Fortinet sees legislation boosting security spending
B10bn in investment possible within year
Enforcement of the Cybersecurity Act (CSA) and the Personal Data Protection Act (PDPA) is expected to increase security investment to 10 billion baht within a year, says a cybersecurity expert.
Both acts were published in the Royal Gazette in May. The PDPA provides a one-year grace period for enforcement of its provisions to give stakeholders time to adjust to the law.
"Government agencies and the business sector are enthusiastic about investment in cybersecurity technologies on the back of global trends which aim at strengthening critical information protection, particularly driven by enforcement of the CSA and the PDPA," said Rattipong Putthacharoen, senior manager for systems engineering at Fortinet Thailand, an information security firm.
Under the CSA, seven sectors need high security protection because cyber-attacks on them could take a heavy toll on the public interest.
These sectors, regarded as critical infrastructure (CI), include national security agencies, key public services, finance/banking, telecom, logistics, energy/utilities and healthcare.
Mr Rattipong said the CSA will stimulate additional security technology spending, mainly for the Security Operation Centre (SOC) set up to monitor security threats.
The SOC needs automated technology to exchange information about threats among security vendors, as well as automate detection tools in the face of a shortage of security experts, he said.
CI will mostly invest in security protection like firewalls, but the SOC will require a minimum investment of 10 million baht, Mr Rattipong said, adding that the CSA alone is expected to spur 500 million-1 billion baht in investment over the next 12 months.
Security protection must be in place to ward off threats to web-based applications, websites and emails, which are vulnerable to attacks, he said. Detection and security protection must also be employed for the Internet of Things (IoT) and cloud computing.
Finance/banking is seen as the most prepared sector in terms of the SOC, while utilities, national security and key public services are in a moderate state of readiness.
Healthcare, particularly public hospitals, and logistics still lag behind other sectors in terms of cybersecurity, Mr Rattipong said.
The PDPA requires data controllers and data processors that handle personal data to step up efforts to prevent leakage of data and obliges them to report leaked data within 72 hours and inform data owners.
The PDPA is modelled on the EU's General Data Protection Regulation (GDPR), which came into force in May 2018.
Mr Rattipong said the PDPA would stimulate demand for information security protection, including data loss prevention, access control, data integrity, data exposure and data encryption.
"Data protection and encryption, as well as identification tech for access control, require high investment," he said. "These technologies could spur up to 10 billion baht in investment over the next 12 months."
Financial services, energy and cloud service providers appear to be the first movers in compliance with the PDPA.
Under the CSA, the National Cyber Security Committee (NCSC) must be set up within 90 days of the law being published in the Royal Gazette.
But a source at the Digital Economy and Society Ministry said political influence is obstructing the selection of NCSC members.