Foreign firms in Vietnam squeezed by cyber threats and stricter data rules

As Vietnam tightens its legal framework on data protection and cyber threats grow more sophisticated, foreign-invested enterprises (FIEs) are facing mounting pressure on two fronts: safeguarding critical data and complying with increasingly stringent regulations.

These challenges were at the centre of a forum on personal data protection held in Hanoi on April 10.

According to the National Cybersecurity Association, around 52 per cent of businesses in Vietnam experienced cyberattacks in 2025. Even organisations with relatively strong security systems have not been immune.

For FIEs, the risks are particularly acute due to the high-value nature of their data, including R&D materials, technical designs, customer information, and supply chain data. Cross-border data transfers between Vietnamese subsidiaries and parent companies further increase exposure, creating potential vulnerabilities for data breaches.

At the same time, Vietnam’s regulatory environment is becoming more rigorous. Decree No.13/2023/ND-CP and related regulations require companies not only to protect personal data but also to demonstrate full control over how data is collected, processed, and transferred. Violations can lead to fines of up to VND3 billion ($120,000) or 5 per cent of annual revenue.

Experts at the forum highlighted that traditional cybersecurity models, focused primarily on preventing external attacks, are no longer sufficient.

“The internet is like the human immune system,” said Kumagai from Japan's DDS Inc. “Natural antibodies or vaccines can only defend against known viruses, not new variants. Meanwhile, around 120 million new malware strains are created every day. This means perimeter defences such as firewalls and antivirus systems, while necessary, are no longer enough.”

Nguyen Dinh Do Thi from the A05 Department under Vietnam’s Ministry of Public Security

According to Nguyen Dinh Do Thi from the A05 Department under Vietnam’s Ministry of Public Security, the scale of data theft and personal data violations in Vietnam has grown increasingly alarming.

“In recent years, large volumes of Vietnamese citizens’ data have been openly advertised for sale on both public and underground forums,” he said. “In many cases, these datasets are not raw, they are already processed, categorised, and segmented by sectors such as finance, banking, education, and healthcare, making them even more valuable to buyers.”

He noted that some organisations and individuals have gone further, using specialised tools and software to harvest or illegally exploit user data.

“Between 2023 and 2025, authorities uncovered more than 30 cases involving the illegal trading and theft of personal data,” he said. “The volume of compromised data is substantial, around 160 million data files spanning sectors from healthcare and education to banking, finance, energy, insurance, and telecommunications.”

The rapid adoption of smart devices is also adding new layers of risk. Internet-connected devices such as surveillance cameras or smart TVs equipped with cameras can become entry points for cybercriminals if not properly secured.

“These devices are useful for monitoring homes and managing assets, but without adequate protection, they can be exploited to access and steal personal data,” he said. “Once obtained, such data can be used for a wide range of illegal purposes.”

He also highlighted the growing sophistication of cybercrime, noting that attackers are increasingly developing customised software specifically designed to extract data from websites and social media platforms.

“Personal data has effectively become a ‘new gold mine’ for cybercriminals,” he said. “Our investigations show that in many cases, offenders already possess detailed personal information about their targets before carrying out cyberattacks. More than 30 types of high-tech crimes now rely on pre-collected personal data.”

Kumagai from Japan's DDS Inc.

As data becomes a core asset, businesses must adopt a more comprehensive approach by adding a “last line of defence,” controlling and preventing data leakage at the point where data exits the system.

This shift reflects a broader trend seen in more mature markets. “In Japan, companies have moved from a defensive mindset to managing the entire data lifecycle,” Kumagai from Japan's DDS Inc. added. “Attacks today are no longer just about system intrusion, they are about data exfiltration.”

One of the most significant gaps identified among businesses in Vietnam is the lack of control over outbound data flows when information leaves internal systems.

Addressing this issue, some solutions have been introduced at the forum to monitor and control data at the exit point like F-DDH BOX. Unlike traditional security systems that focus on blocking unauthorised access from outside, the solution tracks internal data movement, detects abnormal connections, provides real-time alerts, and can prevent data leakage even if a system has already been compromised.

“Most companies invest heavily in firewalls and antivirus tools to stop external attacks, but lack mechanisms to control data once it is inside the system,” said Nguyen Hung Son, vice chairman of FSI Investment Trading and Technology Development JSC. “This is a critical blind spot that many organisations have yet to fully recognise.”

Experts agreed that as cyber risks intensify and compliance obligations expand, deeper layers of data control are becoming essential rather than optional.

Beyond technology, businesses are being urged to rethink their overall approach, shifting from “preventing attacks” to “comprehensive data governance,” combining technical solutions with internal processes and management frameworks.

In an increasingly complex digital environment, such a transition is seen as critical not only for protecting sensitive information, but also for ensuring operational resilience and long-term sustainability.

Manifesting the first line of defence in cybersecurity Vietnam is undergoing a critical transformation in information security. With the rapid pace of digital transformation, including the expansion of e-government and other aspects, the nation’s attack surface is widening, increasing security risks.

Is our security becoming a battle of AIs? From the battlefield to the data center, artificial intelligence (AI) may become the dominant factor in determining the outcome of any conflict. Jim Richberg, head of Cyber ​​Policy and Global Field CISO, delves into this matter.

Vietnamese businesses step up plans for cybersecurity centres More than 80 per cent of Vietnamese businesses are considering setting up security operations centres (SOCs) to strengthen their cybersecurity capabilities, according to a recent survey by Kaspersky.