Cybersecurity A-Z
Plain-language definitions of the terms you need to know.
B
Breach Notification
The legal requirement to inform regulators, affected individuals, or both when a data breach involving personal data has occurred.
Brute Force Attack
An attack method that systematically tries every possible password or key combination until the correct one is found, relying on computational power rather than cleverness.
Business Email Compromise (BEC)
A sophisticated scam where attackers impersonate executives or business partners via email to trick employees into transferring funds or sharing sensitive data.
C
Cloud Security
The set of policies, technologies, and controls used to protect data, applications, and infrastructure hosted in cloud computing environments.
Credential Stuffing
An automated attack where stolen username-password pairs from one data breach are systematically tried against other websites, exploiting password reuse.
Cyber Insurance
Insurance coverage designed to mitigate the financial impact of cyber incidents including data breaches, ransomware attacks, business interruption, and regulatory fines.
Cyber Security Act 2024
Malaysia's cybersecurity legislation establishing licensing requirements for cybersecurity service providers and mandatory security measures for critical infrastructure.
Cyberbullying
Deliberate, repeated harassment, intimidation, or humiliation carried out through digital platforms such as social media, messaging apps, or online games.
D
Data Controller
The person or organisation that determines the purposes and means of processing personal data, bearing primary responsibility for PDPA compliance.
Data Loss Prevention (DLP)
Technologies and policies that detect and prevent the unauthorised transfer, leakage, or destruction of sensitive data from an organisation.
Data Processor
A person or organisation that processes personal data on behalf of a data controller, such as a cloud provider, payroll company, or IT service provider.
Data Protection Officer (DPO)
A designated person responsible for overseeing an organisation's data protection strategy, ensuring PDPA compliance, and serving as the point of contact for data subjects and regulators.
Data Subject
An individual whose personal data is being collected, stored, or processed by a data controller.
DDoS (Distributed Denial of Service)
An attack that overwhelms a website, server, or network with massive amounts of traffic from multiple sources, making it unavailable to legitimate users.
Digital Footprint
The trail of data and information left by a person's online activities, including social media posts, search history, website visits, and online purchases.
Digital Literacy
The ability to safely, responsibly, and effectively use digital technologies — including evaluating online information, protecting privacy, and recognising digital threats.
E
Encryption
The process of converting readable data into an unreadable format using mathematical algorithms, ensuring only authorised parties with the correct key can access it.
Endpoint Security
Security measures protecting individual devices (laptops, phones, tablets) that connect to a network, including antivirus, encryption, and access controls.
F
I
Incident Response Plan
A documented set of procedures for detecting, responding to, and recovering from cybersecurity incidents, minimising damage and downtime.
Insider Threat
A security risk posed by individuals within an organisation — employees, contractors, or partners — who misuse their authorised access to harm the organisation.
M
Malware
An umbrella term for any software intentionally designed to cause damage, steal data, or gain unauthorised access to computer systems.
Man-in-the-Middle Attack (MITM)
An attack where the attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other.
Multi-Factor Authentication (MFA)
An authentication method requiring two or more independent verification factors drawn from different categories — something you know (a password or PIN), something you have (a phone or security key), or something you are (a fingerprint or face).
MyCERT (Malaysia Computer Emergency Response Team)
Malaysia's national cyber emergency response team that provides incident response, threat advisories, and cybersecurity coordination services.
N
NACSA (National Cyber Security Agency)
Malaysia's national agency responsible for cybersecurity policy, coordination, and incident response, operating under the National Security Council.
Network Segmentation
Dividing a computer network into smaller, isolated segments to limit the spread of attacks and restrict access to sensitive systems.
NIST Cybersecurity Framework (CSF)
A voluntary framework developed by the US National Institute of Standards and Technology providing guidelines for organisations to manage and reduce cybersecurity risk.
P
Parental Controls
Software features and settings that allow parents to manage and monitor their children's online activities, including content filtering, screen time limits, and app restrictions.
Patch Management
The systematic process of identifying, acquiring, testing, and installing software updates (patches) to fix security vulnerabilities and bugs.
PDPA (Personal Data Protection Act 2010)
Malaysia's primary legislation governing the processing of personal data in commercial transactions, requiring organisations to protect individuals' personal information.
Penetration Testing (Pen Test)
An authorised simulated cyberattack against a computer system, network, or application to identify exploitable vulnerabilities before real attackers find them.
Phishing
A social engineering attack where criminals impersonate trusted entities via email, SMS, or fake websites to trick victims into revealing sensitive information.
S
Security Awareness Training
Structured education programmes that teach employees to recognise and respond to cybersecurity threats, reducing the human risk factor in organisations.
SIEM (Security Information and Event Management)
A platform that collects, correlates, and analyses security logs from across an organisation's IT infrastructure to detect threats and support incident response.
Smishing (SMS Phishing)
A form of phishing conducted via SMS text messages, where attackers send fraudulent messages to trick victims into clicking malicious links or revealing personal information.
Social Engineering
Psychological manipulation techniques used by attackers to deceive people into revealing confidential information, granting access, or performing actions that compromise security.
Spear Phishing
A targeted phishing attack directed at a specific individual or organisation, using personalised information to appear more convincing than generic phishing.
SQL Injection
A code injection attack where malicious SQL statements are inserted into application input fields to manipulate or extract data from the underlying database.
Supply Chain Attack
A cyberattack that targets an organisation by compromising a less-secure vendor, supplier, or software provider that has access to the target's systems or data.
T
Trojan Horse
Malware disguised as legitimate software that tricks users into installing it, giving attackers hidden access to the victim's system.
Two-Factor Authentication (2FA)
A security method requiring two different forms of verification — something you know (password) and something you have (phone, security key) — before granting access.
V
Vishing (Voice Phishing)
A phishing attack conducted over phone calls, where scammers impersonate authority figures to extract money or sensitive information from victims.
VPN (Virtual Private Network)
A technology that creates an encrypted tunnel between your device and a remote server, protecting your internet traffic from eavesdropping and masking your IP address.