Weak defence keeps Malaysia vulnerable to cyber threats

Weak defence keeps Malaysia vulnerable to cyber threats

High internet penetration, hybrid work and online payments open the way for attacks.

Most organisations in Malaysia still lack the proper mechanisms to prevent cyber attacks, says Cybersecurity Malaysia.
PETALING JAYA:
Most organisations in Malaysia still lack the necessary defence against cyber threats, making them vulnerable to attacks.

The lack of resources, tools, processes and personnel makes it difficult for them to establish security operations centres (SOCs) and to gather cybersecurity threat intelligence (CTI) to pre-empt such attacks, according to CyberSecurity Malaysia (CSM).

An SOC is an IT security team while CTI is information collected by an organisation to understand possible threats.

Without adequate defensive mechanisms, these organisations face an arduous task of detecting, responding to and preventing cyber attacks, CEO of CSM Amirudin Wahab told FMT Business.

He said that while small companies often assume that being tiny makes them a less likely target, the fact is that it is more lucrative to jam the muzzle on them, he said.

“They may think they are not worth the trouble or resources but with problems such as Log4j and other major vulnerabilities, these businesses get swept up in attacks that aren’t explicitly targeted at them,” he added.

A Log4j is a popular logging framework that enables software developers to troubleshoot issues more easily. However, as an open-source logging framework, it is also an easy target for cyber attacks.

Rising threat

The threat of cyber attacks has risen exponentially over the last two to three years, mainly arising from the shift to remote or hybrid work necessitated by the Covid-19 pandemic.

A total of 4,741 cases of cyber threats were reported in Malaysia last year, according to CSM.

The high internet penetration rate of 97%, high usage of digital payments and progressively high adoption of technology, which accelerated during the pandemic, have made Malaysia particularly vulnerable.

In January, deputy communications and digital minister Teo Nie Ching said cyber crimes resulted in losses of almost RM600 million last year.

Malaysia is by no means the only country in this region that is under threat.

The number of cyber attacks against businesses in Southeast Asia rose 45% last year from the year before, according to global cybersecurity and anti-virus provider Kaspersky.

Singapore was the biggest victim, recording an almost three-fold jump to 889,093 web attacks from 207,175 in 2021.

Malaysia came in second with a 197% increase, followed by Thailand with 63%, Indonesia with 46% and the Philippines with 29%.

On the other hand, Vietnam saw a 12% drop in the number of attacks — from 2.82 million in 2021 to 2.49 million in 2022.

As Kaspersky general manager for Southeast Asia Yeo Siang Tiong sees it, with the reopening of borders and markets this year, it has become more essential now for businesses to spend more to strengthen their defences.

The weak points

The rising popularity of the hybrid work model has left companies more vulnerable. Going hybrid opens businesses to three types of threats — phishing, malware and data leaks.

Amirudin said there is also a misconception that such threats come into a company’s IT system only through emails via computers.

However, he said, cyber criminals have become more sophisticated and are using telephone calls and mobile messaging services as conduits to deliver such threats.

“An example is the Macau Scam, which utilises the phone, social engineering and the internet to fool victims,” he said.

As Malaysia becomes more digitally-connected, more people will be exposed to cyber attacks as the Internet of Things (IoT) eases access to various devices.

However, people continue to feel safe, placing their trust in a good awareness programme or robust technology that has kept them protected so far, Amirudin said.

What has been done?

Apart from harming businesses, cyber attacks can also cause chaos to a nation’s security and its people’s well-being.

As such, Amirudin said, the responsibility to prevent cyber attacks falls on the shoulder of every stakeholder. For instance, in a business, the company’s board of directors is as accountable as the IT department.

In January and February alone the National Scam Response Centre (NSRC), which was set up in October 2022 to coordinate rapid response to online financial scams, received 3,482 genuine calls.

Under Budget 2023, the NSRC has been allocated RM10 million to upgrade its equipment and raise awareness on cybersecurity.

Communications and digital minister Fahmi Fadzil said key legislations, such as the Personal Data Protection Act 2010, will be amended to make those holding the data more responsible for its protection while the data is in their custody.

He said the government is also mulling the merger of the National Security Agency and CyberSecurity Malaysia into the Malaysia Cybersecurity Commission (MCC).

On April 10, the Select Committee on People’s Well-Being in the Dewan Negara called for more severe penalties against online fraud perpetrators.

To that end, several legislations, namely the Penal Code, Criminal Procedure Code, Financial Services Act, Evidence Act, Computer Crimes Act and Malaysian Communications and Multimedia Commission Act, will be amended.

Stay current - Follow FMT on WhatsApp, Google news and Telegram

Subscribe to our newsletter and get news delivered to your mailbox.