KPMG Cybersecurity Considerations 2025 — Key Takeaways for Malaysian Businesses
What KPMG's 2025 Cybersecurity Report Means for Malaysian Businesses
KPMG's Cybersecurity Considerations 2025 report identifies the key threats and strategic priorities that organisations worldwide need to address. For Malaysian businesses — particularly SMEs that make up 97 percent of all enterprises — the findings translate into concrete actions that can no longer be deferred.
The report arrives at a critical moment. Malaysia's cybercrime losses reached RM 2.97 billion in 2025, ransomware attacks on businesses increased 42 percent year-over-year, and the PDPA Amendment Act 2024 now mandates 72-hour breach notification with fines up to RM 1 million.
AI-Powered Threats Are Accelerating
KPMG highlights artificial intelligence as both the biggest opportunity and the most significant emerging threat in cybersecurity. AI is enabling more convincing phishing attacks, automated vulnerability scanning, and deepfake-based social engineering at scale.
For Malaysian businesses, this means traditional security awareness training is no longer sufficient. Staff need to understand AI-generated threats — deepfake voice calls impersonating executives, AI-written phishing emails with perfect grammar, and fake trading platforms powered by generative AI.
Supply Chain Risk Is the Blind Spot
The report emphasises that organisations are only as secure as their weakest vendor. Supply chain attacks — where hackers compromise a software vendor to reach hundreds of downstream customers — increased significantly in 2025.
Malaysian SMEs often rely on a small number of IT vendors for cloud services, accounting software, and payment processing. A breach at any of these vendors can expose customer data and trigger PDPA reporting obligations.
Regulatory Pressure Is Increasing
Cybersecurity compliance is no longer optional. Malaysia's Cyber Security Act 2024, the PDPA amendments, and BNM's strengthened RMiT framework are creating a regulatory environment in which cyber incidents carry direct financial and legal consequences.
KPMG recommends that organisations treat cybersecurity as a board-level concern, not an IT department issue. For SMEs without a dedicated security team, this means engaging external expertise — virtual CISO services, managed security providers, or periodic security assessments.
Key Takeaway
Malaysian SMEs should prioritise three actions from the KPMG report: update staff training to cover AI threats, audit third-party vendor security, and ensure PDPA breach notification processes are tested and ready.
Frequently Asked Questions
What are the biggest cybersecurity threats in 2025?
KPMG identifies AI-powered attacks, supply chain compromise, and ransomware as the top three threats. For Malaysia specifically, investment scams and banking fraud add to the risk landscape.
Does KPMG's report apply to small businesses?
Yes. The report's recommendations on vendor risk management, employee training, and incident response planning are directly relevant to Malaysian SMEs, especially those handling customer data under PDPA.
What should Malaysian businesses do first?
Start with a cybersecurity health check to identify your most critical vulnerabilities. Then ensure PDPA compliance by documenting breach notification procedures and training staff on phishing awareness.
Stay safe online with Cyberkiz
We offer cybersecurity education for kids and scam awareness workshops for families and communities.