Cyber Security Training for Malaysia’s Remote and Hybrid Workforce

by Indu Krishna

June 3, 2025

Who should read this?

CEOs
CTOs
CISOs
Cyber Security Managers

Malaysia is undergoing a sweeping digital transformation that is reshaping every aspect of its business landscape. This shift has changed how people work, transitioning from on-site offices to flexible remote and hybrid environments. Simultaneously, it is triggering ripple effects across the country’s cyber threat landscape, heightening risks that organizations must urgently address.

In this context, the Malaysia Cyber Security Strategy 2020-2024 (MCSS) points to a crucial reality for today’s business leaders: in a world where nearly everyone and everything connects to cyberspace, digital connectivity is both a powerful advantage and a significant source of risk. As Malaysian businesses deepen their use of technologies—from mobile and social platforms to Big Data, Internet of Things (IoT), Artificial Intelligence (AI), and hyper-scale cloud services—their cyber risk landscape continues to broaden. Every connected device and user becomes a potential entry point for attackers.

The most effective defense? Building a well-prepared workforce. Cyber security awareness and targeted workforce training must be at the forefront of organizational priorities—especially as remote and hybrid work models expand the attack surface and introduce new vulnerabilities.

This blog explores what Malaysian business and security leaders need to know and do to tailor their organization’s cyber security training in 2025.

Key Cyber Risks in Hybrid and Remote Work

Remote and hybrid work models increase the number of potential vulnerabilities within organizations. Key risks include:

  • Unsecured Devices and Networks: Unlike corporate environments with tightly controlled networks, remote employees typically rely on home networks that often lack robust security controls such as firewalls or encryption. The use of personal and IoT devices, frequently shared with family members, expands the attack surface, increasing the risk of malware or ransomware infiltrating corporate systems.
  • Phishing and Social Engineering: According to MyCERT statistics, over three-quarters of fraud incidents reported in Q4 2024 were phishing-related. Common attack methods include contextualized and localized phishing campaigns, mobile-focused phishing like smishing and app-based scams, as well as vishing (phone scams) and calls impersonating CyberSecurity Malaysia and various Malaysian law enforcement agencies. Remote work has significantly increased employees’ vulnerability to these attacks. Cyber criminals exploit the isolation and reduced oversight of remote workers by sending highly convincing phishing emails, SMS messages, and voice calls designed to steal credentials or install malware. The extensive use of social media and messaging apps—such as WhatsApp and Telegram—for work communication further expands the attack surface, increasing the risk of social engineering attacks. (Source)
  • Shadow IT: To enhance productivity, remote employees often resort to unsanctioned applications or cloud services, collectively known as “shadow IT.” These tools create security blind spots beyond IT’s visibility and control, presenting exploitable vulnerabilities to attackers.
  • Delayed Incident Reporting: Remote workers may hesitate or delay reporting security incidents due to lack of immediate support, limited awareness, or fear of repercussions. Such delays can allow cyber threats to escalate unchecked.

Above all, human behavior remains the most significant cyber security risk factor. Employees may unintentionally click on malicious links or neglect important security updates due to cognitive biases or lack of awareness. Addressing these behavioral tendencies requires psychology-informed training methods to meaningfully improve program effectiveness. Use reminders, alerts, and prompts (e.g., password change notifications, security tips) to reinforce good security habits and prompt safe actions. Use relatable stories and case studies to make risks memorable, and encourage employees to share experiences and tips, leveraging social proof to positively influence behavior.

Cyber Security Training Tips for Malaysia’s Remote and Hybrid Workforce

1. Implement Multilingual Cyber Security Training to Engage Malaysia’s Diverse Workforce

Malaysia’s workforce is uniquely diverse, with Malay, Chinese, and Indian ethnic groups and multiple languages, including Malay, English, Tamil and Mandarin (Source). Cyber security training must therefore be multilingual and culturally relevant to ensure comprehension across all regions and communities. Use familiar references and local examples that resonate with employees’ daily lives—such as common scams related to popular local banks, government services, or festive season frauds—to make training more relatable and effective. By reflecting familiar scenarios and communication styles, employees could be better equipped to recognize real-world threats and apply safe practices both at work and in their personal digital activities.

2. Customise Cyber Security Training to Different Technology Skill Levels

Workforces often have a wide gap in digital confidence—being comfortable with everyday technology doesn’t necessarily mean employees understand cyber security risks. A one-size-fits-all training approach can leave many workers unprepared and vulnerable. To bridge this gap, training must be customized to meet different technology skill levels. Organizations should begin by assessing employees’ digital literacy and security awareness through surveys or baselining evaluations. Based on these insights, customise training programs to offer tiered modules with clear, jargon-free content for beginners and more in-depth material for experienced users. For example, beginners could be provided interactive modules covering fundamentals like password management and safe browsing, while experienced users could access advanced training on topics like threat detection and incident response. Additionally, providing ongoing support via chat, helpdesks, or other channels could ensure that learners get timely help, making the training more effective and accessible for everyone.

3. Use Local Examples to Teach Phishing Awareness

Phishing attacks in Malaysia frequently impersonate familiar local entities—such as banks, government agencies, retailers, and popular delivery services (Source). Training should prioritize these localized scams, teaching employees how to identify and verify suspicious communications unique to Malaysia’s digital landscape rather than relying only on generic global examples. Additionally, highlight the risks associated with widely used messaging apps like WhatsApp and Telegram, which are common channels for social engineering attacks targeting remote workers. Emphasizing these local contexts makes training more relevant and effective in helping employees recognize real threats.

4. Equip Remote and Hybrid Workers with Location-Aware Security Best Practices

Remote and hybrid workers may work from anywhere—home, coworking spaces, or cafes—and must be equipped with practical knowledge to protect themselves and corporate data regardless of their location. Training should include guidance on securely using shared or personal devices, identifying risks unique to various work environments, and adopting best practices such as using trusted VPNs and avoiding unsecured or suspicious public Wi-Fi networks whenever possible.

5. Deliver Mobile-Optimized Microlearning to Fit Malaysia’s Busy, Multi-Generational Workforce

Many employees could be juggling multiple responsibilities and commitments alongside work. To accommodate this, training content should be delivered in short, mobile-friendly modules that can be accessed anytime and anywhere without disrupting daily routines. Using dedicated mobile learning management system (LMS) apps could be an effective way to deliver bite-sized, mobile-optimized training. Alternatively, organizations can use custom web-based training portals designed responsively for mobile devices, accessible via any browser and easily linked from commonly used communication apps. Such flexible delivery enables workers everywhere to fit training into their schedules easily, improving accessibility and encouraging higher completion rates.

6. Lead by Creating a Blame-Free, Open Communication Culture

Malaysian workplaces often emphasize strong respect for authority, which frequently makes employees hesitant to report security issues due to fear of blame or losing face—fears that are amplified by the isolation of remote and hybrid work. To overcome these barriers, leaders should actively participate in training programs and become vocal advocates for cyber security. Visible leadership commitment—such as leaders sharing personal cyber security experiences or openly endorsing training initiatives—can help break down resistance and promote a security-first mindset across dispersed teams. Leaders must regularly engage teams through virtual channels like video calls, emails, and interactive town halls, providing employees with opportunities to ask questions and share concerns. By cultivating a supportive, blame-free environment aligned with Malaysia’s social norms, leaders reassure employees that reporting incidents is safe, valued, and free from punishment. Recognizing and rewarding positive security behaviors further encourages a security-first mindset and peer influence.

A Note to Leaders

As Malaysia embraces remote and hybrid work, organizations’ cyber security depends more than ever on employee vigilance. As cyber threats grow in sophistication and frequency, generic training programs no longer suffice. Business and security leaders must implement customized, ongoing training strategies that address the specific needs and cultural nuances of the Malaysian workforce.

By fostering a culture of vigilance, encouraging open communication without fear of blame, and equipping employees with practical skills to detect and respond to threats, organizations can significantly reduce their cyber risk exposure. Proactive investment in tailored cyber security training empowers organizations to safeguard their most valuable assets—people and data—and build long-term resilience against cyber attacks.

The time to act is now. Organizations must prioritize workforce readiness as a cornerstone of their cyber security defense.
