Cyber Security: The Spine of Digital Transformation
By Murugason R. Thangaratnam, Executive Chairman of Advanced Security Network and Chief Executive Officer of Novem CS
Post-pandemic, it goes without saying that cyber security teams have a lot on their plate, and you would be forgiven for feeling we live in an age of permanent crisis and paranoia, driven by rising geopolitical tensions, mass digitalisation, hybrid work, and a skilled labour shortage. While a new era of almost limitless connectivity is changing the way we live, work and produce, we are struggling to adapt to the rising threats posed by malicious actors and the borderless cyber threat attack surface.
As cyber breaches continue to grow exponentially and malicious actors continue to evolve, new verticals are becoming their targets. Today, the automobile industry should be just as concerned about a supplier or its equipment being infected with malware as a malfunctioning part. The pandemic changed working patterns, and a hybrid approach has become the norm for many businesses; employees are just as likely to work from another country as they are from the office. At the same time, data flows outside traditionally closed networks and into the cloud, while the 5G-powered Internet of Things (IoT) means that equipment is cloud-centric, too.
The battle is not how to effectively implement a secure digital transformation programme but the mindset transformation required to accept and execute it. The typical size of an IT team in an enterprise is almost always disproportionate to the enterprise's size and the revenue it generates, making it virtually impossible to monitor and analyse all aspects of the environment. However, the upside is that more organisations and governments have woken up to the value of cyber security investment over the last couple of years. This is reflected in global spending, which Gartner estimates could be as high as $1.75 trillion by 2025.
This year, it was approximately $172 billion, and investment is paying off in some areas like data analytics. Security teams are becoming increasingly effective at proactively detecting and mitigating cyber threats, with the added power of data and automation also playing more of a role.
Traditionally, cyber security has been framed as an ongoing battle between hackers and criminals on the outside and security experts on the inside. It is easy to frame organisations as closed shops, and this narrative is reflected in popular culture. However, the reality is much more complex. To secure against evolving cyber threats, businesses moving forward must adopt advanced security technologies, continually test and update controls and educate employees on cyber risks. Cyber security must be integrated into software, system design, coding and implementation. Employee awareness and reporting of anomalies to IT administrators can greatly reduce the risk of a successful attack. Proactive cyber security minimises the impact of cyberattacks and can strengthen customer trust, reputation and business growth.
Malaysia is also undergoing a major transformation and finding its place in the digital world. Despite robust cyber security measures, the country faces challenges securing its vast digital landscape.
Cyberattack cases
Fortinet's Southeast Asia and Hong Kong vice-president, Peerapong Jongvibool, noted that the attacks included viruses, botnets, and exploits detected by FortiGuard Labs' cyber security solutions, ranking Malaysia among the most vulnerable locations in the region. According to FortiGuard Labs, Malaysian cyber threats in the fourth quarter of 2022 included 61.1 million virus detections, 50.2 million botnet attacks, and 7.5 billion exploit detections.
Furthermore, Malaysia fell victim to multiple cyberattacks last year, including data theft from a national registry and a payment gateway data breach. A group known as the "grey hat cyber security organisation" broke into a payslip system, extracting nearly two million payslips and tax forms, stealing up to 188.75 gigabytes of data, and highlighting system vulnerabilities.
Such cyberattacks reveal that many Malaysian organisations lack proper cyber security measures, leaving them vulnerable to malware, ransomware, and phishing threats.
As cyber threats become increasingly sophisticated, so must the knowledge and awareness of employees. Regular training, for example through an e-learning platform, on recognising potential threats such as phishing emails, implementing strong password policies, and understanding the importance of regularly updating software can significantly reduce an organisation's vulnerability to cyberattacks. Creating a culture of cyber security awareness requires ongoing communication, training, and leadership support, including at board level. By adopting these approaches and committing to continuous improvement and adaptation in the face of evolving threats, Malaysia can build a more resilient cyber ecosystem and significantly reduce cyberattacks' impact on its digital landscape.
Cyber security awareness and FDI
Based on a recent study by the Department of Skills, The Centre for Instructor and Advanced Skill Training (CIAST) and Cyber Security Malaysia, the country needs 27,000 cyber security knowledge workers by the end of 2025. This need must be addressed to support the national ecosystem and make Malaysia an attractive investment destination for international cyber security companies. Foreign direct investment (FDI) catalyses digital economy development, of which cyber security is a crucial part. With competition increasing as countries announce various FDI-attractive policies, policymakers must think strategically, not tactically. Malaysia should actively direct investments into targeted cyber security services with a focused approach.
[Photo: Sharing session on cyber resilience and cyber hygiene organised by the Malaysian Dutch Business Council (MDBC) and hosted by Malaysia Digital Economy Corporation (MDEC).]
Investment policies, incentives, and the investor pitch must resonate with the country's unique strengths – business ecosystem, political stability, excellent infrastructure, and technological capabilities.
FDI into cyber security requires alignment across several functions. Essential measures include addressing regulatory bottlenecks, through pro-competition policies and by avoiding agencies working in silos; broader higher education and training; addressing labour-supply bottlenecks arising from skills mismatch; better data privacy policies; and adequate incentives to facilitate retention of a skilled workforce.
Better cyber security could further bolster the country's economy and capability. The government must have a comprehensive strategy and a concerted approach to ensure security within cyberspace and engender trust in the use of digital services, bearing in mind the increased proliferation in the use of ICT on a national level, the increasing economic importance of technology as well as the envisaged use of emerging technologies such as cloud computing, generative AI, Big Data and IoT.
One of the ultimate goals is to establish coordinated structures to protect national information infrastructures and to establish a national cyber risk assessment plan to identify gaps and strengthen the capability to investigate and combat cybercrime.