The Urgency of Digital Security and Cybersecurity in Indonesia: A Priority That Cannot Wait

Indonesia is racing toward a digital future. With more than 221 million internet users and a penetration rate of roughly 79.5%, the nation’s digital economy is projected to approach US$100 billion (about Rp1,672 trillion) in 2025 — the largest in Southeast Asia. Yet behind this impressive growth lies a danger that too often goes unnoticed: Indonesia’s digital security is in a critical state.
The pace of digital transformation has far outrun the readiness of its cyber defenses. As a result, every new economic opportunity also opens a door for cybercriminals. This article explains why cybersecurity in Indonesia is no longer optional — it is the foundation that determines business continuity, public trust, and national data sovereignty.
An Alarming Surge in Cyberattacks
Figures from Indonesia’s National Cyber and Crypto Agency (BSSN) paint a picture that is far from safe. Throughout 2025, Indonesia recorded around 5.5 billion cyberattacks — a sevenfold jump, or roughly a 714% increase, compared to the annual average across 2020–2024. The trend has shown no sign of slowing: in just the period from January 1 to April 15, 2026, some 1.52 billion attacks were logged.
The overwhelming majority of these attacks are malware-driven. In the first half of 2025, about 83.68% of traffic anomalies were malware-based, and that share rose to 93.8% in data through September 2025. The most frequently detected strains include the Mirai Botnet, Remcos RAT, and various trojans. The most targeted areas are digital services, government institutions, e-commerce, and the financial sector — domains that hold the largest volumes of data and transactions.
What makes the situation even more pressing is that BSSN officials describe today’s attacks as behavior-based and increasingly powered by artificial intelligence. Modern malware can mutate the moment it is detected, which means legacy defenses relying on manual detection are no longer adequate.
Real Losses, Not Just Statistics
Cyberattacks have shifted from a potential threat to actual financial damage. Indonesia’s Financial Services Authority (OJK), together with the Indonesia Anti-Scam Center (IASC), reported that losses from online fraud exceeded Rp2.6 trillion through May 2025 — and that figure does not even account for reputational harm, system recovery costs, or lost customer trust.
Micro, small, and medium enterprises (MSMEs) are among the most vulnerable. Many small traders across the country who have only recently embraced online marketplaces end up as fraud victims, despite having the fewest resources to recover.
New threats are also emerging. The Ministry of Communication and Digital Affairs reported that deepfake content in Indonesia has surged by as much as 550% over the past five years. The technology is used to forge identities during customer verification at banks and fintech firms, with the average loss per corporate deepfake incident reaching around US$250,000.
Why Is Indonesia Such an Easy Target?
Several structural reasons make Indonesia especially exposed:
- High internet penetration, low security literacy. New users are joining at a rapid pace, but awareness of phishing, strong passwords, and data hygiene lags far behind. Scammers exploit this gap directly.
- The human factor remains the weakest link. Verizon’s Data Breach Investigations Report (DBIR) for the financial sector found that around 60% of incidents involve a human element — negligence or social manipulation. Even sophisticated technology can be breached by a single careless employee click.
- Digital infrastructure is growing faster than its governance. Many organizations adopt digital services without a mature security framework, leaving misconfigurations and unauthorized-access points ripe for exploitation.
- The sheer value of the data. As the region’s largest digital economy, the personal and transaction data of Indonesian citizens is a prized commodity on the dark market.
The Regulations Exist — Enforcement Is the Key
Indonesia has not stood still. Law No. 27 of 2022 on Personal Data Protection (the PDP Law) marks a new era in data governance, and it carries serious penalties:
- Administrative sanctions of up to 2% of a company’s annual revenue. For a firm with Rp5 trillion in revenue, the potential fine could reach Rp100 billion.
- Criminal penalties for severe violations, such as falsifying personal data (up to 6 years’ imprisonment and/or a Rp60 billion fine) and illegally buying or selling personal data (up to 5 years and/or a Rp50 billion fine).
- Additional corporate penalties, ranging from confiscation of profits to dissolution of the business.
The transition period for PDP Law sanctions ended in late 2025, and an independent Personal Data Protection Agency is expected to be fully operational by late 2025 or early 2026. The government is also advancing a Cyber Security and Resilience Bill to strengthen the legal framework. The message is clear: compliance is no longer a formality but a legal obligation with real financial consequences.
What Needs to Happen?
Building cyber resilience is a shared responsibility spanning three layers.
For businesses and organizations: Adopt recognized security governance frameworks such as ISO 27001, appoint a Data Protection Officer (DPO) when processing data at scale, conduct regular security audits and risk assessments, and invest in behavior- and AI-based threat detection rather than relying on conventional antivirus tools. The most overlooked step: train employees, because they are both the first line of defense and the largest vulnerability.
For the government: Accelerate the operationalization of the Personal Data Protection Agency, strengthen protection of vital national information infrastructure, and expand digital literacy programs all the way down to MSMEs in the regions.
For individuals: Use unique passwords and two-factor authentication, stay alert to suspicious links and messages, avoid public Wi-Fi for sensitive transactions, and keep software regularly updated.
Conclusion: Digital Security Is a Foundation, Not an Add-On
The figure of 5.5 billion attacks is not just a statistic — it reflects a vulnerability that has reached crisis level. As long as cybersecurity is viewed as a cost rather than an investment, Indonesia will remain an easy target. Conversely, the organizations and individuals who treat digital security as a foundation will be the ones able to survive and thrive amid the onslaught.
Indonesia’s remarkable digital economic growth can only be sustained if it is underpinned by strong cyber resilience. The urgency of digital security in Indonesia is not a question of “if” — it is a question of “how quickly” we act.
Frequently Asked Questions (FAQ)
How serious is the cyber threat in Indonesia today? Very serious. BSSN recorded around 5.5 billion cyberattacks throughout 2025 — a 714% jump over the 2020–2024 annual average — and the trend continued into 2026.
What is the PDP Law and why does it matter? Law No. 27 of 2022 on Personal Data Protection is the legal framework requiring organizations to protect personal data, with administrative fines of up to 2% of annual revenue and criminal penalties for serious violations.
Which sectors are most vulnerable? Digital services, government institutions, e-commerce, and the financial sector are prime targets due to their large data and transaction volumes. MSMEs are also highly vulnerable because of limited resources.
What is the most basic step to protect myself? Use strong, unique passwords, enable two-factor authentication, stay alert to phishing, and keep software updated. For organizations, start with security audits and employee training.


