KPMG: Businesses still not prepared for rapid recovery after a cyber-attack

High-profile cyber-attacks highlight the need for appropriate cyber recovery capabilities

PETALING JAYA, 31 January 2023 – Businesses today are making good progress in developing cyber prevention and response programs. However, latest reports from global professional services firm, KPMG, found that appropriate recovery capabilities continue to be lacking as business-continuity planning is not keeping pace with the evolving cyber threat landscape.

Ransomware attacks, which spread across the network and encrypt data, are soaring worldwide. Organizations in Malaysia are caught in the same net, as evidenced by the ransomware attack reported in November 2022 involving a leading budget airline, which compromised the personal data of five million passengers and employees.[1]

Ubaid Mustafa Qadiri, Head of Technology Risk and Cyber Security at KPMG in Malaysia, commented, “When an attack strikes, the initial 72 hours are critical to grasp the scope of the attack. Businesses tend to underestimate the effort it takes to address the initial impact on operations and costs immediately after a cyber-attack. And too many organizations wrongly assume that recovery will require several weeks to return to business as usual — when the reality is that it may take several months or more.”

“While many businesses are racing to enhance prevention and response programs, they also need appropriate recovery capabilities to minimize disruption to the business. Recovery measures to restore operations quickly require a precise assessment to determine that the initial underlying threat has been eliminated. This can become a complex task amid the immediate need for response measures that include shutting down internal systems and key elements of the business network, along with rushed policy changes,” he advised.

This is particularly critical in the Operational Technology (OT) domain, where physical processes are typically involved. In context, businesses engaged in manufacturing, mining, oil and gas, utilities and transportation rely heavily on OT to connect, monitor, manage and secure their industrial operations. OT security is becoming vital today as OT is integrated with IT to create IT/OT convergence. Because IT and OT networks can no longer be separated, attacks on IT affect OT and vice versa. This offers attackers a wider attack surface and makes a comprehensive security approach crucial.

There were also high-profile cyber incidents reported in Malaysia last year involving large-scale data thefts and leaks. These include the theft of the personal data of 22.5 million people from the National Registration Department (NRD)[2], and the illegal extraction of nearly two million pay slips and tax forms from the civil servants’ ePenyata Gaji (ePaySlip) system[3]. According to the Communications and Digital Ministry (KKD), almost RM600 million in losses were recorded throughout 2022 as a result of cybercrime in the country[4].

The KPMG Cyber Trust Insights 2022 report, which surveyed 1,881 executives worldwide, revealed that Chief Information and Security Officers (CISOs) are optimally placed to help their organizations navigate these challenging waters. However, many are struggling to fulfill them as they still lack a clear mandate to protect their organizations and data, as 73 percent of businesses in Asia-Pacific (ASPAC) said their CISOs do not have the influence they need to protect their organizations fully.

Further, almost two-thirds of respondents from ASPAC (63 percent) say that information security is seen by their organizations as a risk-reduction activity, rather than a business enabler. And 55 percent say that senior leaders do not understand the competitive benefits that are possible due to enhanced trust that is enabled by better information security.

“Investing in appropriate protection is the cost of doing business today. Businesses of all shapes and sizes are ramping up data collection, expanding the use of new technologies and embracing ESG. This is happening while increasingly stringent regulatory standards are being put in place, with the 2023 Regulatory Framework on Technology Risk Management for businesses to consider before long[5], which is expected to be released by the Securities Commission Malaysia this year.

“Against this backdrop, the role of CISOs needs to be reimagined and evolved. CISOs need stronger support from senior leaders. They should be empowered to deliver change, collaborate with the wider ecosystem, and build internal alliances; essentially, the CISO is key to building digital trust,” Ubaid concluded.

Media queries?

For media-related queries, please email