A study from cybersecurity firm Palo Alto Networks found that Malaysian firms experienced the largest number of disruptive cyberattacks among Asean members in the past year, with almost a third (29%) of companies facing a 51% increase in incidents.
The report, titled “State of Cybersecurity Asean 2023”, also noted an increase from the 20% recorded in 2022, marking a rising trend of attacks in the country.
According to Palo Alto Networks’ regional vice president for Asean, Steven Scheurmann, the country’s shift towards digitalisation has contributed to the rise of attacks.
“The fact that attacks have increased in Malaysia is confirmation that companies and the public sector in Malaysia are becoming digital, which is what’s happening globally.
“Malaysia is more and more online, that’s why criminal activity is focused and there are more attacks, but the increase in attacks also means Malaysia, unfortunately, is a target.
“Criminals and bad actors will gravitate and focus on areas where they can get an outcome, and that outcome is to steal money or to steal personal data,” he said.
The report goes on to say that the top cybersecurity concerns faced by local organisations are malware and ransomware, which are tied at 64%.
“For two years in a row, malware remains a top concern across Asean – we are seeing more and more of this.
“What (cybersecurity incidents) we see publicly exposed is a small element of what is actually happening on a daily basis,” he said, adding that such attacks have become more prevalent.
This was underlined by a 79% increase in cybersecurity budget by Malaysian companies, also the highest in Asean and quite a significant jump from 46% last year.
Of the surveyed Malaysian firms, 84% also claim to be developing strategies in regard to 5G but worry about securing 5G data.
“Because of the speed and amount of data being used on the network for 5G, this means there is more personal data being shared and used, becoming more of a target to threat actors,” he said.
Scheurmann further added that while 5G allows for increased connectivity for operational technology (OT) and IoT devices, many of them were manufactured in the years leading up to the network’s availability.
This can leave them vulnerable to attacks, as many have not been updated or reconfigured, and once connected to the network, can serve as “low-hanging fruit” for threat actors to target.
On the topic of ransomware, experts and government agencies such as CyberSecurity Malaysia (CSM) advised companies against paying ransoms to threat actors.
Scheurmann said that making such payments acts as a reward to cybercriminals and incentivises this sort of criminal activity.
Despite that, a separate report from Sophos revealed that Malaysia had among the highest average ransomware payments in the world in 2021, ranking seventh with payouts reaching almost US$900,000 (RM4.21mil) on average.
David Rajoo, Palo Alto Networks’ Asean system engineering head, also touched on the topic of mandatory reporting of cybersecurity incidents in the country.
“In Malaysia, you see that there isn’t really strong legislation that enforces organisations to actually report on cybersecurity incidents, that’s certainly something we hope will change over time for the better.
“If you look into what’s happening in the United States with the Securities and Exchange Commission (SEC), recently, they mandated that all public-listed companies report on cybersecurity incidents that are of material breach within a specific time frame.
“In Malaysia, it’s something to think about in terms of legislating cybersecurity incidents,” he said.
Also in attendance at the virtual presentation was CSM chief executive officer Datuk Dr Amirudin Abdul Wahab, who touched on the Cybersecurity Bill expected to be tabled early next year, and possible amendments to other existing regulations.
“We don’t have specific regulation on cybersecurity yet, but the government has decided that they are moving towards this direction, that means to have what we call a Cybersecurity Act for Malaysia,” he said.
Cybersecurity incidents have generally been under the purview of the Malaysian Communications And Multimedia Commission (MCMC), the Royal Malaysia Police and the Department of Personal Data Protection in accordance with a number of existing Acts.
Amirudin said that these entities are looking into amending and strengthening existing legislations themselves, with a push for the Personal Data Protection Act 2010 (PDPA) to mandate the reporting of data breaches, along with updates to the Communications and Multimedia Act 1998 (CMA) and Computer Crimes Act 1997 (CCA) for current technological developments.
Amirudin added that these amendments are targeted to be tabled by the end of 2023 or in the first half of 2024.
“We do realise that Malaysia is a bit behind when it comes to legislation, not that we don’t have it, but it has not been updated.
“In fact, if you look at the CMA and PDPA, these Acts are actually one of the first in the region.
“Malaysia looked into the ecosystem, understanding how things are done by friends in the region and other countries, and decided this is the time,” he explained, adding that instead of simply copying what’s being done elsewhere, the country wants to implement solutions that take local context and stakeholders into account.
“I believe the next several months will be busy for Malaysia, because it involves various amendments to the regulations and legislations with regards to cybersecurity and data protection in the country,” he concluded.