Cybersecurity experts say identity and access management has emerged as one of the most common vulnerabilities among Vietnamese organisations, with eight out of ten companies assessed for security showing weaknesses in this area.

The assessment was highlighted in the 2025 cybersecurity report for organisations and enterprises published in mid-January by the National Cybersecurity Association (NCA). The report noted that while there have been positive improvements, defensive capabilities among many organisations in Vietnam still contain worrying gaps.

According to the NCA, around 47.72 percent of organisations still face shortages of cybersecurity personnel. Nearly 28 percent have not implemented any cybersecurity standards internally, while more than 9.3 percent reported having no form of internet access control, such as firewalls, leaving their systems exposed to potential intrusion.

These concerns are further reinforced in the Cybersecurity Report 2025 - Trends Forecast for 2026 recently released by VSEC.

Experts involved in the report noted that although cybersecurity budgets in many Vietnamese organisations increased during 2025, defensive effectiveness has not kept pace with the level of investment.

The issue, they say, is not the lack of technological solutions but the gap between deploying technologies and the actual capability to operate them effectively.

Phan Hoang Giap, deputy chief executive officer and chief technology officer of VSEC, said many organisations have already deployed components such as firewalls, endpoint detection and response systems (EDR), security information and event management systems (SIEM) and security operations centres (SOC).

However, these systems often operate independently, lack contextual integration and rely heavily on manual operations.

“Many organisations possess the necessary tools, but they function separately and depend largely on manual processes. Meanwhile, modern cyberattacks are highly automated, creating a clear imbalance in speed. Attacks occur at machine speed, while defensive operations in many enterprises still move at human speed,” Giap explained.

Security operations centres at many organisations also face limitations in staffing, operational procedures and automation capabilities. Incident handling often depends on individual experience rather than contextual analysis and rapid response mechanisms.

Another weakness lies in incident response and recovery capabilities.

Many organisations have response plans documented on paper but have not conducted sufficient drills. As a result, they often struggle to react effectively when a real incident occurs.

Backup systems are not always immutable, and recovery procedures are rarely tested against complex attack scenarios.

“The consequence is that even when an attack is detected early, organisations still encounter difficulties restoring systems quickly and minimising damage,” Giap said.

Among the most critical vulnerabilities identified in the report is identity and access management, often referred to as IAM.

IAM refers to the framework of technologies, processes and policies designed to ensure that the right individuals or systems gain access to the right resources at the appropriate time and for legitimate purposes.

According to VSEC, the areas most frequently targeted in identity management include access permission control, identity lifecycle management, authentication and authorisation processes, remote access and personal device usage, as well as monitoring and compliance.

For instance, during the initial infiltration stage of a cyberattack, defensive failures often stem from weaknesses in user identity and behaviour control.

These include the absence of phishing-resistant multi-factor authentication, inadequate monitoring of unusual login behaviour, weak verification procedures, password reuse and the use of personal email accounts for work.

Based on these findings, VSEC experts recommend that organisations shift their cybersecurity strategy from a model based primarily on monitoring and reaction to one centred on proactive defence.

This approach should focus on two main pillars: actively assessing whether systems have already been compromised and hunting for hidden attack indicators, and identifying, controlling and reducing the organisation’s attack surface.

At the same time, organisations should move beyond traditional awareness training to implement programmes that actively change user behaviour and build a strong culture of cybersecurity within the workplace.

Experts emphasise that user behaviour ultimately determines the effectiveness of any defensive system, particularly in the face of social engineering, sophisticated phishing schemes and targeted cyberattacks.

For this reason, companies are encouraged to place greater emphasis on cultivating security-conscious behaviour and organisational culture alongside technological investment.

Van Anh