Latest News/Investor Alert

Corporate News | Industry News

Cybersecurity Malaysia 2025: What SMEs Must Do as Attacks Surge 42%

,

The Threat Landscape Is No Longer Abstract

Malaysian businesses experienced more than 19.6 million cyberattacks in just the first half of 2024, resulting in losses exceeding RM1.22 billion (Deputy Prime Minister Datuk Seri Ahmad Zahid Hamidi, 2024). That is not an annual figure — it is six months.

Ransomware attacks on Malaysian businesses rose 42% year-on-year in 2025 (CyberSecurity Malaysia). In Q4 2024 alone, ransomware incidents surged 78% compared to the previous quarter. Malaysia also ranked as the eighth most breached country in the world in 2023.

These are not numbers that affect only large corporations. Ransomware groups specifically target SMEs because they know smaller businesses are less likely to have robust backups, dedicated security teams, or cyber insurance.

 

Where Breaches Actually Come From

Most successful attacks in Malaysia do not start with sophisticated infrastructure exploits. They start with:

  • Phishing emails that employees trust — still the most effective attack vector by volume
  • Weak or reused passwords, exploited through credential stuffing and brute force
  • Unpatched software — outdated systems are the most common entry point for ransomware
  • Former employee accounts that were never deactivated
  • Mobile apps handling user data, built without security embedded from the design stage

None of these are purely IT failures. They are business process failures — and fixing them requires leadership buy-in, clear policies, and consistent execution across the whole organisation.

 

The Regulatory Stakes Are Rising

Malaysia’s PDPA Amendment Act 2024 introduced mandatory 72-hour breach notification requirements and increased fines to up to RM1 million for data breaches. For financial services businesses, the NACSA Cybersecurity Act 2024 adds compliance obligations for critical information infrastructure providers and their suppliers.

A single breach now carries the risk of regulatory fines, mandatory public disclosure, and reputational damage that outlasts the technical incident. Businesses that wait for a breach to take security seriously are taking on liability they may not be able to absorb.

 

The Controls That Actually Matter

You do not need an enterprise-sized budget to close the most common attack vectors. These five controls address the majority of successful breaches in Malaysian businesses:

  • Multi-factor authentication (MFA): Required for all email, banking, and business system access. Cost starts at zero using free authenticator apps.
  • Patch management: All software, operating systems, and mobile platforms kept current. Unpatched systems are the primary ransomware entry point.
  • Staff phishing awareness training: Regular, tested — not a one-off annual session. This is the single highest-ROI security investment for SMEs.
  • Access revocation policy: Immediate removal of system access when employees leave. Most businesses have no formal process for this.
  • 3-2-1 backup strategy: Three copies of data, two different media types, one stored off-site or in the cloud and isolated from the main network.

 

AppAsia’s Security Heritage

AppAsia has been protecting Malaysian businesses under the Extol brand since 1984. Our managed security services cover threat monitoring, PDPA compliance readiness, digital transformation security reviews, and 24/7 incident response across Malaysia.

If you want to know where your exposure is before someone else finds it, our team in Kuala Lumpur is ready to help.

 

Frequently Asked Questions

What does Malaysia’s PDPA Amendment 2024 require businesses to do?

The PDPA Amendment Act 2024 requires Malaysian businesses to notify the Personal Data Protection Commissioner within 72 hours of discovering a data breach. It also increases maximum fines to RM1 million for data breaches and expands data subject rights, including the right to data portability and the right to be forgotten in certain circumstances. Businesses must have a documented incident response plan and appropriate technical safeguards in place.

Are Malaysian SMEs really at risk from ransomware?

Yes — significantly. Ransomware attacks on Malaysian businesses rose 42% year-on-year in 2025, and SMEs are specifically targeted because they typically lack dedicated security teams, have inconsistent backup practices, and are less likely to have cyber insurance. The average ransom demand on Malaysian businesses now ranges from RM500,000 to RM5 million, and recovery costs from a successful attack (lost revenue, data recovery, reputational damage) typically exceed the ransom itself.

What does AppAsia’s managed security service include?

AppAsia’s managed security offering under the Extol brand covers continuous threat monitoring, vulnerability assessments, PDPA compliance advisory, secure mobile app development review, staff awareness programmes, and incident response support. Services are scoped to business size and risk profile, making enterprise-grade security accessible to Malaysian SMEs without requiring a full internal security team.

,