Most state agencies have experienced cyber-attacks, reflecting an urgent need to build a workforce equipped with digital skills to deal with such incidents, according to a joint survey on digital IT readiness and cybersecurity in 2023 conducted by the National Statistical Office and the National Cyber Security Agency (NCSA).
Around 75% of state organisations still lack plans for preventing and responding to incidents.
The survey was conducted between Aug 15 and Nov 14 last year. A total of 306 organisations were approached, of which 194 responded.
Of the organisations taking part, 128 were government agencies, 22 state enterprises, 41 public agencies or organisations, while three were companies in the private sector.
"Of the total, 149 had a chief information officer [CIO] while only 10 had a chief information security officer [CISO]," said AVM Amorn Chomchoey, secretary-general of the NCSA.
According to the survey, 88.4% of respondents had experienced a cyber-attack while the remainder said they had never experienced an attack.
In terms of prevention and response of cybersecurity, 25% of the state agencies have prevention plans, while 75% of them have no plan. All of the private organisations have such plans.
The survey found three cybersecurity functions that are often overlooked -- cybersecurity management, security information and management engineering, and IT audit.
According to the survey, 97.1% of the organisations required upskilling in the area of cybersecurity.
The number of personnel in the field of information technology in most government agencies ranged from 1 to 15, while those in the private sector ranged from 101 to 500.
In organisations that have personnel primarily responsible for cybersecurity, they are involved in functions such as those carried out by the operation and maintenance group, protection and defence, and security provision.
Of total respondent agencies, 161 organisations had IT security/cybersecurity staff, with the average number being 1-5, while the others plan to recruit a small number of people in this area.
The top five courses organisations require for upskilling staff are communication and network security, security and risk management, security assessment and testing, security operations and software security.
Meanwhile, the top five basic certifications they are interested in having are: CompTIA Security+, CompTIA A+, Certified Information Systems Security Professional (CISSP), CompTIA Cybersecurity Analyst (CySA+) and Certified Ethical Hacker (CEH).
AVM Amorn said the NCSA is collaborating with cybersecurity tech company Fortinet to train people who need to switch careers to oversee organisations which use Fortinet products. This will also increase the number of skilled cybersecurity people in the workforce.
Pakthapa Chatkomes, Fortinet's country manager for Thailand, said demand for cybersecurity staff in Thailand is in line with global trends.
Fortinet's 2023 Cybersecurity Skills Gap found there is demand for 4 million cybersecurity staff worldwide and nearly 70% leaders of organisations say they faced cybersecurity risks amid the dearth of skilled staff.
This is why Fortinet focuses on training a skilled workforce in three areas -- cloud security, security operation centre, and next generation firewall. These three aspects are highly important for cybersecurity workforce.
In a related matter, according to NCSA's Thailand Computer Emergency Response Team, the top three cyberthreat incidents in 2023 were embedded gambling web links, web defacement and fake websites.