
The Digital Economy and Society (DES) Ministry wants to improve government cybersecurity by obliging all state agencies to adopt multi-factor authentication (MFA) when logging in to their systems.
MFA is a multi-step account login process, requiring users to enter more information than just a password to access an account or application.
This process makes it more difficult for unauthorised individuals to gain access to users' accounts.
The ministry instructed the National Cyber Security Agency (NCSA) to propose this MFA obligation for cabinet approval.
Why do state agencies have to adopt MFA?
AVM Amorn Chomchoey, secretary-general of NCSA, said many state units use account login processes he deems "easy to be hacked" when accessing and using their organisations' websites or service systems.
Leaks of state and public agency accounts mean people's data can be leaked, which could have a wide impact, said AVM Amorn.
NCSA needs all state units and public services to adopt more complex ways to access their websites and service systems to reduce possible threats from hacker intrusion, he said.
"A simple password is not enough," said AVM Amorn.
For several hacked websites, the hack was attributed to vulnerabilities related to the use of pirated software.
He said there have been many major cyberthreats to state agencies over the past several months, especially concerning the sale of users' accounts on the dark web by hackers.
The greatest threat is hackers selling system administrators' accounts, which could result in serious damage to the country's key information and communication technology infrastructure, said AVM Amorn.
DES Minister Prasert Jantararuangtong said an NCSA probe found stolen or leaked data includes several million individual email addresses, and the websites and passwords for accessing state agencies' systems.
Mr Prasert said that because the government prioritises cybersecurity, the ministry asked NCSA to seek a cabinet resolution obliging all state agencies to adopt MFA to access their systems, mitigating risk from hackers or illegal access to their systems by criminals.
How will the MFA policy be implemented?
AVM Amorn said once the cabinet approves the adoption of MFA by state agencies, NCSA will join with the Interior Ministry to educate the state agencies.
He said the MFA measure will take effect following cabinet approval.
"NCSA will propose a guideline to drive its use together with the Interior Ministry, monitoring the data and enforcement results," said AVM Amorn.
He said all state agencies have to adopt a more practical way to access operational websites, such as more complicated passwords, though this is not the most sustainable way to prevent web intrusion.
AVM Amorn said there are several ways to reinforce security for state agency operations, such as the use of one-time passwords, or using Microsoft Authenticator or Google Authenticator to log in.
Another option is to adopt the Interior Ministry's ThaID app, which lets users verify their identities to use certain state agency websites or apps via QR code scanning.
Using the ThaID app for web access does not require additional funding. The app allows Thais to verify their identities free of charge and has 17 million users.
All state agencies, especially those operating critical national IT infrastructure, must strictly follow the law and regulations to prevent potential cyber-risks and effectively respond to cyberthreats, said AVM Amorn.
Recently NCSA identified leaks comprising 5 million usernames and passwords this year in Thailand, an astronomical spike from just 80,000 last year, attributed to the use of pirated software by individuals and organisations.
The use of illegal software exposes organisations and individuals to cyber-attacks and the theft of individual digital currency accounts.
The agency said organisations should use certified open-source software or apply MFA when logging in to all IT systems.
Has Thailand pursued any other cybersecurity moves?
The national cybersecurity committee recently approved a memorandum of collaboration between NCSA and related parties to upgrade personnel skills and expand the network of national cybersecurity.
Among the parties are the permanent defence secretary, the Digital Economy Promotion Agency, the Small And Medium Enterprise Development Bank of Thailand, and cybersecurity firm Palo Alto Networks (Thailand).
NCSA forged a strategic collaboration with Palo Alto Networks to strengthen Thailand's Cloud First policy framework by bolstering cybersecurity capabilities across government agencies.
This partnership aims to support the implementation of the country's national cloud security framework and help government agencies transition to cloud platforms.
AVM Amorn said earlier that Thai holders of the Certified Information Systems Security Professional (CISSP) certification now total 431, up from 385 in 2024, reflecting the focus on training for high-quality cybersecurity systems.
CISSP is a globally recognised certification offered by the International Information System Security Certification Consortium.
The exam tests an individual's knowledge and experience in designing, implementing, and managing a cybersecurity system.
Recently the Thailand National Cyber Academy under NCSA completed phase 2 of the Intensive Cybersecurity Capacity Building Program.
The target group of the project is personnel of organisations that operate critical information infrastructure, regulators, the government and private agencies.
The project's courses had more than 13,000 participants, exceeding the original target of 6,650.
The project aims to systematically upgrade the capabilities of cybersecurity personnel, covering the operational level, technical personnel and the executive level.
What is the status of Thailand's cybersecurity readiness?
According to Cisco's 2025 Cybersecurity Readiness Index, only 7% of organisations in Thailand have achieved a mature level of readiness required to effectively withstand current cybersecurity threats.
This is a slight decline from last year's index, in which 9% of organisations in Thailand were designated as mature.
The index indicates cybersecurity preparedness remains low as hyperconnectivity and artificial intelligence (AI) introduce new complexities for security practitioners.
AI is revolutionising security and escalating threat levels, with 91% of organisations facing AI-related security incidents last year, according to Cisco.
However, only 57% of respondents are confident their employees fully understand AI-related threats, and only 47% believe their teams fully grasp how malicious actors are using AI to execute sophisticated attacks.
This awareness gap leaves organisations critically exposed, noted Cisco.