Cybersecurity Challenges that Small and Medium Enterprises Faced and Its Way Forward

Article by:

Dato’ Ts. Dr. Haji Amirudin Abdul Wahab FASc
Chief Executive Officer
Cybersecurity Malaysia



The government has embarked on a progressive program that assists Small and Medium Enterprises (SMEs) to grow and prosper in a very challenging business environment. SMEs are normally family-run or traditionally run businesses that deal in local and traditional products, and some are run from family homes. As reported in the 12th Malaysia National Plan, SMEs have contributed 38.2 percent or RM512.8 billion to GDP, and their development has grown steadily over the years. In fact, some SMEs have managed to expand their businesses and become successful in terms of output and profitability.

With the advent of the Digital Economy as envisaged by the government and promoted by the Malaysia Digital Economy Corporation (MDEC), the challenge faced by the government is to encourage SMEs to embrace digital technology as the way forward, in line with the current technology brought forth by the Industrial Revolution 4.0 (IR4.0). The other challenge is to make SMEs aware of the cybersecurity culture and encourage them to embrace it as a means to protect their businesses from potential cyber-threats and cyber-attacks.


The global population currently stands at 7.77 billion people and there are currently 4.6 billion Internet users globally. That is already a healthy 59.20 percent of the total population. As of January 2021, there were already 27.43 million Internet users in Malaysia. In addition, the Internet penetration in the country has stood at 84.2 percent.

The statistics mentioned above show that today the world is highly connected to the Internet. Furthermore, there has been an increasing reliance on information and communications technology (ICT) as a vital tool for nations to progress economically, socially, and politically. Increasing connectivity via the Internet opens up vast potential for knowledge-sharing and wealth creation, as well as providing opportunities for increasing prosperity among citizens.

A faster Internet connection enables a business organisation to intensify its business by venturing into a variety of e-activities such as e-commerce, e-training, e-procurement, e-learning, and e-tendering. In the digital economy, a faster Internet connection and highly reliable network connectivity augur well for ensuring that business transactions and trade are done seamlessly online. The Internet also improves organisational productivity, enhances efficiency, reduces costs, enables the production of more goods and services, and fosters innovation. It also fosters economic growth for the country.

As a result of Malaysia’s Internet and mobile connectivity, Malaysia has a high rate of e-commerce usage. The e-commerce industry has grown into one of Malaysia’s most significant and competitive industries. Malaysia presents a unique opportunity for businesses, as 75 percent of Internet users spend their money via e-commerce, with 58 percent spending through mobile commerce platforms. Based on a report by the Department of Statistics Malaysia, e-commerce grew 23.3 percent year-on-year to RM267.6 million in the second quarter of 2021. Revenue is also expected to show an annual growth rate of 15.32 percent, resulting in a projected market volume of USD11.35 million by 2025.


The Small and Medium Enterprises (SMEs) account for about 97.2 percent of Malaysia’s total business establishments in 2020 and contribute over 38.3 percent of the nation’s Gross Domestic Product (GDP). SMEs’ shares to total employment and exports of the country are at 66.2 percent and 17.3 percent respectively. Based on the industry’s contribution to the country’s GDP and employment opportunities, it is very important to recognise the pivotal role that SMEs play in our economy.

In order to spur digital economic growth, the government has launched several programs and initiatives with the aim of enhancing SMEs’ ability to harness the Internet and the various online economic platforms. The Malaysia Digital Economy Corporation (MDEC) currently offers four solutions for SMEs: the SME Business Digitalisation Grant, 100 Go Digital, the SMART Automation Grant (SAG) and Digital Xccelerator. Through these programs and grants, SMEs can grow and reap the benefits by:

a. Learning new digital skills.

b. Enhancing the customer experience.

c. Increasing business efficiency.

d. Gaining new markets.

e. Potentially reducing operating costs.

f. Providing free promotion for businesses.

A special survey conducted by the Department of Statistics, Malaysia (DOSM), “Effects of COVID-19 on the Economy and Companies/Business Firms”, showed that 67.8 percent reported no revenue during this period, a small portion of 12.3 percent generated their sales online, while 9.8 percent still earned their sales through physical shops. Therefore, SMEs in Malaysia must transition towards the digital era. This is to ensure that most SMEs are not left behind and are prepared for any potential cyber-attacks to come.


The global cybersecurity landscape has evolved with the emergence of Industry 4.0, Big Data, Cloud Computing, Quantum Computing, Autonomous Vehicle, Nanotechnology, Fintech, Blockchain, Artificial Intelligence (AI), Machine Learning, Deep Learning, Virtual Reality, Augmented Reality, Internet of Things (IoTs) devices, Bring Your Own Device (BYOD), etc.

The advent of digital technology offers a lot of advantages, especially to businesses, SMEs included. Among the changes that have occurred are cashless transactions, the introduction of e-wallets, advanced security verification, online shopping, mobile banking and a few others. For major businesses, the gradual migration to digital technology is seen as a means to better business and seamless transactions that make managing a business reliable, convenient, and transparent.

However, for most, if not all, SMEs, the rapid changes brought by the development of technology have been overwhelming, to say the least. Most SMEs are cottage-based industries or family-run businesses, and most of the owners are not really tech-savvy. Hence, the move towards digital technology looks insurmountable to some SME owners. Despite the convenience of doing business with digital technology and the Internet, most SME owners believe that adopting and migrating to digital technology would cause further expenses for them.


The path towards full digitalization, or reaching the 4th Industrial Revolution era, contains various degrees of challenges and risks. The most common one is cybersecurity and the threats it poses. Cybersecurity is ingrained in today’s environment, but many are unaware of its existence and its practical uses within organisations and nations.

Figure 1: MyCERT Cybersecurity Incident Statistics

The Internet also brings challenges and downsides for individuals, groups, institutions, organisations, and nation-states as a whole. These concerns extend to SMEs; a major one is that SMEs are perceived to lack information security awareness, which results in haphazard management of their information and digital assets.

What SMEs and other businesses have feared most in recent years is business disruption caused by cyber incidents, threats and attacks. Thus, cybersecurity is always an issue for business organisations. Most Malaysians still have doubts about doing business online because they have trust issues when conducting business virtually. This is one of the setbacks that hinder the implementation of digital technology, especially among SMEs.


There have been many cyber-related incidents in Malaysia in the past few years, affecting not just citizens but also organisations, to the detriment of their brands, reputation and the trust of their customers and stakeholders.

Figure 2: SME being attacked more frequently

Emerging cyber-threats have become a lot more sophisticated and disastrous, and pose serious risks and challenges to individuals and nations. Some of the cyber-threat actors that SMEs face are hackers, employees, compromised internal accounts, third-party contractors, business partners, business competitors, organized crime groups, terrorists, foreign governments, etc. Apart from that, SMEs are concerned with personal identity theft and cyber-attacks that affect their businesses’ confidential data, privacy, and money.

Figure 3: Why SMEs are common targets for cyber-criminals

The common types of cyber-attacks against SMEs are physical theft, access abuse, phishing attacks, social engineering, data breaches, supply chain attacks, insider threats, malware attacks, ransomware attacks, Distributed Denial of Service (DDoS) attacks, Internet of Things (IoT) hacking, biometric hacking, chatbot hacking, etc.


The recent rapid growth of e-commerce was due to the COVID-19 pandemic, which forced most businesses to go digital and conduct business online using the various available platforms. From 2020, when the first cases of COVID-19 were detected, most malls, shops and businesses were forced to close during the Movement Control Order (MCO). This forced businesses to embrace the new normal of doing business online instead of through brick-and-mortar shops.

For many SMEs, digitising the organisation was not a priority before the COVID-19 crisis hit, due to cost factors and the lack of an immediate need. But as a result of the pandemic, some of these businesses have had to unexpectedly fast-track their digital transformation journey in order to survive. Limited experience in adopting new technology and securing it, along with the massive shift to remote working due to lockdown, has made SMEs vulnerable to an increased threat of cyber-attacks.


There are a few cybersecurity measures that can be taken into consideration to protect SMEs. Firstly, leaders and employers have to set an example by following effective and standardised cybersecurity best practices. SMEs also need to strengthen authorization and access control for their premises and their system networks. SMEs should also control physical access to their computers and create user accounts for each employee.

SMEs should also limit employee access to data and information, and seek advice on the relevant software to be used on their corporate devices and systems. SMEs should also monitor their systems and set up firewalls and alerts or red flags for any suspicious activities. This is to protect their information, computers, and system networks from cyber-attacks. They also need to update and back up their files regularly.

SMEs need to embrace and engage with cybersecurity awareness programs, and employees need to participate in the cybersecurity awareness training that their employers conduct. Other than that, SMEs need to create a mobile device action plan, apply strong passwords, and have an authentication policy in place, implemented as soon as possible.

SMEs need to adopt a more adaptive, innovative, aggressive, and proactive approach to stay ahead of cyber-threats. SMEs are encouraged to face the challenges effectively with dynamic approaches, inter-agency cooperation, and stronger public-private partnerships. Besides, the need for cybersecurity encompassing people, process and technology is critical, and this need will continue to grow for many more years to come. All in all, there is an urgent necessity to enhance domestic and international collaboration in information sharing, practical legal and technical approaches, capacity building, and cybersecurity awareness and education.


In this complex and connected digital age, traditional cybersecurity measures are no longer enough. There is no 100 percent security for public and private organisations, academia, or a country as a whole. It is no longer a question of how to secure oneself from being attacked. It is just a matter of time, or of when, they will suffer a cyberattack. It is better to assume that attackers will eventually break through the organisation’s defences.

More importantly, the organisation should work on a strategy to reduce the impact of cyber-attacks. This is called being cyber resilient. Therefore, Malaysia, as a nation, has successfully adopted a holistic approach to enhance the security of its cyber environment. At the same time, as part of the global community, Malaysia also aims to strengthen its international cooperation to respond to global cyber challenges. With such an approach, we hope to be able to benefit from and take advantage of a secure, resilient, and trusted cyber environment.

Enterprises today need to adopt and implement a digital environment to ensure their businesses are able to reach customers speedily and expand globally. The adoption of digital platforms also comes with risks, particularly those related to cyber-threats. As daily operations move towards digital, the threat will rise concurrently, as perpetrators take advantage of the increased number of users online.

For example, with the promotion and development of IoT technology, a huge number of devices will be interconnected over the Internet, creating vulnerabilities and loopholes that give advantages to the attacker. Based on a study by a research firm, IHS Markit, the IoT market will grow from 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and more than 75 billion in 2025.


CyberSecurity Malaysia (CSM) is a technical specialized agency under the purview of the Ministry of Communication and Multimedia Malaysia. CSM has established 40 services across cybersecurity domains covering responsive, proactive, capacity building, strategic research and engagement. CyberSecurity Malaysia could provide technical advice and professional technical assistance with regard to providing a safe and secure cybersecurity ecosystem to SMEs.

Figure 4: SiberKASA Services

Among CyberSecurity Malaysia’s initiatives was the introduction of SiberKASA, which was launched by the Minister of Communication and Multimedia on 23 March 2021. This initiative is aimed at developing, empowering, sustaining and strengthening the cybersecurity infrastructure and ecosystem in the country to ensure network security preparedness.

CyberSecurity Malaysia provides a holistic approach that identifies potential threats to organisations and their impact on national security and public well-being. Secondly, CyberSecurity Malaysia also assists in the development of cyber resilience by having the capability to safeguard the interests of its stakeholders, reputation, brand and activities, to create value for the nation. Some of the services available at CyberSecurity Malaysia are the Cyber Security Emergency Services, which include the Cyber999 Hotline for reporting incidents, Security Quality Management Services, Information Security Professional Development and Outreach, and Cyber Security Strategic Engagement and Research.

CyberSecurity Malaysia has come up with some cybersecurity guidelines and has made them available to the public. The guidelines are prepared for the purpose of maintaining ethical use of the Internet and also to safeguard the interests of certain groups such as children, youth, parents, individuals and organisations. The guidelines cover several areas such as Cloud Computing, IoT, Industrial Revolution 4.0 and a few others.


The government is working very hard to improve the standard of living of the poor in the country. The government also ensures that people who are involved in the SME industry are given the opportunity to be independent, to grow their businesses and at the same time to be resilient despite the economic setback due to the COVID-19 pandemic. On the other hand, the government is also encouraging SMEs to embrace the cybersecurity ecosystem to safeguard their businesses from any potential cyber-threats or cyber-attacks.

One of the challenges that the government is facing is changing the SMEs’ mindset to accept change, especially in the digital era. The move towards complete digitalization in the economic sector is long and hazardous, and more difficult still for SMEs. The mindset is that embracing digitalization would mean spending more money on equipping their cottage industries with an Internet network, proper gadgets, and connectivity.

In the current environment, SMEs are very vulnerable to cyber-threats and cyber-attacks. Any cyber-attack on an SME would cause it to suffer losses and shut down business. An SME cannot stand alone and be independent in the digital landscape because, in the cybersecurity ecosystem, its systems are very much linked to other entities in the business ecosystem such as stakeholders, partners, suppliers, investors, and customers. If one link is broken anywhere in the ecosystem due to a cyber-attack, the others will be weakened too, and business will suffer. It is important to adopt cybersecurity technologies that are predictive, proactive and responsive.


With the COVID-19 pandemic threat around the world, a digital platform will be the best approach for organisations to reach their customers and promote their products and services. Most people assume that the function of cybersecurity is to reduce the risk of cyber-attack. However, it is time for management to look at cybersecurity as a growth enabler rather than a growth constraint.

A sound and solid cybersecurity strategy must promote the innovation and customer trust that are essential for continued growth. A well-developed cybersecurity strategy keeps the operational wheels of business rolling. Agile organisations will have the advantage by using cutting-edge technologies to produce better products, services, and customer experience. This includes technologies related to cloud services, big data, IoT, etc. Security needs to be embedded in these technologies to reduce vulnerability.

With the right strategy and policy, SMEs will be able to ensure resiliency if a cyber-attack were to happen. The technologies will be able to assist the business to recover and continue operating as usual. Effective cybersecurity is needed to enhance product integrity, customer experience, operations, regulatory compliance, brand reputation, and investor confidence.

It is no longer a question of whether SMEs will be attacked but more of a question of when it will happen, and how your organization is going to prevent it. Organisations need to implement the predictive, preventive, responsive and recovery strategy in facing cyber-threats.


  1. Twelfth Malaysia Plan, 2021 – 2025 (
  2. Department of Statistics Malaysia (DOSM), “Report of Special Survey ‘Effects of COVID-19 on the Economy and Companies/Business Firms’”. Accessed: December 2020
  3.
  4. yoy-rm2676b-2q (Department of Statistics Malaysia Official Portal (
  5.