Corporate Cybersecurity Issues in Vietnam and How to Address Them
Cyber attacks are common around the world and Vietnam is no exception. Here’s how firms can protect themselves against cyber attacks and threats in Vietnam.
In March 2022, the Ronin Blockchain belonging to Vietnamese video game wunderkind Sky Mavis, the makers of the COVID-viral video game Axie Infinity, was hacked to the tune of US$620 million in cryptocurrency.
The hackers were able to infiltrate the system through a fake job offer, which tricked an employee into downloading a PDF file containing a virus that spread throughout the system.
Unfortunately, this type of attack is not unique to Vietnam and businesses in the country are just as susceptible to cyber attacks, such as phishing emails and distributed denial of service (DDoS) attacks, as anywhere else in the world.
Each year, cybercriminals make millions of dollars by finding security vulnerabilities in computer systems to exploit or by tricking firms into handing over system access. However, there are measures that companies can take to protect themselves against these threats.
Performing cyber risk assessments regularly, ensuring system access is protected by both strong passwords and multifactor authentication, and developing a cybersecurity strategy are all effective ways to keep nefarious actors at bay.
Firms can minimize the impact of cyber attacks by ensuring they regularly back up their critical information and have a clear response plan in the event of a security breach.
Preventing cyber attacks in Vietnam
Perform a cybersecurity risk assessment
This is essential for identifying a firm’s strengths and weaknesses and will inform the development of an overarching strategy for mitigating the risks of cyber attacks in Vietnam.
During a risk assessment, sensitive data such as health records, employees’ personal information, or financial information should be identified. Additionally, data critical to a business’s operations such as intellectual property, operational processes, or industrial design assets should also be identified.
After identifying this data as critical information, a risk assessment will audit who has access to what. It is standard practice for staff in different positions to have access to different data. Understanding this can be crucial to protecting a firm from malicious actors.
Furthermore, a cybersecurity audit will involve reviewing procedures used to access key data, then looking for vulnerabilities and gaps in the methods and measures being taken to protect them. This includes not just scoping out technical measures but also the security measures involving people and processes.
In addition, a comprehensive cybersecurity assessment should also include a mapping of where data is stored, both online and offline. It’s important to note that data stored in different jurisdictions may be subject to different laws and regulations. For example, in Vietnam, personal data is protected by the Personal Data Protection Decree, which is set to be effective from July 1st of this year. It’s crucial to understand these regulations and ensure that data storage and handling practices are in compliance with them.
Use strong passwords and multifactor authentication
A password is often the first line of defense against hackers. This makes a good, sturdy password incredibly important in preventing cyber attacks or cyber thefts.
In this light, companies should ensure their staff follow best practices when creating their passwords. This means that they should include both lowercase and uppercase characters, symbols, and numbers and ensure passwords are of a meaningful length. Staff should also ensure that their passwords do not reflect real-world references, for example a pet’s name or date of birth.
The more complex and difficult a password is to guess, the more secure it will keep corporate data. It is, however, not foolproof, and additional measures should be taken when securing data, like multifactor authentication.
Multifactor authentication (MFA) is the process of authenticating a user through two or more security checks. This usually means a password followed by a secondary security measure, such as a random passcode generated by a soft token sent to a mobile phone in the form of an SMS message or a push notification.
Furthermore, more complex MFA solutions can combine a password and passcode with a series of context checks. Things like geography, the type of device, and the IP address can all be used to determine whether or not a login attempt is genuine. When an abnormal login attempt occurs, these systems can notify an organization so that appropriate action can be taken.
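The context checks described above can be sketched as follows. This is an added example, not code from the original article: it compares each login's geography, device type and IP address with a per-user baseline and decides whether to allow it, ask for extra verification, or alert the organization. The user name, baseline values, action names and thresholds are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    user: str
    country: str   # country code from a GeoIP lookup (assumed done upstream)
    device: str    # device type reported by the client
    ip: str

# Constructed baseline of what is normal for each user (illustrative values).
BASELINE = {
    "lan.nguyen": {
        "countries": {"VN"},
        "devices": {"windows-laptop", "android-phone"},
        "networks": [ipaddress.ip_network("203.0.113.0/24")],
    },
}

def context_signals(login, baseline=BASELINE):
    """Return the list of ways this login departs from the user's baseline."""
    profile = baseline.get(login.user)
    if profile is None:
        return ["unknown-user"]
    signals = []
    if login.country not in profile["countries"]:
        signals.append("new-country")
    if login.device not in profile["devices"]:
        signals.append("new-device")
    try:
        addr = ipaddress.ip_address(login.ip)
        if not any(addr in net for net in profile["networks"]):
            signals.append("new-network")
    except ValueError:
        signals.append("invalid-ip")  # malformed address is itself suspicious
    return signals

def decide(login, baseline=BASELINE):
    """Map signals to an action (assumed policy): one anomaly triggers an
    extra check, several anomalies or an unknown user raise an alert."""
    signals = context_signals(login, baseline)
    if not signals:
        return "allow", signals
    if len(signals) == 1 and signals[0] != "unknown-user":
        return "step-up", signals
    return "block-and-alert", signals

if __name__ == "__main__":
    print(decide(Login("lan.nguyen", "VN", "windows-laptop", "198.51.100.7")))
```
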
This additional security measure helps to negate problems with user passwords, such as using the same password across multiple platforms.
In fact, it is common for the same password to be used on both personal accounts – Facebook, Gmail, Instagram, etc. – and corporate accounts. But this can be a bigger problem than it might at first appear.
Users may think that it is safe to use the same password on a forum under the misunderstanding that hackers do not have access to a user’s personal details, like their workplace. However, hacking methods are well advanced, and with a number of tools and frameworks like open-source intelligence (OSINT), it can be relatively easy to locate a user using a range of data like their mobile number, IP address, or email address. In doing so, a user may inadvertently give a hacker access to their corporate digital accounts.
Staff training in cybersecurity and data protection
Hackers will often use phishing emails to lure unsuspecting workers into handing over access to important data. In this light, making sure that staff can identify and deal with cyber threats may be the most critical preventative measure an organization can take for enhanced cybersecurity in Vietnam.
Firms should train staff to avoid opening emails from sources that are unfamiliar and to regularly change their passwords. The potential business impacts of a successful cyber attack should be made clear and staff should be trained as to how to protect their passwords both online and offline.
Limiting the damage of a cyber attack in Vietnam
Unfortunately, there are times when despite having complex and detailed cybersecurity protocols in place, cybercriminals may still find a way to access a firm’s network. This can cost firms hundreds of millions of dollars depending on the scale of the hack. With this in mind, there are a number of measures firms can take to limit the impact of a cyber attack in Vietnam.
Back up data regularly
Both onsite backups and offsite backups are important. After a cyber attack, it can take IT services a long time to find and eliminate a cyber threat. With backups, firms can quickly recover data after threats are contained and mitigated, and continue working.
When the backup strategy is well planned and practiced, firms can readily evaluate the impact and know from which point in their data they can resume work once the recovery process is finished.
It is important, however, that backups are stored separately so that they are not compromised in a data breach. A firm may choose to set up their own private network or they could engage the services of a cloud computing provider. It is common for firms to employ a combination of both.
Have a clearly defined cyber attack response plan
In the event that a cyber attack does occur, firms should have a response strategy prepared. This could include who is in charge of the situation, who should be told about the situation and in what order, and how individuals should respond, for example by immediately changing passwords or surrendering compromised equipment.
A firm could also choose to practice business continuity exercises to ensure that processes and procedures are in place, strictly followed, and well understood. They could also rehearse switching to an alternative system and restoring data using both online and offline backups.
By having a clear response plan, firms can mitigate the damage a cyber attack may inflict and can reduce company downtime as a result.
Cybersecurity in Vietnam: Regulations
There are a number of laws and regulations in place with respect to cyber security. It is important firms understand these requirements and what they need to do to ensure they do not run afoul of these laws.
Law on Cybersecurity
On June 12, Vietnam’s National Assembly passed the Law on Cybersecurity with a huge majority. The law will be coming into effect on January 1, 2019. The major provisions in the law include data localization, government control over online content, and setting up local offices in Vietnam. Although the law has been adopted, there are still some issues that lack clarity, and more changes are expected to be introduced and implemented before it comes into effect.
See also: Vietnam Approves New Law on Cybersecurity
Personal Data Protection Decree
In April 2023, Decree No. 13/2023/ND-CP was issued, which details personal data protections in Vietnam. This Decree outlines the key responsibilities and rights of individuals and organizations engaged in data collection and processing, whether they are data providers or requesters.
See also: Vietnam’s Personal Data Protection Decree: A Quick Guide
Decree 53: Detailing Several Articles of the Cybersecurity Law
Decree 53/2022/ND-CP (Decree 53) mandates that all domestic companies and certain foreign firms providing services in areas like telecommunications, e-commerce, and online payment will need to store specific types of data in Vietnam for a minimum period of 24 months.
See also: How are Foreign Investors Responding to Vietnam’s New Data Localization Regulation
Furthermore, by being prepared for a cyber attack, and having a detailed response plan in place that has been thoroughly rehearsed, firms that do incur a data breach can limit the damage that hackers can do.
That said, thorough audits and high-value, detailed response plans can be tricky to put together. The world of information technology and cyber security can be complex and is prone to change regularly, sometimes by the minute. Firms that want the best protection for their data in Vietnam should contact the IT experts at Dezan Shira and Associates.
Vietnam Briefing is published by Asia Briefing, a subsidiary of Dezan Shira & Associates. We produce material for foreign investors throughout Eurasia, including ASEAN, China, India, Indonesia, Russia & the Silk Road. For editorial matters please contact us here and for a complimentary subscription to our products, please click here.
Dezan Shira & Associates provide business intelligence, due diligence, legal, tax and advisory services throughout Vietnam and the Asian region. We maintain offices in Hanoi and Ho Chi Minh City, as well as throughout China, South-East Asia, India, and Russia. For assistance with investments into Vietnam please contact us at firstname.lastname@example.org or visit us at www.dezshira.com