KUALA LUMPUR, June 27 — Like the rest of the world, Malaysians have become more dependent on the internet and digital technology.
We spend a lot of our time online and this puts us at risk of being targeted by cybercriminals.
Cyber threats have become far more sophisticated over the years, and pose serious risks to individuals, businesses and national security.
According to Trend Micro Incorporated, most organisations in Malaysia believe that they will be attacked in the next 12 months as the cybersecurity landscape becomes more challenging due to increasing sophistication and advancements in information and communications technology (ICT).
So the question boils down to this: How ready is Malaysia to face incoming cyber threats?
Malay Mail spoke to CyberSecurity Malaysia (CSM) chief executive officer (CEO) Datuk Amirudin Abdul Wahab to find out more.
According to Amirudin, there is no such thing as being 100 per cent secure from cyber threats due to the ever changing nature of the internet.
He said that no matter how strong a country or organisation is in terms of cyber security, it is just a matter of time before it is attacked.
What is most important is to prepare for any attacks.
“It is better to assume that the criminal will eventually break through the organisation’s cyber defences. The most important action for an organisation is to strategise and implement cyber security in order to lessen the impact due to cyber attacks.
“It is crucial to know how to act and recover or bounce back once attacked. There is still much (room for) improvement to be made by many organisations in Malaysia,” he said.
According to the Cyber Incident Reference Centre (Cyber999), the common threats are fraud, cyber harassment, intrusion, malicious code and content-related threats.
In May 2022 alone, the Malaysia Computer Emergency Response Team (MyCERT) under CSM reported 3,057 cyber incidents.
Amirudin said that there is a need to ensure a secure, resilient and trusted cyber environment in order to sustain progression and prosperity, adding that a more innovative, proactive and adaptive security approach is required to address such situations.
“In addition, our approach also has to be adaptive, dynamic and innovative, covering people, processes and technologies.
“We also need to strengthen the Public-Private-Academia Partnership and national, bilateral, regional and international collaboration.
“Malaysia should also gear itself towards cyber resilience as the threat of a global cybersecurity breach continues to pose a major risk,” he told Malay Mail.
What about the recent personal data breaches Malaysia faced?
According to Amirudin, Malaysia has launched and conducted various initiatives and strategic national plans, collaborating with other nations, reviewing policies and holding vigorous discussions to determine the best approach to deal with these issues.
He said that Malaysia currently ranks 5th globally in the Global Cybersecurity Index (GCI) ITU 2020 report, with the highest commitment to cybersecurity.
However, he said the government and organisations need to ensure that their digital infrastructure is updated with a good security environment, that their standards and best practices are revised, and that personnel are equipped with awareness and knowledge of the latest security trends and technology.
For this purpose, continuous audit and monitoring are needed.
“The increase in and wider attacks conducted by cybercriminals can no longer be defended by a straight cybersecurity approach.
“Malaysia needs to be more cyber resilient and various strategic approaches should be adopted, such as defence in depth encompassing the people, process and technology aspects of cybersecurity.
“Due to the wide use of the Internet of Things (IoT), multiple devices have the potential to become a risk to individuals and organisations. Organisations must know their system and ensure no risks are coming from external and internal parties,” he said.
Among other things, he said Malaysia can adopt a “zero trust” or “trust but verify” approach — which operates on continuous verification for all resources, limits the scope of credentials and automates context collection and response — as well as constantly back up data, secure remote working, implement an encryption method to ensure data is secure and have a comprehensive response plan for any attack.
Does Malaysia have a big enough cybersecurity team to handle all the threats?
The quick answer is no.
According to Amirudin, Malaysia has recorded a need for 20,000 professionals in the cybersecurity workforce by 2025.
Amirudin said that the supply of cybersecurity talent being churned out by local universities is insufficient for the needs of the industry in the long run, and that there is a gap between the quality of students and the requirements or expectations of the industry, as students are mainly educated via theory and not so much through practical, hands-on experience.
“The development of skilled cybersecurity professionals cannot be created overnight. It will take time to get the right people into this profession. Addressing the human capital gap requires a combination of strategic public-private collaboration and incentives from various parties such as scholarships, mentorships, and internships with guaranteed employment.
“We need to create a knowledgeable generation capable of fending off the ever-evolving cybersecurity threats. Last but not least, we need to truly produce high value and skilled digital citizens of the future who will keep our cyberspace safe as we head into a new digital economic order,” he said.
So what can CSM do to address this?
Amirudin said that CSM is able to train, retrain and certify people via CyberGuru and the Global ACE Scheme.
“CyberGuru has been designed in-house by the technical experts within the industry. Apart from our content development, we also partnered with other security platforms like SANS, (ISC)2 and others to provide comprehensive training.
“(The) Global ACE Scheme was established to validate and certify cybersecurity personnel as a world-class competent workforce in cybersecurity and promote the development of cybersecurity professionals within the region.”
Amirudin said the scheme uses a holistic framework of cybersecurity profession education that outlines the overall approach, identification and classification of cybersecurity domains, the impartiality of examinations, competencies of trainers and the need for membership for lifelong learning.
“The collective benefit occurring out of such educational and consulting exercises is proof of their enhanced cybersecurity posture within the country and to the external players,” he said.
Among the certifications provided are certified penetration testers, MyCC evaluators, secure application practitioners, digital forensic for first responders, information security awareness managers and information security management system auditors.