Answer ... We believe that the top three cyber-related problems or challenges in Thailand are as follows.
Implementation of the Personal Data Protection Act: Companies that are data controllers were given only a one-year grace period – from the date of first publication until the effective date of the Personal Data Protection Act, on 27 May 2020 – to establish or revise their privacy policies and internal systems to comply with the act’s requirements. However, these requirements remain unclear, as no further details on the implementation of the cyber statutes have been issued. Companies must therefore spend time and effort monitoring forthcoming privacy requirements, which will be further prescribed under the Personal Data Protection Act in the future (although no specific timelines have been indicated in this regard). Therefore, any privacy policies and internal systems that have already been adopted will be subject to further revision as and when such requirements are updated – a process which will doubtless be time consuming and cost intensive, and which may affect the operation of their businesses. Failure to comply with such requirements (either intentionally or through negligence) may also result in the imposition of penalties such as imprisonment or fines under the act.
With regard to the implementation of the Personal Data Protection Act, therefore, companies should regularly follow up on all future requirements introduced in relation to personal data protection. A preliminary meeting with the Personal Data Protection Committee at the Ministry of Digital Economy and Society should also be considered, to gain a better understanding of the implementation of the act and guidelines.
Lack of security awareness: The introduction of new technology (eg, smart devices, electronic payment systems, robots, embedded Internet of Things technology, big data, analytics) in businesses within a short timeframe may present major cybersecurity challenges, especially for small companies. Such companies may lack the appropriate security measures and skilled professionals to handle their new technologies, and may underestimate the risk of being targeted by cyber-attacks due to the size of their businesses. According to the Electronic Transactions Development Agency, about 87% of companies in 2015 experienced data or monetary loss due to cyber-attacks, which can debilitate companies’ business security and erode customer trust.
Companies should therefore take cybersecurity into consideration at all stages of their organisational planning, software design and network set-up. Companies, as well as their responsible personnel, must identify and examine potential cyber incidents that may affect their businesses. Appropriate and effective security measures – specified either by the companies themselves or by the cyber statutes – must then be implemented, to prevent and mitigate such incidents, and support the technology transformation of such businesses.
Cloud computing attacks: The increased use of cloud computing is resulting in the increased involvement of both national and international third-party vendors of software and services. In this regard, company data – including that of their customers – may be at risk of unauthorised use, access and disclosure.
Companies should address this issue by strengthening their internal security measures and authentication procedures. The number of personnel who can access data should be limited. In the case of agreements with third-party vendors, companies must ensure that the security measures of such vendors meet the minimum requirements generally implemented within their own business, as well as any legal requirements.