Priority pendulum swings with Malaysia now under attack

Once considered a distant danger to Kuala Lumpur and Selangor – a global problem with minimal local implications – the severe spike in high-profile attacks targeting Malaysia has triggered a significant resetting of corporate priorities.

This is now a nation on the radar of malicious hackers, galvanised by increased digital adoption and ongoing economic pressures.

According to Cyber Security Malaysia (CSM) findings, the country reported 4,741 instances of cyber threats in 2022, including ransomware attacks, espionage attempts, data leaks and scams.

Most recently, two local subsidiaries of Prudential fell victim to the global MOVEit data-theft attack, “where a zero-day vulnerability was exploited”.

The Russian-backed attack – which also targeted a host of government agencies and multi-national corporations across the world – impacted Prudential Assurance Malaysia Bhd (PAMB) and Prudential BSN Takaful Bhd (PruBSN), likely exposing personal customer information as a result.

“Customer appetite for enhanced cyber protection is on the rise despite the ongoing economic challenge,” noted Alan See, co-founder and CEO of Firmus. “As the threat level increases, cyber security has become a top priority for organisations of all sizes and industries in Malaysia.”

Citing recent ransomware attacks such as AirAsia – which exposed the personal data of five million passengers and employees – See observed that the high-profile nature of the breach in Malaysia helped create an “urgent need” for effective action within organisations.

Even the hack of Singtel – revealing sensitive information relating to approximately 129,000 customers – created a ripple effect from across the border in Singapore.

“Organisations are no longer treating cyber security as another back-office function but as a critical business priority that requires investment in the right technologies, processes and people,” See outlined.

Acknowledging that no “plug and play” solution exists, See said the top challenges impacting Malaysian businesses include protecting against advanced threats, managing the complexity of a hybrid cloud environment and securing the endpoint.

This is in addition to navigating a range of local regulations such as the Risk Management in Technology (RMiT) framework set out by the Malaysia Central Bank (BNM) and the Personal Data Protection Act (PDPA).

“The current economic slowdown also represents a challenge as companies may reduce spending on security products and services,” See cautioned.

“But cyber threats remain a major concern for businesses and a lack of investment during an economic downturn could leave companies vulnerable to attacks and data breaches, potentially resulting in even greater financial losses.”

Regionally speaking, Malaysia currently experiences more cyber attacks than any other country in Asia Pacific – 76% of local organisations have been impacted ahead of Philippines (75%), Indonesia (52%), Singapore (46%) and Hong Kong (43%).

That’s according to Kroll findings – published via Asia Pacific State of Incident Report 2022 – which claims Malaysian organisations are chiefly concerned with data loss (82%), cost incurred and business interruption (64%) and reputational damage (51%).

“Gaining customer trust is of primary importance and we must do this in the shortest time possible,” See advised. “We are entrusted by customers to secure their most important information assets; thus our product, solution and service must withstand the robust and dynamic challenges from cyber attacks.

“We have maintained this trust with all our customers for over 15 years and that is our biggest achievement.”

As businesses kick-start plans to digitise operations – triggering a spike in cyber risks as a consequence – demand for managed security service providers (MSSP) continues to heighten in Malaysia.

“MSSPs have emerged as a solution for businesses that lack the expertise or resources to manage their own cyber security,” See observed. “Due to the evolving rate of digital adoption, client expectations have changed.”

For example, 10 years ago, the primary expectations of organisations were centred around monitoring firewalls, intrusion detection system (IDS) logs, incident handling and reporting.

Today however, businesses are seeking management of multiple security information and event management (SIEM) technologies, plus capabilities in threat intelligence, incident response, organisational reputation and cost-effectiveness.

“Organisations are no longer treating cyber security as another back-office function but as a critical business priority that requires investment in the right technologies, processes and people”

^{Alan See (Firmus)}

“Understanding expectations is crucial for MSSPs to sustain their business model as clients become more conscious and informed about their cyber security needs,” See added.

Seizing the cyber moment in Malaysia

Built by a group of cyber security veterans in Kuala Lumpur, Firmus goes to market as a MSSP with expertise spanning Malaysia and Singapore.

Key end-to-end offerings include assessment in the form of penetration testing linked to networks, wireless and web and mobile applications, as well as security configuration reviews and attack simulations.

Services capabilities extend to managed incident response, endpoint recovery and compliance advisory, underpinned by technology implementation and ongoing management. This is in addition to assurance solutions focused on governance, risk and compliance, plus cyber risk awareness frameworks.

“Our top strategic priority for this year is achieving sustainable high growth which includes expanding our service offering and increasing our market share,” See stated. “We are also focusing on enhancing operational excellence while adopting the concept of ESG [environmental, social and governance].”

Central to achieving such ambitions will be “continuous investment” in people through knowledge-based programs, supported by an enhanced portfolio and strategic vendor alliances.

“Short-term opportunities exist to offer endpoint recovery, incident response and managed detection and response (MDR) services,” See advised. “These incidents serve as a reminder of the critical importance of proactive security measures to safeguard against the risk of cyber threats.

“Another big opportunity is the regulatory compliance of companies specific to BNM’s RMiT framework. With the new version set to be announced within this year, we are seeing interest from both current and future customers.”

Despite demand for security solutions and services heightening in Malaysia, See acknowledged that a shortage of skilled cyber experts continues to challenge an industry already under sizeable attack.

Notable specialist gaps include security analysts and threat intelligence experts with the top 10% of job opportunities in Malaysia soon expected to be related to cyber.

This is further impacted by the local rise of insourcing – adopted by enterprise-level organisations such as banks – and the internal building of Security Operations Centers (SOC) which moves incident and monitoring in-house.

“Cyber security is an ever-evolving landscape and it requires a continuous learning approach,” See said. “We continue to ensure that our team members are trained with the latest skills and meet certification targets.”

Escalating operating costs is also impacting local MSSPs, observed See, notably “sky-rocketing” salaries since COVID-19.

Currently, the average gross salary of a cyber security specialist in Malaysia is RM 151,428 ($34,000 USD) with an equivalent hourly rate of RM 73 ($16 USD), according to Salary Expert data.

An entry-level cyber security specialist (1-3 years of experience) earns an average salary of RM 107,311 ($24,000 USD), while a senior level expert (more than eight years of experience) commands an average salary of RM 189,036 ($42,000 USD).

“The high salaries of cyber security experts places a significant financial burden on MSSPs, making it challenging for them to provide affordable security solutions to their clients,” noted See, who also stressed the importance of industry and academia collaboration in maintaining a healthy talent pipeline.

“We are collaborating with several educational institutes to development talents to ensure that we have the right expertise not just today but also in the future,” he added.