cryptocurrency mining and ransomware attacks in 2019.
Risk management in the cloud
Conventionally, Indonesian companies were reliant on local data storage and single data centers. They have now switched to cloud-based solutions. Following the uncertainty brought about by data sovereignty, Indonesians have now adopted local cloud solutions. The key players in cloud migrations in the country are Microsoft, Telkomtelstra and Alibaba.
The International Information System Security Certification Consortium (ISC)² revealed that the global IT security skills shortage has crossed the 4 million mark, with a shortfall of 2.6 million in the Asia Pacific region alone. It is estimated that there will be a shortage of 3.5 million people working in cyber security jobs by the end of 2021.
Indonesian firms are facing a critical shortage of IT talent. The country is estimated to have a shortage of 9 million skilled and semi-skilled ICT workers by 2030. It is estimated that Indonesia’s digital industry requires 600,000 skilled workers annually to meet the growing demand for IT professionals across different verticals, ranging from corporates to public institutions to small and medium enterprises.
Technology is a double-edged sword as the same technology is used by the attacker as well as the security community. So, technology needs to continuously evolve to tackle these sophisticated attacks. The various cybersecurity tools used in Indonesia include:
|Category|Purpose|Tools|
|---|---|---|
|Identity Authentication Access Management (IAAM)|Enables authorized individuals to access resources at the right times for the right reasons|Web access management; Identity Access Management (IAM) tool|
|Infrastructure Protection|Prevent threats at end-points, databases and cloud|Endpoint protection; Email gateway; Web gateway; Security information and event management; Vulnerability assessment; Data loss protection|
|Network Security Protection|Protect network (e.g. corporate network)|Internet Service Provider (ISP) equipment; Firewall; Virtual Private Network (VPN); Unified Threat Management (UTM)|
|Security Services|Strategic or operational service protection against cyber threats|Implementation; Support services; Managed Security Services (MSS); Consulting services; Governance Risk and Compliance services (GRC); Training|
Strong regulatory framework
In Indonesia, BSSN and Kominfo, under the Ministry of Communications and Information Technology, are the two government entities that oversee matters related to cyber security. Kominfo was established in 2007 and coordinates and monitors early warning and detection systems and legal action related to cybersecurity. BSSN has also identified 10 critical national infrastructure areas that are prone to cyber attacks. These include law enforcement, energy and mineral resources, transportation, finance and banking, health, ICT, agriculture, defence, emergency response and water treatment.
Security spending for critical infrastructure protection is projected to be worth $109 billion by 2020. Indonesia backs the norms outlined in UN General Assembly Resolution 70/237, which states that there must not be any intentional damage or impairment in the use and operation of critical infrastructure.
Indonesia’s cybersecurity regulatory framework is weak and loosely enforced. The underdeveloped regulation discourages foreign firms from entering the industry over concerns about data security and protection. There is no standalone cybersecurity law in Indonesia; instead, the country relies on other laws that reinforce cybersecurity growth, including:
|Law or regulation|Description|
|---|---|
|Law No. 11, 2008 on Electronic Information and Transactions (ITE)|This is the first cyber law in Indonesia that regulated online content and electronic transactions. It contains provisions related to (1) electronic information, records and signature; (2) electronic certification, transactions and systems; (3) domain names, intellectual property rights and protection of privacy rights; (4) prohibited acts; (5) investigation.|
|Law No. 19, 2016 (EIT Law)|The EIT Law is the revised version of Law No. 11, 2008. It covers several offences such as distributing illegal content, breach of data protection, unauthorized access, and illegal and unauthorized interception or wiretapping. It provides legal protection for the content of electronic systems and transactions.|
|Government Regulation No. 71/2019 on Implementation of Electronic Systems and Transactions|Based on the EIT Law, 2016, GR 71/2019 contains updates related to the implementation of cybersecurity in electronic systems and transactions. It contains stronger provisions regarding the protection of personal data and information, and website authentication to avoid fake, fraudulent or scam websites. It only covers cybercrimes related to electronic transactions and misuse of data. Because of the limited coverage of the EIT Law and GR 71/2019, there needs to be a proper response to ever-changing cyber threats.|
|Ministry of Defense (MOD) Regulation No. 82/2014|It provides cyber defense guidelines for national security defense against cyber threats. National cybersecurity covers threats to national security, national sovereignty and territorial integrity. Unlike the EIT Law, the regulation covers critical infrastructure protection, such as for financial and transportation systems, developed by the MOD for the National Armed Forces.|
|Law No. 14, 2008 on Public Information Disclosure|This law regulates information that is produced, stored, managed, sent and received by a public agency. This law also provides access to public information except classified information. It also identifies classified information.|
|Law No. 17, 2011 on National Intelligence|It is associated with the identification of government secrets.|
|Law No. 25, 2009 on Public Service|It identifies critical or strategic sectors for public services, such as education, health, energy, banking, transportation, natural resources, ICT and tourism.|
|Law No. 23, 2006 on Citizen Administration|This law contains provisions related to the protection of citizens’ personal data, including date of birth, citizen number and family certificate number.|
|Government Regulation No. 82, 2012 on Electronic System and Transactions|Out of nine matters regulated by government, it regulates seven matters related to Provision of Electronic Systems, Electronic Agent Operator, Provision of Electronic Transactions, Electronic Signature, Provision of Electronic Certification, Trust Mark Certification Body and Domain Name Administration.|
Other Key Market Trends
Surge in Ransomware and Malware attacks
According to Microsoft’s report, in 2019 Asia Pacific experienced malware and ransomware attack rates that were 1.6 and 1.7 times higher, respectively, than the worldwide average. In particular, Indonesia recorded the highest malware and second highest ransomware attack rates in the Asia Pacific region, at 10.68% and 0.14% in 2019.
In Indonesia, fraud, phishing, malware and spyware attacks are a common phenomenon. A Security Endpoint Threat Report by Microsoft in 2019 revealed that Indonesia was one of the countries most vulnerable to malware and ransomware threats. In 2017, Indonesia was a victim of the WannaCry ransomware attack, which infected 12 companies, including plantation and manufacturing firms, as well as universities.
Cryptocurrency mining attacks
Cryptocurrency mining attacks are most prevalent in markets with low cyber awareness and poor cyber hygiene practices, like Indonesia. Indonesia has the fourth highest encounter rate in the region, which stood at 0.10% in 2019.
Drive-by download attack volume in Asia Pacific has declined by 27%, converging at 0.08, the same as the rest of the world. Indonesia, however, has experienced drive-by attack volume of 0.12, 1.5 times higher than the regional and global average. Microsoft discloses that Indonesia holds one of the highest densities of drive-by download pages in the world, along with the likes of Malaysia and Taiwan.
In 2021, it is estimated that there will be a significant increase in cyber espionage campaigns carried out by state-sponsored hackers. State-sponsored attackers aim to gather intelligence on strategic intellectual property, which can give their governments a technological and economic advantage in the post-COVID-19 world. Advanced Persistent Threat (APT) groups linked to Russia, China, Iran, and North Korea have the ability to perform malicious operations against countries worldwide, especially the US, Europe, and the Middle East, due to the escalating tensions between the nations.
In 2019, Indonesia experienced a cyber attack executed by a state-sponsored hacking group linked with Chengdu 404 Network Technology in China that targeted business houses in Indonesia. Likewise, Australia was a major suspect in spying on the then Indonesian president, Susilo Bambang Yudhoyono, his wife, Ani Yudhoyono, and other senior officials through their mobile phones in 2007 and 2009.
Market Size and Forecast
The cyber security market in the APAC region is expected to grow at a CAGR of 20% within the 2019-2025 forecast period, and the security services segment holds a 60% market share in the region.
The market for cyber security services in ASEAN is projected to reach $5.6 billion by 2025. The ASEAN region appears to be keen on embracing the digital economy. However, the region’s cyber security is still at an early stage and is short of talent and capabilities, with fragmented vendor relationships, all of which creates operational complexity and vulnerabilities. For continued cybersecurity commitment, it is estimated that between 2017 and 2025, ASEAN countries need to spend around $171 billion collectively on cybersecurity.
The global cybersecurity market has grown steadily over the years and is estimated to be worth $202 billion by the end of 2021. Within this, Indonesia’s cyber security market alone is estimated to reach $488 million by the end of 2022 and is expected to be worth $1 billion by 2025.
The Indonesian cybersecurity market includes network security and advanced malware analysis. It is projected that together they will account for 68% of the total market by 2022. The cybersecurity market is estimated to grow at a CAGR of 5-6% and reach $488 million by the end of 2022.
Indonesia is on the crux of digital first strategy and modernization where large corporation such as Fintech, education, E-commerce hospitals as well as the government agencies are shifting from paper based systems to integrated networks. During the first wave of pandemic in 2020, electronic transactions grew to $1 billion and e-commerce transactions also rose by 26% as per the report by bank of Indonesia.
The global cybersecurity spending will steadily increase over the years and reach $187 billion by the end of 2021. This is because of the shift to remote work during the Covid-19 pandemic which has increased the chances of a cyber-breach. With the integration of technologies in the economy, Indonesian’s government agencies and financial institution are becoming the target of cyber attacks. In this regard, key opportunities in cybersecurity lies in consulting and advisory along with network security services.
Indonesia is one of the fastest growing emerging countries in ASEAN and has been gradually increasing its cyber security spending from $520 million to $1036 million between 2020 and 2025. Indonesia is estimated to spend 1.6% of GDP on digital infrastructure compared to its neighbors like Singapore (4.5%) and Malaysia (6.6%).
The future outlook of cyber security market
- In 2023, spending on cloud security tools is likely to escalate from $5.6 billion in 2018 to $12.6 billion.
- In 2023, spending on cloud security solutions is estimated to be $1.63 billion rising from $636 million in 2020 at a 26.5% CAGR.
- In 2023, spending on Infrastructure Protection is estimated to surge from $18.3 billion in 2020 to $24.6 billion, at a 7.68% CAGR.
- By 2020, global IT security spending is likely to reach $128 billion, of which endpoint security tools comprise 24%.
- According to IDC, 70% of all breaches appear to originate at endpoints, regardless of the increased IT spending on this threat surface.
Indonesia’s Cybersecurity Market
Indonesia’s cybersecurity industry is still immature and dominated by foreign hardware and software products. Only the local consulting industry has grown well, providing services such as digital forensics and security.
- Network solutions are the largest contributor, accounting for 67% of the cybersecurity market share in the country. The segment is projected to grow at a CAGR of 20% by the end of 2022. Network solution providers offer firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and Secure Sockets Layer Virtual Private Networks (SSL VPN). The key adopters are banks and government institutions.
- Over the next five years, the cybersecurity market is projected to grow at a CAGR of 23%. The largest adopters of cybersecurity are service providers, banks and government entities, all of which have strict compliance requirements relating to data security, protection and privacy.
- The second highest contributor to the cybersecurity market in Indonesia is secure content management, which constitutes 19.5% of the total market. This segment is estimated to grow at a CAGR of 13.4% by the end of 2022.
- Network-based Advanced Malware Analysis (NAMA) and Web Application Firewalls hold 6% and 3% of the market, respectively. Sandboxing is also showing gradual growth following government encouragement to use security analytics and code emulation.

| Segment | Description | Trend |
|---|---|---|
| Managed Security Services (MSS) | On-premise solutions were a popular choice owing to legacy infrastructure; however, a shortfall of talent and lower costs are expected to make the market for managed security services surge in the near future. | Growth |
| Intrusion Detection and Prevention System | Advanced authentication is widely adopted in government and financial institutions. Social media and e-commerce platforms have implemented MFA systems. | Growth |
| Identity Management | As per CBS, Indonesia has the 6th highest number of internet users in the world. Protecting their data is the mainstay of the country’s national security plan. | Stable |
| Secure Networks, Email and Web Security | A surge in phishing attacks and the adoption of cloud networks in Indonesia have led many businesses to invest in cybersecurity. | Growth |
| Advanced Persistent Threat (APT) | APTs are a constant threat to FIs in Indonesia. Considering this, several APT-related trainings and workshops are organized against such threats. | Stable |
| Threat Intelligence, Detection and Remediation | In 2017, Indonesia formed a National Cyber and Encryption Agency to protect cyber domains by tracking cyber crimes and perpetrators. | Stable |
| Advanced Endpoint Detection and Response | The Indonesian Ministry of Communications and Information Technology released Regulation No. 20/2016 relating to privacy protection and data security. | Stable |
| Internet of Things (IoT) Security | Indonesia is focusing on threat intelligence, monitoring and detection due to increasing cases of cyber attacks arising from the IoT and digital convergence. | Growth |
| Supervisory Control and Data Acquisition (SCADA) Security | The Indonesian National Cyber Agency identifies and protects digital assets and infrastructures, driving the use of SCADA across critical services. | Stable |

Indonesia’s economy post Covid
Prior to the COVID-19 crisis, Indonesia was able to maintain consistent economic growth, qualifying for upper-middle-income status. With a population of 263 million, Indonesia is the fourth most populous country in the world. It is one of the largest economies in the ASEAN region, boasting 170 million internet users, and is forecast to generate over $130 billion in revenue by the end of 2025. This translates to almost 45% of the estimated total market for ASEAN.
Post Covid-19, Indonesia faced its first recession since the 1998 Asian financial crisis as its economy declined by 2.1% in 2020. It is estimated that 3.5 million people lost their jobs due to the coronavirus downturn. However, as per the Asian Development Bank’s forecast, Indonesia’s GDP growth is projected at 4.5% in 2021 and will rebound to 5% in 2022.
Even so, Covid-19 shows no sign of subsiding anytime soon and has accelerated the adoption of technologies such as e-commerce, financial technology, video conferencing, telemedicine and online education. The COVID-19 pandemic has underscored Indonesia’s transition into the digital economy, as millions of Indonesians increasingly resort to virtual experiences for their e-commerce, entertainment and even education needs. With this trend becoming a way of life, there are increasing instances of cyber attacks in the country.
Due to Indonesia’s poor cybersecurity system, the country is subject to frequent attacks. For instance, in just a matter of a week during the Covid lockdown, Indonesia experienced 1.35 million web attacks. These attacks are primarily hacking cases targeting government and corporate websites. Some government institutions, including the General Elections Commission, Defence Ministry, Indonesian Child Protection Commission, Indonesian Association of Muslim Intellectuals and the chairman of its advisory board, have become victims of these cyber attacks.
Indonesia accounts for 40% of the ASEAN population and the same share of the region’s GDP. Despite high mobile penetration and a large base of digital consumers, the cybersecurity market is smaller than in established markets. The market is less competitive but holds immense growth potential due to the country's transition to a digital-first economy.
Post Covid cybersecurity risks
Threat actors exploiting the uncertainty and extraordinary response caused by the Covid-19 pandemic have relied on social media phishing, malware, data breaches and other scams involving malicious links, advisories and monetized attacks. Some COVID-19 themed attacks in Indonesia include:
- Phishing emails with malicious Microsoft document attachments containing health information, which trigger the download of Emotet or Trickbot malware.
- Phishing emails disguised as originating from various government Ministries of Health or the World Health Organization and reporting preventive measures, which come embedded with malware that solicits user credentials and passwords.
- COVID-19 tax rebate phishing that baits recipients into visiting a fake website that gathers financial and tax information from unwary users.
Cyber criminals are exploiting COVID-19 concerns, adapting and updating their attack methods. Attackers have been pivoting their ransomware, phishing and other malware delivery infrastructure and highlighting Covid-related keywords to capitalize on people’s vulnerabilities. To fight criminal activities in the digital space, Indonesia should apply and maintain critical security patches, firewalls and anti-virus software across the entire IT landscape, especially when working remotely.
Covid-19 has induced a shift to remote work, which brings immediate cybersecurity risks. Working from home does not guarantee the same level of cybersecurity as an office environment, so remote workers are more prone to attacks. As many SMEs switch to a Bring Your Own Device (BYOD) approach rather than a Corporate Owned Personally Enabled (COPE) approach, there has been a 47% spike in phishing scams while working at home.
Cyber-attackers are capitalizing on people’s interest in coronavirus-related news by introducing malicious fake coronavirus related websites. The average cost of a data breach resulting from remote working is estimated to be $137,000. In the first quarter of 2020, over half a million people were affected by breaches in which the personal data of video conferencing services users was stolen and sold on the dark web. Recently in May 2021, personal data of almost 279 million Indonesians was leaked and sold on a hacker platform.
In Indonesia, there has been an increase in spending on MFA services in combination with system-as-a-service solutions, including file sharing, virtual-desktop infrastructure and communication platforms, essentially by small and medium enterprises. Mobile phones are a key source of user identification across e-commerce and digital banking services. The majority of mobile applications are developed for Android, as this operating system accounts for 90% of market share in Indonesia. Since 60% of the population use smartphones, this segment requires MFA protection.
Rather than adding staff or budget, companies are automating routine tasks. Companies dealing in outsourcing services, especially managed-service providers, are funding security orchestration, automation and response tooling. Cyber attacks are also increasingly being automated, so the only way to reduce and prevent the volume of threats is through automation. In Indonesia, it is estimated that nearly 16% of total work hours will be automated by 2030. As per Exabeam’s 2019 survey, 88% of cybersecurity professionals believe automation will make their jobs easier, and a mere 10% view automation as a threat to their jobs.
Security for trusted third parties
In Indonesia, 60% of the ICT and software are sourced internationally. This shows that Indonesian firms are heavily reliant on foreign firms to address their software and ICT needs.
Big data and data analytics
Indonesian companies such as Bukalapak have built an R&D center focused on AI to support their business. Indonesian consumers are increasingly using e-commerce and ride-sharing platforms post Covid, resulting in large pools of data. Considering this, AI and identity management players like Kata.ai are safeguarding data from the ensuing cyber threats.
Distribution Chain Analysis
There are different distribution channels for ICT in Indonesia. One popular option is to appoint a local distributor, which imports the required cybersecurity-related ICT products and sells them to customers. International firms can also partner with local companies or form a joint venture to minimize the risk involved in entering the market alone.
60% of the ICT requirements in the country are met internationally, whereas only 30% of joint assembly is conducted for software design in-house. Currently, there are no cybersecurity technologies produced locally. After the Covid outbreak, Indonesia’s spending on hardware is expected to decline by 7.7%.

| Product | HS Code | Import Duty |
|---|---|---|
| Automatic Processing Data Machines | 84.71 | 0-5% |
| Parts and Accessories of Automatic Processing Data Machines | 84.73 | 0-5% |
| Telephone sets for Cellular and Wireless Networks | 85.17 | 0-10% |

Indonesia is a member of the Information Technology Agreement (ITA) under the World Trade Organization (WTO), a trade agreement that eliminates import tariffs on specific IT and telecommunications products. Indonesia has pledged to impose duty on intangible goods such as software, e-books, music and other items purchased online. Indonesia’s Law No. 17/2006 mandates that software and the transmission of electronic data through the internet are considered taxable goods. Once approved by the WTO, the Ministry of Finance will formulate a new regulation that specifies the import duties for intangible goods.
On the other hand, the Intellectual Property Rights (IPR) enforcement mechanisms in Indonesia still need to be improved especially due to the presence of counterfeit products and piracy issues.
In Indonesia, local security services providers and telecommunication operators have started to build their security centers and offer cybersecurity solutions. They are capitalizing on the capabilities and experience of foreign firms by entering into partnerships with foreign players.
Key Market Players

| Cyber Security Players | Revenue | Security Services |
|---|---|---|
| TelkomTelstra | $40 million | A cybersecurity solution provider headquartered in Jakarta, Indonesia. It offers an end-to-end customized managed solutions portfolio and infrastructure by leveraging its vast global and domestic network. The sectors that adopt its offerings are financial services, the public sector, manufacturing and service providers. |
| Binaryworks | $1 million | It offers information security services that focus on improving network and system security. Its growth strategy is to create its own products that can be applied across multiple platforms. It is widely adopted in the healthcare, financial services, transportation and manufacturing sectors. |
| Xynexis | $23 million | Headquartered in Jakarta, Indonesia, it offers managed security services through its subsidiary Noosc. The company delivers information assurance based on in-depth business and industry knowledge that helps companies manage a Security Operations Centre (SOC) and monitor internal security risk profiles. The sectors that employ its services are the public sector, financial services, retail and manufacturing. |
| FireEye | $940 million | Founded in 2004 and headquartered in California, the company offers network, endpoint, email, managed and cloud security. It also offers Mandiant Consulting and Managed Detection and Response (MDR) services to help clients analyze security risks, investigate cybersecurity attacks and protect against malicious software. |
| Fortinet | $2.15 billion | Founded in California in 2000, it offers network and computer security and consulting services, including anti-virus programs, intrusion prevention, network access control and web application firewalls. It is renowned for its Unified Threat Management (UTM) and Next-gen Firewalls (NGFW). |
| Check Point | $2.06 billion | Headquartered in Israel and California, Check Point is an American-Israeli provider of software and combined hardware and software products for IT security, including network security, endpoint security, cloud security, mobile security, data security and security management. |
| Cisco | $49.3 billion | Cisco Systems is an American multinational technology conglomerate headquartered in California. It develops, manufactures and sells networking hardware, software, telecommunications equipment and other high-technology cybersecurity solutions. Through its numerous acquired subsidiaries, such as OpenDNS, Webex, Jabber and Jasper, Cisco specializes in specific tech markets, such as the Internet of Things (IoT), domain security and energy management. |

Increased remote work means greater cyber risks and calls for a greater focus on cybersecurity. The rate of cyber attacks appears to be accelerating rapidly in Indonesia. Currently, the country is a victim of a series of phishing scams, malware and ransomware attacks.
The state of cybersecurity in Indonesia is very fragile. To address this issue, the country should invest in the sector and develop home-grown capabilities and talent in cybersecurity. The future of cybersecurity rests upon cooperation between private and public stakeholders and the enactment of proper cyber regulations to govern cyber activities, especially in the data privacy protection domain, which is most vulnerable to cyber threats.

| Abbreviation | Definition |
|---|---|
| API | Application Programming Interface |
| APT | Advanced Persistent Threat |
| ASEAN | Association of Southeast Asian Nations |
| BSSN | National Cyber and Encryption Agency |
| BYOD | Bring Your Own Device |
| CEO | Chief Executive Officer |
| CIIs | Critical Information Infrastructures |
| CAGR | Compound Annual Growth Rate |
| DDoS | Distributed Denial of Service |
| GDP | Gross Domestic Product |
| HS Code | Harmonized System |
| IAAM | International Association of Advanced Materials |
| IoT | Internet of Things |
| ICT | Information and Communication Technology |
| ID-CERT | Indonesian Computer Emergency Response Team |
| CSIRT | Computer Security Incident Response Team |
| ISO | International Organization for Standardization |
| IEC | International Electrotechnical Commission |
| IPR | Intellectual Property Rights |
| ITA | Information Technology Agreement |
| MDR | Managed Detection and Response |
| PIN | Personal Identification Number |
| PTPMA | Foreign Investment Company |
| R&D | Research and Development |
| SMEs | Small and Medium Enterprises |
| WTO | World Trade Organization |