Data breaches to cost RM3.2mil on average in 2026, says report

The report by the National Tech Association of Malaysia says some organisations have reported losses of more than RM5 million from a single data breach.

The National Tech Association of Malaysia said companies are underprepared for cyberattacks, with many still relying on low budgets and small security teams.
PETALING JAYA: The average cost of a data breach in Malaysia is expected to rise from RM2.9 million last year to RM3.2 million this year, highlighting the increasing financial toll of cyber incidents on businesses, according to an industry report.

The report, Beyond Compliance: The State of Cyber Resilience in Malaysia 2026, by the National Tech Association of Malaysia (Pikom) said that some organisations it surveyed also reported losses exceeding RM5 million from a single major incident.

“Cybersecurity is no longer just ‘IT security’; it is a pillar of national economic stability,” Pikom’s cybersecurity adviser Rodney Lee said at the Future of Cybersecurity Summit 2026.

He said 35.9% of surveyed organisations experienced at least one cybersecurity incident between January 2024 and December 2025.

The report found that the most common attack types were AI-generated phishing or deepfake impersonation (32.6%), followed by malware or ransomware-as-a-service (30.2%), and credential theft (25.6%).

Lee said this showed that attackers were increasingly targeting identities and human vulnerabilities rather than relying only on conventional malware tactics.

“… the tactics have become more convincing, faster, and harder to detect,” he said.

Despite the rising threat level, the report found that many firms continued to operate with limited cybersecurity resources.

It said 51.3% of respondents had annual cybersecurity budgets below RM250,000, while 78.8% had five or fewer dedicated cybersecurity personnel.

The report also found that 54.9% of organisations reported difficulty in hiring cybersecurity talent.

It said the Cyber Security Act 2024 had pushed cybersecurity higher on organisations’ list of priorities, especially in sectors linked to national security and public safety.

These organisations now have to adhere to sector-specific codes of practice, perform annual risk assessments, conduct audits every two years, and report cyber incidents within six hours (initial) to 14 days (detailed).

“The Cyber Security Act 2024 has ended the era of ‘voluntary’ security for critical infrastructure,” the report said.
