Plugging the gaps

Released at: 09:34, 25/07/2014

Investment in information security systems by local organisations and companies requires greater attention, and awareness among Vietnamese users about information security needs to improve.

by Do Huong, Hoang Thu

    Dangerous counterfeit software and applications that place viruses into mobile phones will continue to be a major threat for years to come as malware attacks on Vietnamese users occur with increasing frequency. Viruses are being implanted by counterfeit versions of popular apps like Instagram, Angry Birds and anti-virus software, and browsers like Firefox and Google Chrome. With a low level of awareness among users regarding information security protection, connecting smartphones and computers is no longer safe as the risk of a virus moving between devices is high, according to local security solutions provider Bkav.

    Mobile e-banking services provided by both local and foreign banks have become hugely popular in Vietnam and provide a great deal of convenience to customers, but come with information security threats and potential financial losses for banks and customers. The more advanced technologies banks have introduced into their operating systems, the more cyber hackers consider attacking them a challenge. According to the Internet Security Threat Report 2014 (ISTR19) released by the Symantec Corporation, banking and finance, trade, industry and manufacturing are the most vulnerable sectors in Vietnam. Vietnam now ranks 12th on the list of countries facing the most cyber attacks. “Vietnam has jumped nine points compared to 2012 as the rapidly increasing number of internet subscribers and users who lack good cyber security skills lead to cyber systems being hacked,” said Mr Raymond Goh, Director for Systems Engineering, Asia South Region, at Symantec.

    The Information Security Index prepared by the Vietnam Information Security Association (VNISA) and the Vietnam Computer Emergency Response Team (VNICERT) under the Ministry of Information and Communications in 2013 found results similar to the Symantec report. Last year saw Vietnam face a high risk of information security attacks with the goal of stealing information from organisations and companies, including transaction providers. The core of the problem is loopholes in websites’ systems, with many enterprises fixing their systems after being subject to a spyware attack. “But most enterprises aren’t even aware they’ve been attacked and had important information stolen, and hackers just watch and wait until it’s the right time to attack,” said Mr Nguyen Minh Duc, Security Manager at the FPT Corporation’s Information and Technology Department.

    Two major types of cyber attacks face enterprises and organisations in Vietnam: distributed denial of service (DDoS) and theft of sensitive or secret information of individuals and businesses. Many enterprises were the victims of DDoS attacks in 2011 and 2012. Hackers’ favourite method is to forge an email from a person in the targeted company and send files as attachments. Recipients unwittingly open these files, allowing malicious code to exploit holes in the Windows operating system to install spyware onto users’ computers. Hackers are then able to collect information and conduct destructive activities, like intervening in transactions with banking and finance institutions or e-commerce providers.

    According to Dr Nguyen Chi Thanh, Director of the Institute of Information Security Technology under VNISA, hackers target victims primarily for financial reasons, and instances of leaders such as CEOs being hacked to collect secret company information are increasing. “IT and security staff at major companies have also been victims,” said Mr Duc from FPT. ICT enterprises like FPT are also primary targets of hackers, as well as financial and banking institutions. Aware of the need to invest in information security, FPT has built a comprehensive system covering servers, network infrastructure, equipment, security software, and security policies. “Most enterprises only fix loopholes in their systems after an attack has taken place, because they lack a professional security system,” said Mr Ngo Tuan Anh, Vice President - CSO at Bkav Security (Bkis). “Enterprises haven’t been proactive in quickly detecting and preventing cyber attacks.”

    The Symantec report showed that Vietnam ranks 6th in malicious code attacks, accounting for 2.8 per cent of the global total. Its position with regard to spam has also risen, from tenth in 2012 to seventh in 2013, accounting for 5 per cent of total global spam compared to 2.6 per cent in 2012. In terms of the volume of IPs joining botnet networks (which include zombie computers that are hacked first and then attack other computers), Vietnam jumped 17 spots in 2013 compared to its 23rd position in 2012. Bkav cyber security experts conducted research on measuring and assessing risks from website loopholes from July last year to February this year on 516 websites in 25 countries, including Vietnam. Vietnam was found to be among countries with security systems at the middle level in the region but at the low level globally. The proportion of vulnerable websites due to existing loopholes stands at 40 per cent in Vietnam, higher than in Asia as a whole, with 36 per cent, 33 per cent in Africa, 15 per cent in Europe, and 5 per cent in the Americas. “The results reflect the level of technological development and ICT applications in each region in the world,” said Mr Tuan Anh from Bkis.

    In recent years the government has paid greater attention to building policies on information security, such as proposals approving the Law on Information Security, a project supporting organisations and enterprises in applying standards such as CMMI and ISO 27000, and a project training and developing human resources in information security by 2020. VNISA said that Vietnam’s information security index has improved significantly, with general cyber safety standing at 37.5 per cent in 2013 against 26 per cent in 2012. However, as cyber attack technologies are becoming more advanced, the risks and potential losses from high-tech hackers are immense. “The effect of attacks is immeasurable in terms of finance and brand, especially for large-scale organisations and companies, and the cost of these attacks could amount to more than ten-fold the initial investment in a security system,” said Mr Duc. “But the number of companies reorganising their security and determining how vulnerable they are is small.” The VNISA and VNICERT report showed that only 21.5 per cent of those surveyed could determine potential losses due to hacking attacks in 2013, much lower than in 2012 and 2011, when it stood at 45.8 per cent and 33 per cent, respectively.

    Investment by local enterprises in information security falls well short of its importance. “This investment is a challenge for local enterprises given the economic difficulties,” Mr Duc said. “CEOs don’t see the immediate efficiency of such investment, so reject it.” Twenty-nine per cent of those in the VNISA survey said they increased investment in information security in 2013, compared to 43 per cent in 2011. The number of enterprises investing in training information security staff and employees fell from 57 per cent to 31 per cent between 2011 and 2013. Thirty-eight per cent of enterprises have no or not enough information security staff, and 56 per cent have no information security department. The number of those who are aware of when they are being attacked is falling, at 26 per cent in 2013, down from 40 per cent in 2012 and 42 per cent in 2011. The incidence of action plans being in place against cyber attacks is rising but remains low, at 37 per cent in 2013, 25 per cent in 2012 and 19 per cent in 2011. Seventy-eight per cent don’t have or are not aware of standard operating procedures to deal with cyber attacks, and 48 per cent do not report incidents to relevant agencies such as VNICERT.

    Mr Tuan Anh from Bkis said that local enterprises and organisations have spent more money on information security in recent years, but mostly on purchasing anti-virus software for personal computers, while ignoring comprehensive solutions that allow them to keep a close watch over the health of the entire system, identify holes, and know when their network is being attacked by spyware. In general, enterprises have been reluctant in the past to acknowledge any security issues. Admitting to being a victim of attacks, VNG, which specialises in e-commerce and online games, told VET that attacks on 123pay.vn, a payment portal, are fewer than in its other business fields. Mr Nguyen Hoanh Tien, VNG’s Deputy General Director, said that information security is a major issue not only for the payment portal but for all its business fields. “We invest in equipment and security solutions, focus on cyber security human resources, and build standard operation procedures like ISO:27001 and PCI DSS, to ensure the best possible response to attacks,” he said.

    According to Mr Nguyen Hai Nam from the Cyber Security Department at the BaoViet Group, which has comprehensively invested in IT systems and information security, the department regularly reviews and identifies weaknesses at its member units and fixes any issues before the system can be attacked. “We also have updated information on new malware and spyware from international security solutions companies and receive warnings from VNICERT,” he said. “Communicating these warnings to leaders and staff is an important task because anyone can be a victim.”

    Analysts forecast that chief security officers and security staff at companies will face more challenges in the future because, as more advanced security solutions become available, there are even greater risks and threats from hackers. “Hackers will target product and service providers that have large numbers of users, attacking them in complex ways under a long-term hacking strategy,” said Mr Duc. Besides being proactive in protecting their security systems, Mr Thanh from VNISA said that enterprises also should support customers in protecting their personal information, such as insisting on stronger passwords, urging them to update their security software, and warning them of the need to only download data files from guaranteed sources, because “the individual is the most important link and the weakness in an information system,” he said.

“We do not currently conduct online payments. Our hotel mainly uses three forms of payment: cash, bank transfers and credit cards. Our partners and customers usually pay with their credit cards at our Point of Sale (POS). We see no demand for an online payment system in the near future.”
Ms Nguyen Do Thuy Anh - Brand & Public Relations Manager, Mövenpick Hotel Hanoi

“As technology continues to advance, vendors’ protection measures must also advance so that customers remain protected from the security and privacy challenges created by innovation. At BlackBerry, we implement layers of protection into every device and service to help ensure customers receive a unique level of security and privacy that they can depend upon every day. With malicious and privacy-infringing third-party apps increasing in number every year, BlackBerry is proactively developing and evaluating additional measures and techniques to provide comprehensive protection for customers and their data.”
Mr Quan Dinh - Territory Manager, BlackBerry Vietnam

“Due to regulations on security systems adopted by Sofitel and Accor Global, our hotel only uses online payments on the website of Sofitel Global and reputable online booking websites such as Agoda.com and Booking.com. If we received approval to conduct online payment services in Vietnam, we would choose service provider partners based on their security capacity.”
Ms Le Phuong Ly - Assistant Marketing & Communications Manager, Metropole Hanoi

 
