Seven cybersecurity blind spots Japanese companies in Thailand miss — why local subsidiaries become the target

"We have a solid security policy at our Japan HQ" — that's how many Japanese companies operating in Thailand frame the security of their local subsidiary. Attackers see it the opposite way. A lightly defended local subsidiary is often the shortest route to the HQ network.
Thailand's threat environment has worsened sharply in recent years. According to Check Point Software, organisations in Thailand averaged around 3,200 cyber attacks per week in the first half of 2025 — over 160% above the global average. In Q1 2026, Thailand entered the global top 10 most-targeted countries for ransomware for the first time. Thailand's NCSA recorded over 1,000 incidents between January and May 2025 alone.
This article is for those responsible for running a Thai subsidiary, or for selecting partners and vendors there. It organises seven commonly overlooked "blind spots", relevant to both manufacturing and non-manufacturing businesses. Read it against your own situation.
Why local subsidiaries become the target
First, a mental shift. Your local subsidiary is not a "scaled-down version" of HQ. To an attacker, it's an entry point into HQ.
When the whole group shares one AD domain, VPN, or core system, a single compromised account at the subsidiary becomes a path into Japan HQ and other sites. Attackers enter at the weakest point and move laterally toward the prize — this is the classic ransomware playbook.
The stubborn myth here is "we're too small to be targeted." In reality, most recent ransomware victims are organisations with under 500 employees. Attackers pick targets by ease of intrusion, not by size. No dedicated security staff, ageing systems, unpatched servers — those conditions get you hit, regardless of headcount. Japanese manufacturers in Thailand have already appeared on ransomware leak sites.
So "small subsidiary" is not a reason to feel safe — it's a risk factor. Below, the blind spots in three areas.
Area A — Organisation & governance blind spots
Blind spot ① | The HQ–subsidiary control gap
The most common and most overlooked.
Even an excellent HQ security policy doesn't necessarily get enforced at the subsidiary. In many cases, the subsidiary runs IT on its own — often haphazardly — with very little reach from HQ governance. The HQ IT team often doesn't have an accurate picture of the subsidiary's network, devices in use, or cloud services consumed.
A policy that just "exists" doesn't function. It needs to be applied at the subsidiary, regularly audited, and made visible back to HQ — all three.
Ask yourself: Can your Japan HQ pull up a current asset inventory and network diagram for the Thai subsidiary, right now?
Blind spot ② | "One-person IT" dependence
At a typical Japanese subsidiary in Thailand, IT is run by 1–2 people. That person handles PC procurement, network, servers, vendor management, and security — all at once. Subsidiaries with a dedicated security role are the exception.
Two problems. First, security becomes a side task and slides down the priority list. Second, all knowledge becomes personal. Thailand has high job mobility — when that IT person leaves, the passwords, configurations and vendor history walk out the door. We have seen many subsidiaries left in a "nobody knows the whole picture" state after a single handover.
An entire site's security depending on whether one person is still at the company is an organisational risk you can't ignore.
Blind spot ③ | No incident response plan
"In the first hour after an attack, who does what?" — few subsidiaries can answer this immediately.
Speed of initial response decides incident outcomes. But most Thai subsidiaries have no IR plan tailored to local conditions. Reporting lines to HQ are vague, time zones add hours of delay, reports come in Thai or English that HQ can't immediately parse — and the response slides backwards from there.
You also need pre-existing relationships with outside specialists and local authorities. Searching for who to call after an incident wastes the precious initial hour. Response capability is built in peacetime.
Area B — Compliance blind spots
Blind spot ④ | Failing to comply with Thailand's PDPA
This is the most important section if you're responsible for legal compliance or vendor selection.
Thailand's PDPA took full effect in June 2022. The initial period was educational, but that has changed. On 1 August 2025 the Thai Personal Data Protection Committee (PDPC) announced 8 administrative penalties across 5 cases at once — total fines around THB 21.5 million. The largest was THB 7 million, imposed on a company that failed to appoint a Data Protection Officer (DPO) and failed to report a breach. Penalties hit not only data controllers but data processors (your vendors) as well.
Two common Japanese-company misconceptions:
Misconception 1: "Our HQ APPI compliance is enough."
PDPA is a separate law from APPI and from the GDPR your HQ has already addressed. It has its own requirements — DPO appointment, consent capture, cross-border data transfer rules (effective March 2024). If you process personal data of Thailand residents, PDPA applies regardless of where your HQ sits.
Misconception 2: "PDPA compliance is paperwork."
The 2025 penalties show the PDPC enforces PDPA as a governance framework covering security controls, vendor management, and incident response. The repeated reasons in penalty notices were: no DPO, failure to report breaches within 72 hours, insufficient security controls, and weak vendor contracts (DPAs). Privacy policy and consent forms alone are not enough.
An emergency decree on technology crime, effective 13 April 2025, added criminal liability — up to 5 years imprisonment and THB 500,000 fine for unauthorised sale or disclosure of personal data. PDPA is no longer just a legal/compliance issue — it's a management risk that involves executives, IT, and procurement.
Ask yourself: Is your Thai subsidiary's DPO appointed? Is the procedure for reporting a breach to PDPC within 72 hours documented?
Area C — Operational & technical blind spots
Blind spot ⑤ | Factory / OT environment security
If you have a manufacturing site in Thailand, weight this blind spot heavily.
Ransomware concentrates on manufacturing. Multiple surveys report manufacturing as the most-targeted sector in 2025. The reason is simple: downtime cost is extreme, and attackers exploit that.
The factory-specific risk is the OT (operational technology) environment: ageing equipment built for long-duration runs, end-of-life OS versions, and insufficient segmentation between IT and OT networks — all create a fertile ground for intrusion and lateral spread. In manufacturing, ransomware encryption is not just "data loss" — it stops lines, delays shipments, and propagates across the supply chain. It hits business continuity directly.
Office IT controls and factory OT controls must be designed as separate disciplines.
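The segmentation point above is easiest to check mechanically. The following is an added example, not code from the original article or from any vendor it mentions: it audits a simplified, constructed firewall ruleset for rules that let office IT subnets reach the OT network, and rates them by whether they expose a well-known industrial protocol port. The subnets, rule format and port list are assumptions for illustration.

```python
"""Audit a firewall ruleset for IT-to-OT reachability (added example).

The rule format ("allow"/"deny", CIDR source and destination, single TCP port
or "any"), the subnets and the OT port list are constructed for this example.
"""
import ipaddress
from typing import Dict, List

# Constructed subnets: office IT VLAN range vs. production OT VLAN.
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.100.0/24")]

# Industrial protocol ports that office workstations should never reach directly.
OT_PORTS = {502: "Modbus/TCP", 102: "Siemens S7", 44818: "EtherNet/IP", 20000: "DNP3"}

# Constructed sample ruleset. Rule 20 is the classic "office can go anywhere"
# rule that silently includes the OT VLAN; rule 30 is a narrow RDP path that
# may be a legitimate, controlled jump host and therefore only needs review.
RULES: List[Dict] = [
    {"id": 10, "action": "allow", "src": "10.10.5.0/24", "dst": "192.168.100.0/24", "port": 502},
    {"id": 20, "action": "allow", "src": "10.10.0.0/16", "dst": "0.0.0.0/0", "port": "any"},
    {"id": 30, "action": "allow", "src": "10.10.20.7/32", "dst": "192.168.100.10/32", "port": 3389},
    {"id": 40, "action": "deny", "src": "0.0.0.0/0", "dst": "192.168.100.0/24", "port": "any"},
]


def _overlaps(cidr: str, nets) -> bool:
    """True if the CIDR shares any address with one of the given networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(n) for n in nets)


def find_it_to_ot_exposures(rules, it_nets=IT_NETS, ot_nets=OT_NETS, ot_ports=OT_PORTS):
    """Return allow rules whose source overlaps IT and destination overlaps OT.

    Each allow rule is judged on its own, regardless of ordering, so that a
    permissive rule does not disappear from the report just because a deny
    currently shadows it; rule order changes often, the exposure does not.
    """
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if not (_overlaps(r["src"], it_nets) and _overlaps(r["dst"], ot_nets)):
            continue
        port = r["port"]
        if port == "any":
            severity, reason = "critical", "all ports from IT into OT"
        elif port in ot_ports:
            severity, reason = "critical", f"{ot_ports[port]} (tcp/{port}) reachable from IT"
        else:
            severity, reason = "review", f"tcp/{port} from IT into OT; confirm it is a controlled jump path"
        findings.append({"id": r["id"], "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_it_to_ot_exposures(RULES):
        print(f"rule {f['id']:>3}  {f['severity']:<8}  {f['reason']}")
```

Run against an export of the real ruleset, the "critical" lines are the ones to close first; the "review" lines are where you document why a path exists and who owns it.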
Blind spot ⑥ | Intrusion via suppliers and partners
Even if your own perimeter is solid, an insecure partner becomes the entry point.
In Thailand, you exchange orders, drawings and data daily with local SME suppliers. If one of them is weakly defended, attackers traverse them into your network. Supply-chain compromise is now one of the dominant attack vectors.
The same applies to "hands-off outsourcing" to a local IT vendor. If you can't see their quality or response capability, the vendor itself becomes your risk. PDPC penalties hit data processors too — vendor management failures are your liability. Vendor and partner selection should include security evaluation.
Blind spot ⑦ | Shadow IT — LINE and personal cloud at work
In Thailand, LINE is the de facto standard for business communication. Convenient — but order data, personal data, and internal files now flow through tools the company doesn't control. That's shadow IT.
It's not just LINE. Personal cloud storage, free file-conversion services, personal phones and PCs used for work — all are "invisible territory" IT can neither see nor manage. What you can't see, you can't protect, and you can't trace after a leak.
The first move is not prohibition but visibility. Find out what the team is actually using, then replace work-critical tools with safer managed alternatives. That order is realistic.
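Visibility before prohibition can start from data the company already has, such as the resolver or proxy logs. The block below is an added example, not code from the original article: it parses constructed DNS query log lines, maps queried domains to a small service catalogue, and reports which unmanaged services are in use and by how many distinct clients. The log line format, the catalogue entries and the client addresses are assumptions for illustration.

```python
"""Discover shadow-IT services from DNS query logs (added example).

The log format (timestamp, client IP, queried domain), the service catalogue
and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample resolver log: one query per line, one malformed line.
SAMPLE_LOG = """\
2026-05-04T09:12:03Z 10.10.5.21 api.line.me
2026-05-04T09:12:05Z 10.10.5.21 obs.line-apps.com
2026-05-04T09:13:10Z 10.10.5.33 api.line.me
2026-05-04T09:14:44Z 10.10.5.33 drive.google.com
2026-05-04T09:15:02Z 10.10.5.40 ilovepdf.com
2026-05-04T09:15:09Z 10.10.5.40 www.ilovepdf.com
2026-05-04T09:16:30Z 10.10.5.21 contoso.sharepoint.com
2026-05-04T09:17:01Z 10.10.5.50 updates.example-vendor.net
this line is not a query record
"""

# Domain suffix -> (service name, category). "managed" marks company-sanctioned tools.
SERVICE_CATALOGUE = {
    "line.me": ("LINE", "messaging"),
    "line-apps.com": ("LINE", "messaging"),
    "drive.google.com": ("Google Drive", "personal cloud"),
    "dropbox.com": ("Dropbox", "personal cloud"),
    "ilovepdf.com": ("iLovePDF", "file conversion"),
    "sharepoint.com": ("Microsoft 365", "managed"),
}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) (?P<domain>[A-Za-z0-9.-]+)$")


def classify(domain: str):
    """Map a domain to a catalogue entry by exact or parent-domain match."""
    for suffix, entry in SERVICE_CATALOGUE.items():
        if domain == suffix or domain.endswith("." + suffix):
            return entry
    return None


def summarise(log_text: str):
    """Return (report, unclassified).

    report: unmanaged services sorted by distinct client count, then name.
    unclassified: domains not in the catalogue -> set of clients that queried them,
    i.e. the candidates to add to the catalogue on the next pass.
    """
    services = {}
    unclassified = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip non-record lines instead of aborting the whole run
        client, domain = m.group("client"), m.group("domain").lower()
        entry = classify(domain)
        if entry is None:
            unclassified[domain].add(client)
            continue
        service, category = entry
        rec = services.setdefault(service, {"service": service, "category": category,
                                            "clients": set(), "queries": 0})
        rec["clients"].add(client)
        rec["queries"] += 1
    report = [
        {"service": s["service"], "category": s["category"],
         "clients": len(s["clients"]), "queries": s["queries"]}
        for s in services.values() if s["category"] != "managed"
    ]
    report.sort(key=lambda r: (-r["clients"], r["service"]))
    return report, dict(unclassified)


if __name__ == "__main__":
    report, unknown = summarise(SAMPLE_LOG)
    for r in report:
        print(f"{r['service']:<14} {r['category']:<16} clients={r['clients']} queries={r['queries']}")
    print("unclassified:", sorted(unknown))
```

The distinct-client count, not the query count, is what matters for the conversation with the team: a service used by most of the office is a candidate for a managed replacement, a service used by one client is a candidate for a quick conversation.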
Self-check your blind spots
The 7 blind spots, distilled into a self-check. Works for both manufacturing and non-manufacturing. Any "no" or "don't know" is one of your blind spots.
- Does your Japan HQ have an accurate inventory and network diagram of the Thai subsidiary?
- Is the HQ security policy actually applied and audited at the subsidiary?
- Is the subsidiary's security independent of any single person?
- Is there a real handover mechanism for configs and passwords when IT staff leave?
- Is the initial-response procedure and reporting line to HQ documented?
- Under Thai PDPA, is a DPO appointed and a 72-hour breach reporting process in place?
- Are appropriate Data Protection Agreements (DPAs) in place with partners and vendors?
- (Manufacturing) Are IT and OT networks segmented? Are the risks of legacy equipment known?
- Have you assessed the security posture of major partners and local IT vendors?
- Can the company see what tools (LINE, cloud apps) are actually being used at work?
Summary: a blind spot is "what you don't notice"
A cybersecurity blind spot is, more than a technical flaw, simply "what isn't recognised as a risk." HQ has a policy so we're fine, we're too small to be targeted, PDPA is paperwork — these assumptions form the biggest blind spots of all.
Put another way, noticing is the first move. If the self-check above turned up a "don't know," that's not a failure — it's the starting line for improvement. The threat landscape in Thailand is unmistakably getting harder. The security of your local subsidiary needs to be reframed: not as an "extension of Japan HQ," but as a discipline rooted in local realities.
On this blog we'll continue to publish on the security challenges Japanese companies face in Thailand, from the perspective of operating on the ground here. Deeper articles on each blind spot will follow. We hope this is a useful starting point for reviewing your subsidiary's posture.
For security assessment, PDPA support, or local IT governance work, reach us via the contact form.
Statistics and legal/penalty figures in this article are based on publicly available information as of May 2026 (Check Point Software, GuidePoint Security, Thailand's NCSA, the Thai PDPC, and others). Consult a qualified specialist for specific legal-compliance work.