Authored By: Wong Joon Hoong, Country Manager, Sophos Malaysia
In the last two years, the COVID-19 pandemic has served as a major catalyst for businesses to transform digitally, greatly accelerating Malaysia’s digital economy. However, this has also resulted in an increase in targeted cyberattacks and cybercrime against organisations. Malaysia’s Ministry of Home Affairs revealed in 2021 that more than 20,000 cybercrime cases were reported, with losses to victims totalling RM560 million.
According to the third edition of Sophos’ annual survey report, The Future of Cybersecurity in Asia Pacific and Japan, despite the rising incidence, impact and cost of ransomware, there continues to be a lack of boardroom awareness of cybersecurity and a broad assumption among executives that their company will never be attacked.
Cybersecurity education is needed at the top
At Sophos, we have seen cybersecurity expenditure and self-assessed maturity increase across the region. Yet, the report still finds that in Malaysia only 29% of companies surveyed believe their board understands cybersecurity very well. Furthermore, the top frustration expressed by local cybersecurity professionals is that they can’t keep up with the pace of security threats, which grow more complex and harder to prevent.
Ninety-three percent of surveyed companies agree that their biggest security challenge in the next several years will be the awareness and education of employees and leadership.
Given this, if businesses continue to place digitalisation at the forefront of their strategies, executives must pay heed to the importance of cybersecurity. Failure to do so will prove costly on numerous fronts, including theft of sensitive data, disruption to business operations, loss of business or revenue, and critical damage to reputation.
Malaysia’s skills shortage continues to wreak havoc
The shortage or mismatch of cybersecurity skills continues to be a growing problem that needs to be addressed in Malaysia. Seventy percent of companies surveyed expect to have some problems with recruiting cybersecurity employees over the coming years, with 26% expecting to face a major challenge.
With recruiting continuing to pose issues, companies have identified the priority areas in which they feel the skills and capabilities of internal security specialists need to be increased. These include staying up to date with the latest threats, policy compliance and reporting, and employee and executive training.
Cybersecurity professionals’ top frustrations
Indeed, cybersecurity professionals have an enormous task ahead in keeping companies safe and secure. With concerns around the ability to keep up with the pace of evolving security threats, and not having enough skilled cybersecurity specialists to combat these threats, the real challenge comes from low levels of cybersecurity understanding among company boards.
This low awareness may lead to fewer funds being invested in the programs needed to alleviate the risks. The issue isn’t technology; it is education.
Cybersecurity education can help you stay on top of ransomware
Often company boards and executives do not understand how cyber issues can affect the bottom line. At present, cybersecurity education must become a focus for all. The following is a five-step approach from Sophos to help bring organisations up to speed on cybersecurity education:
1. Boards need help to understand that it’s impossible to protect everything, and to learn to prioritise the most critical information, data, and systems to protect.
2. Education courses on basic principles, genuine likelihood of an attack, attack vectors, threat actors, and other terminology should be available to all staff.
3. Once the basics are clearly defined, organisations need to develop a strategy and integrate it with digital transformation programs.
4. The focus then becomes more operational in nature: applying legislation, breach response protocol, ransom payment policy, gap assessments, and future roles and obligations.
5. Businesses need to clearly understand compliance, the regulatory environment under which the business operates, what’s legally required when breached, and what the appropriate controls around data security and management are.
Until these issues are addressed by company leaders, Malaysian businesses will continue to fall victim to cybercrime, leading to loss of revenue, data and reputation. By educating employees and management about the risks and what they can do to mitigate them, together we can put up a good fight against cybercrime.