Wednesday 08 May 2024

This article first appeared in Digital Edge, The Edge Malaysia Weekly on February 26, 2024 - March 3, 2024

Organisations worldwide are grappling with unprecedented challenges to safeguard their digital assets in the face of escalating threats of ransomware attacks, and Malaysian organisations are no different.

According to Clarence Chan, PwC’s digital trust and cybersecurity partner, local organisations appear to be complacent about their cybersecurity measures. This observation is based on PwC’s survey of 3,876 business and tech executives, including 30 respondents from Malaysia, for its 2024 “Global Digital Trust Insights” report.

The poll, which was conducted from May to July last year, found that there is a gap in security investments alongside the digitalisation of cloud adoption plans, and that generative artificial intelligence (GenAI) is being used in the security space.

The survey explored the landscape of cybersecurity and digital trust, uncovering critical issues that test the defences of today’s businesses.

Chan tells Digital Edge that there is a crucial connection between cybersecurity and overall business strategy, urging leaders to view it not merely as an IT concern but also as a fundamental aspect of business-centric decision-making.

“Cybersecurity, at the end of the day, is a business-centric issue and not just an IT issue. In gathering the views of business leaders, the survey explores a few perspectives, such as budget/spending, investment, the potential of GenAI in cyber defence and the overall business strategy.”

While hack-and-leak remains the top concern for Malaysian respondents, Chan says, nearly a third still do not consistently incorporate data security and privacy features in their operations.

“Hack-and-leak incidents, third-party breaches and attacks on connected devices rank as the primary cyberthreats that concern Malaysian respondents. This indicates that data trust and cyber risk are central to today’s business transformation.”

In Malaysia, cybersecurity has become increasingly critical due to the rising prominence of digital and technological advancements. As a result, it has emerged as a top priority for tech executives, yet it currently holds the fifth position in terms of overall ranking. Organisations in Malaysia appear to be content with the status quo of their cybersecurity measures, which does not align with the increasing pervasiveness of ransomware attacks.

“We are seeing ransomware attacks almost every other day, or every other week. We have also seen a massive shift in terms of ransomware attacks or cyberattack campaigns.”

Cyberattack campaigns used to focus on the critical national information (CNI) in the infrastructure industry, banking services and telecommunications. Now, there is interest in non-critical sectors such as manufacturing, retail and professional services.

It is concerning to note the increasing frequency of ransomware attacks on both critical and non-critical sectors, including small and medium enterprises (SMEs), which often lack the resources and expertise to effectively address cybersecurity threats.

Despite the talent crunch and lack of resources in the industry, there are ways for businesses and SMEs to defend themselves against cybersecurity threats, which include investing in the right skills or people and technologies to manage cybersecurity risks, says Chan.

Cybersecurity investments are often misallocated, with companies spending about 10% to 15% of their technology costs on security despite ideally needing higher investment.

Companies can consider exploring third-party service providers to tap their specialist skill sets, which could be more cost-effective, he adds.

There are common misconceptions about technology costs, including underestimation of security measures and shared responsibility in cloud computing.

GenAI for cybersecurity

With the adoption of GenAI, are companies also thinking hard about the security threats? How about the security measures that should be implemented while running on GenAI?

These two considerations may not have been factored in and included in the budget, says Chan. Therefore, oftentimes the technology costs are not representative of the total technology cost, which includes ensuring that the technology and underlying data are safeguarded, secure and meet privacy requirements.

The integration of GenAI in cybersecurity is a noteworthy development, prompting business leaders to rethink their strategies in fortifying cyber defence capabilities.

“There are some things that are very often overlooked as companies modernise. As more and more companies, corporates and organisations shift to the cloud, it incentivises the attacker to target the cloud platform and attack them, given that many of these baseline security controls are not in place after modernising the operations,” Chan says.

While GenAI poses security risks, it also offers significant business benefits, he adds. These include improved cyberthreat detection and less laborious work for security operations and analysts.

Organisations should factor in security when transitioning to new technology, as cybersecurity is often an afterthought.

Emphasising the crucial role of mandatory breach notifications and reporting in cybersecurity, Chan points out that a major hurdle in tackling cyberthreats stems from the lack of shared intelligence and knowledge base among organisations.

Mandatory breach notifications and reporting can foster collaboration and transparency, allowing organisations to learn from each other’s experiences and better defend against attackers.

“Attackers have a shared pool of information and knowledge base, whereas in the corporate world there is no shared intelligence or shared knowledge base. Ironically, hackers can appear to be more united than the non-hackers,” Chan says.

Cybersecurity investment priorities

Local organisations must invest in incident response planning and cyber drills to mitigate the reputational impacts of cyber breaches, says Chan. “When it comes to cyber breaches, the response encompasses personnel throughout the organisation. Senior management holds ultimate responsibility collectively, ensuring they are well-informed on how to respond, the necessary support required and their role in the process.

“Establishing a robust incident response plan and regularly conducting cyber drills are crucial to familiarise the team with appropriate actions in the event of an attack.”

The cost of securing organisations does not necessarily have to be exorbitant; it is more about thoughtful consideration and strategic allocation of resources. The key is understanding the essential investments required and devising solutions to maximise returns. Often, organisations struggle because they lack a clear understanding of their needs, assuming that comprehensive tool implementation makes security prohibitively expensive.

An analogy can be drawn to securing one’s home — not everyone can afford top-tier security monitoring systems or CCTV cameras, Chan says. “Nevertheless, even with a limited budget, there are practical measures such as investing in sturdy locks and diligently securing all entry points. The point is that effective safeguarding involves exploring alternative and cost-efficient methods.”

In essence, organisations can mitigate risks and ensure security without incurring substantial costs. It is about adopting a pragmatic approach, implementing essential measures and tailoring solutions to fit the available budget. Of course, for those with the financial means, investing in sophisticated technologies remains an option to enhance overall security.
