India’s poor cyber awareness: lack of board-buy in and digital literacy damaging security levels

Over the last few years, India has seen a significant rise in both cyber breach incidents and cybercrime, with many affecting national security and large organisations.

Unfortunately, according to Sophos data, nearly 40% of board members in India have no knowledge on cyber security threats and risks!

"India is experiencing an unprecedented increase in cyber attacks, and it is crucial to take proactive measures to improve our cyber security infrastructure," said Rama Vedashree, CEO of the Data Security Council of India.

According to a report by the Indian Computer Emergency Response Team (CERT-In) cited in the Hindustan Times, there were more than 44,000 cyber attacks in India in 2020. That was a staggering 300% increase from 2019. Unfortunately, cyber crime in India has shown no signs of slowing down. 

In this article, we will explore the current cyber security landscape in India, the cyber threats organisations and governmental bodies face, and the awareness solutions and regulations in place to tackle these issues … as well as how targeted, localised cyber awareness training can maximise your security culture and minimise the ramifications of a cyber attack.

Why is India an attractive target for cyber criminals?

1. India is the ‘New Silicon Valley’

One reason cyber crime has boomed in India is the continued establishment of tech corporations and digital ventures in the Asian superpower. McKinsey Global Institute data labels India as the second-fastest digital adopter among the 17 most digital economies of the world. The country is now home to the 3rd largest population of internet users (iLearnCANA). There are more than 1.15 billion mobile phones in India and over 700 million internet users.

India has even been labelled as the ‘New Silicon Valley’ due to its attractive cheap labour, large population, and financial incentives. Nearly every single industry operating in India has adopted digital technologies and some have become entirely reliant on it. Sectors such as finance, healthcare and, in India’s case, governmental bodies, are the most attractive targets for cyber criminals. As a result, there is a growing demand for cyber security solutions and awareness programmes.

The country’s cyber security industry almost doubled in size from $5 billion in 2019 to $9.5 billion in 2021 (DSCI), and it is showing no signs of slowing down. In fact, Bold News Online reveals that the Indian cyber security industry is expected to reach $35 billion by 2025.

2. Lack of cyber security professionals

Globally, the demand for cyber security professionals far exceeds the actual number of qualified candidates that exist. This is an even greater problem in India, as the country’s shortage of employees with cyber security knowledge is 9% higher than the global average (Express Computer).

And unfortunately for the nation, the cyber security field is ever evolving and ever-expanding, which means cyber professionals need to be constantly up to date with their skills and knowledge. There is an argument that the industry is evolving faster than India can produce security professionals.

3. Low cyber security awareness in population and in organisations

The lack of digital literacy in the country is a worry when it comes to spotting, avoiding, and reporting cyber attacks.

In 2020, Sophos ran a survey on ‘The Future of Cybersecurity in Asia Pacific and Japan’. The survey found that a staggering 93% of Indian companies say they lack cyber security awareness among employees, including board level executives! The report elaborates that only 61% of companies in India believe their board truly understands cyber security.

The concept of cyber awareness is still incredibly new in India and organisations are terribly slow to adopt training and development programmes because the decision-makers simply do not have the knowledge or understanding to take cyber security and awareness seriously. And whilst India hosts 700 million plus internet users, 75% of these users are new and from rural areas (iLearnCANA). This rural section of the user base is not entirely literate with digital tech and have not been raised with technology, like a western Gen Z population, and are therefore naturally vulnerable to cyber threats.

In fact, a recent report by the Digital Empowerment Foundation (DEF) shows that digital literacy is almost non-existent for more than 90% of India’s population. It is quite easy to see cyber criminals are targeting India and their organisations because they think it will be an easy win for them.

4. Political attacks

In recent years, many members of India’s governing party have been mired in controversies surrounding comments made about neighbouring nations and religions. As a result, India has become a major target for hacker groups in politically motivated attacks. A CloudSek report, cited here in Mint, reveals that not only are attacks on government agencies up 95% year-on-year, but India was also the most targeted country in 2022. In fact, attacks on India’s government agencies more than doubled between 2021 and 2022!

India is facing a lot of hacktivism – where a hacker’s motivation is not financial but rather possesses a political agenda – and whilst the cultural/religious debate in India rages on, India’s governmental agencies can expect even more hacktivism.

Ransomware and phishing in India

Ransomware attacks in India

One of the biggest threats and most common cyber attacks we see in India are ransomware attacks. Ransomware is deployed to lock down an organisation’s network or system and demand a ransom in exchange for the release of data.

Indian Express revealed that the average ransom paid by Indian organisations to hackers has hit $1.2 million. In 2020, India ranked 2nd in the world for ransomware attacks, seeing an average of 213 ransomware attacks every single day (SonicWall). Business Standard reports that India has now jumped to 2nd in the world for all types of ransomware attacks, only behind the United States, with a 24% increase in all cyber attacks recorded in 2022!

In 2022, India faced a total of 3950 official ransomware attacks – many are not detected or reported due to a lack of cyber education - with over 22 billion records compromised and $150 million paid in ransom money (Indian Express). These are just the numbers for successful attacks as Indian Express reveals an average of 707 ransom attempts per organisation in the first half of 2022.

Nevertheless, many ransomware attacks against India and Indian organisations were successful. Below is a timeline of the biggest ransomware attacks in India in 2022:

• Jawaharlal Nehru Port: This is India’s only state-owned port and handles half of all containers that pass through India. Due to a ransomware attack in February 2022, the port had to divert ships to other terminals in Mumbai.
• SpiceJet Airline: Indian airline SpiceJet was hit by a ransomware attack in May 2022. The attack crippled the airline’s systems and left many passengers stranded across the country.
• Goa Water Resources Department: In July 2022, a ransomware attack hit Goa’s Water Resources Department which handles the flood monitoring system. In this instance, attackers demanded the ransom be paid in cryptocurrency.
• Tata Power: In October 2022, Tata Power, India’s largest integrated power company was hit with a ransomware attack affecting its IT infrastructure and systems. Hive ransomware group took responsibility. The ransom was never paid with data such as employee information, national ID numbers and salary information all finding their way online.
• All India Institute of Medical Service (AIIMS): Healthcare organisations are optimal targets for attacks as they hold a lot of valuable and confidential data. This is no different in India. In November 2022, a ransomware attack hit AIIMS, and the health organisation did not pay the ransom. As a result, AIIMS had to go manual with all of their processes for over two weeks. In the end, the attack exposed 40 million records with some belonging to the most powerful people in the country.

97% of organisations that have faced a ransomware attack state that it impacted their ability to operate normally with 92% stating they had lost important data and revenue as a result (Sophos State of Ransomware 2022 Report). If you are an organisation or employer in India, you must get your employees ready and aware of ransomware attacks and how to spot/avoid them.

Phishing in India

Another major threat is phishing attacks, where cyber criminals impersonate a trusted entity to trick users into providing sensitive information. In 2020, India was ranked third globally for phishing attacks, with over 1.5 million reported incidents, according to a report by security firm Kaspersky.

During the height of the pandemic, India saw an almost unbelievable 4000% increase in phishing emails (Inc42).

And, whilst the rate of phishing attacks in India has fallen since post-pandemic, The country still saw over 900,000 phishing attacks between 2020 and 2022 (India Times)

Cyber security solutions for India

1. Official steps and regulations in India

Firstly, the Indian government has taken several steps to improve the country's cyber security. Let’s run through a few below:

• In 2000, the Indian government introduced the Information Technology Act. This is the primary legislation governing cyber crime in India. The act details punishments for offenses such as unauthorised access to a computer system, computer-related forgery, and hacking. This is the start of official cyber crime regulation in India.
• In 2013, the government launched the National Cyber Security Policy (NCSP). This policy aimed to create a secure cyber ecosystem and strengthen the country's cyber infrastructure. The policy included initiatives such as setting up cyber crime investigation units, creating cyber emergency response team (CERT-In), and encouraging public-private partnerships in cyber security.
• In 2017, the government launched the Cyber Swachhta Kendra initiative, which provides free tools to Indian citizens to detect and clean malware from their devices.
• In 2018, the government introduced the Personal Data Protection Bill. This bill aimed to regulate the collection, storage, and processing of personal data. The bill also proposed hefty fines for companies that fail to comply with the regulations.
• In 2022, the government set up cyber forensic labs across the country to investigate cybercrime incidents and provide training to law enforcement agencies. This initiative was introduced to increase the conviction rate of cyber crimes.

2. Cyber awareness training

"Cybersecurity is a shared responsibility, and we need to work together to create a secure cyber ecosystem," said Lt. General Rajesh Pant, National Cyber Security Coordinator.

Official steps and regulations are fantastic, as they do work to help protect some individuals and organisations from cyber attacks … however, it is not the sole solution. Indian organisations need to invest in cyber awareness training – at all levels of their business – to ensure they are building a secure workplace culture brimming with safe security behaviours.

TSC offers cyber security awareness and training on a range of cyber threats and risks in multiple languages, including induction processes, security refreshers, role-based training, and targeted materials for high-risk users. Curious about our products and services? Find out more here!

3. Board buy-in

As mentioned at the top of the piece, one of the biggest hurdles Indian organisations and security leaders need to vault is board buy-in. According to Sophos data, 93% of Indian companies see the awareness and education of employees and leadership as their biggest security challenge, with only 61% of Indian board members understanding the importance of cyber security. Therefore, it is paramount that board buy-in be a major part of your cyber awareness plan. The Board or Executive Leadership Team need to understand their responsibilities towards Cyber Security and ensure that the whole organisation has secure processes in place. With stakeholder engagement and training and awareness for all employees, better security practice will follow.

For example, TSC’s board engagement strategies involve contextualising cyber risks with language and examples that board-level executives can understand and empathise with. Instead of bombarding them with numbing statistics, we hit them with case studies, ramifications and how you can avoid the same pitfalls with cyber security awareness. We can support security leaders to get backing from their board before providing them with a long-term strategy to sustain and grow their security culture.

Another way we enlighten board members to security gaps and risks in their organisation is with our Security Awareness and Behaviour Research (SABR) tool which analyses employee behaviours and provides an in-depth analytical report of your organisation’s security maturity. Board members respond to detailed contextualised presentations that speak to the financial and reputational security of their organisation – TSC is attuned to delivering this!

4. Zero trust security model

In a zero-trust security framework, all users who are active on an organisation’s network (both internally and externally), must have their access authorised by authenticating their credentials. Users will have to seek continuous validation to be granted access to an organisation’s data and applications.

The zero-trust security model has exploded in popularity over the last few years as it encapsulates behaviours for local networks, cloud networks and a hybrid work environment. At its core, the zero-trust model seeks to be the modern solution to modern digital issues and could be a viable solution for many Indian organisations who want to build data protection into their network requests.

Conclusion: security leaders of India need to start with board buy-in!

As India's digital infrastructure continues to grow and grow, common cyber security threats will remain a significant concern and emerging cyber threats will continue to pop up.

IBM’s Security Data Breach Report of 2022 shows the average data breach costs in India have reached $2.2 million, up 6.6% from 2021 and up a staggering 25% from 2020!

The government's initiatives, laws, and regulations show a commitment to improving the country's cyber security. However, the only way to become truly cyber resilient is for the government, executive board members, and employees to subscribe to the same cyber awareness values. At the moment, this is not the case!

This is where considered, targeted, and bespoke cyber security training and board buy-in strategies come in. Not only do you make board members aware of financial and reputational risks of lax cyber security, you also show your employees that you care about their training and development, thus gaining respect and mutual care.

In the end, the cost of good cyber security awareness training is pennies when compared to the massive financial and reputational implications of a cyber breach. The sooner board members and organisations realise this, the easier it will be to prevent and combat cyber crime.

If you would like more information about how The Security Company can help your organisation to deliver data protection and privacy training ... or how we can run a behavioural research survey to pinpoint gaps in your security culture ... or how we can support you in board engagement, please contact  Jenny Mandley.