PETALING JAYA: Cybersecurity experts say there should be a balance between quick reporting and protecting sensitive information in implementing the Cyber Security Act 2024.
Cybersecurity expert Prof Datuk Dr Norbik Bashah Idris, who is the chief digital officer of the Information Technology Division at International Islamic University Malaysia, said while the regulations look demanding, they are positive, and their success depends largely on the readiness of the National Critical Information Infrastructure (NCII) entities to comply.
“Ensuring that these entities have the necessary infrastructure and training to detect, report, and respond within the stipulated time frames is essential.
“The Act should balance the need for quick reporting with the protection of sensitive information. Entities must ensure that while they report incidents promptly, they also safeguard any personal or confidential data involved,” he said.
He said the Act is a proactive and necessary step in safeguarding the country’s critical infrastructure against cyber threats.
“No doubt, the effectiveness of the Act will largely depend on how well NCII entities implement and comply with these new regulations,” he said, adding that the requirement for immediate notification ensures that cybersecurity incidents are reported in real time.
Prof Norbik Bashah said the legislation also strengthened national security, as NCII entities are the backbone of a nation’s infrastructure.
“The Act fosters better coordination between NCII entities and cybersecurity authorities, enabling a unified approach to tackling cyber threats that could potentially disrupt critical services,” he said.
Cybersecurity specialist Fong Choong Fook said the Act spells out the responsibilities of the NCII.
He said the six hours given to develop the initial findings of a cybersecurity incident are quite “lenient”.
“In the commercial world, every second of impact will be counted as losses. We need to ensure our prevention and preparation are done properly. Then we will have much better assurance that we will meet the six-hour requirement or less,” he said.