Over the last few years, India has seen a significant rise in both cyber breach incidents and cybercrime, with many affecting national security and large organisations.
Unfortunately, according to Sophos data, nearly 40% of board members in India have no knowledge of cyber security threats and risks!
"India is experiencing an unprecedented increase in cyber attacks, and it is crucial to take proactive measures to improve our cyber security infrastructure," said Rama Vedashree, CEO of the Data Security Council of India.
According to a report by the Indian Computer Emergency Response Team (CERT-In) cited in the Hindustan Times, there were more than 44,000 cyber attacks in India in 2020. That was a staggering 300% increase from 2019. Unfortunately, cyber crime in India has shown no signs of slowing down.
In this article, we will explore the current cyber security landscape in India, the cyber threats organisations and governmental bodies face, and the awareness solutions and regulations in place to tackle these issues … as well as how targeted, localised cyber awareness training can maximise your security culture and minimise the ramifications of a cyber attack.
One reason cyber crime has boomed in India is the continued establishment of tech corporations and digital ventures in the Asian superpower. McKinsey Global Institute data labels India as the second-fastest digital adopter among the 17 most digital economies of the world. The country is now home to the 3rd largest population of internet users (iLearnCANA). There are more than 1.15 billion mobile phones in India and over 700 million internet users.
India has even been labelled as the ‘New Silicon Valley’ due to its attractive cheap labour, large population, and financial incentives. Nearly every single industry operating in India has adopted digital technologies and some have become entirely reliant on it. Sectors such as finance, healthcare and, in India’s case, governmental bodies, are the most attractive targets for cyber criminals. As a result, there is a growing demand for cyber security solutions and awareness programmes.
The country’s cyber security industry almost doubled in size from $5 billion in 2019 to $9.5 billion in 2021 (DSCI), and it is showing no signs of slowing down. In fact, Bold News Online reveals that the Indian cyber security industry is expected to reach $35 billion by 2025.
Globally, the demand for cyber security professionals far exceeds the actual number of qualified candidates that exist. This is an even greater problem in India, as the country’s shortage of employees with cyber security knowledge is 9% higher than the global average (Express Computer).
And unfortunately for the nation, the cyber security field is ever-evolving and ever-expanding, which means cyber professionals need to keep their skills and knowledge constantly up to date. There is an argument that the industry is evolving faster than India can produce security professionals.
The lack of digital literacy in the country is a worry when it comes to spotting, avoiding, and reporting cyber attacks.
In 2020, Sophos ran a survey on ‘The Future of Cybersecurity in Asia Pacific and Japan’. The survey found that a staggering 93% of Indian companies say they lack cyber security awareness among employees, including board level executives! The report elaborates that only 61% of companies in India believe their board truly understands cyber security.
The concept of cyber awareness is still incredibly new in India, and organisations are terribly slow to adopt training and development programmes because the decision-makers simply do not have the knowledge or understanding to take cyber security and awareness seriously. And whilst India hosts 700 million plus internet users, 75% of these users are new and from rural areas (iLearnCANA). This rural section of the user base is not entirely literate with digital tech and has not been raised with technology in the way a western Gen Z population has, and is therefore naturally vulnerable to cyber threats.
In fact, a recent report by the Digital Empowerment Foundation (DEF) shows that digital literacy is almost non-existent for more than 90% of India’s population. It is quite easy to see that cyber criminals are targeting India and its organisations because they think it will be an easy win for them.
In recent years, many members of India’s governing party have been mired in controversies surrounding comments made about neighbouring nations and religions. As a result, India has become a major target for hacker groups in politically motivated attacks. A CloudSek report, cited in Mint, reveals that not only are attacks on government agencies up 95% year-on-year, but India was also the most targeted country in 2022. In fact, attacks on India’s government agencies more than doubled between 2021 and 2022!
India is facing a lot of hacktivism – where a hacker’s motivation is political rather than financial – and whilst the cultural/religious debate in India rages on, India’s governmental agencies can expect even more hacktivism.
Ransomware attacks are one of the biggest threats and among the most common cyber attacks we see in India. Ransomware is deployed to lock down an organisation’s network or system and demand a ransom in exchange for the release of data.
Indian Express revealed that the average ransom paid by Indian organisations to hackers has hit $1.2 million. In 2020, India ranked 2nd in the world for ransomware attacks, seeing an average of 213 ransomware attacks every single day (SonicWall). Business Standard reports that India has now jumped to 2nd in the world for all types of ransomware attacks, only behind the United States, with a 24% increase in all cyber attacks recorded in 2022!
In 2022, India faced a total of 3950 official ransomware attacks (many are not detected or reported due to a lack of cyber education), with over 22 billion records compromised and $150 million paid in ransom money (Indian Express). These are just the numbers for successful attacks, as Indian Express reveals an average of 707 ransom attempts per organisation in the first half of 2022.
Nevertheless, many ransomware attacks against India and Indian organisations were successful. Below is a timeline of the biggest ransomware attacks in India in 2022:
97% of organisations that have faced a ransomware attack state that it impacted their ability to operate normally, with 92% stating they had lost important data and revenue as a result (Sophos State of Ransomware 2022 Report). If you are an organisation or employer in India, you must make your employees aware of ransomware attacks and ready to spot and avoid them.
Another major threat is phishing attacks, where cyber criminals impersonate a trusted entity to trick users into providing sensitive information. In 2020, India was ranked third globally for phishing attacks, with over 1.5 million reported incidents, according to a report by security firm Kaspersky.
During the height of the pandemic, India saw an almost unbelievable 4000% increase in phishing emails (Inc42).
And, whilst the rate of phishing attacks in India has fallen since the pandemic, the country still saw over 900,000 phishing attacks between 2020 and 2022 (India Times).
Firstly, the Indian government has taken several steps to improve the country's cyber security. Let’s run through a few below:
"Cybersecurity is a shared responsibility, and we need to work together to create a secure cyber ecosystem," said Lt. General Rajesh Pant, National Cyber Security Coordinator.
Official steps and regulations are fantastic, as they do work to help protect some individuals and organisations from cyber attacks … however, they are not the sole solution. Indian organisations need to invest in cyber awareness training – at all levels of their business – to ensure they are building a secure workplace culture brimming with safe security behaviours.
TSC offers cyber security awareness and training on a range of cyber threats and risks in multiple languages, including induction processes, security refreshers, role-based training, and targeted materials for high-risk users. Curious about our products and services? Find out more here!
As mentioned at the top of the piece, one of the biggest hurdles Indian organisations and security leaders need to vault is board buy-in. According to Sophos data, 93% of Indian companies see the awareness and education of employees and leadership as their biggest security challenge, with only 61% of Indian board members understanding the importance of cyber security. Therefore, it is paramount that board buy-in be a major part of your cyber awareness plan. The board or executive leadership team needs to understand its responsibilities towards cyber security and ensure that the whole organisation has secure processes in place. With stakeholder engagement and training and awareness for all employees, better security practice will follow.
For example, TSC’s board engagement strategies involve contextualising cyber risks with language and examples that board-level executives can understand and empathise with. Instead of bombarding them with numbing statistics, we hit them with case studies, ramifications and how you can avoid the same pitfalls with cyber security awareness. We can support security leaders to get backing from their board before providing them with a long-term strategy to sustain and grow their security culture.
Another way we enlighten board members to security gaps and risks in their organisation is with our Security Awareness and Behaviour Research (SABR) tool, which analyses employee behaviours and provides an in-depth analytical report of your organisation’s security maturity. Board members respond to detailed contextualised presentations that speak to the financial and reputational security of their organisation – TSC is attuned to delivering this!
In a zero-trust security framework, all users who are active on an organisation’s network (both internally and externally) must have their access authorised by authenticating their credentials. Users will have to seek continuous validation to be granted access to an organisation’s data and applications.
The zero-trust security model has exploded in popularity over the last few years as it encapsulates behaviours for local networks, cloud networks and a hybrid work environment. At its core, the zero-trust model seeks to be the modern solution to modern digital issues and could be a viable solution for many Indian organisations that want to build data protection into their network requests.
As India's digital infrastructure continues to grow and grow, common cyber security threats will remain a significant concern and emerging cyber threats will continue to pop up.
IBM’s Security Data Breach Report of 2022 shows the average data breach costs in India have reached $2.2 million, up 6.6% from 2021 and up a staggering 25% from 2020!
The government's initiatives, laws, and regulations show a commitment to improving the country's cyber security. However, the only way to become truly cyber resilient is for the government, executive board members, and employees to subscribe to the same cyber awareness values. At the moment, this is not the case!
This is where considered, targeted, and bespoke cyber security training and board buy-in strategies come in. Not only do you make board members aware of financial and reputational risks of lax cyber security, you also show your employees that you care about their training and development, thus gaining respect and mutual care.
In the end, the cost of good cyber security awareness training is pennies when compared to the massive financial and reputational implications of a cyber breach. The sooner board members and organisations realise this, the easier it will be to prevent and combat cyber crime.
If you would like more information about how The Security Company can help your organisation to deliver data protection and privacy training ... or how we can run a behavioural research survey to pinpoint gaps in your security culture ... or how we can support you in board engagement, please contact Jenny Mandley.
© The Security Company (International) Limited 2023