
Ethical hackers find hidden vulnerabilities as AI-driven attacks exploit slow patching, with human error often the root cause of breaches.

PETALING JAYA: Malaysian organisations may be underestimating their cyber risks as ethical hackers continue to uncover hidden vulnerabilities that automated scans miss.

Delays in patching the lapses leave firms dangerously exposed to rapid AI-driven attacks.

“Ethical hacking and authorised penetration testing provide a battle-tested view of an organisation’s defences,” CyberSecurity Malaysia acting CEO Roshdi Ahmad told theSun.

“Unlike automated scans, white-hat hackers simulate real-world breaches to expose hidden vulnerabilities that routine checks may miss.”

He said current benchmarks show that organisations take an average of two to three months to remedy critical vulnerabilities, a delay increasingly dangerous in an era in which attackers could rapidly weaponise newly discovered flaws.

When asked whether organisations promptly fix issues uncovered by ethical hackers, he said: “Not fast enough. With the help of AI, attackers can weaponise new vulnerabilities in as little as a couple of days, or even within an hour in some cases.

“This creates a dangerous gap between discovery and remediation.”

He said organisations broadly fall into two camps – those that treat penetration testing as part of a continuous security improvement process and those that remain largely compliance driven.

“In more mature environments, testing results feed directly into real-time patching pipelines. In reactive settings, findings are treated as one-off audit deliverables, leaving organisations in a constant game of catch-up.”

Beyond delayed fixes, Roshdi said most breaches still stem from a combination of human behaviour and technical weaknesses rather than highly sophisticated cyber warfare.

“While the entry point may be technical, such as unpatched systems, default credentials or exposed admin interfaces, the root cause is almost always human driven.

“Whether it is delayed patching, misconfigured cloud storage or staff reusing passwords for convenience, these lapses create the perfect storm for attackers. Breaches are rarely purely technical failures.”

Among recurring weaknesses observed across Malaysian organisations is the continued use of weak or default credentials, particularly generic administrative accounts paired with easily guessable passwords.

He added that at the same time, the threat landscape facing local enterprises is becoming more aggressive and complex.

Roshdi said ransomware operations involving data exfiltration and double extortion continue to surge, while credential-focused attacks targeting Active Directory systems (which manage user accounts and access across corporate networks), virtual private networks and cloud identities are also rising.

He said advanced phishing campaigns, including email, SMS and QR-code-based “quishing” attacks, are increasingly localised to mimic Malaysian brands and government agencies, making them harder to detect.

“There is often a perception that meeting audit requirements and deploying security tools means the organisation is adequately protected.

“In reality, cybersecurity readiness depends on day-to-day operational discipline, identity management, timely patching and effective incident response.” 

 The Sun Malaysia


About the Author

Danny H

Seasoned sales executive and real estate agent specializing in both condominiums and landed properties.
