In an exclusive interview with MALAYSIA SME, Zoho APAC regional head Gibu Mathew warns that the era of “security through obscurity” is over, and MSMEs can no longer afford to look away.
By Pauline James
You may never hear the breach when it happens. There will be no alarm, no system crash, no ransom note, at least not at first. Instead, an attacker will sit quietly inside your network for weeks, perhaps months, siphoning data one fragment at a time, wearing the digital identity of someone you trust. By the time the damage becomes visible, it is often far too late to contain it.
This is the new face of cybercrime in 2026, and for Malaysia’s small and medium enterprises, it is closer than most business owners dare to imagine. For Gibu Mathew, Regional Head of Zoho APAC, the window for businesses to build their defences is narrowing fast, and the businesses that survive will be those that stopped assuming they were too small to matter.
A New Breed of Threat
The cybersecurity landscape has shifted dramatically. Where attackers once relied on blunt, mass-targeting techniques, AI has handed them a precision instrument. Mathew described what was once called social engineering, a type of cyberattack that exploits human psychology, such as fear, curiosity, or trust, to trick individuals into revealing sensitive information or bypassing security protocols, rather than relying on technical hacking, is now becoming “highly personalised“, meaning AI-crafted attacks are increasingly tailored to specific individuals, making it difficult even for a vigilant person to distinguish a hacker from a legitimate contact. Since people remain the weakest link in any cybersecurity chain, this level of personalisation poses one of the single greatest threats facing businesses in Malaysia and across ASEAN today.
The implications are serious. If a fraudulent message is indistinguishable from a genuine one, even a vigilant employee can be fooled. “People in the loop are the weakest link in any cybersecurity chain,” Matthew said. “And if you can get to people through personalised messages and trick them into doing certain activities, it could open up a whole different kind of problems.”
For users, the danger extends beyond deception. It reaches into the attacker’s operational side. Automated, AI-driven attack systems are becoming smarter and more self-correcting, leaving organisations with less room for error in their defences. “AI-driven attackers could be very much smarter than what was there in the past,” Mathew warned. “Lesser mistakes in the attack world make it bad for good businesses.”
Three Threats to Watch in 2026
When asked about the top emerging risks Malaysian businesses should prepare for, Mathew identified three interconnected priorities.
End-user device security tops the list. “The importance of the device has exponentially grown,” he explained. “Your bank accounts are authenticated using that. Even though you enable two-factor or multi-factor authentication, your device has become very, very critical.” Losing control of a single phone today can mean losing everything.
Another major threat is identity-based attacks. “Somebody could spoof or take over your identity and do things on your behalf,” Mathew said. The danger is that a compromised administrator account looks, from the inside, like perfectly normal activity. “If I am the super admin of my organisation and if I am doing some activity, it is normally understood that it is authorised. But what could actually happen is my identity could have been compromised.”
Finally, what Mathew called “shadow AI” is the ungoverned adoption of AI tools by employees acting independently. “Your employees start utilising digital tools or AI, generative AI tools. They may start installing some apps to do activities on their laptop,” he said. Each unauthorised installation is a potential opening in the organisation’s defences. What makes this even more alarming is that businesses often do not realise the door has been left open until someone has already walked through it.
The Attackers Are Already Inside
One of the most unsettling shifts Mathew described is in the patience and methodology of modern attackers. The old image of a hacker who breaks in, causes obvious damage, and leaves is outdated. “Some of these attacks are currently happening because they stay in your system in a compromised state for months,” he said. “They will be taking bits of information slowly, and you may not even know about it.” The goal is silent data exfiltration, a slow haemorrhage that a business may not detect until long after the damage is done.
Meanwhile, Ransomware has not gone away; it has simply become more sophisticated in its entry methods. The combination of compromised identities and long-dwell intrusions means that by the time an attack becomes visible, attackers may already have deep, persistent access.
No Business Is Out of Reach
A dangerous assumption persists among smaller businesses that they are too insignificant to attract serious cybercriminals. The reality, however, is that no organisation is out of reach, not large enterprises, not mid-sized firms, and certainly not MSMEs.
For larger organisations, the risks are well understood. They invest heavily in defence, dedicating hundreds of security professionals to hardening their systems, running red team exercises, monitoring continuously, and responding rapidly to incidents. Yet even with those resources, the threat never fully disappears.
For smaller businesses, the exposure is just as real, but the protection is not. Where a large enterprise has infrastructure and manpower, an MSME typically has neither. And while a smaller business may believe it flies under the radar, that invisibility offers no actual protection. As Mathew put it plainly, “The exposure is almost equal.” Being less visible does not mean being less vulnerable; it simply means an attacker has not looked yet.
What makes this increasingly urgent is the shifting economics of cybercrime. “The cost of attacking today is getting lower,” Mathew pointed out. “Just like how AI is being used to do an even greater number of personalised attacks, possibly the cost of doing an attack is going to reduce. So, which means the chances of even smaller businesses being attacked are much higher.”
The consequences of a successful breach can be existential. “Security incidents could break an organisation completely,” he said. “Your IP could be lost, your intellectual property could be lost, and your customer data could get encrypted. You could be locked out of your own home, basically.”
Building the Defence, AI Fighting AI
So how should businesses fight back? Mathew advocates for a layered approach that starts with governance and ends with smarter tools.
Governance: Set the Rules Before the Risks Set In
- Establish a clear AI usage policy. The organisation head or CIO must define what data employees are permitted to input into any AI tool. Without this, every employee becomes a potential gap in the organisation’s defences.
- Sanctioned tools only. Businesses must specify which AI tools are approved for use, whether free versions are permitted, and under what conditions.
- Define data boundaries. Not all data is equal. Policies must clearly distinguish what categories of information, customer data, financial records, and intellectual property may or may not be fed into external systems.
- Make policies visible. “You have to set those policies in place transparently so that the business and the users have that visibility on what is allowed and not allowed,” Mathew said.
Technology: Move Beyond Basic Protection
- Retire the antivirus mindset. Traditional antivirus solutions are no longer sufficient against today’s threats. Businesses need tools that do more than match known threats against a database.
- Invest in behavioural detection. Modern security tools should be able to identify when legitimate-looking software is behaving abnormally and act on it immediately, without waiting for an external system to confirm the threat.
- Adopt Endpoint Detection and Response (EDR). Mathew pointed to EDR solutions, including those offered by Zoho’s IT management division, ManageEngine, as the new baseline for device-level protection.
Getting Back to Basics
Despite the sophistication of today’s threats, Mathew believes that some of the most effective defences remain refreshingly straightforward. Something as simple as a clear policy against sharing customer data over personal messaging apps, he notes, can go a long way, the fix often being nothing more than adopting the right business tools from the start. “Getting back to the basics itself and strengthening the basics, using the right tools to reduce the chances of errors, is itself a very important aspect,” he said.
For Malaysia’s MSME community, the urgency is no longer a matter of debate. Digital transformation is no longer a distant aspiration or a competitive advantage; it is the baseline. As Mathew puts it, embracing digitisation and digitalisation is no longer optional for businesses that want to harness the full potential of technologies like generative AI. The foundation must come first.
Zoho Corporation, a global technology company offering a suite of enterprise IT management and business applications, recently opened a new office in Malaysia, marking a significant milestone in its long-term commitment to the country’s digital transformation ambitions. The move underscores a growing recognition that Malaysian businesses, particularly small and medium enterprises, need closer, more dedicated support as the digital landscape grows more complex and more dangerous.
