The AIBP ASEAN B2B growth podcast is a series of fireside chats with business leaders in Southeast Asia focused on growth in the region. Topics discussed include business strategy, sales and marketing, enterprise, technology and innovation.
Greetings and welcome to the ASEAN B2B growth podcast. In today's episode, we shine the spotlight on cyber security in Thailand. This conversation took place during the 44th edition of the ASEAN Innovation Business Platform Thailand Conference and Exhibition, held at the Grand Hyatt Erawan, with Dr Polawat Witoolkollachit, AIBP Advisory Board Member, hosting the discussion, along with Togio, Prakorn Chayanuwat, Group Data Protection Officer and Head of Data Governance, PDPA Compliance and DPO Privacy Office from BDMS Group 2 (BNH Hospital and Samitivej Hospitals Group), together with Dr Thitipong Nandhabiwat, Chief Executive Officer of Thonburi Bamrungmuang Hospital, on the current state of cyber security in Thailand.
Well, today we are talking about Cybersecurity in Thailand two of both of our code list form the healthcare business, but I but I think the landscape in Thailand now is a thing is should be the same in every business. Because I think healthcare is that it just not only the hospital or or the clinics, is is everything. Now we're just starting when we wake up, we see everything. Mostly we we have seen all the healthcare business, but we don't know that because they integrate in our
life now. Now we want to move on. What I want to ask Dr Thitipong first is, what do you think about Thailand's cyber, cyber threat landscape? What's going on? What are you thinking about? Is this an effect on your business, or an effect on the whole system of Thailand?
Okay, in terms of the cyber security landscape in Thailand, I think, like you heard from the previous session, there are so many things like phishing, you know, social engineering, or those ransomware. And even, like, you know, something like supply chain, you know, like vulnerabilities, you know, because a lot of our, even every company is, I'm pretty sure, you don't do everything in house, just some of the services or solutions you probably
outsource to other vendors. So supply chain vulnerabilities are also one of the risks that you have to actually make sure that you take a look at closely, because many of the data breaches, all those cyber attacks, also can happen through the vendors. And there have been previous incidents in Thailand that also happened to some other manufacturing just this year, and also even like ransomware, you know, all those phishing mails also happen in every industry, including healthcare
as well. That's pretty normal, but I also would like to maybe think of looking into some other new areas, because currently we have technologies like the Internet of Things, especially in the medical healthcare area, we have what we call the Medical Internet of Things, Internet of Medical Things, IoMT. So that's part of our life. We can actually have some of the equipment at home.
You know, even, like, well, like, for example, simple one is smart watch that you have, but some people even have, like, blood pressure device at home that link to your iPhone, you know, your iPad, your Android devices, and when you actually consult doctor online through telehealth platform. Those devices send data to the doctor through the platform. There could be some weak security in those devices that can be, you
know, a loophole there. And also, another trend that I would see is that there's something like cryptojacking, you know, like where hackers, cybercriminals, target your computer, using your computer resources, and then they just use that to mine cryptocurrency without you knowing it. So that's what we, that's currently being seen in Thailand, for sure.
Thank you. We must say that now. The thief or the thief are smarter than before. Yes, they know very well the technique. They know very well how to use the special tool to try to hack or try to educate in your computer or your devices. We I think we have seen a lot about the data breach in the healthcare, in healthcare in Thailand, we have, we had a news big deal last year, or even
currently, we busy. We still have some of the, I think it's still happening in some I want to add to be step back on about this amount is like your DPO of the of the be approved
Before the session. Complex questions, and I need to clarify, so I'm responsible for Group 2 BDMS, which is a group of eight hospitals and a few secondary companies. BDMS is a very big company network, 54 hospitals. We do some PR for them, one of the biggest private hospital firms here in Thailand. 72 BMS is just
a small size thing. Nonetheless, today, I am not going into it the way that you have heard previous speakers this morning, from some other conference videos about cyber security and threat scheme and all these data which is happening. But thank you, from doctor, from your point of view, that medical Internet of Things and all these vendors problems we have, I mean, Zoom posts there, what I tell you is an unspoken trend spoken words that we fully are aware but we're talking about
it. But before I answer, can I see some hands? How many people in this room actually in IT management? Okay, that's a whole lot. How many people in here are actually digital marketing responsibility at your organization? You have the one of the biggest risks at your organization. Currently, the threat to your organization is from your digital marketing department, not department.
The Digital Marketing Department, being one of the most crucial departments, you need to manage in order to make profit for the company, right? So you use similar data, and your marketing teams are everywhere, using tools to
reach customers. So you have a customer data management solution, and then you have your data, and, take a wild guess, you probably have the volume silos not connected, and you probably don't have an actual evidence process that governs them, let alone data access, rights management, so there's issues right there, not technical, but that issue is exposing you to security risk. So for my first set of answers, I
would say the trend. There's so many trends you heard from elsewhere, but today emphasize the use of data within your organization by your previous, sorry, where your multiple department that previously worked in manual, and now they're transforming from a local servers, local application to cloud that now you're interoperability with some other companies, partner. You got loopholes in there, everywhere.
So this trend you're not really talking about, but thinking about it in terms of the breaches, it happens across all sector, department, but specifically in Hector, we in basically every, every single corner within our environment. So if you take a look and scan up your whole enterprise architecture of yours, everywhere, so there's risk management is needed to start
somewhere, okay, so that, you mean that, uh, when, when the marketing team, or digital marketing team, they want to do the something that we call it? So the data? Yeah, right. Well,
it can happen from different different area of work, very hyper, yeah, so the CEO or Chief Strategy Officer, let's, let's not blame CEO, but let's blame Chief Strategy Officer, Chief Data, inviting these kind of companies who present you AI technology solution for marketing data and invite them a chunk of data. How are you transferring your customer data, your enterprise information system, to your vendors? I've seen in different various manners, Excel, txt file
over email. No, you know full well, you're not supposed to do
doing this. Okay, so we think about this. So that, but a couple of years ago, we lost and we have 2 of the acts that we feel about, PDPA and security, right? So it's whether this, that mean that all the companies in Thailand, all the organizations, you must do some manner that today, yeah, to prevent the data breach, data leak, or you have to protect the privacy, even me, I'm
Doctor, new doctor. And also in the IT, I saw many of the of in some of the marketing, like, like Mr. Bucha, they don't care about the data. They didn't regarding to the law they want to sell. Sell is a because we want to do the sale right, okay? We want to make it alive. So I think that the law and the regulation is one of the we have to concern. I want to the opinion about the launches and legislation now that's a conference.
Happened to be my area of passions, passion work, data protection and privacy. Answer this first say, you cannot have security without privacy and vice versa. Cannot pass privacy without having a proper security you probably could afford. But we need to really reflect on what is privacy management, and if you can't come up with answer, you look straight to personal data. Act Your answer is in there. You look straight to your site. Those from Singapore are much more in depth compared to
us here in Thailand. In fact, we look to folks in Singapore for privacy management. They quite well. I don't know who they learn it from, maybe from Canada, from the Europe, but here in Thailand, Personal Data Protection Act we call GDPR, or
copied too well. So much so that some reality of it make it challenging for us to ensure compliance in terms of practice with provision act now, the challenges with data protection, data management and expectation of law, first of all, big organizations in Thailand across all sectors. And I answer this with no scientific evidence data
to prove you otherwise. But if you go on tv.com, or LinkedIn or any job that is a job recruitment post, you'll see job posting for data protection officer and privacy advisor, Director of Information Security with just that fact, I can tell you that here in Thailand, most organizations still don't have in place an expert on this is number one sought after in the market within IT, When compared to Enterprise Architect, as well as purely director or CISO, that's what you like to call
chief information officer. So the challenge is this: a lack of local expertise. You can't hire a lawyer from the UK or European countries, come over to any other countries in Asia and start telling companies, oh, you need to do this to be compliant in Europe or here in Thailand, to manage privacy and information security. You need to understand your business context. There's always exceptions and loopholes and all of these relationships. You can't make a lawyer work as a management
system specialist. You can make a legal person work as a compliance enforcer as well as a business analyst. So your company needs to groom people internally or regularly seek someone locally who knows the business and landscape well. And maybe we can, from a CEO point of view, in terms of recruitment for these rural hospitals?
Well, I should say, before I joined as CEO in the healthcare industry, I was at the financial sector and the very few non medical people to run hospital. That's because my background is in IT, from undergrad to IT and robotics. So it's really important nowadays that all the businesses need to take good care of their IT assets, whatever data asset they have, that we don't want to lay down anything to the customers, right? I mean, to the hackers.
And so with the PDPA and Cyber Security Act, we've been facing them just recently, only a few years, I think, like 2019 for PDPA, right? 2020 or something, actually, 2020 pa at 2009 Cyber Security Act, and many of the Thai companies are still lacking in the, you know, expertise, just on what, and in the really beginning, and I'm pretty sure some other company is still
doing it. I used to be also Data Protection Officer, because we were looking the board was asking, who's the right man internally, has to know a little bit of legal and no business operation and be good in IT background. Something falls under me. So I have to take this DPO well. And I would say at that currently, there are many of the companies that still they do consultation right for for you, and then as DPO for you as well, but you can groom your own
people. That would be best, because you don't want outsiders to know what's going on about your business, because they're not gonna be with you for, I mean, like 20 years, but your employee probably gonna be like, much longer. So yeah, I had to maybe, you know, try to just grow, yeah, your people by consultation coming in or send your people to different, various sessions that we conducted, I think, pretty much almost every month we have something with PDPA, right?
Yeah, every day also, some Yeah, so maybe next to that also, huh?
Okay, I think, because I am also working in IT and work as a doctor, so the privacy is, we have to consider, if I think we can do the business, we can do without privacy concern. I don't think it's the right way to do business right now in Thailand or in ASEAN. I want to ask Dr Thitipong about, how do you encourage your colleagues, your organization, to be concerned about
the um, the basic one is to create awareness through, I don't know, like poster, email, newsletters, you know, those one, and also to have Expert coming in to conduct the session, to make the know the current trends of the cyber security and what are the loopholes that are really close to them, because many employees, they still lack of knowledge for like phishing email, or even nowadays, we have business email compromise, you know, where some of those come here looks like
come from. CEO, you know, saying that, hey, we will raise you, give you bonus, something like that, this and that, and yeah, so pretty much you you also need to create something like phishing simulation, you know, in within your company, make it fun, entertaining, gamification, drop quizzes, those kind of thing you need to do that you know, like, I'm very sure twice a year, it's something that you didn't need to do okay
before I was, something like, you did, I do the phishing about the employees, they answer, and about 1% they click the link in the discount. It's really common. If you go into shopping on Shopee they click. So that's why, I think, because we don't know what the difference is between the real one and the fake one, I must ask how to do that, or no, how to change this habit, okay, well, there's
so many ways I want to answer this, three hours to talk about this, but before I let my trail on sleep, I want to take on an extension that Dr Polawat made. Last night, before I came
here, I did some homework. So I'm in this group chat, in the live chat with, you know, different, different organizations, C level management, IT people, data protection officers, and a question which is, what's the challenge with regulations and how do we foster a culture of adoption of cybersecurity and risk management, of this theme that we hear today, I got quite very interested from a few C levels and CISOs within that group line, one of the answers was, citizens are overriding their CO privacy
values. They're the values of advantages that providing them benefit or pricing some additional perks sacrifice. Data
to get those curves. So looking back at challenges with regulation externally from station, the government has something to do to Ernest among citizens, why they worry about their personal data and here in Thailand, back to question the landscape, because so much problem here with all these protocol center calling you and then tricking you into offering them $2 million I could never understand why. Why would someone want $2 million but learning the schemes that these criminal use, you can easily
fall for it. So with that test, the phishing email test, yes. Victim from my boss three years ago, I admit this trick, and you know why I did it? Exact same. Just answer. There was value in it. He said, If you respond within the end of business day today, you will be considered for something in management. So I, as a good employee, I'm not gonna wait for everyone to answer this. I was the first victim. Yeah, if you give to $80
that's fine.
Yeah, they must click. That's true, but, uh, an actual answer I want to share with the room today is the mindset of the company is important, and it's top down, not bottom up. Privacy, security cannot be bottom up. It has to be. And I'm very firm on this. If the CEO or managing director is not making this an agenda for your company, it's not going to happen. And I will share with you what we do in our business, hospital, DNS, we find a strategy where it is closest to
all employees. As healthcare providers, we're not a fan of anything that would cause patient safety issues, anything, whether it is personal data breach or slippery floor, and our aging patients fall down, crack the hips, dirty bathroom, whatsoever, patient safety is very close to everyone's heart, and therefore our quality management team decided that the culture has to be based on very short words that can stick with everyone. So we came up with this, stop the
line. Stop the line, as in, if that you see there's a risk coming from this thing. Stop doing what you're doing, and then reflect. And then you go into all these process where you have policy and work instruction to reveal the problems, and then curve before it happened. It is such common sense, but we are so busy advancing to do better, so much so that you forget all
these little common sense. So we implement of the line, and it's working very well, so well that my office first ring a bit too often that I need to counter, manage it a to automatically create awareness or give them answer without having them to call my office. So we'll start working on proactive communication. Work with one stop shop, and you know, staff can go and take a look whether or not what they do is reach out the laws or not, get it or not.
These problems have happened before, and can they resolve it with the same way? So, you know things, things are being being done at the moment, but first of all, the mind the company culture.
Thank you. I think the company is is. So what do this? Because if you do something quite Ho, for example, you doing five COVID in your company, the your interview must be realized that email or not. So that's why they have to think. In Thailand, we call it a it's true. It's true that. Why we have, we have to do is like exercise. We call that. I must teach my knowledge if we think about a school. So we will, we will recheck it yourself and recheck the male Ho Lee, checking something that that
could happen. I know, like Mr. Con say that the call center, that they've some, give more than 5 million US to the to the call center. I don't know why, but I know in in the term of it, I am doctor, something I can default liar for the nation they must believe I take wine for to do this. But in that, because we are in the cyber world, so you have the smartphone, the. That mean that you have the back in your in your pocket. So, suka,
do you turn firm? Now, I think they have an elector do this, because I'm firm, more than a 50,000 to do the face shaking before, I think in next few years we do we face about the cyber farm, about to the face shaking. I think because they are so smart. So
I just would like to add a little bit to the creating, you know, those culture and awareness, and also lead by example from top management. Maybe you also have to consider creating awareness for the human top management, because in many of the businesses that you are in, some of the top management or board of directors, they don't see the importance of having a cyber security system, you know, to protect the businesses. Some of them think that it's like, oh, what we have is already
good. Then we seem to have, like, phishing coming in all the time, you know, and even if we create awareness, it's still risky, for our key to get, like, maybe 100 phishing mails a day. So if you have good cyber security in every area, then that helps reduce the risk quite a lot. And I've been trying to educate, you know, a few people, even the board, my board, that, hey, this investment that we make, we have to invest, say, 10, 20 million. You cannot think
of ROI, return on investment. It's not okay. So
I think return of investment now I cannot get with me with this issue, because when laws you lost the one that lost your name, you lost your your your trust is it is, I think it's uncomfortable for this you ask, for example, to use your your mobile application at the first day, your body wide application, fail and fail, you must you get one stop for this and foreign what? What had you lost? Them already 20 million or 20 million US, or you can just
start for the so. So I think the top, the top manager, or even the I think the middleman also the import for this too. So we are we now be facing with, with the well, what do you think I will do the last agenda of this? About it, what kind of tool or what kind of tackling we want to come first?
Okay, this is actually a funny question too. It's linking from return on investment, and now you're talking about investment. So part of my answer would be, I agree with the two gentlemen here that return on investment in cyber is very hard to define. When I speak to my CFO, he sort of tied my hands, said, well, if you can't prove to me that's cost saving or investment, I'm not going to give you budget for it.
So I tell him, I told him that you're indirect or tangible for investment, and having in place an augmented security protocol and solution will save you so much when breach happens, that breach has happened to you, you're going to end up paying for investigative firms to come in and recoup, recover your system for being like a telecommunication provider if They were to be attacked one business day where yours is not being continued will crash your
stock price so fast. So I think that one sentence might see or my CFO pretty quickly. Listen to this
quickly. I usually tell those people, saying, then, how can you quantify this? I said, use return on reputation, or our ex, return on experience for your customer. Okay, that's how we do it for cyber security.
I agree completely. Glad to have Dr Thitipong on the stage. I'm not a CEO, so I can't speak those terms, uh, handfully, but hearing this from a CEO, please take note. The second part of the question was, how do we make a proper investment with the time that we have? I'll cut it very short, one story to share.
The right answer is, in the framework of cyber security management, everyone is aware, the whole National Institute of Standards and Technology from the US, who appeared to be the godfather of cybersecurity management, ISO differently, I mean International Organization anyway, in short you have identify, detect, protect, respond, and then recover. Most of the investment is being done in the first three, so it should be from identify, know your risk, start matching them, detect them, and
then you protect them. Certainly you need to invest in those. And there are so many solutions, the previous vendor on the those solutions so that right there next room, you need to speak to
them. The second part that C level and strategy key organizations are not paying so much attention to is the response, and that's where it's going to start going out really, when you cannot control that internally, and when you do have a business continuity plan in place, not just from a business service point, but from your IT point of view, your BCP plan isn't something that's on a tabletop and it's a playbook, and you just sit and then you don't practice and you don't exercise your business
continuity plans, your recovery plan, your response can have to be strong, and one need to consider investment in having those mechanisms. It doesn't, for me, invest in the tech options. Some solution will help. Solution in cyber security market will help you to present threat data proactively so you can know arms has gone, and you'll need technology for that.
But if you don't have an actual BCP plan and mechanisms and a team of people that being called emergency at 2am and you convene your friends say, Hey, we got midnight. I want to be doing now at two in the morning. Hopefully someone on your will unplug everything, first, play the network and then go from there. But if you don't have these kind of actions in place, and those involved are not well at first, you're not unplug that terminal fast math before it's into your
platform. Anything to add? Just,
well, you have to maybe identify that if you are SMB, or you are, you know, enterprise size, then that's a difference, because, like for SMB, maybe you can't heavily invest, you know, like, in all the protection services, even have, like, security operation centers, or even, like, I would say, before you consider anything you first have to do a cyber security gap assessment on what
currently you have. Because maybe even, for example, my hospital, I've heavily invested in cyber security, like close to 100 already, but not enough. Because current cyber security, you know, like all those hackers, they're getting smarter every day, and evolving so fast, and the new kind of, you know, like tricky tricks seem to come out, and we can't seem to protect, we correct what we heard. So you have to do the
assessment. And maybe if you can do it twice a year, it would be good, because then you know that Ho, you still have both calls here. And then you can more on this equipment, these services, which are that's why I always open to hearing more from people with the technology. So it can, yeah, but still cannot ensure 100% securities. I try my best.
I think if there is such a thing, 100% security, protection, they have a job. So that's my CISO as well. I think I was gonna share with you one story. It is very
Thank you. Thank you for sharing us today. I relevant to today. This story to Gene email test, believe it or not, prior to coming here today, I have to go. Someone called me up first. First they call. I didn't answer because number, it looks very local, you know, local four talent, and I don't usually pick up straight your phone number. Then I call. I saw a call coming in from a Singapore number, and that call
knows my credentials. Write off everything correct, first name, last name, my actual nickname. They know exactly what he right now, and you know who they were pretending to be. They were to be the this company asking me for my personal information so that they can serve me a parking here. What I'm telling you is I just. Know victim, but then I learned from the email and exercise years ago to start questioning, because Singapore, but a person speak Thai, they're
questionable. And Fauci, who is a staff on the event management team, really wanted to take care of me and email me like how she has been emailing me all these along, trying to secure my time to come here. So what I'm trying to share with folks in cyber security were focused on risk do still come from humans, and this is how that doctor felt. Tricks. You know, when you're busy, when they call me, you know, I was in a boardroom in a meeting, and I was very busy, so I tried to end
that call quick. What do you need? How can I help you? Oh, you need and then the minute they say, Ah, Mr. I will send you a link on your phone. Just need to click, and then you just submit your car license plate, and then we'll take care of it at the hotel for five star service I know better now. think cyberspace issue is quite important, because we must address often, more frequently, I can say, because think about cyber security, is it different
perception? For example, they must say that, if we just love 1% of security, I think the security is a is difference? For example, if, the doesn't that was one, one door. It is who decides the cyber 200% is not only 1% of the area we lost. So the survivor is all on and law for this, but you must address this before for me to buy me, I practice, I do the prevention for prevention is cheaper. It takes time to take a look of
effort. So I think most to the men on this stage, they believe that this prevention is very important. So where we finish our panel, and we want to have the question from please, please join us.
A few questions from the so I'll help to ask on behalf that they one of the questions other than tabletop exercises. What are some other ways to conduct the BCP test run without disrupting the production, real user experience?
I'll take this one first, then. So long. Very good question. Very easy answer is, you do scheduled and unscheduled interruption. No way. There's no way about this. There's no other way to do this: scheduled and unscheduled, or planned and unplanned downtime. In this case, you would do a planned cyber security event, those managers know what's up. So in doing that, some
other exercises. You know, the old traditional way is you have your management team, managers and whoever take annual tests, but it brings small, minimal impact on the BCP. So unplanned tasks, planned and unplanned events serve really well on this.
that pretty much like that, I prefer unplanned creates lots of crisis. Thank
you very much. I think one last question before this is quite interesting. So they were asking, Are there financial institutions or banks that provide cyber security technology loans or funding to halt the gap in cyber security requirements right now.
It's done, always creation way to buy the car, most of the car you pay in to land for, for about two one or 2% but it need any car you you must try safely and to try to Avoid, to to to to have the accident is the same. So I think for for my experience, for the others, for the party, for the cyber security, for the preferable prevention, I think we must talk to the CEO. We have to educate the CEO about the PC I know. Many of the know that
their BCP, as well as the CEO. My experience for the BCP is quite tough, to educate the CO to understand what needs to be decided when we're starting the BCP plan, for example, I have one event that our Main Street for about two hours. So I have to try that we will be the city, or we want, or we have to fake it for four hours, because when we start the BCP, the process takes nine hours. So that was also money to dig in. But we have to educate the HO, educate the
body. What does it pretend of the BCP pen? And all the students say that we have to practice often, but I frequently practice to realize them. They educate them for the plan of the end of survival cyber security.
I think every time we practice, we're going to find loopholes in our system, in the technology setting, as well as our employees' awareness and their understanding of what needs to be done, step by step. To add on to Dr Polawat, tagging on the question, and it may not be the request from who submitted it, but I want to relate to this room, because there are many faces from financial institutions here, KPT is here. I saw some of them this morning. So your T-shirts work really well. We know you're from K bank
and Technology Group. I want, I want to share story here in Thailand, set up a pretty, pretty good standard in moving forward with cyber security management and awareness and national standard levels, but it has issues. So bank balance don't control all the banks directly, but they have this guideline set of rules that they
must abide by. All the banks will execute those compliance differently with different technologies, meaning the work breakers and this work instructions that they have to work with other counterparts deal different mechanisms. So in terms of issues that the banking industry in Thailand has take, has taken a much bigger step than many other degrees, inter security and private, and they need to do that, because our
money is with them, right? So the banking industry to get together and do even better. Don't wait just for the Bank of Thailand to tell you what need to be done the bank have, because every day that SMS is coming in, I have to disc my Wi Fi first and then check what's going on off of my data. You know, it really scared me now, with all this cyber security scam from center here in Thailand, is too overwhelming. Personally, I don't think
banking industry enough. Only one bank far came out and say we're not sending you SMS anymore, but, but I still receive SMS from your bank, not from your corporate. It comes from your agent at a local brand reminding me to pay my ho loans. And so far, I can download the app sometime. I'm a little confused, so I don't know if that is still true. So came back. You still need to tell your your branches, send me a personal with a link to be too scary just to share that closing.
Thank you very much all of our panelists. It was a very engaging discussion. I hope you enjoyed it as much as I did, and now I know, yes, reach a certain level for someone who's pretending to be asked and reaching out to you. Thank you very much.
Stay tuned for more insights on the current state of cyber security across the ASEAN region in the coming episodes.
We hope you've enjoyed the episode. For more information about business growth in the ASEAN region, please visit our website, www.IoTbusiness-platform.com
