THE government has stepped up efforts to tighten Malaysia’s cybersecurity this year including passing a new cyber security law. But, experts and businesses say the only sure way to fight cyber threats and protect businesses and individuals is still money, and lots of it in the form of government assistance.
What the government and business owners do agree on is that public-private collaborations are “essential” but the form they should take is hard to pin down.
“The government should bring together cybersecurity solution providers and come up with a special package for SMEs,” suggests SME Association of Malaysia immediate past president Datuk Michael Kang. “There must be some government grants for SMEs, depending on the number of staff they have.”
Employers with some 20-30 staff members can face yearly costs of up to RM300,000 to adequately protect their operations and digital assets from frauds and scams; and this is out of reach of most small–to–medium enterprises.
Experts say that depending on the number of digital assets, which include personal data in the form of graphics, text, or softcopies of documents that are controlled by employers, costs to protect them can range from RM30,000 or 10 times more.
“In my experience, a lot of SMEs do not listen to the dark web, which is where people’s data are sold on the open market. But even when SMEs get hacked, they still hesitate to subscribe to some cybersecurity services,” says a cybersecurity firm owner who does not wish to be named.
The new Cyber Security Bill was tabled for the first time on March 25 and passed in Dewan Rakyat on March 27. On April 3, it was unanimously passed in Dewan Negara in its third reading.
Digital Minister Gobind Singh Deo, in his winding up debate, says the bill could ensure the viability and efficiency of the Critical National Information Infrastructure (CNII) in handling cyber security incidents affecting government, banking and finance, transportation, national security, which are typically targeted in cyber attacks to cripple the government. Also listed in the bill were healthcare services, water supply and waste management, energy, agriculture and farming, industry and trade.
ALSO READ: Concerns of ‘overreach’ plaguing the new bill
Weighing cost
Many cybersecurity firms charge by the number of digital assets owned by the firm or a company could set up its own security operating centre if they could afford it.
“The dilemma comes with what you think is important or not. Protect the most important secrets and let the non-important ones be hacked,” he says.
“The government and solutions providers must look at this issue as a volume game when cybersecurity affects so many people,” says Kang. “Private companies such as Microsoft have offered good enterprise packages paid per user in the past but so far the government has not done any special package before.”
Foong Cheng Leong, a writer and lawyer specialising in privacy and data protection laws, agrees that cyber insurance from the government can be used to protect SMEs and individuals from cyber threats.
“Such insurance should also give them access to experts to assist them,” he says.
CyberSecurity Malaysia chief executive officer Datuk Dr Amirudin Abdul Wahab , however, says good security practices do not necessarily come at high financial costs.
“Most security practices, such as using complex passwords or promoting cybersecurity awareness, are free. It all depends on the approaches of individuals and SMEs,” he says in an emailed response.
Dr Amirudin says government financial assistance must be carefully organised to avoid unwarranted costs for both SMEs and government cybersecurity efforts. — MUHAMAD SHAHRIL ROSLI/The Star
However, Dr Amirudin adds that while government financial assistance in any form is beneficial, it must be carefully organised to avoid unnecessary confusion and unwarranted costs for both SMEs and government cybersecurity efforts.
“Policies and regulations must be fully utilised to enforce them effectively. Such as defining clear eligibility criteria for accessing financial assistance to ensure that it reaches those who genuinely need support in enhancing their cybersecurity measures.”
Enforcement with education
In the ongoing and endless fight against cyber threats, for now, it is still education and awareness that the government and businesses must rely on. But experts say enforcement efforts must have more bite.
“Authorities must also take the fight to the criminals to deter potential cybercrimes before they happen. An expedient and systematic measure must be in place to assist the tracing and recovery of assets that have been obtained illegally by the criminals,” says Marcus Tan Kian Han, a lawyer who frequently speaks on data privacy and cybersecurity.
Other authorities including the police are also ramping up their efforts against cybercrimes in the form of frauds and scams with Inspector-General of Police (IGP) Tan Sri Razarudin Husain announcing during this year’s 217th Police Day celebration a new department to be set up to focus on digital crimes and technology.
The police will need to work with other cross-border partners including Thailand, Australia, and the United States after pledging to intensify crackdowns on call centres as their operations last year (2023) resulted in the arrest of 2,052 suspected scammers in 266 raids across the country.
And still, the police continue to warn of new tactics being used to dupe victims of their cash. The latest tactic has separated RM1mil from 34 victims last year and more than RM960,000 this year alone. This new tactic called “e-reporting” has scammers posing as police officers pretending to receive a police report from the victim. A range of information would then be divulged by the victim.
Looming AI threat
The worst of artificial intelligence’s (AI) misuse to scam victims remains to be seen but already there are multinational companies and politicians falling victim.
“From fraudulent investment schemes to identity theft and phishing scams, the avenues through which AI can be weaponised against us are vast and ever–expanding,” says Dr Amirudin.
“Stricter enforcement measures are needed. They also need to enhance cybersecurity protocols, and ethical guidelines for AI development and deployment are essential steps in mitigating this growing threat.”
ALSO READ: Check your cybersecurity health
In the entire fabric of cybercrime, the individual is still often the final victims who usually only have their wits and awareness to fall back on.
“What is lacking in law now is the recourse available for victims of cyberscams. Should the banks or telcos or any platform that assisted the fraud be liable? It is unlikely that victims can recover their losses from the frauds as the latter may not be in Malaysia and unlikely to be traceable,” says Foong.
“A proper regulation should be introduced to impose obligations on certain parties.”
Source Agencies
