By Aaron Bugal, Field CTO APJ, Sophos,
AI is no longer an abstract cybersecurity concern for Malaysian businesses. From deepfake investment scams impersonating public figures to increasingly convincing phishing attempts, the technology is already changing how cybercriminals operate.
For defenders, artificial intelligence presents a double-edged sword. AI can strengthen cybersecurity solutions through pattern recognition, summarization and assistance capabilities, but it also gives threat actors new ways to scale deception, automate parts of their operations and test organisations in more sophisticated ways. In a world where businesses are constantly racing to out-innovate cybercriminals, the question is not whether AI has a role in cybersecurity, but how it should be used without introducing new risks.
New technologies mean new threats
Cybercriminals have proven they shouldn’t be underestimated. They are continually updating their tactics, strategies, and tools to breach businesses, and AI only strengthens their arsenal. AI has commonly been used to help threat actors better imitate real people – altering voices, pictures, and messages to carry out convincing phishing attacks.
In Malaysia, this has already translated into real financial harm. AI-generated deepfake videos have targeted well-known leaders including Prime Minister Datuk Seri Anwar Ibrahim and Capital A Bhd CEO Tan Sri Tony Fernandes to promote fake investment schemes, with even the Johor Royal Press Office issuing a public warning after a deepfake of His Majesty Sultan Ismail was used similarly. In the first 11 months of 2025 alone, the Royal Malaysia Police recorded 67,735 online crime cases nationwide, with losses exceeding RM2.7 billion.
While many of these cases target consumers, the same techniques are increasingly relevant to businesses, where impersonation, credential theft and social engineering remain common entry points for attackers.
Beyond mimicking human behaviour, cybercriminals have begun to experiment with AI at a more technical level. Malicious GPTs have been advertised on cybercriminal marketplaces, with functions such as automated penetration testing or malicious malware development. However, sharing a similar experience to legal industries and businesses, there is still some hesitance from cybercriminals when it comes to implementing the technology into operations, as threat actors are mainly exploring generative AI in the context of experimentation and proof-of-concepts.
This does not mean organisations should see this as a sign to slow down, as artificial intelligence will inevitably become a regular feature of cyber attacks. Instead, businesses should be evaluating if they are using the technology in a secure and optimal way within their cybersecurity set up.
AI adoption is not about being first, but being smart
Businesses of all sizes are examining how AI can be used, with a global Sophos survey finding 98 per cent of organisations are using it within their cybersecurity infrastructure in at least some capacity. Further to this, 65 per cent of organisations use cybersecurity solutions that include generative AI capabilities, and 73 per cent use solutions that include deep learning models.
While AI adoption in cybersecurity can bring many advantages, it also introduces a number of risks if approached incorrectly. Poorly implemented AI models can inadvertently introduce considerable cybersecurity risks of their own – as if it isn’t provided with the right inputs, it cannot provide adequate outcomes. Organisations are alert to this risk, with the vast majority (89%) of cybersecurity professionals saying they are concerned about how potential flaws in cybersecurity tools’ generative AI capabilities will harm their organisation, with 43 per cent highlighting they are extremely concerned.
The stakes are particularly high for Malaysian SMEs, which make up over 97% of the country’s business landscape. According to CyberSecurity Malaysia, SMEs were involved in more than 65% of reported cyber incidents in 2024, yet many still lack dedicated cybersecurity resources, making poorly implemented AI tools a particularly costly gamble.
This alertness must also remain for AI that’s implemented in non-cybersecurity related tools, as emerging technologies poses threats in their infancy. Agentic AI for example has become highly topical recently, but will a technology that learns from humans be able to adequately defend itself from cyber threats? At its current level, AI should be approached with the intention that it can serve a single purpose and expecting an individual system or ‘AI agent’ to do everything with minimal human interference is risk inducing.Therefore, an organisation’s artificial intelligence advances – both within cybersecurity infrastructure and their entire technology stack – must be done with guardrails, and thorough oversight.
Fighting fire with fire without getting burnt
In the race against cybercriminals, artificial intelligence will only become a multiplier to innovation that takes place on both sides. For businesses, avoiding the risks of AI within cybersecurity systems is possible when implementation is approached with care. This can be achieved through:
- Inquiring about vendor’s AI capabilities: AI requires transparency and asking cybersecurity vendors about how their data is trained, what AI expertise their professionals have, and their roll out process for deploying AI capabilities will help paint a clearer picture of AI development best practises.
- Providing strict outlines to AI investment: AI investment cannot be rushed, so it is important to assess whether AI provides the best solution for current cybersecurity challenges, prioritise specific AI investments, and measure the impact of AI once it is implemented into cybersecurity infrastructure.
- Remain human first in AI adoption. Organisations should never take a set-and-forget approach to cybersecurity, and this is even more the case when AI is involved. Ultimately, cybersecurity is a human responsibility, and AI should be used as an accelerant to support cybersecurity professionals, not a replacement.
Artificial intelligence will soon be the mainstay for organisations, and this is no different for cybersecurity, however with such high stakes it is vital that AI is used correctly, or it will only work against its intended purpose – giving cybercriminals the leg up over organisations in this ongoing battle.
Malaysia’s regulatory direction is also moving in this direction, with MyDIGITAL seeking consultancy support for the development of the AI Governance Bill to help ensure the proposed legislation is technically sound, aligned with global best practices and practical for public and private sector adoption.
For businesses, the message is clear – cybersecurity leaders do not need to adopt every AI capability available to them. They need to adopt the right capabilities, with the right controls, for the risks they specifically face.