Many firms in the country lack proper cyber security measures, making them vulnerable to threats like malware, ransomware and phishing
by AKMAR ANNUAR / pic HUSSEIN SHAHARUDDIN
LAST year, Malaysia suffered multiple cyber attacks, including the theft of 22.5 million personal data from a national registry and a payment gateway data breach. In the same year, hackers broke into a payslip system, extracting nearly two million payslips and tax forms, stealing up to 188.75 gigabytes of data. This group, known as the “grey hat cyber security organisation”, highlighted the vulnerabilities of the system.
These cyber-attacks have shown that many organisations in Malaysia are vulnerable to threats like malware, ransomware and phishing due to the lack of proper cybersecurity measures. Cyber security should be taken seriously as it poses significant financial risks to enterprise value, justifying its classification as a governance issue and management quality indicator.
The Malaysian Reserve (TMR) spoke to Novem CS Sdn Bhd CEO Murugason R Thangaratnam to understand cyber security in the environmental, social and governance framework.
Murugason explained that a secure and efficient cyber ecosystem is only attainable by striking the right balance and setting priorities across the people, process and technology framework, with oversight from proper governance structures.
He emphasised the importance of cyber governance as a priority on the agendas of boards of directors, senior management and investors, highlighting that cyber security risks should be considered within the framework of enterprise risk management, rather than as just a technical problem to be solved by the IT department.
“With the advent of 5G technology and the increased reliance on Internet of Things enabled devices, the attack surface has grown to be more complex and fast becoming a playground for threat actors globally.
“Today no individual or organisation, be it public or private, is safe,” Murugason told TMR, adding that ransomware is still one of the most common threats and the strategies used by the threat actors have rapidly evolved and are getting more sophisticated and organised.
At the same time, he highlighted that the increased reliance on technology, hybrid work environment, geopolitical and economic factors are continuing to drive cybercrime, and the recent high-profile breaches globally are proof of it.
“One thing for sure, the bad guys are getting bolder and the good guys are playing catch up,” he warned.
Lack of Laws, PDPA Not Enough
According to Murugason, there has been a lot of talk but little progress on Malaysian cyber security laws.
He believes that while Malaysia may have passed a data protection act first, the difference in execution and enforcement has caused the country to lag behind Singapore.
“When there is a data leak, everyone immediately points to Cyber Security Malaysia (CSM), but most people don’t realise that they do not have the legislative authority compared to the Personal Data Protection Department (PDPD). CSM, which has the infrastructure and technical expertise to handle such matters, has no enforcement powers,” he elaborated.
He added that the current Personal Data Protection Act (PDPA) only applies to commercial transactions and is obsolete compared to the General Data Protection Regulation, which, in contrast, is not restricted to commercial transactions.
“Good news is the amended PDPA is supposed to be tabled sometime this year as well as the Act on cyber security.
“This will create at least a baseline and framework moving forward. However, how effective it is going to be, is dependent on how effectively it is enforced,” he said.
Murugason added that currently, there are no governing agencies over cyber security.
This is crucial, he said, as the last thing a nation needs is another toothless body wasting taxpayers’ money and working in a silo.
“Then there is talk of a Cyber Security Commission being formed, however, how far-reaching and effective it is going to be depends very much on its terms of reference, statutory powers and composition,” he said.
Murugason also pointed out the need to identify whether the scammers and hackers are within Malaysia or otherwise.
He said if the threats are identified as coming from outside the country, it is best to set up cross-border cooperation and a concerted effort to share information and stories, and consequently combat cybercrime on a global scale.
He further pointed out that awareness and practices of cyber hygiene must become a way of life moving forward.
“We need to be aware of the basics such as, ‘if it sounds too good to be true, it probably is.’ Having said that, it is not always the end user’s fault,” he said.
Murugason also suggested that the data holders and takers such as banks, telecommunication companies (telcos) and even government agencies must be held accountable for any kind of data breach.
He was sceptical of data takers that use fancy terms like “data is the new currency” or “digital assets” while the holder of the asset is negligent in safeguarding it.
“To make matters worse, following a breach, they will either try to deny it ever happened or, when exposed, are not held accountable or punished for it,” he said.
Bright Future for Novem
Meanwhile, sharing on Novem’s future, Murugason is confident that it is looking very bright, from a business point of view.
He and his co-founder, Datuk Ranbir Singh Nanra, were very focused on positioning their company as bespoke, which simply means they first understand the customers’ pain points and risk appetite before advising them on the way forward to improve their cyber security posture.
“We have partnered some of the best-of-breed global leaders in cyber security solutions and with established Malaysian companies to provide a full suite of services to our customers,” he said.
To further assist its customers, the award-winning cyber security company takes a holistic approach with clients, starting with a discovery workshop and conducting a readiness review to further understand, identify, recommend and execute a customised framework.
Only once all the above steps are in place, he explained, does the company bring in the partners or solutions that fit that framework.
“This formula has helped us secure clients across many verticals including telcos, healthcare providers, financial institutions and even universities,” he said.
Murugason also noted that Novem’s business model could pivot and be flexible to meet the growing demands and increased awareness towards prioritising cyber security by design and not as an afterthought.
Moving forward, the company is focusing on increasing its partnerships and is constantly on the lookout for unique and relevant solutions that can complement its vision of becoming a respected and professionally run bespoke cyber security provider.
Additionally, his team is adamant about playing an active part in creating awareness of the importance of being vigilant and practising cyber hygiene.
Novem CS achieved a milestone when it was awarded the Cyber Security Product of the Year award at the CSM-ACE Malaysia Cyber Security Awards 2021.
- This article first appeared in The Malaysian Reserve weekly print edition