Introduction
As the CEO of Sawah Cyber Security, I regularly ask our team, partners and clients what they think about Cyber Security. Our team asked the same question in Indonesia: How Cyber Secure is Indonesia 🇮🇩 really? In this blog article we will share our observations and the vulnerabilities we discovered during our independent cyber security research in Bali.
If Bali was a very large luxury villa, the front gate would have a lock. Not perfect, but enough to make you feel safe. The back entrance though? Always open, with no camera and no security guard. Behind Bali’s warmth and hospitality, that gap is exactly where cyber criminals and hackers find their way inside.
Cyber Security Statistics in Indonesia
Indonesia is in the top 5 countries worldwide with the highest number of internet users. That means almost every Indonesian has some form of internet access through their mobile phone, or if not, through internet cafes (called “warnet”).
Many sources indicate that Indonesia is among the top targeted countries for cyber attacks globally. If we look at real-time cyber threat data, Indonesia often ranks alongside countries like Ethiopia, Nepal, Uzbekistan, and Georgia.
These countries aren’t targeted because they’re global superpowers. It’s often because:
- they have a large number of internet users
- they have very low overall cybersecurity awareness (education)
- or they are insufficiently prepared to respond when incidents occur.

So is there a good reason for hackers, skilled nation-state hackers and script kiddies to target companies and government systems in Indonesia?
When outdated software, weak configurations and exposed internal systems are combined with insufficient preparation to respond when incidents occur, the opportunity is hard to ignore.
Cyber security observations in Bali
We launched independent research to understand how vulnerable companies and institutions in Indonesia really are. We did this by interviewing partners and relations, but also by carefully looking at their cyber security posture from an internet perspective.
Our observations by industry and sector:
Healthcare Sector
Bali has many healthcare institutions, from hospitals and clinics to small doctor practices. Since it opened in 2025, Bali International Hospital (Sanur) has been receiving a large number of patients.
Our research shows that a significant number of critical IT services and assets in this sector are exposed to the public internet without a clear reason. This includes sensitive information about doctors, patients, and internal back-end systems: data that we believe should never be publicly accessible. Many of these IT systems and software also seem to be outdated, and may be vulnerable and waiting to be exploited.
We noticed that large organizations often invest in expensive firewalls. A FortiGate firewall is one of the most common examples. But in most cases, only about 20% of the firewall's capabilities are actually used. We found serious issues in other IT areas, leaving the firewall of little real use.
This is a common pattern we see in Indonesia. If one vendor trusts a specific model or brand, other companies follow because they do not want to fall behind the rest of the industry. The only problem is that these companies do not have a Cyber Security Partner like us, who is there to help and advise on cyber security strategies.
In the end, an expensive firewall sits there without mitigating the real risks, while other IT areas are left unprotected (the back door) because the IT budget has already been cut down to a minimum.
Hospitality Industry
Bali remains one of the world’s top tourist destinations, welcoming millions of tourists, more than the number of locals living on the island.
Our research revealed that many businesses in this industry rely on default credentials and outdated systems. Even some of the big beach clubs, which are major tourist attractions, run many IT systems and software but lack basic cyber hygiene. This is understandable, as cybersecurity is not their main business. But with their reach and customer base, it quickly becomes a business-critical issue where financial fraud could become a problem.
Education & Universities
Many educational institutions in Bali, including universities and vocational schools, face major cybersecurity challenges. Some institutions have seen cyber security breaches happen due to a lack of knowledge and experience among staff or IT partners, and a lack of budget for IT and cyber security.
Interestingly, many of these institutions do have the hardware, like firewalls, access points, and switches, often donated by larger companies that want to get rid of the IT assets. But the education industry lacks the people and the expertise and skills to actually put the cyber security hardware to good use.
Sawah Cyber Security already helps these educational institutions by providing Security Testing, Training and Security Awareness sessions.
Technology Sector
In Bali, there are many technology companies, including a growing number of software houses. But we see that cybersecurity is still not part of the daily conversation, especially in smaller IT companies and development teams.
We mainly looked at the software houses. The main thing we see with software houses is that security is still viewed as just a coding issue. But cybersecurity is much broader than that. It includes the underlying infrastructure, middleware, and also processes and practices, e.g. adopting a Secure Software Development Lifecycle (S-SDLC). No company is really doing that, even when they claim to do it. Not because they don’t care, but because it’s just not being talked about and they don’t have the experience to do it. And often, there is no budget for it either.
Security is seen as a “later” problem. But for many companies “later” comes too late. With our Sawah Cyber Academy training sessions, we see that small efforts can already make a big impact. Common mistakes can be prevented. Quick wins are possible.
Vulnerabilities everywhere in Bali
During our own research across different industries in Bali, our team found real and serious vulnerabilities. Some of them could have a major impact when exploited by criminals or people who want to do harm.
Note: With any of our cyber security research, our Cyber Security Team responsibly reported the vulnerabilities to the related system owners, in order for them to take security measures.
A few highlights from the vulnerabilities we identified:
SQL Injection vulnerabilities
We identified this common web vulnerability, which is in the OWASP Top 10 of common vulnerabilities, in many of the web applications we tested. This provided us access to personal data, identity card information, credentials (passwords) and even full control “root” access to the database.
Outdated CMS and Plugins
We have observed many outdated Content Management Systems (CMS) and plugins being used. This includes Remote Code Execution (RCE) vulnerabilities and Cross-site Scripting (XSS) in the plugins in use. In Bali many hotels, villas and resorts use popular CMS platforms like Joomla and WooCommerce.
Unnecessary IT services exposed to the Internet
We discovered various internal IT systems exposed directly to the internet, some with weak credentials or without strong protection measures. This highlights the lack of cyber security awareness among IT administrators around network segmentation and network filtering.
Default or weak credentials
We discovered many IT systems still using default usernames and passwords, or no password at all. Some management interfaces gave full Administrator access, allowing us to disable backups or backup power units (UPS).
Broken authorization controls
At several organizations we were able to gain unauthorized access to sensitive data from other users or functions. Sometimes a simple change in the URL gave access to other sensitive resources.
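The two web findings above, SQL injection and broken authorization, often sit in the same record lookup. The sketch below is an added example, not code from any system we tested: the `bookings` table, the sample rows and the function names are constructed for illustration. It shows the weak lookup beside a hardened one that binds the id as a parameter and scopes the query to the logged-in user.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE bookings (id INTEGER PRIMARY KEY, owner TEXT, guest_id_card TEXT)"
    )
    db.executemany(
        "INSERT INTO bookings VALUES (?, ?, ?)",
        [(1, "alice", "ID-CONSTRUCTED-001"), (2, "bob", "ID-CONSTRUCTED-002")],
    )
    return db


def get_booking_weak(db, booking_id):
    """Weak: the URL value is pasted into the SQL text and ownership is never checked."""
    query = "SELECT id, owner, guest_id_card FROM bookings WHERE id = " + str(booking_id)
    return db.execute(query).fetchall()


def get_booking_hardened(db, session_user, booking_id):
    """Hardened: validate the id, bind it as a parameter, scope the query to the caller."""
    if not str(booking_id).isdigit():
        raise ValueError("booking id must be numeric")
    row = db.execute(
        "SELECT id, owner, guest_id_card FROM bookings WHERE id = ? AND owner = ?",
        (int(booking_id), session_user),
    ).fetchone()
    if row is None:
        # Same answer for "does not exist" and "not yours": no hint about other users' records.
        raise PermissionError("booking not found for this user")
    return row
```

The owner comes from the server-side session, never from the request, so changing the id in the URL cannot reach another user's record.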
Government Lack of Transparency on Cyber Security Statistics
Looking at the yearly government cybersecurity report from BSSN (Indonesia’s National Cyber and Crypto Agency), the country openly acknowledges issues such as low awareness, increasing attacks, and the lack of proper security controls. One example: many regions still don’t have proper CSIRTs to coordinate responses to incidents.
Despite this acknowledgment, there is still no clear, publicly available data on how serious the cyber security challenges are and what the real progress is on the solutions suggested by BSSN and the government (e.g. the intention to deploy more active operational CSIRTs for incident response coordination).
- Who is attacking Indonesian companies and institutions?
- Which critical sectors have been breached, and how?
The lack of this information and the lack of transparency do not contribute to creating more awareness and a more cyber secure Indonesia, despite the big marketing efforts from the capital Jakarta.
Our own observations and findings have put the questions “How Secure is Indonesia? How secure is Bali?” more into perspective, as we can’t rely on public (government) data to tell us how Indonesia is doing on Cyber Security.
Legal challenges
In our mission to make Indonesia, the Netherlands and other countries Cyber Secure, we are fully aware that we sometimes walk a “gray area” in Indonesia when it comes to helping companies. Hacking is forbidden by law in Indonesia.
Scanning and testing systems, even with good intentions (white hat; ethical hacking) or only for educational research purposes, can easily be misunderstood as a criminal hacking activity.
In every case so far we have received positive feedback from the organizations we have helped. They have personally thanked us for reporting real vulnerabilities that others might have abused with bad intentions.
As ethical hackers with years of experience in the field, in Europe, Japan and Indonesia, we take each step responsibly, professionally, and with a deep commitment to help.
We believe that true cybersecurity progress starts with trust, collaboration, and an open conversation about Cyber Security challenges. That’s why we do what we do, even if it means navigating the “gray areas” of Indonesian law, as long as it moves Indonesia toward a more cyber secure future.
Unpopular opinion
As the CEO of Sawah Cyber Security: we are not here to sit back and watch the country where our company is positioned suffer from preventable cyber attacks. We follow the law, we respect the ethical rules that are internationally accepted, but we will never choose silence or passivity while Indonesia’s critical sectors and companies are falling apart due to Cyber Attacks.
That said, confidentiality and trust are at the core of everything we do. These are the values we hold high in our internal code of conduct, The Sawah Code, which every team member signs and commits to. We speak up, but we never disclose sensitive client information or specific details without consent or NDA.
In the end, we always navigate the balance between speaking up for a Cyber Secure Indonesia and staying fully professional, ethical, and lawful in how we do it.