
So something went wrong. Someone on your team clicked a link they shouldn't have, customer data might have been exposed, or your files are suddenly locked behind a ransomware screen. Whatever it is, you know something's off and you're not sure what to do next.
The good news is that how you respond matters more than what already happened. This article covers the key steps to handle a data security incident as a Malaysian SME — what to do first, what the law expects from you, and how to get back on your feet.
The first 24 hours are critical, and your number one priority is to stop whatever happened from getting worse.
Start by disconnecting affected devices from your network. If a laptop got compromised, take it offline. If it's a server, isolate it. At this stage, your priority is to isolate the threat and prevent it from spreading to the rest of your systems.
Next, reset your admin passwords for everything you can think of — Google Workspace, Microsoft 365, your web hosting panel, your company email. If you've been reusing the same password across multiple platforms (you shouldn't, but let's be real), change all of them now. Every single one.
Then take stock of what was actually affected. What kind of data are we talking about? Customer IC numbers? Email addresses? Payment details? Internal documents? You don't need a full forensic breakdown at this point, but you need a rough picture so you know what you're dealing with. And whatever you do, don't delete anything or try to "fix" things by wiping data. You might destroy evidence you'll need later.
Many SME owners overlook breach reporting until it's too late. With the updated PDPA rules in effect since June 2025, notifying authorities about a breach is no longer optional.
It is a legal requirement that your business must follow today.
Here's the key thing: not every breach needs to be reported. However, if the incident is likely to cause 'significant harm' to individuals, you must act fast.
You are legally required to notify the Personal Data Protection Commissioner within 72 hours of becoming aware of the breach.
Significant harm includes situations where the leaked data could be used for identity fraud, where it involves sensitive personal data like health or financial records, or where the breach affects more than 1,000 people.
If your breach hits any of those thresholds, you also need to inform the affected individuals within 7 days after your initial report to the Commissioner.
The stakes are high.
Failing to report a qualifying breach can lead to fines of up to RM250,000, imprisonment for up to two years, or both.
The maximum fines for breaching data protection principles in general have also gone up to RM1,000,000 under the updated PDPA.
On top of that, businesses that process personal data on a large scale are now required to appoint a Data Protection Officer (DPO), so if your SME handles a significant volume of customer information, that's something you need to sort out too.
Managing the aftermath requires contacting the right authorities.
Get your legal side covered by notifying the Personal Data Protection Commissioner (JPDP).
Call the MyCERT Cyber999 Hotline at 1-300-88-2999 during business hours or +6019-266 5850 for 24/7 assistance.
And file a police report at your nearest station if the incident involves criminal activity like hacking, ransomware, or data theft.
If customer data was involved, don't sit on it and hope nobody notices. That strategy never ends well.
You don't need a fancy press release, especially as an SME. A clear, honest message goes a long way. Tell them what happened in plain language, explain what you've done to secure things, and give them practical steps they can take on their end. People appreciate honesty and action far more than silence and spin. The longer you wait to say something, the worse it looks when it eventually comes out — and it always comes out.
If you're not sure what to say, something along these lines works as a starting point:
"We recently identified a security incident that may have affected some of your personal information. We've taken steps to secure our systems and are currently investigating the matter. As a precaution, we recommend that you change your password for any account associated with us and monitor your bank statements for any unusual activity. We sincerely apologise for any concern this may cause, and we're committed to keeping you updated as we learn more."
Adjust it to fit your situation, but the idea is the same: be upfront about what happened, tell them what you've done, and give them something actionable.
Once the immediate crisis is under control, it's time to get back on your feet.
If your data was compromised or locked by ransomware, restore from your most recent clean backup. Don't have a backup? Make sure fixing that is your top priority as soon as this is over.
After that, go through your systems and update everything.
A huge number of SME breaches happen because of outdated software. Common culprits include old versions of Windows, unpatched plugins on your website, or router firmware that nobody's touched in years.
These are easy wins that make a real difference.
Then talk to your team. Most security incidents start with a human mistake: someone clicking a phishing link, using a weak password, or sharing files through the wrong channel.
You don't need a three-hour seminar for this. Even a quick 15-minute briefing on what happened and how to spot red flags going forward can go a long way.
One more thing to remember is that under the updated PDPA, you're required to keep a breach register for at least two years, documenting the cause, impact, and actions you took.
Keep everything. It shows regulators you handled things properly, and it'll help you do better next time.
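To make the reporting rules and the breach register concrete, here is an added example (not from the original article, and not an official PDPA tool) that encodes the thresholds stated above: significant harm means identity-fraud risk, sensitive data such as health or financial records, or more than 1,000 affected people; the Commissioner is notified within 72 hours of becoming aware; affected individuals within 7 days after that report; and the register is kept for at least two years. The field names, the CSV register layout and the two sample incidents are this example's own assumptions.

```python
"""Breach-notification triage and breach-register entry for a Malaysian SME.

Added example, not code from the original article. The thresholds below are
the ones the article states; the data model, the register format and the
sample incidents are assumptions made for this demonstration.
"""
from __future__ import annotations

import csv
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

SENSITIVE_CATEGORIES = {"health", "financial"}  # article's examples of sensitive data
MASS_BREACH_THRESHOLD = 1000                     # "affects more than 1,000 people"
COMMISSIONER_WINDOW = timedelta(hours=72)        # from becoming aware of the breach
INDIVIDUAL_WINDOW = timedelta(days=7)            # after the report to the Commissioner
REGISTER_RETENTION = timedelta(days=731)         # "at least two years" (731 covers a leap year)
MYT = timezone(timedelta(hours=8))               # Malaysia is UTC+8


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime            # when the business became aware (timezone-aware)
    data_categories: set[str]     # e.g. {"email", "ic_number", "financial"}
    affected_people: int
    identity_fraud_risk: bool     # could the leaked data be used for identity fraud?
    cause: str = ""
    impact: str = ""
    actions_taken: list[str] = field(default_factory=list)


def significant_harm_reasons(inc: Incident) -> list[str]:
    """Return every 'significant harm' threshold this incident meets (empty = none)."""
    reasons = []
    if inc.identity_fraud_risk:
        reasons.append("data usable for identity fraud")
    if inc.data_categories & SENSITIVE_CATEGORIES:
        reasons.append("sensitive personal data (health/financial)")
    if inc.affected_people > MASS_BREACH_THRESHOLD:
        reasons.append(f"more than {MASS_BREACH_THRESHOLD} people affected")
    return reasons


def notification_plan(inc: Incident, reported_at: datetime | None = None) -> dict:
    """Decide whether notification is required and compute both deadlines."""
    reasons = significant_harm_reasons(inc)
    plan = {"notify_required": bool(reasons), "reasons": reasons,
            "commissioner_deadline": None, "individuals_deadline": None}
    if reasons:
        plan["commissioner_deadline"] = inc.aware_at + COMMISSIONER_WINDOW
        # The 7-day clock starts at the actual report; before the report is
        # made we plan against the latest permitted report time.
        start = reported_at or plan["commissioner_deadline"]
        plan["individuals_deadline"] = start + INDIVIDUAL_WINDOW
    return plan


def register_row(inc: Incident, plan: dict) -> dict:
    """Build one breach-register row: cause, impact, actions, decision, retention date."""
    fmt = lambda d: d.isoformat() if d else ""
    return {
        "incident_id": inc.incident_id,
        "aware_at": inc.aware_at.isoformat(),
        "cause": inc.cause,
        "impact": inc.impact,
        "actions_taken": "; ".join(inc.actions_taken),
        "notify_required": plan["notify_required"],
        "reasons": "; ".join(plan["reasons"]),
        "commissioner_deadline": fmt(plan["commissioner_deadline"]),
        "individuals_deadline": fmt(plan["individuals_deadline"]),
        "retain_until": (inc.aware_at + REGISTER_RETENTION).date().isoformat(),
    }


def append_register_entry(register: Path, inc: Incident, plan: dict) -> dict:
    """Append the row to a CSV breach register, writing the header on first use."""
    row = register_row(inc, plan)
    new_file = not register.exists()
    with register.open("a", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(row))
        if new_file:
            writer.writeheader()
        writer.writerow(row)
    return row


# Constructed sample incidents (not real cases).
SAMPLE_REPORTABLE = Incident(
    incident_id="INC-EXAMPLE-001", aware_at=datetime(2025, 8, 4, 9, 30, tzinfo=MYT),
    data_categories={"email", "ic_number"}, affected_people=340, identity_fraud_risk=True,
    cause="phishing email led to a mailbox compromise", impact="customer contact list exported",
    actions_taken=["isolated the laptop", "reset all admin passwords"])
SAMPLE_MINOR = Incident(
    incident_id="INC-EXAMPLE-002", aware_at=datetime(2025, 8, 5, 14, 0, tzinfo=MYT),
    data_categories={"email"}, affected_people=12, identity_fraud_risk=False,
    cause="newsletter sent with recipients in To: instead of Bcc:", impact="12 addresses visible")

if __name__ == "__main__":
    for inc in (SAMPLE_REPORTABLE, SAMPLE_MINOR):
        plan = notification_plan(inc)
        print(json.dumps(plan, default=str, indent=2))
        append_register_entry(Path("breach_register.csv"), inc, plan)
```

Both incidents go into the register even though only the first triggers a report: the article's point is that the register documents every breach, while the deadlines only exist when a threshold is met. Pass `reported_at` once the Commissioner has actually been notified so the 7-day window is counted from the real report rather than the planned one.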
To be honest, if the breach is anything more than a simple one, trying to handle recovery entirely on your own is risky.
It's too easy to make a mistake.
A wrong move during cleanup can lead to permanent data loss. If the job isn't thorough, attackers will simply use the same backdoors to get back in.
Getting professional help for digital forensics and recovery is just practical business management.
It ensures the job is done right.
After all, the cost of a failed recovery almost always exceeds the price of hiring an expert.
A data security incident doesn't have to be the end of the world for your business.
What matters most is how you respond: act quickly, meet your legal obligations, communicate honestly, and learn from what happened.
The worst thing you can do is nothing.
If you haven't thought about your incident response plan yet, don't leave it for later.
Start small — make sure your backups are running and actually working, write down a list of who to call if something goes wrong (your IT person, MyCERT, your lawyer), and have a basic notification template ready to go.
These are things you can sort out this week, and you'll be glad you did if the day ever comes.
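"Backups that are running and actually working" is a check you can automate. The script below is an added example (not from the original article) that verifies three things about the newest backup archive: it is younger than a maximum age, its SHA-256 matches a manifest written at backup time, and a test restore into a scratch directory brings back the files you expect. The manifest convention (a `.sha256` file beside each archive), the one-day staleness policy and the sample backup it builds for the demo are this example's own assumptions.

```python
"""Check that the newest backup is recent, intact and restorable.

Added example, not code from the original article. The manifest layout and
the age policy are assumptions; the sample backup is constructed demo data.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 24 * 3600  # example policy: a backup older than a day counts as stale


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def newest_archive(backup_dir: Path) -> Path | None:
    archives = sorted(backup_dir.glob("*.tar.gz"), key=lambda p: p.stat().st_mtime)
    return archives[-1] if archives else None


def safe_members(tar: tarfile.TarFile):
    """Yield only members whose paths stay inside the restore directory."""
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
            continue
        yield m


def verify_backup(backup_dir: Path, expected_files: set[str], now: float | None = None) -> dict:
    """Return a report; report['ok'] is True only when age, checksum and restore all pass."""
    now = time.time() if now is None else now
    report = {"ok": False, "archive": None, "age_ok": False, "hash_ok": False,
              "restore_ok": False, "problems": []}
    archive = newest_archive(backup_dir)
    if archive is None:
        report["problems"].append("no backup archive found")
        return report
    report["archive"] = archive.name
    age = now - archive.stat().st_mtime
    report["age_ok"] = age <= MAX_AGE_SECONDS
    if not report["age_ok"]:
        report["problems"].append(f"newest backup is {age / 3600:.1f} h old")
    manifest = archive.parent / (archive.name + ".sha256")
    if manifest.exists() and manifest.read_text().split()[0] == sha256_of(archive):
        report["hash_ok"] = True
    else:
        report["problems"].append("checksum missing or mismatched")
    # A backup you have never restored is a hope, not a backup: do a test restore.
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive) as tar:
                tar.extractall(scratch, members=list(safe_members(tar)))
            restored = {p.relative_to(scratch).as_posix()
                        for p in Path(scratch).rglob("*") if p.is_file()}
            missing = expected_files - restored
            report["restore_ok"] = not missing
            if missing:
                report["problems"].append(f"missing after restore: {sorted(missing)}")
        except (tarfile.TarError, OSError) as exc:
            report["problems"].append(f"restore failed: {exc}")
    report["ok"] = report["age_ok"] and report["hash_ok"] and report["restore_ok"]
    return report


def make_sample_backup(backup_dir: Path, files: dict[str, bytes]) -> Path:
    """Build a constructed backup archive and its .sha256 manifest (demo data only)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup-sample.tar.gz"
    with tempfile.TemporaryDirectory() as src:
        for name, data in files.items():
            p = Path(src) / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        with tarfile.open(archive, "w:gz") as tar:
            for name in files:
                tar.add(Path(src) / name, arcname=name)
    (backup_dir / (archive.name + ".sha256")).write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def demo(now_offset: float = 0.0) -> dict:
    """Build a sample backup and verify it; now_offset fakes the clock to test staleness."""
    files = {"customers.csv": b"id,name\n1,Sample Customer\n", "config/settings.json": b"{}\n"}
    with tempfile.TemporaryDirectory() as d:
        make_sample_backup(Path(d) / "backups", files)
        return verify_backup(Path(d) / "backups", set(files), now=time.time() + now_offset)


if __name__ == "__main__":
    print(demo())
```

Run it from a scheduled task against your real backup folder by calling `verify_backup` with the directory and the list of files you could not do business without; a failed report is the signal to fix backups before an incident, not after.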
Need immediate assistance or a security health check? Don't wait for a breach to happen. Contact our security team today for a professional consultation and protect your Malaysian SME from evolving cyber threats.