Malaysia's cyber risks are shifting faster than many organizations expect
Cyberattacks in Malaysia are lasting longer and arriving through indirect paths such as suppliers and partners, explains Jeremy Moke, Senior Director at Ensign InfoSecurity Malaysia.
Malaysia's digital economy is expanding quickly, and with it comes a changing set of cyber risks. Growth in digital services, cross-border connectivity, and reliance on third parties have altered how attacks unfold, and how long they stay hidden.
According to Jeremy Moke, Senior Director at Ensign InfoSecurity Malaysia, the problem is not only the volume of attacks, but how quietly and indirectly they now happen.
"Large organizations may feel secure against traditional categories of 'state actors' or 'cybercrime,' yet are blindsided by persistent, indirect attacks that occur within the cyber supply chain," he said.
Malaysia's push to become a regional digital hub has made the country more visible to threat actors. National programs such as MyDIGITAL and the New Industrial Master Plan 2030 have accelerated digital adoption across sectors, but that speed has also exposed gaps. Many organizations now operate across fragmented, multi-vendor environments that are hard to monitor as a whole.
A single breach at a trusted partner can be enough.
"A compromise at a law firm, consultancy, software provider, or even an IoT or OT hardware vendor can ripple through corporate networks," Moke said. "Sensitive data can be exposed without triggering internal alarms."
Time has become a weapon
One of the clearest warning signs, Moke said, is how long attackers are staying inside networks before they are detected.
Across Asia Pacific, Ensign's latest Cyber Threat Landscape Report shows maximum dwell time increasing from 49 days to more than 200 days year on year. That time allows attackers to move quietly, extract data, and set up long-term access.
In Malaysia, sectors newly targeted by attackers are seeing similar patterns. The banking, finance, and insurance sector recorded an average dwell time of 21 days, while business and professional services saw an average of 24 days.
"These timeframes give threat actors enough room to steal data, move laterally, and entrench themselves before containment even begins," Moke said.
While many organizations have improved basic security controls, third-party access remains a weak point. Attackers no longer need to break into the main target directly. They look for the least protected connection in the wider ecosystem.
"In highly interconnected markets like Malaysia, attackers increasingly exploit the weakest link rather than the primary target itself," he said.
AI is changing both sides of the equation
Malaysia's growing role as a digital economy player is also speeding up the use of artificial intelligence, by defenders and attackers alike.
Moke expects AI-powered threats to increase overall attack volume in the region. By lowering technical barriers, AI tools allow threat actors to scale reconnaissance and exploitation faster than before.
"AI enables threat actors to expand their operations by making advanced techniques easier to use and repeat," he said.
At the same time, he warned that buying AI-enabled security tools is not a shortcut to better defense.
"Poorly governed or superficially integrated AI can automate bad decisions and introduce new attack surfaces," Moke said.
The value, he explained, lies in how AI is used, not whether it is present. When applied with clear intent, AI can help teams anticipate threats, prioritize alerts, and disrupt attacker movement. When treated as a standalone upgrade, it often adds noise.
The rise of agentic security systems
Long dwell times, decentralized attackers, and AI-driven techniques have created conditions for what Moke described as agentic security systems. These are systems that do more than alert human teams. Under defined oversight, they can take action.
"These systems can isolate compromised assets, correlate weak signals across environments, and reduce response times," he said.
But he stressed that this approach is not simple to deploy.
"Agentic AI is not plug-and-play. It is intent-driven, deeply integrated into human workflows, and governed by strong oversight to prevent unintended consequences."
Successful use depends on digital maturity, reliable data, and clear governance. Board-level involvement is also critical, especially when automated systems are allowed to act within live environments.
Early adoption in Malaysia is likely in sectors where prolonged attacks pose wider risks, including defense, critical infrastructure, utilities, energy, and telecommunications.
"Across industries, AI enhances human capability but does not replace judgment," Moke said. "Ethical oversight, scenario planning, and engagement with regulators remain human responsibilities."
Compliance is not the end goal
Malaysia has taken steps to strengthen its cyber framework, including the Cyber Security Act 2024, updates to the Personal Data Protection Act, and tighter oversight of national critical infrastructure.
Moke views these moves as necessary, but not sufficient.
"Compliance alone does not create resilience," he said. "True resilience comes from understanding how attackers behave, testing supply chains under stress, and governing cyber risk at the board level rather than leaving it solely with IT teams."
He added that collaboration between industry, regulators, and infrastructure operators will play a central role in closing gaps that individual organizations cannot address alone.
What 2026 will reward
In 2026, Moke believes organizations that rely on static, perimeter-based defenses will struggle to keep pace. Attackers no longer respect clear boundaries, and defenders cannot afford to either.
"Organizations that combine agentic AI with experienced human judgment, hunt threats across ecosystems, and disrupt adversary supply chains will set the next standard," he said.
Cybersecurity, he added, is no longer a purely technical issue.
"It has become inseparable from business risk. Those that act decisively now are protecting trust and continuity, not just systems."