Here's a scenario that plays out too often: someone in accounts payable clicks a link in what looks like a Maybank email, enters their Microsoft 365 credentials, and just like that, attackers have full access to the company's cloud storage. No sophisticated hack needed.
Darktrace's 2026 Annual Threat Report found that in Europe, 58% of cyber incidents began with compromised cloud accounts and email credentials, with the figure climbing to nearly 70% in the Americas. Not malware. Just stolen passwords and cloud platforms with weak or missing multi-factor authentication. For any cybersecurity-conscious Malaysian business, these numbers should be a wake-up call.
Cloud is the new front door for attackers
Five years ago, attackers spent weeks probing network perimeters. Now they buy stolen credentials on dark web marketplaces for a few dollars per account.
Darktrace's 2026 report found AI-enabled credential abuse is now driving the majority of intrusions globally. Attackers use AI to craft phishing emails in Bahasa Melayu and English, with correct company branding and executive names pulled from LinkedIn. In Malaysia, these commonly impersonate banks (Maybank, CIMB, RHB), government agencies (LHDN, SSM), or cloud providers.
Once inside, attackers move fast. CrowdStrike's 2026 Global Threat Report found the average eCrime breakout time fell to just 29 minutes. CyberSecurity Malaysia (MyCERT) reported cloud-related incidents climbing steadily throughout 2025, with business email compromise and cloud account takeover among the top reported categories.
How can a Malaysian business improve its cybersecurity against cloud attacks?
Most of these attacks are preventable. The fixes aren't expensive. They just require doing the basics properly.
- Turn on multi-factor authentication for every cloud service, every user. This single step blocks over 99% of credential-based attacks according to Microsoft's own data.
- Move toward zero trust. Verify every access request regardless of where it originates. Google's BeyondCorp model and Microsoft's Conditional Access policies make this possible even for small teams.
- Run phishing simulations every quarter. Services like KnowBe4 offer simulation platforms, and local providers such as LGMS run cyber drill exercises for Malaysian businesses. People get better at spotting fakes when they've seen them before.
- Use your existing cloud security tools. Microsoft 365 Business Premium includes Defender for Office 365. Google Workspace offers security alerts and admin audit logs. Most Malaysian businesses already pay for these features and never turn them on.
- Limit access by role. Use role-based access control and review permissions quarterly. When someone leaves, revoke access that day.
What is Malaysia's cybersecurity strategy right now?
The Cyber Security Act 2024 (Act 854) came into effect on 26 August 2024, establishing mandatory cybersecurity standards for organisations in designated National Critical Information Infrastructure (NCII) sectors.
The Personal Data Protection Act (PDPA) amendments tightened data breach notification requirements. If your cloud systems get breached and customer data is exposed, you must notify the authorities and affected individuals. A breach caused by negligent security practices can trigger investigations by the Personal Data Protection Commissioner.
If you store customer data in the cloud (and almost every business does), you are the data controller. You're responsible for protecting that data even if the cloud provider manages the infrastructure.
CyberSecurity Malaysia runs the CyberSAFE programme with free cybersecurity awareness resources. NACSA coordinates national policy, and MyCERT offers incident response support and regular advisories. If your team needs help, our cybersecurity services cover vulnerability assessments and PDPA compliance.
Cybersecurity action plan for Malaysian businesses this week
You don't need a big budget. Most of the work is turning on settings you're already paying for.
Start by listing every cloud service your company uses and checking which ones have MFA enabled. Then look at email, because that's where 90%+ of attacks start. If you're on Microsoft 365 or Google Workspace, the advanced security features are included in your subscription. Most Malaysian businesses never activate them.
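One way to run that first check, as an added example (not part of the original article): a short Python audit over a cloud account inventory that reports MFA coverage per service and ranks what to fix first, including accounts of staff who have already left. The CSV columns, sample accounts and audit date are constructed assumptions, not a vendor export format.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample inventory: one row per account per cloud service.
# Column names and values are assumptions for illustration only.
INVENTORY_CSV = """service,user,role,mfa_enabled,employment_end
Microsoft 365,aina@example.com,admin,yes,
Microsoft 365,farid@example.com,user,no,
Microsoft 365,mei.ling@example.com,user,yes,2025-11-30
Google Workspace,aina@example.com,admin,no,
Google Workspace,kumar@example.com,user,yes,
Accounting SaaS,farid@example.com,admin,no,
Accounting SaaS,mei.ling@example.com,user,no,2025-11-30
"""
AUDIT_DATE = date(2026, 1, 15)  # constructed "today" so the result is repeatable

def audit(csv_text, today):
    """Return (MFA coverage % per service, findings sorted by priority)."""
    totals = defaultdict(int)
    covered = defaultdict(int)
    findings = []  # (priority, service, user, reason); lower number = fix first
    for row in csv.DictReader(io.StringIO(csv_text)):
        svc, user = row["service"], row["user"]
        has_mfa = row["mfa_enabled"].strip().lower() == "yes"
        end = row["employment_end"].strip()
        if end and date.fromisoformat(end) <= today:
            # Leavers: access should have been revoked on the day they left.
            findings.append((0, svc, user, f"left on {end}, account still active"))
            continue  # excluded from MFA coverage; the fix is removal, not MFA
        totals[svc] += 1
        if has_mfa:
            covered[svc] += 1
        elif row["role"].strip().lower() == "admin":
            findings.append((1, svc, user, "admin without MFA"))
        else:
            findings.append((2, svc, user, "user without MFA"))
    coverage = {s: round(100 * covered[s] / totals[s]) for s in totals}
    return coverage, sorted(findings)

if __name__ == "__main__":
    coverage, findings = audit(INVENTORY_CSV, AUDIT_DATE)
    for svc, pct in coverage.items():
        print(f"{svc}: {pct}% of active accounts have MFA")
    for prio, svc, user, reason in findings:
        print(f"P{prio} {svc} {user}: {reason}")
```

Re-running the same audit at each quarterly permission review shows whether coverage is moving toward 100% and whether any leaver accounts have reappeared.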
Malaysian businesses are moving to the cloud faster than ever, pushed by the government's AI Nation 2030 agenda and Budget 2026 incentives. That's good for business. But security has to keep pace.
We build custom software and web applications at Gotchaa Lab, and security is baked into how we work. If you want to chat about your project, we're happy to talk through the security side too.
This article is for general informational purposes only and does not constitute legal or professional cybersecurity advice. Consult qualified professionals for guidance specific to your situation.




