The pandemic saw Malaysian companies scrambling to move their communication towards the cloud, using Microsoft Teams, Zoom, Google Workspace and so on. Five years later, workers are now back in offices, but the new systems and policies remain in place — perhaps out of convenience, improved productivity or sunk cost.

What’s less talked about are the cybersecurity risks we’ve inherited along the way. Amidst the manic push towards technological adoption, Malaysian companies are now falling victim to newfound threats that they are not fully equipped to prevent.

Enterprise communication tools are a popular attack vector used by bad actors due to the diverse online channels adopted by companies. A 2023 survey by TechTarget’s Enterprise Strategy Group showed that 85% of organisations approve the employee use of six or more enterprise communication tools, with 35% approving 11 tools or more. Each of these tools represents a potential point of vulnerability, such as phishing attacks, employees mistakenly downloading malicious software, or bad actors covertly monitoring communications.

Even with the most stringent of policies, the weakest link could lie in solutions outside the organisation’s control. Platforms like Zoom, Microsoft Teams and Google Suite have vulnerabilities constantly exposed, sometimes taking multiple weeks to fix — of which the vulnerability had been sufficiently exploited.

As a result, 70% of companies surveyed by PIKOM in 2024 were victims of cyber breaches over the past three years. Netherlands-based cybersecurity firm Surfshark cites Malaysia as the 8th most breached country in Q3 2023, facing a 144% increase in breach rates compared to the previous quarter alone.

Digital sovereignty is now a priority — where organisations have authority over their data, infrastructure, and technology usage. Being reliant on foreign servers to store and process data is counterintuitive to that.

Places such as the European Union, India, and China are gradually tightening their Data Residency laws — requiring sensitive data to be stored locally. Malaysia is expected to follow suit, especially with massive investments into establishing data centres within the country.

Cybersecurity is part of the national agenda, and the Malaysian government is welcoming solution providers from across the world. One so happens to be from the Mecca of cybersecurity threats and defences.

Nestled in a corner of CyberDSA 2024 conference held in Kuala Lumpur is a booth by eXpress.ms — a Russian cybersecurity technological provider and their Malaysian partner, Gogopass Asia. Their solution aims to solve a security gap torn open by our move towards cloud communication channels.

Powering communication for Russia’s essential services

eXpress.ms provides solutions that blend elements of enterprise communications and resource planning.

In addition to emails, calendars and video conferencing, their systems include human resources and project management tools — which users can interact with via web browsers, mobile apps and AI chatbots. Clients can even selectively combine relevant features into a super app, and incorporate their own corporate branding.

At first glance, eXpress.ms appears as a direct competition to players such as Zoom, Microsoft Teams and Google Suite. However, the simple decision to prioritise security first and foremost has domino-ed to the other aspects of the company — from product development to their position in the market.

img

“Within the last three years, we have gained 80% [of the market share] within the Russian government and markets. Our solution is being used by the Presidential Administration of Russia, Federal Taxation Service, and Federal Agency for Rail Transport. Our customers also include Rosneft and Rosatom," says eXpress.ms CEO Andrey Vratsky.

For context, Rosneft is the largest oil producer in Russia, controlling over 40% of the country’s total oil production, while Rosatom is a state corporation focused on Nuclear energy, responsible for 20% of Russia’s electricity production.

Building walled gardens for corporations

img

img

eXpress.ms’ crown jewel is a proprietary internet protocol that serves as the foundation that every other product sits upon.

The protocol allows servers to communicate with each other in a way that’s harder to intercept compared to conventional public networks — thus making these servers less attractive as a target.

eXpress.ms is also deployed on the client’s on-premises servers and private clouds, of which eXpress.ms themselves have no access to. This forms a federation network that allows secure internal communication for organisations that span multiple cities and regions — all of which are controlled by the enterprise clients.

Despite the walled garden, the federation network can deploy ad hoc guest servers to accommodate temporary contractors and customers, of which will be erased upon work completion.

eXpress.ms’ other security features are built onto of this federated network.

Data is stored in crypto-containers which can be wiped remotely by an administrator, preventing data theft from lost and stolen devices. Data at rest and in-transit are end-to-end encrypted. Server admins have both broad-based and fine-tune control, allowing them to determine high-level and low-level security segments at will.

Sitting above this secured infrastructure are app features that we come to expect from an enterprise communication software, such as file transfers, screen sharing, integration with corporate telephony systems and so on.

Andrey explains that the company is built upon the idea of sovereignty, an idea so committed that eXpress.ms’ product suite is all built from scratch — without dependencies on external libraries, open source or otherwise.

“Since the end of the 2000s, public cloud servers were the hype. The cloud is easier, cheaper, and faster, and demand peaked until around three years ago,” says Andrey.

“Now, we see the trend reversing because organisations care more about security and data storage. Governments are worried about data sovereignty and wish to have their data stored locally within their borders.”

“So, what does it mean to be digitally sovereign? It means you are independent — not replying on foreign services, foreign clouds and so on. Communication is an important part of digital sovereignty that that’s the purpose for which eXpress.ms was built.”

The decision to avoid open-source dependencies is crucial to the eXpress.ms’ success.

To integrate into Russia’s Critical Infrastructure Facilities, authorities require solution providers to obtain the FSTEC (Federal Service for Technical and Export Control) certification. Without the certification, it’s impossible to operate in sectors such as banking, telecommunications, healthcare, energy, and nuclear power.

To qualify for the certification, the source code undergoes stringent reviews by independent testing centres for potential back doors that allow data to be transferred or altered without permission. That minimises risks of espionage — an aspect Russia is known to be cautious of.

“Every comma [and] every symbol of your source code is checked. That is the only way to obtain the certificate, and you cannot do this with open-source code. This is also why eXpress.ms is absolutely secure,” says Andrey.

Solving a gap in the market.

Before eXpress.ms, Andrey had worked for one of the largest system integrators in the country.

“I had a 15-year career in the industry, and became the vice president of sales. We were one of the largest Microsoft partners in Russia at the time, and I sold more than a billion American dollars worth of licences across 11 years,” he shares.

“However, I always wanted to start something of my own — to create something, and not just be a reseller. At the time, we wanted a secure enterprise communication suite for ourselves, but we couldn’t find such a product on the market. That’s when I decided to build one of my own.”

“We launched a minimum viable product with just chat and video conferencing — and slowly, we added featured and connected to internal services such as Oracle, SAP and so on.”

eXpress.ms is eight years old at the time of writing, but it took them five years to develop the minimal viable product. Within three years of commercialisation, they’ve commanded a considerable part of the Russian market. Now, they are setting their sights overseas.

Andrey explains that Malaysia has several factors that make it an attractive market to tackle for a company like eXpress.ms.

“First of all, we look at the country’s relation to Russia. The second thing is the size and structure of the country. Compared to Indonesia, although it has a larger population, the infrastructure is less structured,” he explains.

“Finally, it is about demand for the product. Some countries, they may have a large population, they may be organised, but perhaps they don’t prioritise cybersecurity. Malaysia is open to adopting Russian technologies, is organised from top to bottom, and checks all these boxes.”

Andrey concludes that Malaysia is a strategic hub for eXpress.ms’ future activities, and will play a key role in their efforts to expand into the global market.