Mr. Dang Tung Son, Deputy General Director of CMC Telecom, talks about the current state of cyber security in Vietnam.


Cyber security an ongoing issue



■ Public attention has recently been focused on a Vietcombank customer losing VND500 million ($22,125) after following a link to a malicious website. As a software solutions provider, do you think she is solely to blame? 

CMC Telecom recognizes that there are gaps in cyber security, which hackers use in their attacks. These gaps can come from the carelessness of individual customers or from the cyber security at banks. We can’t assign blame but it’s clear that in addition to the customer’s loss the bank also suffered major damage. At the moment I think that assessing the damage is more important than apportioning blame.

The hacker used an international exchange to transfer VND200 million ($8,984) to Malaysia, which Vietcombank cannot retrieve. The amount, however, doesn’t reflect the real damage.

In a hack on Bangladesh’s central bank in February it lost $951 million. This was several months ago but the lessons are never out of date. As well as the money, the central bank also lost the trust of enterprises and the country saw its reputation tarnished. The central bank governor had to resign over the incident. It also affected the Rizal Commercial Banking Corporation (RCBC) in the Philippines, who received an $81 million transfer from the hack to distribute to a foreign currency service company and other organizations. The international banking community and financial institutions then began to ask questions about security and anti-money laundering activities in the Philippines.

In Vietnam this year we have seen similar cases, such as TPBank successfully fighting off hackers attempting to steal $1.3 million in April and the Vietcombank customer’s case in August. Information security has clearly gone beyond borders and become an international issue.

■ What security gaps are there in Vietnam?

According to CMC Telcom’s figures for May, about 90 per cent of officials store their private information and office emails on their smartphone. Smartphones, however, have open source software.

Therefore, hackers can easily penetrate smartphones and attack the private information of users and enterprises. About 30 per cent of these 90 per cent of officials have security software on the smartphones.

Vietnamese users often use apps and software that aren’t copyright versions. These apps and software harbor viruses and malware. This presents the ideal conditions for hackers to penetrate into the information systems of enterprises.

Figures from the IDC Group for 2014 show that enterprises using non-copyright software and apps can lose up to 73 per cent of important information. About 55 per cent of attacked enterprises cannot recover their database after the server is damaged following an attack. Customers of these enterprises may possibly be infected by viruses and malware.

If people use copyright software and apps the security gaps are often fixed by frequent updates and they are better protected from viruses and malware. Vietnamese enterprises also often lack the capacity to train their own IT teams.

■ How would you comment on the security situation at Vietnamese enterprises?

Experts from Kaspersky Lab evaluated that Vietnam is in the group of countries facing the most risk from malware and the use of non-copyright software.

Vietnam is in eleventh place globally in terms of cyber security risk, which is much greater than in regional countries such as Malaysia, Singapore, and Thailand. About 87 per cent of Vietnamese are concerned about cyber security risk but only one-third use information security solutions. And these are at the most basic level.

■ What would you advise Vietnamese enterprises and individuals do to improve information security?

Security is a special area and there is no such thing as absolute safety. No solution can protect 100 per cent of enterprises and organizations from viruses and cyber attacks. The more rapid the development of technology, the more hacker tricks there are.

Enterprises need huge investments in IT human resources, fixing cyber security gaps and updating security solutions to synchronize their security systems. Being equipped with good security tools has to go together with optimizing cost. We suggest leading security solutions from IBM and Microsoft.

Many enterprises in the US, Canada, and Japan use outsourcing for their security services. In doing so they can utilize global systems and be updated with new technology at an optimized cost. I would recommend that Vietnamese enterprises not only strengthen their IT human resources and enhance their basic investment in IT security systems but also use outsourced security solutions.

Regarding the case of a Vietcombank customer losing money due to a hacker, I understand that this incident is still under investigation. Let us wait for the findings. I can comment generally on similar incidents, however. Overall, the cyber threat vectors are increasing. Vietnam is not alone. There were incidents in the region where duplicate ATM cards were created using readers, etc.

The only way to be safe is to maintain security. Hackers will always look for opportunities. One analysis says that 40 per cent of cyber security incidents are due to insider activities or human error. How best we minimize such opportunities is really a matter of data security.

About security gaps among users, from the corporate side I see there is a lack cyber security training for employees and a lack of focus on known vulnerabilities. Users nowadays share too much information on social media, use the same password for multiple accounts, and connect to unsecure wi-fi.

If we are cognizant of these matters we can reduce the number of incidents.

I doubt it is possible to claim anything is 100 per cent secure. Technology is changing rapidly, malicious vectors are changing rapidly and security is also moving faster. In this case, the key matters for companies are: (i) understanding what is the right level of security for your organization; (ii) recognizing how fast can you react to issues; (iii) deciding what data you want to secure. Use a consultative approach to choose and invest; and (iv) there are some pitfalls. Investment in the right area is key. You can buy appropriate products but if there is an absence of skills then requirements won’t be met.

Mr. Ponmurugu Thankappan, Channel Leader - Asia Pacific, IBM Security Services

VN Economic Times