The People Problem: Why Cybersecurity Starts With Your Staff
When we think of cybersecurity, most of us imagine AI tools, firewalls, or endpoint protection. But despite all that blinking tech, the real wildcard is still the human behind the keyboard.
In Malaysia and across the Asia Pacific region, cyber investment is on the rise. Over 60% of Malaysian organisations plan to increase their cybersecurity budgets by up to 10% in 2025 alone.
But what good are those dollars if one employee falls for a phishing email? Or if your overwhelmed security team misses a threat buried in a flood of alerts?
A local reality check
Malaysia continues to be a ripe target. Smartphone use is among the highest in the region, and cybercriminals are well aware.
In just the first quarter of 2025, CyberSecurity Malaysia reported 1,657 cyber incidents, a 7% increase over the previous quarter, with 68% involving fraud. The Royal Malaysia Police (PDRM) recorded RM1.919 bil in losses from 47,854 online fraud cases as of Sept 2025.
The biggest problem? Humans. Always have been. Always will be.
Sophos’ 2025 Future of Cybersecurity in Asia Pacific and Japan report pulls back the curtain on what’s happening inside Malaysia’s cyber defence teams.
22% of local professionals frequently experience burnout, with another 68% occasionally feeling the same. The result? Slower response times, mistakes, and an overall weakened cybersecurity posture.
Burnout isn’t just a wellbeing issue—it’s a breach waiting to happen.
Build people, not just systems
So how do we plug the human-shaped hole in our defences? It comes down to treating people like part of the solution, not just a risk to mitigate. That means building a workforce that is:
Aware and empowered – Malaysia’s threat landscape is unique. Employees need practical, localised training that speaks to real-world scams from SMS phishing to WhatsApp impersonation. Security shouldn’t be a tick-box exercise. Make it relevant. Make it stick.
Supported by smarter technology – No tool can compensate for fatigue. But AI-powered Managed Detection and Response (MDR) can at least take the grunt work off your team’s plate—triaging threats, escalating real issues, and filtering the noise so your humans can do what they do best: think.
Part of a shared culture – Right now, only 25% of Malaysian organisations have dedicated security teams separate from IT. That’s a missed opportunity. Cybersecurity is a team sport. From HR to finance to marketing, every department should understand their role. And leadership needs to model that mindset.
Changing the cyber narrative
There’s a glimmer of hope: a growing number of Malaysian businesses are recognising that cybersecurity isn’t just an IT issue—it’s a business risk. That more than 60% of organisations plan to increase their budgets is encouraging. But more money isn’t a magic fix. A mindset shift is.
Leaders must acknowledge that human error isn’t a bug in the system – it is the system. Employees are either your first line of defence or your weakest link. How they act when it counts comes down to how well you’ve equipped them.
A united front for defence
The future of cybersecurity in Malaysia isn’t just about tools and trends; it’s about trust, training, and treating people like the critical security assets they are.
When humans and machines defend together, that’s when cybersecurity works well.
Aaron Bugal is the field CISO, APJ at Sophos.
The views expressed are solely of the author and do not necessarily reflect those of MMKtT.
- Focus Malaysia.