Cybersecurity across Asia-Pacific is entering a more complex phase. Organizations are facing pressure from multiple directions at once, including evolving threat actors, expanding compliance expectations, hybrid work, cloud adoption, AI usage, and growing accountability at the board level.

For small and midsize businesses, that complexity can quickly become overwhelming. Many know they need to improve their security posture, but they often struggle to understand where to start, what frameworks apply, which risks matter most, and how to build a security program that supports the business without slowing it down.

In Episode 373 of The 443, Henson Yem, CIO and Technical Services Director at Tang Technology, joins WatchGuard’s Marc Laliberte and Corey Nachreiner to discuss the cybersecurity challenges and opportunities shaping Australia and the broader APAC region.

The discussion makes one thing clear: cybersecurity in APAC is not just a technology issue. It is a business resilience issue.

What are the biggest cybersecurity challenges across APAC?

Across APAC, organizations are navigating a cybersecurity environment shaped by compliance pressure, hybrid work, SaaS adoption, AI usage, and increasingly sophisticated threat actors. For many small and midsize businesses, the challenge is not awareness. Most know they need to improve security. The harder part is understanding what to prioritize and how to build a program that fits the way their business actually operates.

Henson explains that many customers feel overwhelmed by the scale of the cybersecurity problem. They are trying to make sense of multiple frameworks, legal expectations, and technical requirements, often without a dedicated security leader in place. This creates a major opportunity for MSPs to provide clarity, not just technology.

Organizations may ask for a solution that maps to one framework, then another, and then another. But cybersecurity does not work like buying a standard business tool. A framework can help guide priorities, but it cannot replace a security strategy that reflects the organization’s real risks, workflows, and business outcomes.

Cybersecurity is not a one-time project

One of the biggest mistakes organizations make is treating cybersecurity like a single purchase. A firewall, endpoint tool, compliance checklist, or security framework cannot solve the problem on its own.

Cybersecurity must be designed around the business, maintained over time, and adjusted as the organization changes. This is especially important for SMBs that may not have a full-time CISO, a dedicated security team, or the resources to manage risk alone.

That is where MSPs can create meaningful value. The strongest MSPs are not simply selling products. They are helping customers understand their risk, map security to business operations, and build a security stack that reflects how the organization actually works.

Security should be proactive, not reactive. As Henson explains, the mindset is shifting from “we fixed it, call us when there is a problem” to ongoing review, monitoring, and adjustment. Cybersecurity needs routine health checks, not emergency-only intervention.

Why are MSPs important to cybersecurity in APAC?

MSPs play a critical role because many SMBs and SMEs do not have the internal resources to manage cybersecurity alone. They may not have a full-time security leader, a 24/7 security operations function, or the technical depth needed to translate cyber risk into a practical business strategy.

The best MSPs act as trusted advisors. They learn the customer’s workflows, understand their business model, identify where critical data lives, and build a security approach that supports the organization without creating unnecessary friction.

That advisory role is becoming even more important as customers face more compliance pressure, more AI-related questions, and more distributed environments. MSPs can help customers move beyond product-led conversations and toward a more mature approach to risk management.

Compliance pressure is increasing, but frameworks are not enough

Across Australia and APAC, compliance has become a major driver of cybersecurity conversations. Organizations are being asked to align with frameworks, demonstrate accountability, and show that they are taking reasonable steps to protect data and systems.

In Australia, frameworks such as the Essential Eight are often part of that discussion. But compliance alone is not the same as security maturity.

A framework can provide structure, but checking a box does not automatically reduce risk. A security model must account for the organization’s industry, workflows, users, data, applications, and business outcomes.

A retailer with point-of-sale systems, a manufacturer with operational technology, and a professional services firm with sensitive client data may all need strong cybersecurity, but they do not need the exact same implementation.

For MSPs, the lesson is clear: compliance should be used as a guide, not a shortcut. The real value comes from helping customers understand what the framework means in practice and how to apply it without creating unnecessary friction.

Security that ignores the business will fail

One of the most important points from Episode 373 is that security must support the business, not work against it.

Henson describes situations where organizations implemented rigid security controls from the top down without understanding how employees actually work. The result is predictable: users find ways around the controls so they can still do their jobs.

That is a critical warning for security leaders and MSPs. Security that creates too much friction can become self-defeating. If employees cannot complete their work within the approved process, they may look for an easier path. That workaround can introduce new risk, even if the original policy looked strong on paper.

Effective cybersecurity starts with understanding the business. What data is most important? Where does it live? Who needs access to it? How does the organization make money or deliver its mission? What processes are critical to operations?

Once those questions are answered, MSPs can design security around real risk instead of applying generic controls that may not fit.

How is AI changing cybersecurity for SMBs?

AI is changing the cybersecurity conversation in two major ways. It creates new opportunities for defenders, but it also introduces new risks around data exposure, employee misuse, and attacker innovation.

For SMBs, one of the biggest concerns is visibility. Employees may use public AI tools to summarize documents, draft content, analyze data, or troubleshoot issues without realizing what information they are sharing. In many cases, the risk is not malicious intent. It is a lack of governance.

That makes AI policy and education essential. Organizations need clear guidance on what employees can and cannot share with AI tools. They also need visibility into which tools are being used across the business.

Before companies can control AI risk, they need to understand where AI is already being used. For MSPs, this creates a valuable advisory opportunity. Customers need help developing AI usage policies, monitoring AI-related risk, and balancing productivity gains with data protection requirements.

Why does zero trust matter for APAC organizations?

Zero trust matters because work is no longer contained inside a traditional perimeter. Users, devices, applications, and data now operate across offices, homes, public networks, hotels, SaaS platforms, and cloud environments.

This shift makes implicit trust dangerous. Organizations need to verify users, secure access, and protect data wherever it moves. Zero trust helps reduce the risk of unauthorized access while still allowing employees to work productively.

For MSPs, zero trust is not just a technical model. It is a way to help customers modernize security around how business actually gets done today. The goal is not to create friction. The goal is to make secure access practical, consistent, and resilient.

MSPs must secure themselves first

Episode 373 also highlights an uncomfortable truth: MSPs are high-value targets.

Because MSPs manage systems, credentials, security tools, SaaS access, domains, backup environments, and other critical customer assets, attackers see them as a route into many organizations at once. Compromising one MSP can create access to multiple downstream victims.

That means MSPs must hold themselves to a higher standard. They need strong internal controls, secure credential management, zero trust access, monitoring, documentation hygiene, and clear processes for onboarding and offboarding staff.

Customers are trusting MSPs with some of their most sensitive operational data. That trust must be earned continuously.

The best MSPs practice what they preach. They do not simply recommend stronger security to customers. They model it in their own operations.

APAC is not one cybersecurity market

APAC is often discussed as one market, but cybersecurity expectations, maturity levels, government involvement, and business attitudes can vary significantly across countries.

Episode 373 touches on differences across Australia, China, and Singapore. In Australia, organizations often have to take direct responsibility for interpreting and implementing cybersecurity requirements. In Singapore, mature frameworks and strong regulatory expectations provide a useful benchmark for the region. In China, businesses may view security differently because of the government’s role in the broader digital environment.

For MSPs operating across APAC, this matters. A single message or service model may not resonate equally in every market. Regional context, compliance expectations, customer maturity, and cultural assumptions all influence how cybersecurity is understood and adopted.

What should organizations do first to improve cybersecurity maturity?

The first step is to understand the business. Before choosing tools or mapping controls to a framework, organizations need to answer a few foundational questions.

What data is most critical? Where does it live? Who needs access to it? Which workflows are essential to daily operations? What risks could disrupt the business the most?

Once those answers are clear, organizations can build a cybersecurity strategy around real risk instead of generic assumptions. This is where MSPs can deliver significant value. They can help customers move from reactive problem-solving to a more mature, proactive security model that includes technology, process, governance, training, and continuous monitoring.

Security maturity does not happen through a single deployment. It comes from ongoing improvement, practical guidance, and consistent alignment between security and business goals.

The biggest opportunity is security maturity

The APAC cybersecurity challenge is also an opportunity. Organizations do not just need more tools. They need maturity.

That means moving from reactive fixes to proactive security programs. It means shifting from product-led conversations to business-led risk management. It means treating cybersecurity as an ongoing discipline that includes technology, process, training, governance, and continuous improvement.

For MSPs, the opportunity is to become the trusted advisor customers need. That includes helping them understand their actual risk, prioritize the most important controls, improve compliance readiness, establish AI governance, strengthen zero trust access, train users on security expectations, monitor environments continuously, and prepare for incidents before they happen.

The organizations that make this shift will be better positioned to adapt as threats evolve.

The path forward for APAC cybersecurity

Cybersecurity across APAC is becoming more demanding, but the path forward is not simply more technology. It is better alignment between security, business operations, and real-world risk.

The strongest security programs start with listening. They ask what the organization is trying to achieve, where its critical data lives, how its users work, and what risks could disrupt its mission.

For MSPs, that is the opportunity. Customers need guidance, not just tools. They need security partners who can help them cut through complexity, make practical decisions, and build resilience over time.

Listen to Episode 373 of The 443 to hear more insights from Henson Yem, Marc Laliberte, and Corey Nachreiner on the cybersecurity challenges and opportunities shaping APAC.

For continued cybersecurity insights, follow WatchGuard on LinkedIn and subscribe to the Secplicity blog.