According to the General Incident Classification Statistics 2019 by the Malaysia Computer Emergency Response Team (MyCERT), a total of 10,772 incidents were reported in 2019. The figures represent the various cybersecurity incidents that were reported to CyberSecurity Malaysia in 2019 and show an increase compared to the same period in 2018. The figures do not, however, cover the number of breaches that organisations experienced in 2019.
Fraud continues to be the biggest incident category reported in 2019, making up nearly 70% of the total with 7,724 cases reported. In fact, there are close to 500 cases of fraud reported every month. This is almost a 20% increase from the previous year, which indicates that more organisations and individuals are becoming victims of online fraud, which includes phishing emails, such as business email compromise, and malware.
While organisations have been taking the necessary steps to improve their cybersecurity, fraud is still an ongoing issue for them. Phishing emails are the main type of fraud that employees fall victim to. This includes falling for scams or having their email accounts compromised by cybercriminals.
It is often said that the weakest link in any organisation's cybersecurity is the employees themselves, and the figures show just that. Companies can have the best cybersecurity protection in the world, but if their employees keep accessing unauthorised sites or surfing the web for non-work-related use, they are putting not only themselves in jeopardy but the entire organisation as well.
In Malaysia, employees are advised to avoid websites that are not work-related. While they may agree to these rules, they may still connect their mobile devices to the company WiFi and access non-work websites. This, in turn, can lead to cybersecurity issues, as their devices are not protected. Malware can also pass from their devices onto the office network and access company information.
The other concern is, of course, business email compromise. Employees need to make a habit of checking the sender's address on the emails they receive before replying, especially when dealing with financial matters. There have been too many cases where cybercriminals mimic employer profiles and trick employees into making or transferring payments online.
Moving on from fraud, there was also a large number of intrusions reported last year. While the figure has decreased a bit compared to 2018, the numbers show that cybercriminals are still finding ways to intrude into organisations. This is where organisations need to ensure their cybersecurity protection is up to date and has all the latest patches. In most cases, an organisation becomes a victim of intrusion because its cybersecurity protection has not been updated with the latest patches, leaving it vulnerable.
CyberSecurity Malaysia continues to educate organisations on the importance of cybersecurity. While the figures for some types of incidents have decreased, intrusions and fraud continue to show alarming numbers. In fact, the report by MyCERT only represents incidents that have been officially reported to them. The total number of victims could be a lot higher, as many individuals and organisations do not want to report the incidents they face, which is another problem in itself.
The bottom line is that organisations need to ensure their employees are well aware of how unsafe suspicious links and emails can be. They could run tests and checks on their employees to see how they react to suspicious links, and educate them accordingly. Organisations also need to try to gain visibility over personal devices that are using the company network. If possible, ensure those devices are protected or block them from using the network.
At the end of the day, if your employees are easily taken in by cheap bargains and offers that are too good to be true, they are likely to end up as victims of cybercriminals and cause your organisation losses as well.