When a cyberattack disrupts services, the damage rarely ends with the initial intrusion. What happens next depends on people. How quickly do responders share what they know? How effectively do technical teams communicate with executives who must make decisions about disclosure, service restoration, and public messaging? How well do handovers work when an incident spans departments, time zones, or regulatory jurisdictions?

These questions matter urgently for Southeast Asia. According to the e-Conomy SEA 2025 report, the region’s digital economy continues its remarkable growth trajectory, with gross merchandise value exceeding USD 300 billion in 2025. This growth is driven by expanding e-commerce, digital financial services, and cross-border data flows. It creates prosperity and opportunity, but it also creates exposure. Every new digital service is a potential attack surface, and every failure in incident response erodes the public trust that sustains digital adoption.

Policy and organisational leaders often treat cyber resilience as a procurement problem by buying better monitoring, endpoint protection, and faster detection systems. These investments matter, but they address only half the equation. Cyber resilience is equally a social capability, and that capability remains underdeveloped across the region.

From Intrusion to Impact: Where Response Fails

The evidence of coordination failure is visible in incident after incident. Singapore’s SingHealth breach in 2018 compromised 1.5 million patient records, including the Prime Minister’s medical information. As detailed in a comprehensive post-incident analysis, technical forensics revealed that the intrusion had persisted for months. However, the review also highlighted significant coordination gaps because information moved slowly between teams, escalation pathways were unclear, and decision-makers received fragmented and incomplete assessments. Critically, cybersecurity was treated as an issue for IT staff to address and resolve fully before senior management was informed, a pattern that the subsequent Singapore Committee of Inquiry identified as reflecting deeper cultural issues within the organisation.

This pattern repeats across sectors and borders. Indonesia’s rapid digitisation has brought millions of new users into the digital economy, and with that growth has come increased targeting by threat actors. Recent research on the threat landscape identifies dozens of organised hacking groups, including state-linked operatives and financially motivated cybercriminal networks, actively targeting Indonesian enterprises. The Philippines, Thailand, and Vietnam face similar pressures as their digital infrastructures expand faster than their organisational capacity to defend them.

The problem is not a lack of skilled responders. Many organisations have capable technical teams. The challenge is that those teams operate within organisational environments where communication breaks down under pressure, non-technical leaders struggle to interpret uncertainty, and the stress of a live incident causes coordination to fragment precisely when it should tighten.

Organisational Barriers to Effective Incident Response

Incident reviews and industry research document three persistent obstacles that undermine how organisations respond to cyber incidents.

1. The first is communication opacity. When technical responders brief executives during an incident, they often use language that obscures rather than clarifies. Executives hear jargon and uncertainty and respond by either demanding false certainty or withdrawing from decisions they are responsible for making. The SingHealth Committee of Inquiry found that decision-makers received fragmented and incomplete assessments during the 2018 breach because information moved too slowly between technical teams and senior leadership. The result is delayed action on disclosure, resource allocation, and service prioritisation.
2. The second is pressure-driven questioning. Managers under stress tend to ask questions that feel natural but worsen the situation. “When will this be fixed?” demands a timeline that responders cannot credibly provide. “Who caused this?” shifts attention from containment to blame. “Are we sure it’s not worse?” introduces doubt without actionable direction. These questions consume time, increase stress, and yield little useful guidance. The Splunk State of Security 2025 report found that 52% of SOC teams are already overworked, and pressure-driven management cultures compound that burden when a live incident hits.
3. The third is coordination atrophy. Most organisations do not practice cross-functional response until a real incident forces them to do so. When an attack spans IT, legal, communications, and executive leadership, each function operates from its own playbook and assumptions. Handovers fail, priorities conflict, and recovery takes longer than it should because teams discover coordination gaps in real time rather than during rehearsal. The SingHealth inquiry found that no written protocol existed for reporting cybersecurity incidents and that existing annual exercises had been designed for classroom settings rather than realistic operational conditions.

Strengthening Incident Response with Practical Interventions

These obstacles are addressable without significant investment. Three interventions can improve outcomes across sectors.

1. Standardise incident communication for non-technical stakeholders.
   Organisations should adopt a simple, standardised reporting format for use when responders brief executives. The format should answer four questions in plain language. What do we know happened? What is the current impact on services and data? What actions are we taking? What decisions are required from leadership? This structure gives executives the information they need to act without requiring them to interpret technical detail. It also disciplines responders to translate their findings into terms that support organisational decision-making, reducing ambiguity at critical moments.
2. Train managers to ask better questions.
   Instead of demanding certainty, leaders should learn to ask for evidence, impact, and options. “What evidence supports that assessment?” invites responders to share what they actually know. “What is the impact if we wait two more hours before deciding?” surfaces relevant tradeoffs that should inform timing. “What options do we have, and what are the risks of each?” shifts the discussion towards actionable choices. These questions extract useful information without adding pressure that degrades response quality.
3. Build cross-team recovery muscle through short rehearsals.
   Organisations do not need elaborate simulations to improve coordination. A 90-minute tabletop exercise, conducted quarterly, can test handovers between technical response, legal, communications, and executive leadership. The exercise should focus on decision points rather than technical exploits. Who decides when to notify regulators? Who approves public messaging? Who sets priorities on which services to restore first? Practicing these handovers reveals gaps early, before a real incident exposes them and makes them costly.

These interventions are not theoretical. Following Singapore’s SingHealth breach, the Committee of Inquiry recommended regular tabletop exercises involving both technical personnel and senior management, clearer incident reporting protocols, and stronger coordination between cybersecurity teams and organisational leadership. Several of these measures have since been adopted across Singapore’s public healthcare sector.

These interventions require no new procurement. They require only the recognition that resilience is a social capability that must be built deliberately, not assumed.

Treating Cyber Resilience as a Social Capability

Southeast Asia’s digital future depends on trust. Citizens and businesses will adopt digital services only if they believe those services are reliable and that the organisations can recover effectively when things go wrong. Technical defences are necessary, but they are not sufficient. The organisations that preserve trust through incidents will be those that invest in the human infrastructure of response.

Policymakers can encourage this investment by incorporating coordination capability into resilience frameworks and regulatory expectations. Industry leaders can prioritise response readiness alongside prevention spending. Organisations across sectors can begin immediately by implementing the low-cost interventions outlined here.

Cyber resilience is a social skill–one that warrants more deliberate investment in training and organisational practice.

The views and recommendations expressed in this article published on March 2026 are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.