The 2024 seismic attack on the Asahi Group was merely a prelude. Throughout 2025, Southeast Asia's digital transformation became its greatest vulnerability.
A sophisticated ransomware syndicate, leveraging a compromised vendor for a major Indonesian energy company, cascaded from corporate IT to operational technology (OT), forcing a days-long shutdown of critical refining capacity.
Simultaneously, a state-aligned threat actor exploited weak access controls in a regional financial services API, exfiltrating millions of customer records.
The repercussions are stark: billions in lost revenue, severe reputational damage, and a tangible threat to national stability. The old "Trust-First" model, where a single vendor's lapse could cripple an entire ecosystem, needs to be revisited.
In response, governments accelerated regulatory shifts, with Singapore's MAS and Indonesia's BSSN mandating stricter third-party risk controls. Organisations are now pivoting from a futile quest for total prevention to a pragmatic strategy of resilience.
As IoT adoption accelerates and cross-border supply chains deepen, the region faces escalating risks from fragmented regulations, AI-driven malware, and legacy infrastructure gaps. Traditional prevention models are faltering against sophisticated, fast-moving threats.
Instead, governments and enterprises are shifting toward containment-first frameworks—rapid isolation of compromised nodes, segmented supply chain networks, and resilient recovery protocols. This reckoning reflects Southeast Asia's dual reality: digital economies expanding at breakneck speed, yet exposure widening. By embracing containment as the new prevention, the region positions itself not to eliminate breaches, but to survive and adapt within them.
Following Singapore's pivot in 2025–2026 toward containment-first cybersecurity, perhaps there is merit in treating containment as the new paradigm.
Enforcing "Never Trust, Always Verify"
In the wake of third-party breaches dominating 2025 headlines, Kenny Ng, head of network business division, Asia Pacific at Alcatel-Lucent Enterprise, advocates treating external partners no differently from internal users.
"For third-party digital partners, they must also be treated like any other users or devices that are connected to the network infrastructure," Ng explains, emphasising rigorous access controls.
The shift lies in moving from network-based trust to an identity-first model under Zero Trust Network Access (ZTNA). Vendors' devices, presumed to be potentially compromised, warrant no implicit trust in the broader infrastructure.
Micro-segmentation enforces least privilege, granting task-specific access—such as a maintenance vendor patching a single application for the duration of the job—without exposing the entire network. This balances security with efficiency, averting operational paralysis amid rising supply chain vulnerabilities.
Beyond MFA: Contextual factors for least privilege
Multi-factor authentication (MFA) has gained traction, yet Ng urges enterprises to layer in dynamic contextual checks for vendors. Security must blueprint the entire network, granting only necessary access profiles.
"The first step we look at is to authenticate everything and everyone, to enforce the 'Never Trust, Always Verify' principle," he states, followed by isolation to curb lateral threat movement.
Continuous real-time monitoring detects anomalies in segmented zones, while time-bound privileges prevent prolonged exposure. Policy cycles—validation, refinement, and optimisation—ensure adaptability.
Device posture, access timing, and requested applications thus dynamically calibrate privileges, embedding Zero Trust holistically beyond mere MFA.
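As an added illustration of the contextual checks described above (this is example code written for this article, not Alcatel-Lucent Enterprise's product logic), the evaluator below grants a maintenance vendor access to a single application only inside an approved change window, only from a device meeting a minimum posture, and only for a bounded session. The vendor identity, application name, window and posture attributes are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed policy for one maintenance vendor (illustrative, not any product's schema):
# one application, one change window, a minimum device posture and a capped session.
VENDOR_POLICIES = {
    "vendor-maint-01": {
        "apps": {"erp-patch-console"},
        "window": (datetime(2026, 3, 14, 22, 0, tzinfo=UTC),
                   datetime(2026, 3, 15, 2, 0, tzinfo=UTC)),
        "posture": {"managed": True, "edr_running": True, "os_patched": True},
        "max_session": timedelta(hours=2),
    }
}

@dataclass
class AccessRequest:
    identity: str
    app: str
    when: datetime
    posture: dict

@dataclass
class Decision:
    allowed: bool
    reason: str
    expires: "datetime | None" = None

def evaluate(req: AccessRequest) -> Decision:
    """Every contextual factor must pass; a grant is scoped to one app and time-bound."""
    policy = VENDOR_POLICIES.get(req.identity)
    if policy is None:
        return Decision(False, "unknown identity")
    if req.app not in policy["apps"]:
        return Decision(False, f"{req.app} is outside the vendor's task scope")
    start, end = policy["window"]
    if not start <= req.when < end:
        return Decision(False, "outside approved maintenance window")
    failed = sorted(k for k, v in policy["posture"].items() if req.posture.get(k) != v)
    if failed:
        return Decision(False, "device posture failed: " + ", ".join(failed))
    # Privilege expires at the earlier of the session cap and the window close.
    return Decision(True, "granted: single app, bounded session",
                    min(req.when + policy["max_session"], end))

GOOD_POSTURE = {"managed": True, "edr_running": True, "os_patched": True}
```

Note that the expiry is clipped to the window close, so a session started late in the window cannot outlive it.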
Micro-segmentation in OT environments
Operational technology realms, often air-gapped or legacy-bound, demand phased, data-driven micro-segmentation to establish containment zones without disruption.
Aligning with the Zero Trust lifecycle—Monitor, Validate, Plan, Simulate, Enforce—Ng outlines deploying sensors for OT asset visibility, mapping communication flows, and establishing baselines of regular traffic.
"We look at organisations that must look at how they deploy the sensors to gain the full visibility of the OT assets, including the legacy system," he notes.
Enforcement leverages these baselines for granular segmentation, isolating threats without outages. This preserves critical processes in Southeast Asia's industrial hubs, where legacy gaps amplify AI-driven malware risks.
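The Monitor, Plan and Simulate steps of the lifecycle above can be walked through on constructed data; the following is example code written for this article, not a vendor tool. It builds a baseline of cross-zone conversations from passive sensor records, derives an allow-list from that baseline, and then reports which later flows the planned policy would drop, so the rules can be checked before anything is enforced on production assets. The asset inventory, IP addresses and flow records are all constructed.

```python
from collections import Counter

# Constructed asset inventory (illustrative, not from any real plant): ip -> (name, zone).
ASSETS = {
    "10.10.1.11": ("hmi-01", "ot-control"),
    "10.10.1.21": ("plc-line-a", "ot-control"),
    "10.10.2.5":  ("historian", "ot-data"),
    "10.20.0.40": ("eng-laptop", "corporate-it"),
    "10.20.0.41": ("file-server", "corporate-it"),
}

# Flows seen by passive sensors during the Monitor phase: (src, dst, proto, dst_port).
BASELINE_FLOWS = [
    ("10.10.1.11", "10.10.1.21", "tcp", 502),   # HMI polls PLC over Modbus/TCP
    ("10.10.1.11", "10.10.1.21", "tcp", 502),
    ("10.10.1.21", "10.10.2.5", "tcp", 4840),   # PLC pushes data to the historian (OPC UA)
    ("10.20.0.40", "10.10.2.5", "tcp", 443),    # engineer reads historian dashboards
]

# Flows captured later and checked against the planned policy before enforcement.
CANDIDATE_FLOWS = [
    ("10.10.1.11", "10.10.1.21", "tcp", 502),   # intra-zone, unaffected by the boundary
    ("10.20.0.40", "10.10.2.5", "tcp", 443),    # matches a baseline rule
    ("10.20.0.41", "10.10.1.21", "tcp", 502),   # corporate host reaching a PLC: not in baseline
]

def zone_of(ip):
    # Unknown assets land in their own zone so they never match an allow rule by accident.
    return ASSETS.get(ip, ("unknown", "unknown"))[1]

def build_baseline(flows):
    """Monitor: count zone-level conversations that cross a segmentation boundary."""
    keys = [(zone_of(s), zone_of(d), p, port) for s, d, p, port in flows]
    return Counter(k for k in keys if k[0] != k[1])  # intra-zone traffic is not segmented here

def plan_rules(baseline):
    """Plan: allow only what the baseline shows; everything else between zones is denied."""
    return [{"action": "allow", "src_zone": sz, "dst_zone": dz, "proto": p, "port": port}
            for sz, dz, p, port in sorted(baseline)]

def simulate(flows, rules):
    """Simulate: list the cross-zone flows the planned policy would drop, before enforcing."""
    allowed = {(r["src_zone"], r["dst_zone"], r["proto"], r["port"]) for r in rules}
    return [(s, d, p, port) for s, d, p, port in flows
            if zone_of(s) != zone_of(d) and (zone_of(s), zone_of(d), p, port) not in allowed]
```

A non-empty result from simulate is the signal to either extend the baseline (a legitimate flow the monitoring window missed) or confirm the drop is intended before moving to Enforce.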
Bridging IT-OT silos for secure boundaries
Silos persist: security, operations, and IT teams each focus on their own domain. Ng champions micro-segmentation to delineate those domains: one for corporate IT (desktops, IP telephony) and another for OT (industrial controls, production sensors).
Operating on a no-trust premise, ZTNA explicitly verifies all cross-domain access, thwarting lateral breaches. "This will eliminate the implicit trust that allows this lateral movement once the initial boundary has been breached," Ng asserts.
Firewalls bolster policies for necessary IT-OT crossings, ensuring a compromised corporate side cannot infiltrate production assets. Collaborative policy-setting fosters cross-functional resilience, a vital capability IDC highlights as Zero Trust plays a role in building Asia/Pacific enterprise trust amid hybrid cloud mandates.
Metrics for containment success
Shifting from prevention to containment, as per Singapore's "containment first" praxis, demands metrics beyond blocked attacks. Ng defines containment as limiting the spread of threats and localising disruptions.
Key gauges include incident response time—how swiftly teams notify and remediate; network downtime and availability impact; ticket resolution duration (minutes versus days); and user experience effects, such as Wi-Fi isolation sparing wired users.
"Success in this regard will have to continue to safeguard the operational continuity in a way that the Zero-Trust framework protects the process, even though breaches have occurred," he says.
These align with Gartner's 2025 call for focused programmes emphasising business continuity.
Redesigning incident response for rapid isolation
To prioritise isolation, organisations must tailor playbooks to customer needs.
"It helps to identify threats that are happening in real time in the network infrastructure and helps to mitigate the risk immediately," he describes, enabling mobile alerts and one-click remediation—anywhere, anytime.
Close collaboration with security and operations teams customises frameworks, accelerating recovery in the face of fast-evolving threats.
The business case for Zero Trust
Justifying Zero Trust investments over perimeter defences hinges on quantifying breach costs. Ng flips the narrative: "The approach is not to look at the cost, but to look at the financial impact or losses of not doing security right."
Data losses and supply chain halts—potentially millions in unfulfilled deliveries—underscore the value of mitigation, alongside operational efficiency gains enabled by robust infrastructure.
ROI manifests in continuity and risk reduction, echoing IDC's observation that Asia/Pacific firms prioritise Zero Trust for resilience against AI threats, with investments surging in IAM and incident response.
Forrester notes that 79% of APAC leaders will boost threat intelligence budgets by 2026, signalling proactive Zero Trust adoption.
Ensuring Interoperability in ZTA Implementation
Post-approval, seamless ZTA integration avoids "rip and replace." Ng's Alcatel-Lucent Enterprise framework overlays existing platforms via the OmniVista NMS, managing ZTNA alongside legacy systems to maintain consistent policies.
"It's definitely not a rip-and-replace kind of architecture that we should look at," he affirms, reducing complexity and gaps through unified oversight.
Evolving IT-OT collaboration
IT and OT teams must evolve through joint governance, co-definition of access rules, and conflict resolution. Shared threat monitoring platforms grant visibility—OT viewing IT denials, IT tracking OT health. "It's basically a shared vision framework between the OT teams and IT teams," Ng concludes, embedding unified Zero Trust.
Extending Zero Trust across the supply chain
To sustain ecosystem resilience into 2026, businesses must mandate ZTNA in vendor contracts, enforce identity-based checks, and ensure compliance. Ng urges supplier cooperation on use cases, training, and support: "This cooperation will enable and also accelerate the enforcement of this digital transformation."
As Zero Trust matures after over a decade, contractual imperatives fortify Southeast Asia's interconnected chains against collective threats.
In this paradigm, containment does not concede defeat but redefines victory: not breach absence, but swift adaptation. Southeast Asia's digital ascent, tempered by resilience, charts a sustainable course forward.
The PodChats episode with Ng covers his perspectives and recommendations on the following questions:
- Given that third-party digital partners were the primary attack vector in 2025, what is the most effective way to enforce "never trust, always verify" without crippling operational efficiency?
- Beyond multi-factor authentication, what specific contextual factors—such as device posture, time of access, and requested application—should enterprises use to grant vendors the least privilege required dynamically?
- For Operational Technology environments, which are often air-gapped or rely on legacy systems, how can enterprises practically implement micro-segmentation to create containment zones without disrupting critical processes?
- How do security and operational leaders rigorously define and enforce the boundary between the corporate IT network and the production OT network to prevent a cross-functional breach?
- With the mindset of "containment, not prevention," what are the key metrics IT and OT should track to measure their success in limiting the blast radius of a potential incident, rather than just counting blocked attacks?
- How can organisations redesign their incident response playbooks to prioritise the immediate isolation of compromised segments, thereby containing threats before they can move laterally?
- What is the business case for prioritising investment in ZTA over traditional perimeter defences, and how can enterprises demonstrate its ROI to the board through enhanced business continuity and reduced operational risk?
- As organisations implement ZTA, how can they ensure seamless interoperability between existing security investments and new ZTA-enabling technologies to avoid creating new security gaps?
- How must the roles and responsibilities of IT and OT security teams evolve, and how must they collaborate to implement a unified Zero Trust policy across both corporate and production environments?
- Looking beyond their own enterprise, how can businesses encourage or mandate the adoption of Zero Trust principles across their entire supply chain to strengthen the collective ecosystem resilience?