Post COVID Recovery in Thailand’s Cybersecurity Market

Thailand is the second largest economy in ASEAN region and is rapidly transitioning from industrial economy to digital economy. In view of this, cybersecurity is considered as one of the key factor which is inflicting digital transformation in the country. It is estimated that Thailand’s cybersecurity market to be valued at $215 million in 2023.

Definition / Scope
Market Overview
Key Metrics
Market Risks
Market Drivers
Market Restraints
Industry Challenges
Technology Trends
Other Key Market Trends
Market Size and Forecast
Market Outlook
Technology Roadmap
Competitive Landscape
Competitive Factors
Key Market Players
Strategic Conclusion
References

Definition / Scope

Cybersecurity is the protection of internet connected systems, including hardware, software and data from cyber-attacks. Anything connected to internet is exposed to cyber threats.

Cybersecurity is the need of the hour as of the rising cyber security complexity and proliferation of IoT, mobile networks and cloud-based channels, growing peer-to-peer transactions necessitating users to disclose personal identity as well as increasing adoption of emerging technologies such as robotics, artificial intelligence and quantum computing.

McAfee, a cyber security firm projects that cyber crimes cost annual $450 billion to the global economy. In addition, it is estimated that the financial impact from cyber-attacks is over $2 trillion in the ASEAN region. With digitization and connectivity becoming the norm of the 21st century, people and companies alike are exposed to the increasing risk of cyber threats such as:

Malware is an all-encompassing term for a variety of cyber threats including Trojans viruses and bombs. Malware is simply defined as code with malicious intent that typically steals data or destroy something on computer.

Phishing often pose as a request for data from a trusted third party phishing attacks are sent via email and asked users to click on a link and enter the personal data.

Password attacks refers to an act where a third party try to gain access to user’s system by cracking the user’s password.

DDoS stands for Distributed Denial of Service Ad or staff focuses on disrupting the service of a network. Attackers send high volumes of data or traffic through the network until the network becomes overloaded and can longer function.

By impersonating the endpoint in an online information exchange that is the connection from smartphone to a website the Man In The Middle Attacks (MITM) attacks can obtain information from the end users and entity the users are communicating with. The MITM will receive all the information transferred between both parties which could include sensitive data bank accounts and personal information.

in case of drive-by downloads, through malware on a legitimate website, a program is downloaded to a user’s system just by visiting the site it does not require any type of action by the user to download it.

Maladvertising is a way to compromise your computer with malicious code that is downloaded to the system when you click an affected ad.

Rogue software is basically malware that are masquerading as legitimate and necessary security software that will keep the system safe

In 2020, as per IMD World Competitiveness Center Index, out of 63 countries, Thailand was ranked 39th in the digital competitiveness ranking. Acute talent shortage, immature digital culture and organizational silos are key challenge in the digital transformation drive.

Market Overview

By 2025, Thailand’s cybersecurity market is estimated to reach $500 million. In the Global Cybersecurity Index 2020, Thailand was ranked 20^th amongst the countries in the world.

As per Calameo research, 90% of Thai companies were exposed to cyber-attacks. In similar vein, a report by Palo Networks on the State of Cybersecurity in ASEAN, revealed that 40% of the surveyed companies in Thailand allocated over half of their IT budget to cybersecurity. Nearly 75% of the companies in Thailand increased their cybersecurity budget in 2020 compared to 2019. The reason for this being, increase in sophistication and volume of attacks and the urgency to upgrade infrastructure to incorporate automation and IoT.

In 2021, investment in cybersecurity technology in Thailand has reached 0.06 billion. It is projected that cybersecurity spending as a share of GDP was 6% in 2020 and will increase to 7% by the end of 2025.

Key Market Metrics

Base Year	2020
Market Stage	Growth
Market Revenues (2023, USD)	$215 million
Market Growth Rate (2020-2023, %)	14-15%
Number of Companies in the market	–
Market Concentration (% of market share help by top 3 market players)	–

Top Market Opportunities

Managed Security Services (MSS) Market

Between 2020-2026, Thailand’s managed security services market is estimated to grow at a CAGR of 9%. The market for MSS was $233.36 million in 2020 alone. The swift rise in demand for managed detection and response capabilities will drive the growth of managed security systems market in Thailand. MSS is mostly deployed by Bank and Financial Institution Sector (BFSI) as of the need to protect critical and sensitive data backed by constant monitoring.

The Integration of technologies such as Artificial Intelligence (AI) and Machine Learning (ML) is expected to further amplify the already growing managed security services market. Due to the heavy investment in technology and infrastructure projects, Bangkok holds the biggest share of 32.52% in the region. Bangkok has large urban population and house major players so that it is expected to maintain its market dominance during 2020-2026 forecast period.

Based on Security type, Network Security market lead the market in 2020 as it helps to mitigate the risk concerned with data theft and sabotage all the while securing data from spyware. In 2021, revenue in the security segment in Thailand is estimated to reach $16 million. During 2021-2025, revenue is expected to accelerate at an annual growth rate of 26.21% and reach market volume of $39 million by the end of 2025.

Thailand have set up a security framework known as Secure Access Service Edge (SASE) to support remote work. In 2020, between January to July, cybersecurity spending in Thailand was predominantly concerned with the elements stipulated under the Personal Data Protection Act (PDPA), including e-signatures.

Cloud security

From 2018 to 2025, Cloud services in Thailand is projected to grow by 29% and reach $0.94 billion by the end 2025. The cloud segment dominates the MSS market with a stake of 57.08% due to the expanding switch to cloud platforms for storage and security. Majority of the companies in Thailand are outsourcing cybersecurity measures through cloud deployment.

The most popular cybersecurity solutions in Thailand is Cloud-native security adopted by almost 70% of the enterprises. Whereas, other tools including anti-malware and antivirus software are still one of the predominant tools adopted by 61% of the enterprise. Furthermore, over 60% of the respondents use software-defined wide area networks and 42% implement SaaS application security.

IoT

The IoT market in Thailand is valued to reach $2.19 billion by 2030. In line to its commitment to IoT, Thailand is offering a range of investment incentives and tax-exempt to businesses that develop IoT and related digital technologies, including eligibility to receive up to eight years of corporate tax exemption and non-tax privileges. Thailand had the highest percentage (89%) of enterprises that are exploring and implementing IoT solutions in ASEAN region.

Thailand is one of the prime devisers for 5G amongst the ASEAN countries. With 28% enterprise in Thailand device 5G security for the Internet of Things (IoT). With the integration of 5G technologies, there appears to be shift in cyber-attacks through IoT devices.

Market Drivers

Thailand 4.0

The Thai government aims to create a value-based digital economy through its Thailand 4.0 initiative and transform itself into a developed nation. To realise this, the Thai government plans to increase its R&D spending to GDP to 1.5% by 2021. Along with wealth and sustainability, security is one of the key aspects of Thailand 4.0 initiative. Thailand 4.0 has been the major force towards pairing education, technology with data protection and cybersecurity law. Thai government have directed companies to upgrade their cyber security strategies and deploy more rigorous security measures. In line with this, Thailand is planning to invest $6 million in developing 1000 cyber security specialists within 2021.

Digitization trend in SMEs

SMEs accounts for 85.5% of Thailand’s total workforce and contributes to 43% of total GDP. Digitalization of SMEs in Thailand could add value between $35 billion and $41 billion to its GDP by 2024 which could lead to post covid economic recovery. However, in terms of cybersecurity infrastructure and awareness, Thai SMEs are still struggling and lagging behind its ASEAN counterparts making these enterprises vulnerable to cyber attacks.

Surge in volume and sophistication of attacks

Cyberattacks are increasingly getting more complex and occurring more frequently. One of the primary threats in Thailand are ransomware and social engineering. The threat actors are exploiting these attacks to steal user accounts and other credentials. According to Gartner and Frost & Sullivan, the potential cost of cybercrime to Thailand is assessed to be around $500 million including indirect costs, not just the direct cost of fraud and breaches.

While Thailand is one of the rapidly growing country in terms of internet usage, lack of awareness on the dangers, prevention, and protocols as well as outmoded technologies resulted in increased risk of cyber-attacks. In 2020 alone, Thailand experienced over 20 million cyberattacks, risking 28.4% of the Thai users from online threats. Thailand was ranked 87th in the world relating to the possible risks while surfing the internet. It was also placed 44th globally in mobile malware detection with over 28,000 cases in 2020. As per the data by Kaspersky Security Network (KSN), 2.7 million detections were on consumer products and 856,000 detections were on corporate products in Thailand. Thailand had the 5th highest level of consumer threat detection and 3rd highest level of business threat detection in the ASEAN region.

Thailand is amid the top 25 malware-infected nations in the world according to Microsoft Digital Crimes Unit. Thailand has malware infection rate of 25% that affects over 30% of internet users. It has been reported that 5 million IP addresses are connected to malware infected devices. Thailand is also amongst the top 10 countries that host phishing-based Trojans and downloaders. It belongs to the top 20 countries with the greatest risk of malware infection (33%).

Digital growth in Thailand

The Electronic Transactions Development Agency (ETDA) highlighted that the average time Thai people spend on the Internet is 6.2 hours a day. The smartphone usage in Thailand have also risen significantly to 85.5%. Thai government regarded internet as a basic infrastructure and also is in a bid to lower the cost of internet services.

Additionally, the government plans to provide free access without any service charge for the low-income earners to foster digital equality and help people recover from the repercussion of COVID 19. Thailand needs to ensure cyber security measures to keep up with the rapid adoption of digitization in the country.

Market Restraints

Enactment of Personal Data Protection Act

Data controllers’ companies are provided only a one-year grace period to form or revise their privacy policies and internal systems to comply with the PDPA Act’s requirements. The privacy policies and internal systems which are already adopted will be further revised as per the requirements. Thus, companies should constantly follow up all future requirements and meetings of PDPC at the Ministry of Digital Economy and Society related to PDPA guidelines and act.

Absence of security awareness

Thailand is still focused on primitive measures of security such as anti-virus. it is very important to shift its focus in areas such as network security, data privacy, and securing mobile devices. With the adoption and integration of technologies in people’s lives, there have been rising challenge of managing cybersecurity, especially for SMEs.

In 2015, As per the Electronic Transactions Development Agency, 87% of the enterprise was exposed to data and monetary loss due to cyber-attacks. Therefore, companies should identify and examine potential cyber incidents to mitigate such incidents and back the technology transformation by increasing their cybersecurity spending which was only 0.06% in 2020. Additionally, in 2020, the number of cybersecurity research conducted by Thailand was a mere 7%, one of the lowest amongst the ASEAN countries.

Industry Challenges

With rising connectedness, cybersecurity is becoming one of the primary concerns for Thailand. Adoption of new policies, shortage of skilled professionals, absence of unifying governance system, estimation of risk factors as well as investment drought have led to cybersecurity risk in the country.

Legislation that provides lopsided power to the state

The cybersecurity act which was approved in 2019 grants government the power to control the internet. In the name of avoiding cyber risk, the government of Thailand has the authority to investigate internet traffic, access computer data and networks, make copies of information, remove content or seize computers without accord.

The data protection law, shall apply not just to local companies in Thailand but also transcends to overseas companies which collect, use, or disclose personal data, essentially for advertisements and behavior monitoring.

Businesses in Thailand opposed the law reasoning it has centralized the power to a single regulator and would compromise privacy and rule of law, and impose unnecessary burden related to compliance that discourage foreign players to enter Thailand. The new law was criticized on the grounds that it over emphasizes a vaguely-defined national security agenda, rather than guarding against cyber risks.

Acute Talent crunch

By 2022, it is projected there will be a shortage of 1.8 million cybersecurity professionals globally. Thailand is facing an acute talent crunch of information security professionals, with fewer than 1,000 professionals working in cybersecurity field in 2017. Of the total, only 198 Thais have Certified Information Systems Security Professional (CISSP) qualifications.

To deal with mounting cyber threats that grows by 13% every year, the number of CISSP professionals should be increased to 1,000 by 2022 in Thailand. It is estimated that the talent gap could have adverse impact of $1.8 billion on the technology, media, and telecommunication sector.

Total unrealized output 2030 (US$ billion)	Total Labor deficit (2030)
54.8	1,191,364

In Thailand, The Electronic Transactions Development Agency (ETDA) has a target to increase the country’s cybersecurity workforce to 12,000 by 2021.

In 2020, Thailand’s shortage of skilled labor was approximately 550,000. But the heaviest adverse impact of the short supply of key high-tech skills including; Artificial intelligence, robotics, Internet of Things, cloud computing, and big data analytics was felt in Engineering and Information Technology industry.

Technology Trends

In Thailand, Cybersecurity is crucial to stabilize infrastructure for protecting national security, online privacy, identity, integrity from cyber threats as it has one of the highest penetrations of internet, smartphone and mobile internet users in the ASEAN region. Considering this, technology trends for the foreseeable future include:

	5 year	10 years	15 years
Technology Development	Identity security screening through biometrics	AI based cybersecurity embedded with machine learning capabilities and pattern recognition techniques to understand evolving threats.	Quantum cryptography which encrypts data at physical network layer
Growth trajectory worldwide	The global biometric market is projected to grow at CAGR of 17% from $10 billion in 2016 and hit $ 0.3 trillion by 2025	The global AI-based cybersecurity market is estimated to grow at CAGR 31% from 3.7 billion to 0.03 trillion during 2017-2025	The global quantum cryptography market is estimated to grow at CAGR 37% from 0.09 billion to 0.48 billion by 2023
Growth prospects in Thailand	Thailand is concentrating on Smart Living, Smart City Solution and Info Security to move forward, AI enhanced surveillance systems, biometric identification systems, smart sensors, alarms and access control systems will be in demand to meet such requirements Since 2016, the Thai government started a national e-payment system embedded with biometric identity systems in the country. In Thailand, i-Sprint’s distributor DataOne Asia Thailand has reached a 70% market share in Thailand’s commercial banking sector. DataOne Asia Thailand expects its cybersecurity and identity management revenue to make up 30% annually	Thailand is using AI to monitor traffic and conduct Big Data analysis to detect suspicious user behavior.	Quantum cryptography has garnered interest from many scientific researchers as it holds immense potential in secret communication which is difficult to decode through computational effort
Application	70% of the workplaces are expected to implement biometric authentication for workforce access such as single sign-on service, allowing workers access to vital documents with just a scan	Risk identification with AI-as machines can identify risks based on historical data and system breaches, circumvent obstructive behavior and improve overall security posture	Quantum cryptography encrypt fiber networks end to end. Thus, not requiring any further security measures

Regulatory Trends

Thailand’s crucial legislation and regulations that address cybersecurity include:

Digital Law Book	18 Aug 2019
Computer Crime Act B.E. 2550 (2007)	Amended by the Computer Crime Act (No. 2) B.E. 2560 (2017) (unofficial translations)
Ministerial Regulation	Form for the Seizure of Computer Systems 2008
Ministerial Notification on the Characteristics and the Method of Sending Data Deemed Not Causing a Disturbance to the Recipient B.E. 2560 (2017)	Law Plus 2017
Ministerial Notification on Procedures for the Notice, Suppression of Dissemination and Removal of Computer Data from the Computer System	Law Plus 2017
Ministerial Notification on the Appointment of the Settlement Committee under the Computer Crime Act	Law Plus 2017
Ministerial Notification on the Appointment of the Computer Data Screening Committee under the Computer Crime Act	Law Plus 2017
Ministerial Notification on the Criteria, Duration and Procedure to Stop the Dissemination of Computer Data or the Removal of Computer Data by the Competent Official or the Service Provider	Law Plus 2017
Competent Official or the Service Provider	Law Plus 2017
Announcement of the Ministry of Information Communication Technology on Service Provider Computer Traffic Data Storage Regulations	2007
Regulations on arrest, control, search, investigation and prosecution of offenders	According to the Computer Crime Act 2007
Telecommunications Business Act B.E. 2544 (2001)	Amended by Telecommunications Business Act (No. 2) B.E. 2549 (2006) (unofficial translations)
Cybersecurity Act B.E. 2562	2019; unofficial translation
Constitution of the Kingdom of Thailand	2017 (unofficial translation)
National Justice Administration Development Act B.E. 2549	2006, (unofficial translation)
Thailand Criminal Code B.E. 2499 (1956)	Amended Criminal Code No. 17 B.E. 2547 (2003) (unofficial translation); amended and related texts;
Penal Code Amendment Act (No. 14) B.E. 2540	(1997) (unofficial translation)
Damages for the Injured Person and Compensation and Expense for the Accused in the Criminal Case Act B.E. 2544	(2001) (unofficial translation)
Act Promulgating the Criminal Procedure Code B.E. 2477	(1934) (unofficial translation
Criminal Procedure Code B.E. 2477 (1934)	Amended to Act No. 28 of 2551 (2008) and other amendments
Regulations of Ministry of Interior Issued under Section 5 of Act Promulgating the Criminal Procedure Code B.E. 2477	(pp 169-171)
The Criminal Procedure Code Amendment Act (No. 20) B.E. 2542	(1999) (unofficial translation)
Act Amending the Code of Criminal Procedure (No. 29) B.E. 2551	(2008) (unofficial translation)
Organic Act on Criminal Procedure for Holders of Political Offices B.E. 2542)	(1999) (unofficial translation)
Organic Act on Criminal Procedure for Holders of Political Offices	(Amendment) B.E. 2542 (1999), B.E. 2550 (2007) (unofficial translation)
Electronic Transactions Act B.E. 2544 (2001) and amended by Electronic Transactions Act (No. 2) B.E. 2551	(2008) (unofficial translation)
Electronic Transactions Act;	2019
Announcement of the Electronic Transactions Commission regarding the guidelines for the use of cloud services	2019
Royal Decree Establishing Electronic Transactions Development Agency (public organization) B.E. 2554)	(2011) (unofficial translation)
Emergency Decree on the Specific Purpose Juristic Person for Securitization B.E. 2540	(1997) (unofficial translation)
Special Case Investigation Act B.E. 2547	2004
Payment Systems Act B.E. 2560	2017
National Council for Peace and Order Announcements; Personal Data Protection Act B.E. 2562	2019
Copyright Act B.E. 2537	(1994) (unofficial translation) and Ministerial Regulation B.E.2540
Rules for Intellectual Property and International Trade Cases B.E. 2540	(1997) (unofficial translation)
Act on the Establishment of and Procedure for Intellectual Property and International Trade Court B.E. 2539	(1996) (unofficial translation)
Credit Information Business Act B.E. 2545 (2002) as amended by the Credit Business Act (No. 3) B.E. 2551	2008
Financial Institutions Business Act BE 2551	(2008) (as amended)
Official Information Act BE 2540	1997
Child Protection Act B.E. 2546	2003
National Human Rights Commission Act B.E. 2542	1999
Extradition Act B.E. 2551 (2008) (repealed Extradition Act B.E. 2472	1929
Deportation Act B.E. 2499 (1956) as amended until Act (No. 3) B.E. 2521	1978
Act on Mutual Assistance in Criminal Matters B.E. 2535 Ministerial Regulation B.E. 2537 (1994) issued under the Act on Mutual Assistance in Criminal Matters B.E. 2535	(1992) (unofficial translation)
The procedure for Cooperation between States in the Execution of Penal Sentences Act B.E. 2527	(1984) (unofficial translation
Treaty between Thailand and Australia on the Transfer of Offenders and Co-operation in the Enforcement of Penal Sentences	2002
Treaty between Thailand and Canada on Mutual Assistance in Criminal Matters	1994
Treaty between Thailand and China on Mutual Assistance on Extradition	1993
Treaty between Thailand and Great Britain Respecting the Extradition of Fugitive Criminals	1911
Treaty between Thailand and Korea on Mutual Assistance in Criminal Matters	2003
Treaty between Thailand and USA on Mutual Assistance in Criminal Matters	1986
Treaty between Thailand and USA relating to Extradition	1983
The Act on Extradition between the Government of the Kingdom of Thailand and the Government of the United States of America B.E. 2533	(Unofficial translation)
Statistics Act B.E. 2550	(2007) (Unofficial translation)

The key Statutes that regulate the cybersecurity environment in Thailand consist of:

The government of Thailand introduced Cybersecurity Act, 2019 to impose legal safeguards to prevent cyber threats that might possibly compromise national security, public interest and other Critical Information Infrastructure (CII) services associated to the economy including:

National security
Material public service
Banking and finance
Information technology and telecommunications
Transportation and logistics
Energy and public utilities
Public health; and
Others areas that may be further prescribed by the relevant cybersecurity authority

The CSA categorize Cyber threats on three levels, such as:

Non-critical

Threat that affects the performance of CII Operator’s computer system or services catered by government firms.

Critical

Any computer borne attack that presents significant threat to the national infrastructure, security, economy and other CII related services.

Crisis

Threat superior than critical-level that has widespread impact inviting mass destruction, terrorism or overthrow of the government.

Besides the Cybersecurity Act, other cybersecurity measures are addressed in the Computer Crimes Act (CCA) which point that any import or forward of data digitally that may harm the public security, national economy and public infrastructure would be considered as an offense.

Cybersecurity regulatory authorities:

National Cyber Security Committee (NCSC)

The NCSC is regulated by Prime Minister as the chairman and other directors from government and private sector. The NCSC stipulates general cybersecurity policies and standards which encapsulates government agencies and CII entities associated with the national cybersecurity master plan. The NCSC also governs the level of cybersecurity threats under the Cybersecurity Act and deliver defensive and migratory measures.

Cybersecurity Regulatory Committee

The Cybersecurity Regulatory Committee (CSRC) involve the Minister of the Ministry of Digital Economy and Society as the chairman and other directors from government and private sector. CSRC set code of conduct and minimum standards related to CII cybersecurity issues. It also holds the authority to prevent, mitigate or re-evaluate cyber threats.

Likewise, crisis-level threat is controlled by the National Security Council and when crisis -level threat requires immediate response, CSRC has the authority to perform any act warranted as necessary without judicial permission.

Other regulatory authority includes the Computer Security Coordination Centre and other regulatory bodies which are responsible for monitoring and scrutinizing cyber threats.

Guidance on cybersecurity

Regulatory guidance under the cybersecurity Act mandates the development of security mechanisms to protect CII and prevent national cyber-attacks. It also highlights the need of coordination amongst the public, private and international sectors to curb the cyber issues. NCSC plans on cybersecurity measures must be aligned with this general guidance. To enforce cybersecurity research and local expertise including enrolling effective laws and regulations need to be formulated.

Requirements

Security measures	Under sections 44 and 56 of the CSA, every government and CII entity and regulator must comply with the minimum standards. The cybersecurity risk identification and assessment as well as a cyber threat response plan must be executed by an internal or external independent auditor at least once a year and reported to NCSC within 30 days. Besides this, the CII entities should participate in cybersecurity testing organized by the NCSC.
Notify Cybersecurity incidents	In case of cybersecurity incident relating to CII, the entities must evaluate the cyber threat and notify the NCSC office and regulators on matters related to cybersecurity standards and mitigating measures.
Registration with regulatory authority	Under CSA, there is no specific directive to register with a regulatory authority. The NCSC designates CII operators which is published in the Royal Gazette that may be periodically revised as per the need.
Appointment of a security officer	Under Section 46 of CSA, it is necessary to appoint a security officer. Each government and CII entities along with the regulator must refer names of its personnel at management and practitioner level to the NCSC for managing cybersecurity matters.
Other requirements	Under Section 52 of the CSA, CII operators are required to notify names and contact details of personnel and administrators who have management level control over the entity to the NCSC, competent regulator and Computer Security Coordination Center within 30 days from the date of designation in the Royal Gazette. In case of the change of owner, possessor or administrator, it is necessary to notify the responsible authority at least seven days prior to the change.

Fines and penalties

Failure to report	CII operators that fail to report cybersecurity incidents to the NCSC and competent regulator without reasonable cause	Maximum fine of $3000
Failure to monitor	In the event of critical-level threat, any owner, possessor, user or administrator of a computer system that fails to verify or access the impact of cyber threats as directed by the competent officer	Maximum fine of $9000 with additional fine to $300 until the order is conformed.
Failure to fix defects	In case of failure to eliminate defects, retain any computer system for forensic purposes or access any computer system to prevent a cyber threat as ordered by the competent officer	Subject to imprisonment up to three years with/without a maximum fine of $1800.

Market Size and Forecast

In 2020, the global cybersecurity market was worth $173 billion and is estimated to grow to $270 billion by 2026. Cyber Security market is estimated to be $100 billion in 2017 and to grow to $173 billion in 2022 at a CAGR of 11.6%.

The Asia Pacific Cyber Security market is expected to outperform the global market, as of the rising demand for data safety and cybersecurity management. 60% market share is seized by Security services segment in the region. The market is expected to expand from a $20 billion in 2017 to $40 billion in 2022 at a CAGR of 14.6%.

The market for cyber security services in ASEAN is projected to reach $5.6 billion by 2025. ASEAN region appears to be keen on embracing digital economy.

However, the region’s cyber security is still in early stage and is in short of talents and capabilities along with fragmented vendor relationships all of which is creating operational complexity and vulnerabilities. For continued cybersecurity commitment, it is estimated that between 2017-2025, ASEAN countries need to spend around $171 billion collectively on cybersecurity.

The global cybersecurity market has grown steadily over the years and is estimated to be worth $202 billion by the end of 2021.

The global cybersecurity spending will steadily increase over the years and reach $187 billion by the end of 2021.

Thailand has been gradually increasing its cyber security spending from $310 million to $511 million between 2020 and 2025. Cybersecurity spending is primarily directed at identity and access management, infrastructure protection (content, endpoint, etc.) and network security.

As per Gartner, Thailand spent around 0.06% of its GDP on cybersecurity in 2020, this number is expected to escalate at the rate of 0.35% over the next 8 years. In view of this, Thailand’s cybersecurity spending per capita is expected to increase by more than 3 times to $7.4 by 2025. This is because of the shift to remote work during the Covid-19 pandemic which has increased the instances of cyber-attacks.

Market Outlook

The future outlook of cyber security market:

In 2023, spending on cloud security tools is likely to escalate from $5.6 billion in 2018 to $12.6 billion.
In 2023, spending on cloud security solutions is estimated to be $1.63 billion rising from $636 million in 2020 at a 26.5% CAGR.
In 2023, spending on Infrastructure Protection is estimated to surge from $18.3 billion in 2020 to $24.6 billion, at a 7.68% CAGR.
By 2020, global IT security spending is likely to reach $128 billion, out of which the endpoint security tools comprise 24% of the total IT security spending.
According to IDC, 70% of all breaches appears to originate at endpoints, regardless of the increased IT spending on this threat surface.

Thailand’s economy post COVID

Due to the after effect of COVID 19, Thailand’s GDP reduced by 6.1% making it one of the worst hit countries in ASEAN region. In the first quarter of 2021, Thailand had to grapple through the second wave of COVID 19, leading to the contraction of the economy by 2.6%. Shortly, in April 2021, third wave of COVID infections hit the nation bringing private consumption rate and business environment to a standstill.

Thailand economic recovery appears to be slow and uneven and is not likely to return to the pre-pandemic level until 2022. It is projected that Thailand would experience growth at 2.2% in 2021. The Thai government quick response to Covid adversaries have tamed the unemployment and poverty rates.

World Bank report reveals that government’s relief measures provided impetus to prevent the rise in poverty rate from 6.2% in 2019 to 7.4% in 2020. The poverty rate was restrained down to 7% in 2021. The overall employment rate rose by 2.5%, apart from the agriculture sector that had witnessed 10.9% fall employment rates.

Thailand aims to fully vaccinate 50 million of its citizens, which accounts for 70% of the population by the end of 2021. Thailand’s economy is expected to improve in 2022, growing at 5.1% annually.

Its road to recovery is rested on strong vaccination rates, containment measures, resume of international tourism, export of automotive, electronics, construction and agricultural products and full rollout of THB 500 billion fiscal response package as well as other social assistance measures. Thailand disbursed 3% of its GDP on social assistance in 2020 to the vulnerable informal workers and farmers.

Post COVID cybersecurity risks

According to Pacific Prime, in Thailand, cybercrime number surged in the first quarter of 2020 by about 37% as of the shift to remote working arrangements during that period. Correspondingly, data privacy was also one of the key concerns with initiation of contact tracing through mobile applications deploying Bluetooth or GPS-based technologies for tracking and tracing symptomatic and COVID-19 positive people.

Regardless of the positive strides taken by Thailand with regards to the legislation surrounding PDPA, many enactments such as sharing of health data by the insurance and other related sectors should be implemented soon. all of legislative changes got postponed to 2022 because of the pandemic.

ThaiCERT report disclosed that the top three security risks in Thailand were related to Fraud, Intrusion by the means of Trojan attacks. The most prevalent ICT challenge is fraud prevention/payment security and cloud security. In addition, cloud, business and data security is another area of concern for the ICT sector in Thailand. Besides this, other security issues such as Network security, inconsistent network/internet access, web security, email security, incident detection response and recovery, optimizing and controlling costs along with international data privacy are strategic ICT challenge in Thailand.

Content Management System (CMS) hacking

The expected hackers found a vulnerability on Joomla of one of the websites. Then used the mentioned vulnerability to break into the system to attack other websites. The primary victims are education institutions and government agencies.

Business Email Compromise (BEC)

The major victims were refining companies.

Advanced Persistent Threat and Malware Attack

Mostly, Hotel industry and Ticket industry had to face these attacks by sending fake emails with malware that compromise the hotel information system to access the traveller’s credit card information.

Technology Roadmap

AI in cybersecurity With high rates of intensity and frequency of attacks, AI based security solutions are already being implemented for cybersecurity and authentication processes. AI is increasingly being adopted in object recognition; primarily, face, voice and pattern recognition. Ai based security is being implemented for threat. monitoring, analysis, pattern matching and subsequent quarantining.

Threats in cloud

The use of cloud computing has augmented the involvement of both the national and foreign third-party vendors of software and services, risking the companies’ data from unauthorized use, access and disclosure. In Thailand, security researchers found the customers’ data have been leaked to the public from cloud storage service of the main mobile operation of Thailand. Its victims were cloud-based services and electronic transaction services. Considering this, Thai companies are in the process of consolidating their internal security measures and verification procedures.

Competitive Landscape

As per a report by Fujitsu, majority of the Thai companies prefer a global cybersecurity player (40%), followed by a mix of local/regional/global player (35.2%) whereas, 15.2% prefer a regional player and only 5.6% prefer a local player.

Key Market Players

Cyber Security Players	Revenue	Security Services
Seagate Technology	$10 billion	Founded in 1979 and headquartered in Leinster, Ireland, Seagate offers data storage technologies and solutions. The Company’s principal products are Hard Disk Drives (HDDs). Besides this, it produces solid state hybrid drives, solid state drives, Peripheral Component Interconnect Express (PCIe) cards and Serial Advanced Technology Architecture (SATA) controllers.
Vicon Industries	$27.7 million	Established in 1967, Vicon Industries designs and manufactures integrated IP -based security systems with video and access control.
BCDVideo	$209 billion	Founded in 1999, BCDVideo is an IP video storage solution designed for security integrators. It offers video surveillance storage servers, hybrid hyper converged solution, client viewing stations, networking and professional on-site services.
Dahua Technology	$4.06 billion	Instituted in 2001, Dahua Technologies sells video surveillance products and services. The company has set up a Cybersecurity center to solve cybersecurity issues and provide vulnerability reporting as well as cybersecurity knowledge sharing.
Teledyne FLIR LLC	$3 billion	Instituted in 1978 and headquartered in Wilsonville, Oregon, FLIR designs, manufactures, and markets technology solutions that focus on thermal imaging and infrared camera systems. In January, 2021, FLIR Systems was acquired by Teledyne Technologies for $8 billion.
IDIS Ltd	$21 million	Established in 1997, DIS designs, develops and manufactures surveillance solutions for commercial and public sectors. It offers intelligent Digital Integrated Security by focusing on digital video recording (DVR) technology. The company ensures secure data access and transmission by protecting network through mutual authentication system.
HID Global Corporation	$528.3 million	Founded in 1991, HID Global manufacturers secure identity products. It focuses in providing physical and logical access control, including strong authentication and credential management; visitor management systems; highly secure government and citizen ID as well as identification RFID technologies.
Fujitsu (Thailand)	$35 billion	Incorporated in 1990, it is a Japanese Information and Communication Technology (ICT) company which offers comprehensive information technology development, network and telecommunication solutions, system platforms adjustment, and other services. Fujitsu also produces semiconductors, computers, communication equipment, and other products.

Strategic Conclusion

With increasing diversity and extension in network, cybersecurity is a key area of concern for most firms in Thailand. To curb the threats of attack online, Thailand heavily implements and invests in antivirus/spyware, data privacy, fraud prevention as well as encryption technologies.

The future of cybersecurity in Thailand seem bright primarily in the areas of SIEM, biometrics as well as blockchain verification.

References

Appendix

AI	Artificial Intelligence
AIS	Authority of Information Security
APAC	Asia-Pacific
API	Application Programming Interface
APT	Advanced Persistent Threat
ASEAN	Association of Southeast Asian Nations
BFSI	Bank and Financial Institution Sector
BEC	Business Email Compromise
BOI	Board of Investment
CAGR	Compound Annual Growth Rate
CSRC	Cybersecurity Regulatory Committee
CCA	Computer Crimes Act
CIIs	Critical Information Infrastructures
CISSP	Certified Information Systems Security Professional
CMS	Content Management System
CSA	Cyber Security Act
DDoS	Distributed Denial of Service
ETDA	Electronic Transactions Development Agency
GCI	Global COVID-19 Index
GDP	Gross Domestic Product
IoT	Internet of Things
ICT	Information and Communication Technology
IDC	International Data Corporation
ILO	International Labor Organization
IMD	Institute for Management Development
ISO	International Organization for Standardization
IPR	Intellectual Property Rights
IT	Information Technology
MSS	Managed Security Services
ML	Machine Learning
NCSC	National Cyber Security Committee
PDPA	Personal Data Protection Act
PDPC	Personal Data Protection Commission
R&D	Research and Development
RFID	Radio Frequency Identification
SAAS	Software as a service
SASE	Secure Access Service Edge
SATA	Serial Advanced Technology Architecture
SIEM	Security Information and Event Management
SMEs	Small and Medium Enterprises
UTM	Unified Threat Management