Malaysia wants to be the digital hub of Asia. Good dream. Yet there are 15 data breaches every week in the country, at least five of which are personal data breaches.
And it has been steadily getting worse over the last six years. Bad dream. Malaysia's digital world needs a major reset before we even begin to entertain the thought of a deluge of technology investors rushing to our shores. Malaysia needs to be fit for the digital age.
As far as technology per se goes, it has done a decent job. Adequacy of technology infrastructure is just step one. Being a "Digital Tiger of Asia" means more.
Malaysia must have in place everything that is necessary to make business and personal data secure. If cybersecurity experts are right, Malaysia has miles to go before it can let out a tiger's roar. No business would want to be in an environment where two data breaches happen every day. To businesses, data is the new black gold and they want it to be safe in their "vault".
Here is how business misfortune is numbered. Malaysia is, as usual, sparse on statistics, so we will have to rely on 2017 figures revealed in a Frost & Sullivan study commissioned by Microsoft Corp, "Understanding the Cybersecurity Threat Landscape: Securing the Modern Enterprise in the Digital World".
The study, published in 2018, said Malaysia might have lost RM49.15 billion to cyber attacks in 2017. The study was aimed at providing businesses with insight on the cost of cybersecurity breaches and identifying gaps in response strategies. Judging from the number of data breaches today, our companies may not have taken the report seriously. Let's be clear.
It is not just the government's job to make the digital world safe in Malaysia; companies, too, must take cybersecurity seriously. The Frost & Sullivan study seems to suggest not many do. To them, cybersecurity is an afterthought. Too little, too late is never a good business strategy.
Personal data protection, on the other hand, is more a job for the government. Our Personal Data Protection Act 2010 (PDPA), to put it bluntly, has neither the bark nor the bite. The irony is, the act protects personal data only in name.
This makes it difficult for the regulator, the Personal Data Protection Department, to do its job. But this doesn't mean it can't be transparent with its investigations. If the Malaysia Competition Commission can be transparent about whom it is investigating, our personal data regulator can do the same. Transparency is an excellent deterrent.
Companies rarely get hauled up, and if they do, it is most often a slap on the wrist. This is how repeat offenders are made. There is no mandatory requirement to report leaks early either. The PDPA must have a European Union flavour. Companies and public bodies there are made to disclose any personal data breach within three days, not just to the regulator but to the public.
The PDPA must also make personal data breach claims possible. When personal data is not protected as it should be, there will be serious consequences for the people. It could even be life-threatening. It is one thing to be willing to be the "Digital Tiger of Asia", but it is another to be ready and able to be one.