INTERNATIONAL INVESTMENT
AND PORTAL

How companies can ramp up cybersecurity protections

Invest Global 08:32 09/04/2024

As Vietnam’s digital economy grows, so does the bullseye for cybercriminals. Cyberattacks - numbering approximately 13,900 - have rippled through Vietnam’s systems, seizing more than 83,000 computers and servers with encryption ransomware in the past five years.

As Vietnam’s digital economy grows, so does the bullseye for cybercriminals. Cyberattacks - numbering approximately 13,900 - have rippled through Vietnam’s systems, seizing more than 83,000 computers and servers with encryption ransomware in the past five years.

Financial institutions, e-commerce platforms, telecom networks, and tech firms have borne the brunt of these digital onslaughts, endured not just operational hiccups but also grappled with the loss of customer trust and potential legal quandaries if found lacking in cyber hygiene. Indeed, for individuals, the stakes are no less dire: compromised banking details and personal data misused for nefarious ends.

How companies can ramp up cybersecurity protections Bui Thi Thanh Ngoc Partner (left) and Tran Bao Trung Associate director KPMG in Vietnam

In Vietnam, the fabric of data protection laws is being stretched and tested. Decree No.13/2023/ND-CP effective July 2023 on the protection of personal data articulates a two-fold defence: managerial and technical. Yet, it stops short of prescribing specific safeguards, leaving entities to patch together a defence from a mosaic of industry-specific regulations and network security mandates.

The decree’s call for violations to be reported within 72 hours of detection sounds less like a preventive strategy and more like a race against the clock.

There’s talk of a new decree, poised to introduce administrative penalties for data breaches - picture financial penalties converting to the tune of $400-3,000 for general noncompliance, and ranging $3,000-7,000 for dragging feet in the face of security incidents. But will fines alone weave a tighter net of cyber-resilience?

The 2015 Network Information Security law sketches the outlines of Vietnam’s cyber defence strategy, detailing everything from creating security policies to forming specialised teams and securing human resources. On a technical level, secure network zones, remote management, access controls, intrusion prevention, and defences against malware are demanded.

In 2015, Vietnam enacted a comprehensive law on network information security to safeguard against cyber threats. In this legislation, the principles of securing information systems within the country, including networks and servers, are outlined. For information systems that support online services or government functions, a 2016 decree on the security of information systems by classification and a 2022 circular provide detailed security standards and practices.

Let’s not forget the sector-specific regulations that throw down the gauntlet for industries handling our most sensitive transactions. Securities firms must operate like digital fortresses, ensuring seamless and secure online trades, while banking institutions have been directed to catalogue and shield their IT assets with everything from encryption to data loss prevention strategies.

Yet, the existential question lingers: Are these measures enough? Or are we merely plugging holes in a dam, unaware of the deluge potential? Legal representatives are thrust into the frontline, expected to be the bulwark against breaches, a tall order for those who might not speak the cryptic language of cybersecurity.

Vietnam’s legislative efforts against cyber threats embody a duality: recognition of the menace and a reactive stance that must evolve. They underscore an understanding that in our interconnected world, reactive postures give way to persistent vulnerabilities. The true fortress lies not in the fines or the fragmented regulations, but in a culture that pre-empts cyber threats, transforming cybersecurity from a technical afterthought into a strategic cornerstone.

Although Decree 13 does not provide specific mandates on the actions companies must take for personal data protection and cyberattack prevention, the legal framework comprising the aforementioned legislation will continue to ensure compliance with information security practices among companies managing information systems.

As a result, in order to reduce the company’s legal risk in the event of a data breach, it is essential that the company adhere to established technical standards for network information security, along with fulfilling its obligations under the Network Information Security Law and regulations applicable to its industry.

This is the juncture where professional consultancies like KPMG prove their expertise. Together with our IT advisory experts, we offer a one-stop solution to help businesses navigate the ever-changing legal landscape.

Few organisations prepared for cyber threats: Cisco Few organisations prepared for cyber threats: Cisco

Only 6 per cent of organisations in Vietnam have the ‘Mature’ level of readiness needed to be resilient against modern cybersecurity risks, according to Cisco’s 2024 Cybersecurity Readiness Index released on March 28.

Vietnam logs 17.1 million business cyberthreats in 2023 Vietnam logs 17.1 million business cyberthreats in 2023

2023 witnessed nearly 43 million local threats targeting organisations in Southeast Asia, of which Vietnam saw the highest number of threats at 17.1 million incidences, according to the latest data released by global cybersecurity company Kaspersky on April 5.

By Thanh Ngoc and Bao Trung