Even as India’s internet base continues to widen, with the country set to have over 900 internet users by 2025, a parallel rise in cyber threats has become a matter of huge concern.
Experts say that the sudden surge in digital adoption left little time to develop a cybersecurity backbone for the country.
This has put large amounts of data at risk.
According to the government, there were 674,021 cyber-attacks in the country this year until June, which translates to around 3,700 cyber-attacks a day.
India does not even have a central cyber security policy as yet.
Dipesh Kaura, general manager for South Asia at Kaspersky, a global cybersecurity firm, says most Indian technology systems depend on legacy infrastructure with inadequate and incomplete cyber protection: “We continue to have a fragmented and disorganised cyber security infrastructure.”
Cyber incidents have taken place across sectors, from health to finance and insurance to power.
Crucial industries such as electricity distribution, telecom equipment, and banking have suffered attacks from state and non-state actors in recent years.
Vulnerabilities to threats, including data leaks, denial of service, and ransomware, have been on the rise.
Says Kaura, “Phishing is one of the most widespread attack mechanisms in India.
"Emerging technologies like artificial intelligence fuzzing are increasingly being used by fraudsters to control and automate attacks.”
Experts argue that the government’s aim to give citizens digital access to public as well as private sector services requires the infrastructure for cyber security to be urgently beefed up.
This becomes all the more important with the rise in online transactions; the fact that almost every service is now available in the form of an app makes things even more complex from a security standpoint.
According to a recent report by IAMAI-Kantar, rural India is driving the growth of India’s internet usage. In 2021, the number of internet users in rural areas grew to more than 351 million.
While this is good news, experts caution that lack of awareness and understanding of the internet is making users vulnerable to cybercrimes.
Kaura says that the new users need to understand the importance of creating complex passwords to secure their Wi-Fi networks.
“Security awareness campaigns by service providers to share information about widespread phishing campaigns and other cyber threats would go a long way in providing cyber security to rural India,” he reckons.
Rahul De, professor of information systems at IIM Bangalore, points out why rural internet users fall prey to cybercrimes such as confidence frauds.
“People not only do not practice healthy security habits, they just have no idea that it should be done,” he notes.
He adds that there is also a need for awareness campaigns in regional languages.
“A lot of the awareness building is happening only in Hindi and English.
"Also, it has to involve audio, video, and animation.
"If you show the risk, people will respond quickly.”
Pointing out that there is an equal need for awareness building at the enterprise level, De says, “If you look at the total portfolio of threats at the company level, external threats are a small part of it.
"The real damage is done by internal employees. A lot of security frauds happen internally.”
According to a recent report by IBM Security, data breaches cost Indian businesses an average of Rs 17.6 crore in 2022 — a 25 per cent jump over the average cost of data breaches in 2020.
The 2022 Unit 42 Incident Response Report by Palo Alto Networks, a US cybersecurity company, says that a new ransomware victim is posted on leak sites every four hours.
“Today, we have reached a point where cyber-attacks are evolving into market stressors, hurting the economy. Hackers exploit these circumstances to force organisations to pay ransoms, which is further compounded by the cyber skills shortage,” says Viswanath Ramaswamy, vice-president, technology, IBM Technology Sales, IBM India and South Asia.
“This is leading to the creation of a ‘cyber tax’, where businesses can pass some of the costs of a breach on to consumers.”
Indian companies need to work on IT security training and instruction to avoid brand impact and legal implications owing to cybersecurity incidents, says Kaura.
“The only effective way to deal with cyber threats for organisations is the vigilance of individuals.
"We must understand the need to limit sharing of all privileged access across their organisations to individuals.”
Adds Gulshan Rai, former director general of the Indian Computer Emergency Response Team (CERT-In): “The current cyber security policy was prepared and notified in 2013.
"Since then, a lot of innovations in technology, applications, and architecture has happened. It is a generational change.”
Rai reckons that at a time when India is moving to install 5G networks, more bandwidth means more attacks.
“Internet of Things and crypto technology, the deploying artificial intelligence, blockchain, and big data are the norms of the day.
"The country needs another cyber policy to address the challenges emerging from new types of technological innovations.”
“Digitalisation in India is increasing at a fast speed and so is the heterogeneity of networks, applications, and devices. Testing of applications and devices is not able to keep pace with the increased penetration of devices.
"The overall result is that breaches have increased and there are more cyber incidents,” he adds.