Cybersecurity: Annual Security Review Checklist for Businesses
By: Stevie Heong, Director
Cyber threats evolve constantly, and what protected your business last year may not be enough today. Malaysia's government recognises this and has enacted the Cyber Security Act 2024, the first time cybersecurity has been placed at the forefront of corporate Malaysia. Many companies, however, are still unsure how to prioritise their focus, money and time. Here we set out the baselines that companies should look at before embarking on any deeper reconstruction of their security practices. These are general baselines, the security hygiene that all companies, big or small, should adopt.
An annual security review helps you identify vulnerabilities, strengthen defenses and stay ahead of emerging risks before they become costly breaches.
1. Access & Authentication
Audit all user accounts and remove access for former employees and contractors. Ensure multi-factor authentication is enabled on critical systems, especially for administrator and remote-access accounts, and verify that password policies meet current security standards.
2. Network & Systems
Review firewall rules, remove outdated exceptions and scan for unauthorized devices. Test your patch management process to ensure critical vulnerabilities are addressed promptly across all systems.
3. Data Protection & Backups
Verify that sensitive data is properly classified and protected. Conduct actual restoration tests from backups to confirm they work when you need them most, and ensure backup copies are kept offline or immutable so that ransomware which reaches production systems cannot encrypt or delete them as well.
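A restoration test is only meaningful if the restored files are checked against what was backed up, not just counted. The following is an added example, not code from the original article or from PKF: it writes a SHA-256 manifest at backup time, restores the archive into a scratch directory, verifies every file against the manifest, and also refuses archive members with traversal paths, since a backup that may have been tampered with is untrusted input. The source tree and archives are constructed in a temporary directory for illustration.

```python
"""Backup restoration test: restore an archive into a scratch directory and
verify every file against the SHA-256 manifest written at backup time.
Added example; the files and archives below are constructed in a temp dir."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and write a manifest of relative path -> sha256 beside it."""
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    with open(str(archive_path) + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return manifest


def restore_and_verify(archive_path, manifest):
    """Restore into a fresh temp dir and return a list of problems (empty = pass)."""
    problems = []
    # Use the hardened 'data' extraction filter where this Python provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                for m in tar.getmembers():
                    # Never let an archive member escape the restore directory.
                    if m.name.startswith("/") or ".." in Path(m.name).parts:
                        problems.append(f"unsafe path in archive: {m.name}")
                        continue
                    tar.extract(m, restore_dir, **extract_opts)
        except (tarfile.TarError, OSError) as e:
            return [f"archive unreadable: {e}"]
        for rel, expected in manifest.items():
            p = Path(restore_dir) / rel
            if not p.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(p) != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def demo():
    """Build a small source tree, back it up, verify a clean restore, then
    verify a tampered copy of the archive. Returns both problem lists."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed
        (src / "config.ini").write_text("[app]\nmode=prod\n")          # constructed
        archive = Path(work) / "backup.tgz"
        manifest = make_backup(src, archive)
        clean = restore_and_verify(archive, manifest)

        # Tampered copy: same members, but ledger.csv silently altered.
        tampered = Path(work) / "tampered.tgz"
        with tarfile.open(str(archive), "r:gz") as s, tarfile.open(str(tampered), "w:gz") as d:
            for m in s.getmembers():
                data = s.extractfile(m).read()
                if m.name == "db/ledger.csv":
                    data = b"id,amount\n1,999\n"
                m.size = len(data)
                d.addfile(m, io.BytesIO(data))
        bad = restore_and_verify(tampered, manifest)
    return clean, bad


if __name__ == "__main__":
    clean, bad = demo()
    print("clean restore problems:", clean)
    print("tampered restore problems:", bad)
```

Keep the manifest somewhere the backup job cannot overwrite (a separate, write-once location); if ransomware or a faulty job rewrites both the archive and its manifest, the hashes will agree and the test will pass for the wrong reason. Run the restore onto isolated storage, never over the live system.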
4. Incident Response Readiness
Update your incident response plan with current contact information and lessons learned. Run tabletop exercises with key stakeholders to test your team's ability to respond effectively to realistic breach scenarios.
5. Third-Party Security
Review security practices of vendors and partners who access your systems or data. Ensure contracts clearly define security requirements and breach notification obligations.
Schedule your annual security review during a slower business period and assign clear ownership for each area. Document your findings, prioritise remediation efforts based on risk, and present results to leadership with specific resource requirements and timelines.
Too often, businesses wait and see how others fare before adopting a new practice. In cybersecurity, that delay can be detrimental or even fatal to the business. Regulatory penalties, loss of customer trust, destruction of data: these days it does not take a fire or an earthquake to destroy a business. A cyberattack can be just as dangerous.
Don't wait for a breach to expose gaps in your security. Contact our cybersecurity team at pkfae@pkfmalaysia.com today for a comprehensive security assessment tailored to your business needs and industry requirements.