
BlackBerry Research Reveals Software Supply Chain Vulnerabilities

Business Today ·  Jul 30 15:42

BlackBerry Limited unveiled research at the NACSA Cybersecurity Summit, highlighting significant software supply chain cybersecurity vulnerabilities within Malaysian organisations. The study found that 79% of Malaysian IT decision-makers had received notifications of attacks or vulnerabilities in their software supply chains in the past year, exceeding the global average of 76%. Almost 38% of these organisations took up to a month to recover from such incidents.

The survey, conducted in April 2024 by Coleman Parkes, followed the Malaysian Government's gazetting of the 2024 Cyber Security Act (Act 854) and the announcement of the National Semiconductor Strategy (NSS) in May. These initiatives aim to bolster Malaysia's position as a global semiconductor powerhouse and underscore the need for secure-by-design software practices and robust regulations to protect the IT supply chain. The report emphasised the critical importance of these measures in supporting Malaysia's ambitions in sectors like semiconductor manufacturing and Artificial Intelligence (AI).

The study aimed to identify current procedures for managing security breaches in software supply chains. It revealed that nearly one-third of Malaysian respondents identified operating systems (30%) and IoT/connected components (19%) as the most at-risk areas, leading to significant financial loss (71%), reputational damage (66%), and data loss (59%) after an attack.

Ir. Dr. Megat Zuhairy Megat Tajuddin, Chief Executive, NACSA, presented at the media briefing during the NACSA Cybersecurity Summit 2024.

Dr. Megat Zuhairy bin Megat Tajuddin, Chief Executive of NACSA, stressed the importance of the Cyber Security Act 2024 in enhancing the cyber-resilience of Malaysia's National Critical Information Infrastructure. He highlighted Malaysia's commitment to becoming a leader in semiconductor manufacturing and AI, while also recognising the global responsibility to protect the software supply chain through improved compliance, technology adoption, and skills and training initiatives.

BlackBerry Cybersecurity CISO, Christine Gadsby, noted the need for a comprehensive approach to cybersecurity, encompassing skilled workers, secure-by-design products, and modern AI monitoring tools. She acknowledged Malaysia's efforts to increase regulatory measures and investment in skills and technology to protect critical infrastructure and key industries from cyber-attacks.

Malaysian organisations reported strict security measures, including security awareness training (58%), data encryption (48%), and multi-factor authentication (47%). However, only 40% prioritised Software Bill of Materials (SBOMs), despite international regulatory and compliance requirements likely increasing their importance in the coming years. Most IT leaders (95%) expressed confidence in their suppliers' cybersecurity policies, with many demanding compliance certification and third-party audits.

The survey also highlighted challenges in maintaining regular software inventories, with factors such as a lack of technical understanding (58%), effective tooling (44%), visibility (41%), and skilled talent (40%) cited as barriers. More than three-quarters of respondents expressed a need for tools to improve software library inventories and visibility into software vulnerabilities.

Christine Gadsby, Chief Information Security Officer, BlackBerry Cybersecurity, presenting at the media briefing during the NACSA Cybersecurity Summit 2024.

Christine Gadsby concluded that addressing human factors and leveraging AI-powered Managed Detection and Response (MDR) technologies could support organisations in managing emerging threats and complex security incidents. The full survey and further information on AI's role in protecting the software supply chain are available online, along with details on training courses at the Malaysia Cybersecurity Center of Excellence.
