Inside Malaysia’s ongoing journey to achieve cyber resilience

Image courtesy of Hewlett Packard Enterprise

2020 saw the launch of the Malaysia Cyber Security Strategy (MCSS) 2020-2024, complete with a budget of 1.8 billion ringgit (about $429 million USD) to step up national cybersecurity preparedness. Notably, the MCSS went beyond the usual talk of cybersecurity defenses and framed the issue in terms of cyber resilience – the ability to not only repel and defeat attacks, but to withstand the impact of successful attacks to minimize disruption.

In other words, the MCSS showed that Malaysian government was aware not only of the need to take cybersecurity seriously in this hyperconnected world, but also that the cybersecurity threat landscape has grown well beyond what traditional security postures are capable of handling – and that a successful hack was a matter of when, not if. Thus, it is imperative for the Malaysian government and enterprises operating in the country to work together to rethink their security strategies and embrace the concept of cyber resilience, powered by an end-to-end, zero-trust architecture that enables them to not only detect and prevent attacks from unknown threats and evolve as the landscape evolves, but also to recover from attacks quickly with minimal or no disruption to the business.

The question, of course, is how Malaysia’s CXOs can actually go about doing that. Panelists at a recent webinar hosted by Hewlett Packard Enterprise (HPE) explored the topic of cyber resilience and how it can be implemented under the MCSS.

Here’s what they said.

Inside the MCSS

The natural starting point of the discussion was the state of cybersecurity in Malaysia and how the MCSS is designed to address it.

Dato’ Dr Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia, pointed out the cybersecurity threat landscape has evolved quickly due to a number of factors, from the increasingly complexity of digital networks to the rise of remote working that was fueled by the pandemic.

In essence, said Dr Amir, the “new normal” for cybersecurity is a landscape where more people are working remotely and using collaboration tools on home devices, while more business apps are migrating to the cloud and e-commerce is more popular than ever – all of which are expanding the attack surface for potential cyberthreats.

Indeed, added Dr Amir, cyberattacks are on the rise – MyCERT recorded 10,790 incidents in 2020, the highest level in at least 10 years. By far the biggest category for cyberattacks is fraud, which includes phishing, scams, and online fraud. “Out of 10,790 cybersecurity cases reported in 2020, almost 7,600 involved fraud of some kind,” Dr Amir said. Rounding out the top five types of attacks: intrusion (which includes hacktivism and web defacement), malicious code (i.e. malware attacks, including ransomware), content related attacks, and cyber harassment.

That trend isn’t going to slow down anytime soon, and as the level of attacks keeps rising, sooner or later an attack is going to succeed, and eventually it’s going to happen to every organization in Malaysia at some point, Dr Amir predicted.

“No matter how secure is an organization, there is no such thing as 100% secure. So it’s no longer the question of how to secure oneself from being attack,” Dr Amir said. “What is more important is that the organization tries their best to strategize in order to lessen the impact due to cyberattacks. It is crucial to know how to act and recover, or bounce back once attacked.”

Hence the shift in focus from cybersecurity to cyber resilience.

To that end, in March 2021, CyberSecurity Malaysia launched the SiberKASA initiative, a holistic ecosystem approach that leverages people, process, and technology to create a highly adaptive and cooperative cybersecurity framework. “Cooperative” is perhaps the key term here: SiberKASA relies heavily on a public-private partnership approach in which every organization in the digital ecosystem has a role to play.

“One thing that we need to understand in this cybersecurity ecosystem is that we cannot work alone,” Dr Amir emphasized. “No one has the ability to do everything, especially in terms of these borderless cybersecurity threats. So it’s very important for us to work together, whether public, private, or academic.”

Dr Amir offered the 2017 global WannaCry ransomware attack as an example of the importance of collaboration and sharing information. As WannaCry spread from Europe to Asia and elsewhere, organizations like MyCERT and APCERT were sharing information with their counterparts in other regions to find out how WannaCry was affecting them, how they were managing it, and how they were resolving it.

“We need an ecosystem of engagement to enhance our capabilities to share information and coordinate in terms of how we respond to incidents, and at the same time build capabilities in terms of innovative research, work, capacity-building, etc,” Dr Amir said.

Cyber resilience and digital transformation

Yogesh Hinduja, Worldwide Cybersecurity Lead at HPE, offered an additional deep dive into the cyber resilience concept, which he sees as essential for enterprises to embed into their digital transformation strategies. Put simply, he said, cyber resilience isn’t IT security with a business continuity/disaster recovery plan stapled on. Rather, HPE sees cyber resilience as one of three pillars for enterprises to implement their overall digital transformation strategy.

The second pillar is a zero-trust architecture – which is not another solution to buy, but is more of a journey towards a security-by-design concept in which you start with a closed ecosystem, and then decide which bits to open up and to whom.

“It’s like going to the airport and boarding a plane,” said Bruce Chai, Head of Threat Prevention for Southeast Asia and Korea at Check Point. “There are all these checkpoints along way to make sure only passengers with valid tickets get through, that they’re not carrying anything harmful, and that they only get on the specific flight they’re supposed to have access to board. That’s really the whole idea behind zero trust: how do I give you the minimum amount of permission to do what you are supposed to do, but nothing else?”

The third pillar is security transformation and modernization, which HPE describes as “advancing security as a business and technology enabler to achieve faster time to value”. In practice, that means developing both a security reference architecture to improve security maturity and readiness, and a roadmap for getting there – again, all of which should be aligned with your overarching digital transformation strategy.

How to get started

Naturally, Malaysian enterprise CXOs will look at the MCSS and the cyber resilience concept and think, “Okay, but how do I actually do that, and where do I start?”

The simple answer: wherever you can, and one step at a time.

Dr Han Ping Fung, GEMs HPE Pointnext Enterprise Architect at HPE, recommended a four-pillar approach to migrate to a cyber resilience strategy:

  1. Identify – perform holistic risk management for the entire organization.
  2. Protect and detect – a more proactive approach whereby you input, design, build, and operationalize your cyber resiliency programs in your organization.
  3. Respond – in the event of any cyber crisis, organizations need to be able to isolate, prioritize, and communicate before the stakeholders are involved, and call in partners and third-party experts if required.
  4. Recover – this includes business continuity, disaster recovery, and procedures, which have to align with the threat landscape and company requirements (i.e. internal/external audit, government records, etc.).

“CXOs don’t need to do everything as a one-off, but they need to go through these steps periodically, and continually improve their organization’s cyber resiliency posture to keep risks and threats to a minimum,” Dr Fung suggested.

As for how to implement a zero-trust architecture, Bruce Chai of Check Point said the best place to start is to engage a trusted partner to help uncover the security gaps in your organization, where the greatest risk lies, and where you should implement first.

Once those gaps are identified, Chai recommended consolidating security vendors as the next step. “On average, enterprises have over 40 different security vendors, and their products may not be speaking to each other, and they may not necessarily overlap. So the more security products you have, the more gaps you have, and that is where the attacks get through. There’s no single vendor that can achieve zero trust, but you want to minimize the number of vendors that you have in your environment, do it in the most cost-effective manner, and in a way so all the products can interact with each other.”

Meanwhile, said Adesh Gupta, Regional Director, Global Account Sales for Intel Technology Asia, like digital transformation itself, cyber resilience is as much a mindset and a cultural shift as a technology solution or strategy.

“Security is not a one-time event or a project – it has to constantly evolve in new ways, because the threats constantly evolve and adapt to your defenses,” Gupta said. “So it’s extremely important for us to create a culture of security in the organization. That has to start with each and every employee of the company, so that you create an environment in which they not only understand the importance of strong cybersecurity, but they also actively participate in creating an organization resistant to cyberattacks.”

CXOs should also understand that security culture takes time, effort and stamina to build up, Gupta added. “It’s a journey, and it takes a strategy. It has to be consistent; it has to be disciplined; there has to be buy-in from senior management all the way from the top of the organization; and most importantly, it must be visible across the organization. By taking appropriate steps to build and reinforce a culture of security, we believe that we’ll be well prepared to push the organization credentials and drive the business forward.”