Survey: Malaysian companies are unprepared for cyber attacks

Quann managing director Foo Siang Tse says many companies are not investing enough in IT security despite the obvious threats.

PETALING JAYA: The majority of Malaysian companies are unprepared for cyber attacks and demonstrate significant gaps in security development, cyber awareness and resources, a leading security company says.

According to a survey conducted by managed security services provider Quann and research firm IDC, 96% of Malaysian companies are only in the early stages of security preparedness.

The Quann IT Security End User Study 2017 also showed that almost half (46%) of the companies polled had basic IT security features such as firewalls and antivirus software but did not have security intelligence and event management systems to correlate and raise alerts for any anomalies.

Likewise, 52% of respondents did not have a security operations centre or a dedicated team to proactively monitor, analyse and respond to cyber security incidents flagged by the systems.

Thirty-eight percent either did not have any incident response plans to protect the companies’ networks and critical data in the event of a cyber attack, or only reacted when a breach occurred.

Only a third (33%) practised their incident response plans while 31% required all members of the organisation to take part in IT security awareness training.

Seventy-one percent of respondents did not have a dedicated IT security budget and planning process, and 40% had security support only during work hours. One in five respondents (21%) had security support only during the work week.

Quann managing director Foo Siang Tse said many companies were simply not investing enough in IT security despite the obvious threats.

“The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg.”

The global WannaCry ransomware attack began on May 12 and affected over 150 countries. The malicious software worked by locking up files on a computer and encrypting them in a way that denies the owner access to them.

The programme then demanded payment through the Bitcoin digital payment system to make the files accessible again. However, security experts warned there was no guarantee that access would be granted after the payment was made.

The more recent Petya ransomware attack struck major firms and government departments in Ukraine before spreading across Europe.

Like WannaCry, the software shuts down a computer system and then demands an extortionate sum of money to fix the problem.

“Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals, is critical in enabling them to detect threats early and mitigate their impact,” Foo said.

Simon Piff, vice-president of IDC Asia, added: “Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools.

“They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation.”
