How Malaysia is securing its critical data

By Ranamita Chakraborty

Dr Maslina Daud, Senior Vice President, Cyber Security Proactive Services Division, CyberSecurity Malaysia, shares how Malaysia is securing its critical data and disposing of them safely.

Costa Rica recently declared a state of emergency after a major ransomware attack. Hacking organisation Conti exploited gaps in the country's public cybersecurity infrastructure to steal sensitive data and demand a US$20 million ransom. This disrupted government services and digital public platforms for over a month.

It is clear that a new age of catastrophic cyberattacks has begun. It is critical for government and private sectors to bolster their cybersecurity approaches as threats escalate. This is where CyberSecurity Malaysia plays a crucial role in developing Malaysia’s cybersecurity environment as the country's reference centre for cybersecurity.

Dr Maslina Daud, Senior Vice President, Cyber Security Proactive Services Division, CyberSecurity Malaysia, shares Malaysia's cyber defence approach for securing critical data and disposing of them safely.


A proactive approach to cybersecurity


First, it is important for organisations to be proactive in managing their cybersecurity so they can be resilient to cyber threats, says Daud. Organisations typically take cybersecurity matters seriously only after they have been attacked or after security breaches occur.

New tech such as AI, IoT devices, and 5G have created a risky environment for organisations to operate. For instance, AI systems can be compromised and data from IoT devices running on 5G could leak easily without authentication mechanisms in place, says Daud.

As the head of the Proactive Services Division, Daud’s role is to assure trust and confidence in the Malaysian cybersecurity space. Her team works to prevent cybersecurity breaches and minimise impacts should they occur.

To counter cyber threats, organisations can implement a variety of security measures. These include conducting risk assessment exercises consistently and reviewing security logs regularly, explains Daud. Through such measures, organisations can minimise chances for cyber attackers to exploit system weaknesses.

Most organisations consider money spent on security measures as expenses, highlights Daud. Instead, they can view it as an investment that gives them returns in the form of increased resilience.

Cybersecurity cannot be treated as an afterthought just because it may be expensive, she adds. Preventing cyber attacks is cheaper than paying for damages following an attack, she notes. For instance, attacks may affect the reputation of organisations which can eventually devalue stock prices. Instead, organisations can practice cost benefit analysis when selecting cybersecurity controls if there is a budget constraint, suggests Daud.


Data classification protects data


Second, classifying data correctly is a key way organisations can better secure critical data. It allows them to know the value of their data and understand the implications of data corruption or loss. It also helps them comply with data protection requirements set forth by their regulatory bodies.

Data classification is one of the listed cybersecurity controls under the international standard Information Security Management System (ISMS). It categorises data based on its type, sensitivity, and value to the organisation. Methods like modifying sensitive data and data encryption can protect different types of data.

Different classes of data require different levels of protection. When data is underclassified, it leads to insufficient protection and when it is over classified, unnecessary costs are involved in protecting them. Having a full understanding of data allows organisations to protect them from threats, says Daud.


Secure data disposal


Next, it is also important to destroy sensitive data in a secure way because data owners are put at risk if such data is not disposed of properly. Organisations may handle data that is no longer required differently depending on how securely classified the data is. They usually perform physical destruction when disposing of data, says Daud.

However, it is crucial for organisations to establish their own security processes when dealing with third parties that are contracted to perform data disposal, notes Daud. These processes need to provide a high level of assurance that the data is no longer readable and accessible.


Best practices for cybersecurity


Finally, organisations can adopt best practices in cybersecurity by adhering to security guidelines, says Daud.

For instance, government agencies in Malaysia observe guidelines on information security management for cloud computing issued by the Chief Government Security Officer’s Office. These guidelines include recommending agencies to perform risk assessment for understanding possible security risks and implementing security controls to mitigate them.

Additionally, government agencies refer to the National Trusted Cryptographic Algorithm List also known as MySEAL to securely encrypt data, shares Daud.


Upcoming security projects


CyberSecurity Malaysia is currently seeking to instill trust and confidence among the public on biometrics and digital identity initiatives. The agency is working on data projects evaluating biometric security for mobile devices which is focused on personal verification and remote authentication capabilities, shares Daud.

The agency is also coming up with a blockchain security assessment initiative which could allow organisations to fix any potential weaknesses in their blockchain-based applications, she adds.

In this age of sophisticated cyberattacks, it is crucial for organisations to take a proactive approach to cybersecurity and govern it properly. They can do so by classifying critical data, disposing of data securely and adhering to security guidelines. Such practices can help them mitigate and detect cyber attacks and threats efficiently.