Malaysian Businesses Dearly Affected by Software Supply Chain Attacks

BlackBerry Limited today revealed new research at the NACSA Cybersecurity Summit, exposing the magnitude of software supply chain cybersecurity vulnerabilities in Malaysian organisations.  The majority (79%) of Malaysian IT decision-makers reported receiving notification of an attack or vulnerability in their supply chain of software in the last twelve months, compared to the global average of 76%, with almost two in five (38%) organisations taking up to a month to recover.

The insights from a global survey of IT decision-makers and cybersecurity leaders, conducted in April 2024 by Coleman Parkes, come after the Malaysian Government officially gazetted its 2024 Cyber Security Act (Act 854) on June 26 and announced its National Semiconductor Strategy (NSS) in May, designed to transform Malaysia into a global semiconductor powerhouse over the next decade. The report findings underline the profound need for secure-by-design software practices for IoT components and robust regulation to bolster security and protect the IT supply chain, in line with plans for investment in skills and technology under the NSS.

The BlackBerry study sought to identify the procedures companies currently have in place to manage the risk of security breaches from software supply chains. Nearly a third of respondents in Malaysia stated that operating systems (30%) and IoT/connected components (19%) are at the most risk and continue to create the biggest impact on organisations.  That risk comes at a price, with financial loss (71%), reputational damage (66%) and data loss (59%) having the most impact after a supply chain attack.

“The BlackBerry study findings further emphasise the criticality of the Cyber Security Act 2024 or Act 854, designed to improve the cyber-resilience of Malaysia’s National Critical Information Infrastructure.  To become a leader in sectors such as semiconductor manufacturing and Artificial Intelligence (AI), Malaysia acknowledges it also shares a global responsibility to protect the software supply chain and ensure secure-by-design practices through improved compliance, technology adoption and skills and training initiatives, like the Cybersecurity Center of Excellence with BlackBerry, to grow our cyber-workforce.  This can better protect key infrastructure, boost business confidence, and aid economic growth through smoother international trade and cooperation,” said the Chief Executive of NACSA, Dr. Megat Zuhairy bin Megat Tajuddin.

“It takes more than trust to protect the software supply chain,” added BlackBerry Cybersecurity CISO, Christine Gadsby. “Encouragingly, progressive global governments like Malaysia are increasing regulatory measures and investment in skills and technology to protect critical infrastructure and key industries from cyber-attacks. Though, in an uncertain geo-political climate, widely distributed sectors like semiconductor manufacturing continue to be a lucrative target for threat actors seeking maximum global impact. Hence why a comprehensive approach to cybersecurity that encompasses all aspects – skilled workers, secure-by-design products and modern AI monitoring tools – will contribute to building trust in key Malaysian industries and future economic growth.”

Malaysia Ranks Highly on Compliance With Certification; Aligning With Goals of The Cyber Security Act 2024 

Malaysian organisations confirmed having strict security measures in place to prevent attacks in their software supply chain, including security awareness training for staff (58%), data encryption (48%), and multi-factor authentication (47%), with vulnerability disclosure further down the list (43%).  Though Software Bill of Materials (SBOMs) rated below this (40%), international regulatory and compliance requirements may see SBOMs rise in importance in the next 12 to 24 months – particularly for manufacturing companies designing and trading technology components with global markets.

Meanwhile, the majority (58%) of IT leaders believe their software supplier’s cybersecurity policies are comparable, or stronger than (37%), those implemented at their own organisation. Only 5% of respondents in Malaysia cited their security is stronger than their partners.  Further, the majority (95%) of respondents were confident in their suppliers’ ability to identify and prevent the exploitation of a vulnerability within their environment, again putting significant confidence in the supply chain.

When it comes to the evidence collection that attests to a supplier’s level of software security to underpin this level of trust, Malaysian IT decision-makers were among the highest globally (60%) to ask for confirmation of compliance certification, followed by Standard Operating Procedures (50%), third-party audits (44%) and self-attestation (40%).

Though of greater concern, just over a fifth (18%) of Malaysian companies ask suppliers for evidence of compliance with security certifications and framework, specifically only once, during the onboarding stage. Additionally, four in five respondents (81%) had, in the last 12 months, discovered unknown members within their software supply chain that they were not previously aware of, and had not been monitoring for security practices.

Malaysian Companies Cite Lack of Technical Understanding As Biggest Barriers To Regular Software Inventories

Encouragingly, many Malaysian IT decision-makers confirmed they perform an inventory of their software environment in near-real time (20%) or every month (33%), only (23%) complete this process every 1-3 months, while one in ten (11%) say their organisation completes this process every 3-6 months.

Companies were prevented from more frequent monitoring by several factors, including a lack of technical understanding (58%), effective tooling (44%), visibility (41%) and skilled talent (40%). As such, more than three-quarters (77%) said they would welcome tools to improve the inventory of software libraries within their supply chain and provide greater visibility to software impacted by a vulnerability.

Christine Gadsby concluded, “Malaysian IT leaders indicated in the survey that human factors such as a lack of skilled talent and technical understanding continue to challenge industries, but it was encouraging to see a high standard for demanding compliance certification when dealing with suppliers. Along with training and upskilling efforts, modern AI-powered Managed Detection and Response (MDR) technologies can also support organisations with 24×7 threat coverage, helping IT teams with fewer resources to tackle emerging threats in their software supply chain and navigate complex security incidents.”

Click here for access to the full survey, and here to find out how AI can help to protect the software supply chain.

To learn more about training courses at the Malaysia Cybersecurity Center of Excellence please visit here.