As Malaysia charges forward in its digital transformation, cybercriminals aren’t just keeping pace—they’re sprinting ahead. By mid-2024, businesses across the country had already weathered more than 19.6 million cyberattacks, racking up losses north of RM1.22 billion. It’s no longer just the big end of town under siege – threat actors are just as happy to target small- and medium-sized enterprises (SMEs), knowing many are under-defended and ill-prepared.
And that’s the problem. SMEs account for more than 97% of Malaysia’s business ecosystem, yet most don’t have the luxury of in-house cybersecurity teams or the right tools to respond effectively. Many lean on basic software or third-party providers who may not specialise in security—leaving wide-open gaps for attackers to waltz through.
The New Reality: SMEs as Prime Targets
SMEs are no longer flying under the radar of cybercriminals. In fact, they’ve become a deliberate target in today’s threat landscape. According the 2025 Sophos Threat Report, nearly 50% of malware detections in SMEs involved spyware, stealers, and keyloggers – tools designed to quietly harvest login credentials and sensitive business data.
These aren’t isolated threats. Sophos Active Adversary Report 2025 found that 70% of incident response cases in 2024 involved ransomware, with small and midsize organizations making up the majority of victims. This shift reflects an evolving attacker strategy: instead of confronting hardened enterprise defenses, cybercriminals are increasingly exploiting SMEs as soft entry points into larger networks and supply chains.
Part of the problem lies in what Sophos calls “digital detritus” legacy systems, exposed firewalls, and forgotten cloud assets that accumulate over time. Alarmingly, 25-33% of breaches analyzed stemmed from unmanaged or outdated systems. For attackers, these blind spots are low-hanging fruit and for SMEs, they represent a growing and often outlooked risk.
What’s Holding SMEs Back?
Many SMEs adopt a reactive approach, only addressing cyber threats post-attack. Malaysia’s cybersecurity talent gap, with a shortfall of 12,000 professionals, exacerbates the issue. Without in-house expertise, SMEs struggle to assess risks or implement effective defences.
Encouraging Shifts in the Ecosystem
The public and private sectors are stepping up. The Cyber Security Act 2024 sets national standards and strengthens enforcement. Budget 2025’s RM50 million allocation for AI and cybersecurity initiatives will benefit SMEs. Regionally, the ASEAN-led Cyber Security Forum fosters cross-border collaboration, providing Malaysian businesses with a broader framework to enhance their defences.
From Reactive to Resilient: What SMEs Can Do Now
To stay ahead, SMEs must move from passive defence to active detection. This doesn’t require massive in-house teams, just the right approach. Sophos recommends deploying AI-driven tools that continuously monitor endpoints, cloud environments, and network edges. For those without security staff, Managed Detection and Response (MDR) offers 24/7 threat hunting, detection, and remediation, effectively acting as an outsourced Security Operations Center.
The Bottom Line
Cybersecurity is no longer just an IT line item to be ticked off—it’s a business-critical function that can make or break an organisation. As attackers grow more calculated and the financial fallout of breaches continues to rise, SMEs can’t afford to keep playing catch-up. The good news? You don’t need an army of experts or a seven-figure budget to make meaningful improvements. With growing policy support, scalable security solutions, and a little forward planning, Malaysian SMEs can step up their cyber resilience almost immediately. Start small, but start smart: patch systems, enforce strong authentication, and get the right advice. Because when it comes to defending your business, doing nothing is no longer an option.
This article is contributed by Aaron Bugal, Field CISO, Sophos
