By Mark Thomas Firestone
Thailand's PDPA, the steady rise of ransomware targeting Southeast Asian SMBs, and the speed at which Thai businesses are digitizing have combined to make cybersecurity a board-level concern in 2026 — not just an IT line item. Here's the short list of controls I treat as non-negotiable when I advise Thai clients.
SMS-based 2FA is better than nothing, but it is not a serious defense in 2026. Use hardware security keys or platform passkeys for every administrative and finance account. Yes, including the founder's account. Especially the founder's account.
A backup you've never restored is a hope, not a backup. Test restores on a schedule. Keep at least one offline copy. Assume ransomware will reach anything reachable.
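To make "test restores on a schedule" concrete, here is an added example (mine, not the author's, and not tied to any particular backup product) of the check a scheduled job should perform: record a manifest of file digests at backup time, restore the archive into a scratch directory, and diff the result against that manifest. The sample files, the archive name and the idea of truncating a copy of the archive to simulate damage are all constructed for the demonstration.

```python
import hashlib
import tarfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a gzip tarball of `source` and return the manifest taken at backup time.
    Store that manifest separately from the archive; it is what a test restore is checked against."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: Dict[str, str], restore_dir: Path) -> List[str]:
    """Restore the archive into `restore_dir` and diff the result against the manifest.
    Returns a list of problems; an empty list means the backup restored completely."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # reject members that would escape restore_dir
            except TypeError:
                tar.extractall(restore_dir)  # Python releases that predate the `filter` argument
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"restore failed: {exc}"]
    restored = build_manifest(restore_dir)
    problems = [f"missing after restore: {rel}" for rel in manifest if rel not in restored]
    problems += [f"content mismatch: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected file in restore: {rel}" for rel in restored if rel not in manifest]
    return problems


def run_demo(workdir: Path) -> Tuple[List[str], List[str]]:
    """Constructed sample data: back up a small tree, verify a clean restore, then verify a
    deliberately truncated copy of the archive to show the check catching a damaged backup."""
    src = workdir / "data"
    (src / "sub").mkdir(parents=True)
    (src / "customers.csv").write_text("id,name\n1,Somchai\n2,Nok\n")
    (src / "sub" / "settings.json").write_text('{"tls_only": true}\n')
    archive = workdir / "nightly.tar.gz"
    manifest = create_backup(src, archive)

    clean = verify_restore(archive, manifest, workdir / "restore_clean")

    damaged = workdir / "nightly-damaged.tar.gz"  # first half of the archive only
    damaged.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
    broken = verify_restore(damaged, manifest, workdir / "restore_damaged")
    return clean, broken


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        ok, bad = run_demo(Path(tmp))
        print("clean restore problems:", ok)
        print("damaged restore problems:", bad)
```

The point of the manifest is that a restore which finishes without an error is still not proof of anything; only a file-by-file comparison against what was backed up tells you the copy is usable. Run the same check against the offline copy, since that is the one you will reach for after ransomware.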
Even a one-page plan is enormously better than no plan. Who decides? Who calls counsel? Who talks to customers? Who notifies the PDPC? Decide before an incident, not during one.
Your security posture includes everyone you trust with data. Review SaaS access quarterly, rotate API keys, remove ex-employees from shared workspaces immediately, and treat marketing tools as production systems — they often have access to customer data.
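The quarterly SaaS access review above is easy to describe and easy to skip. This added example (mine, not the author's) shows the review as a script over an export of accounts from each tool and the active staff roster from HR: it flags accounts belonging to people no longer on the roster, API keys past a rotation age, and dormant accounts, with higher severity for admins and for tools that hold customer data. The thresholds, tool names, e-mail addresses and dates are constructed assumptions, not figures from the post.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed policy thresholds for this example; write your own into the access policy.
KEY_MAX_AGE_DAYS = 90   # rotate API keys older than this
DORMANT_DAYS = 45       # no login in this window: disable the account or justify keeping it


@dataclass(frozen=True)
class SaasAccount:
    tool: str
    email: str
    role: str                        # "admin" or "member"
    last_login: Optional[date]       # None if the account has never signed in
    api_key_created: Optional[date]  # None if the account holds no API key


def review_access(accounts: List[SaasAccount], active_staff: Set[str],
                  customer_data_tools: Set[str], today: date) -> List[Dict[str, str]]:
    """Return one finding per problem: who, which tool, what to do and why.
    Revocation is checked first and ends the review of that account; a removed
    account needs no key rotation."""
    findings: List[Dict[str, str]] = []

    def add(acct: SaasAccount, action: str, reason: str) -> None:
        # Admin rights or customer data raise the stakes of any finding on the account.
        severity = "high" if acct.role == "admin" or acct.tool in customer_data_tools else "medium"
        findings.append({"tool": acct.tool, "email": acct.email, "action": action,
                         "reason": reason, "severity": severity})

    for acct in accounts:
        if acct.email.lower() not in active_staff:
            add(acct, "revoke", "not on the active staff roster")
            continue
        if acct.api_key_created is not None:
            key_age = (today - acct.api_key_created).days
            if key_age > KEY_MAX_AGE_DAYS:
                add(acct, "rotate_key", f"API key is {key_age} days old")
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            add(acct, "disable", "no login within the dormancy window")
    return findings


# Constructed sample input standing in for the tool exports and the HR roster.
TODAY = date(2026, 3, 1)
ACTIVE_STAFF = {"nok@example.co.th", "arun@example.co.th", "mai@example.co.th", "lek@example.co.th"}
CUSTOMER_DATA_TOOLS = {"crm", "email-marketing", "payments"}  # marketing tools count as production
ACCOUNTS = [
    SaasAccount("crm", "nok@example.co.th", "admin", date(2026, 2, 27), date(2025, 10, 1)),
    SaasAccount("crm", "ploy@example.co.th", "member", date(2025, 12, 20), None),
    SaasAccount("email-marketing", "arun@example.co.th", "admin", date(2025, 12, 1), None),
    SaasAccount("payments", "mai@example.co.th", "member", date(2026, 2, 28), date(2026, 1, 15)),
    SaasAccount("design-tool", "lek@example.co.th", "member", date(2026, 2, 20), date(2025, 11, 1)),
]


def run_review() -> List[Dict[str, str]]:
    """Run the review over the constructed sample data."""
    return review_access(ACCOUNTS, ACTIVE_STAFF, CUSTOMER_DATA_TOOLS, TODAY)


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f['severity']}] {f['tool']} {f['email']}: {f['action']} ({f['reason']})")
```

Against the sample data the script produces four findings: the ex-employee's CRM account to revoke, a 151-day-old admin API key on the CRM to rotate, a dormant admin on the e-mail marketing tool to disable, and a 120-day-old key on a tool without customer data to rotate at lower severity. The roster comparison is the step that catches the ex-employee the offboarding checklist missed; the rest is routine hygiene that is only done if something runs it.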
Input validation, parameterized queries, modern authentication libraries, and TLS everywhere. None of this is exotic, and none of it is optional. If you're shipping software in 2026, OWASP awareness is table stakes.
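"Parameterized queries" is the one item in that list that is best understood by seeing the difference. This added example (mine, not the author's) puts a string-built query beside its parameterized form on an in-memory SQLite table and adds an input-validation layer in front of it; the table, rows and e-mail pattern are constructed for the demonstration. The string-built version is there only so the contrast is visible, and the lookup functions stand in for whatever the real application's data-access layer is.

```python
import re
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a customer directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, tier TEXT)")
    conn.executemany("INSERT INTO customers (email, tier) VALUES (?, ?)", [
        ("nok@example.co.th", "gold"),
        ("arun@example.co.th", "silver"),
        ("mai@example.co.th", "gold"),
    ])
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> List[Row]:
    """String-built query: the caller's input becomes part of the SQL text, so input
    containing quotes or operators changes the statement itself. Shown for contrast only."""
    sql = f"SELECT email, tier FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Row]:
    """Parameterized query: the statement is fixed and the value travels separately,
    so whatever the input contains it can only ever be compared as a value."""
    return conn.execute("SELECT email, tier FROM customers WHERE email = ?", (email,)).fetchall()


# Allowlist shape check for the one field this endpoint accepts (constructed, deliberately strict).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def lookup_validated(conn: sqlite3.Connection, email: str) -> List[Row]:
    """Defense in depth: reject input that is not shaped like an e-mail address before it
    reaches the database, and still use the parameterized query underneath."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid e-mail address")
    return lookup_safe(conn, email)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the textbook input that turns a string-built WHERE clause into "match everything"
    print("unsafe:", lookup_unsafe(db, probe))       # every row comes back
    print("safe:", lookup_safe(db, probe))           # no row has that literal e-mail address
    try:
        lookup_validated(db, probe)
    except ValueError as exc:
        print("validated:", exc)                     # rejected before the query runs
```

The parameterized version is the control that actually closes the hole; the validation layer narrows what reaches the database and gives you a clean place to log and reject bad input. Keep both, and apply the same pattern to every driver and ORM in the code base, since the string-built form tends to creep back in through "just this one dynamic report".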
None of these controls are unique to Thailand, but the urgency and the context are. PDPA enforcement is real, customer trust is hard-won and easily lost, and attackers are not waiting for your roadmap.