By Arun Kumar, Regional Vice President of APAC, ManageEngine
No matter how sophisticated cybersecurity systems may be, their effectiveness ultimately depends
on the people who use them. Cybercriminals favour common threats such as phishing and social
engineering not because these systems suffer from inherent technical flaws, but because such
attacks succeed through human error.
According to Malaysia’s Cyber999 incident response centre, the third quarter (Q3) of last year saw
cybersecurity incidents jump from 1,623 cases to 2,020 cases, with 75% of 2025’s incidents involving
phishing.
As cyberattacks escalate, organisations across Malaysia, be they in the public or private sector, must
prioritise one of their strongest defences: their workforce. To build a robust human firewall, they
must put in place the foundations for informed and alert employees who are up to date with the
latest cyber risks and have the tools to respond effectively.
Make security training engaging and practical
Cybersecurity policies often look solid on paper, but their effectiveness is truly tested in everyday
situations. Opening emails, clicking links and following up on requests are among the most
security-critical moments of the workday, particularly because they are usually expected to be
handled quickly. In these moments, habits matter more than knowledge alone.
Without regular reinforcement, even well-trained staff can forget what to look out for or how to
respond. That’s why organisations must shift from treating cybersecurity training as a one-off
requirement to making it an ongoing experience that shapes daily behaviour and decision-making.
Much like emergency drills, a single session is not enough to maintain a cyber-aware culture that can
withstand the constant probing of threat actors. Employees are more likely to retain knowledge when
they practise it. Training should also incorporate realistic examples, such as fake invoices or
urgent password reset emails sent from spoofed domains, to better prepare teams for actual
threats.
Run simulations and encourage discussion
Even with strong awareness training, there’s often a gap between knowing what to do and actually
doing it in real situations. When faced with a convincing phishing email or urgent request, hesitation,
curiosity, or uncertainty can lead to risky decisions. This is another reason why practice is
essential.
Just as fire drills prepare people to act quickly in emergencies, simulated cyberattacks help
employees build confidence and develop the right instincts. They also reveal behavioural patterns
that wouldn’t surface in traditional training, giving organisations a clearer picture of where
vulnerabilities truly lie. Phishing simulations are highly effective for both testing and educating
employees. They help identify individuals who may be vulnerable and allow organisations to provide
targeted training. However, the process shouldn’t end with tracking responses; open discussions are
equally important.
Consider, for example, a financial services company whose quarterly simulations found that, while
most employees avoided clicking malicious links, some forwarded suspicious emails to colleagues for
confirmation. This revealed an additional training opportunity: teaching staff that uncertainty
should prompt reporting, not silence. Understanding how to respond is just as critical as avoiding
the threat itself.
Integrate security into daily culture
Effective cybersecurity programs are embedded into everyday activities, not isolated within IT
departments. They should appear in meetings, internal communications, onboarding sessions, and
casual discussions. Regular, relatable reinforcement keeps awareness high without causing fatigue.
Sharing real-world incidents and asking “What would we do in this situation?” helps make the risks
tangible.
After all, cybersecurity requires the whole collective pulling in the same direction. That also means
fostering a no-blame reporting culture because encouraging transparency is far more effective than
creating fear around making errors. Employees who accidentally click on a malicious link, for
instance, should not feel like reporting their error will cost them professionally. This will encourage
early reporting, which allows IT teams to respond quickly and limit potential damage.
Finally, simplifying processes helps users make safer choices. Implement tools like single sign-on,
password managers, and multi-factor authentication in a user-friendly way. The goal is to support
users, not overwhelm them. Clear guidance, visual indicators, and gentle reminders can make a big
difference. Even small features, like colour-coded warnings on external emails, can prompt
employees to think twice before taking action.
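The two concrete safeguards the article mentions, spoofed-domain phishing lures and colour-coded warnings on external mail, come together in a mail-gateway style check. The following is an added example written for this page; it is not code from the article or from ManageEngine. The internal domain list, the homoglyph table, the one-edit distance threshold and the sample From: headers are all constructed assumptions, and a real deployment would take the internal domain list from the organisation's own mail configuration.

```python
"""External-sender banner with lookalike-domain detection.

Added example, not code from the article or from ManageEngine. The internal
domain list, the homoglyph table, the one-edit threshold and the sample
From: headers are constructed assumptions for the illustration.
"""
from email.utils import parseaddr

# Constructed: the organisation's own mail domains (subdomains count as internal).
INTERNAL_DOMAINS = {"example.com"}

# Constructed: character sequences commonly swapped in to mimic a brand name.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))


def normalise(domain: str) -> str:
    """Fold look-alike sequences so 'exarnple.com' compares as 'example.com'."""
    for glyph, plain in HOMOGLYPHS:
        domain = domain.replace(glyph, plain)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the standard row-by-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(address: str) -> str:
    """Lower-cased part after the last '@', or '' when there is no '@' at all."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def is_internal(domain: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """Exact match or subdomain of a domain the organisation owns."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def is_lookalike(domain: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """External domain within one edit of an internal one after homoglyph folding,
    or one that embeds the internal brand as a label (example.com.secure-login.net)."""
    labels = domain.split(".")
    for internal in internal_domains:
        if levenshtein(normalise(domain), normalise(internal)) <= 1:
            return True
        brand = internal.split(".")[-2]  # 'example' from 'example.com'
        if brand in labels:
            return True
    return False


def classify_sender(from_header: str, internal_domains=INTERNAL_DOMAINS) -> dict:
    """Decide which banner (if any) the mail client should show for this From: header."""
    display_name, addr = parseaddr(from_header)
    domain = _domain_of(addr)
    if not domain:
        return {"domain": "", "category": "malformed", "reasons": ["no sender address"],
                "banner": "[DANGER: unparseable sender]"}
    if is_internal(domain, internal_domains):
        return {"domain": domain, "category": "internal", "reasons": [], "banner": ""}

    reasons = []
    if is_lookalike(domain, internal_domains):
        reasons.append("sender domain imitates an internal domain")
    # Display name written like an internal address while the real address is
    # external, e.g. "it-support@example.com" <someone@freemail.test>
    name_domain = _domain_of(display_name)
    if name_domain and is_internal(name_domain, internal_domains):
        reasons.append("display name poses as an internal address")

    if reasons:
        return {"domain": domain, "category": "suspicious", "reasons": reasons,
                "banner": "[DANGER: " + "; ".join(reasons) + "]"}
    return {"domain": domain, "category": "external", "reasons": [], "banner": "[EXTERNAL]"}


def tag_subject(from_header: str, subject: str) -> str:
    """Prefix the subject with the banner, the way a gateway transport rule would."""
    banner = classify_sender(from_header)["banner"]
    return f"{banner} {subject}" if banner else subject


# Constructed sample headers covering internal, external, lookalike and spoofed cases.
SAMPLE_HEADERS = [
    "alice@example.com",
    "Bob <bob@mail.example.com>",
    "Vendor Sales <sales@vendor.net>",
    "IT Helpdesk <helpdesk@examp1e.com>",
    "Payroll <payroll@example.com.secure-login.net>",
    '"it-support@example.com" <it-support@freemail.test>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict = classify_sender(header)
        print(f"{verdict['category']:10} {verdict['banner']:55} {header}")
```

The amber "[EXTERNAL]" tag is the everyday nudge the article describes; the red "[DANGER ...]" tag is reserved for the two patterns that the simulated lures rely on, a domain that imitates the organisation's own and a display name that poses as an internal address. The one-edit threshold after homoglyph folding is deliberately conservative so that ordinary short domains are not flagged as lookalikes.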
To build a human firewall, organisations in Malaysia must commit to an ongoing initiative to ensure
employee awareness keeps pace with the evolution of cyberthreats. Empowering staff to act as
frontline defenders, rather than vulnerabilities, enables organisations to transform their weakest
point into their strongest safeguard. Cybercriminals rely on human mistakes but organisations will