While Government Focuses on AI and AX, SMEs Become Hacking Targets
Ransomware Evolves with Advances in AI Technology... Defense Remains Stagnant
SME Security Budgets Shrink, Policies Fall Short... Only Small Allocations in Supplementary Budget
As hacking incidents targeting small and medium-sized enterprises (SMEs) become increasingly severe, concerns are rising over the shrinking scope of preventive policies. While the government focuses on fostering promising technologies such as artificial intelligence (AI) and AI transformation (AX), information security for SMEs is being pushed into a blind spot due to reduced budgets and insufficient policies.
According to the Korea Internet & Security Agency (KISA) on July 9, of the 804 ransomware reports received over the past three years since 2022, 655 cases (82%) occurred at SMEs. Midsize companies accounted for 130 cases (16%), while large enterprises reported only 19 cases (2%). Ransomware is a type of cyberattack that encrypts data on a user's computer or server and then demands payment in exchange for restoring access.
With advances in AI technology, ransomware is evolving rapidly. Global security firm Kaspersky, in its "2025 Ransomware Status Report" released in May to mark International Anti-Ransomware Day, identified the "proliferation of AI-based ransomware" as a major factor driving the increase in incidents. A security industry insider commented, "AI and large language models (LLMs), which are core technologies for boosting productivity in IT development environments, are also being exploited by cybercriminals to increase the efficiency of their attacks. The biggest problem is that the difficulty of defense is rising in tandem."
Nevertheless, the reason SMEs have not established robust information security systems is due to a lack of awareness about security and limited response capabilities. According to the Korea Information Security Industry Association (KISIA), last year the rate of information security policy adoption by company size was 48.9% for companies with fewer than 50 employees and 58.9% for those with 50 to 250 employees, remaining at about half. The rate of budget utilization for information security was only 49.9%. The most common reason for not using the budget was "not knowing what information security activities are necessary" (38.3%).
The problem is that government funding to support these efforts is also continuing to decrease. The budget for the Ministry of Science and ICT's "ICT SME Information Security Safety Net Expansion," which supports information security consulting and security solution adoption for SMEs, has plummeted to 5.7 billion won this year from 17.3 billion won in 2022. The "Regional Information Security Support Centers," jointly established by the Ministry of Science and ICT and KISA in 2014 to help SMEs respond to cyber threats and strengthen their capabilities, have not increased in number since being expanded to 10 locations in 2020.
The SME sector is expressing concerns that the government's recent focus on AI·AX may be pushing SME information security measures down the list of priorities. The Ministry of Science and ICT's second supplementary budget, recently passed by the National Assembly, totals 179.3 billion won, but the emphasis is again on the "AI transformation." Of this, only small amounts have been allocated for cyber incident analysis and response: 5 billion won for building AI-based response systems, 9 billion won for enhancing hacking and virus response, and 3 billion won for improving internet route security. Critics point out that the practical security budget SMEs can actually benefit from remains insufficient.
Industry voices are calling for the government to expand funding and develop effective support measures so that SMEs can strengthen their security capabilities as cyber threats become more sophisticated. Kim Jaegi, head of the S2W Threat Intelligence Center, stated, "Rather than relying on punitive regulations such as fines as in the past, incentives are needed, such as increasing budget support for SMEs that actively invest in security and demonstrate strong capabilities, or granting them priority access to government projects." He added, "If such a structure takes hold, companies will voluntarily invest more in security, and the overall cybersecurity culture will mature."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
