Indian firms remain passive in their cybersecurity approach, and in most cases, it takes an attack (or multiple attacks) to change their strategy or mindset, according to a new study.
The recent report by cybersecurity firm Sophos, “The Future of Cybersecurity in Asia Pacific and Japan”, done in collaboration with Tech Research Asia (TRA), said that 43% of Indian companies surveyed haven’t made a change to their cybersecurity approach in the last 12 months, indicating a passive attitude to cybersecurity, something that must be addressed as a priority.
The security firm observes that since 2019, the only driving factor behind a change in cybersecurity strategy has been an attack or breach. But despite a world of change led by the pandemic over the last two years, things haven’t changed much.
Sophos found that a measly 52% of the respondents said that they are planning to make changes in the next six months due to experiencing an attack. This calls for a “proactive approach organisations should take to manage their security aspect.”
“Cybersecurity strategies must move with – or even faster than – the threat landscape and, sadly, that’s not happening at the moment,” said Aaron Bugal, global solutions engineer at Sophos. He added that organisations must constantly be on the front foot to identify and thwart attacks, and that regular and consistent threat hunting is key to this.
Of course, businesses are increasingly prioritising budget for cybersecurity: the research found that in 2022, 11% of technology budgets across India are dedicated to cybersecurity. But Bugal said, “Even with the additional investment, organisations need to ensure they are not overstating their maturity levels and the implementation of threat hunting solutions, leading to complacency.”
With increased so-called maturity and investment, one would think successful cyberattacks would decline; however, they continue to wreak havoc. Sophos’ State of Ransomware Report reveals 78% of Indian organisations were hit by ransomware in 2021, up from 68% in 2020.
It is not just the Sophos study; other recent industry reports also see a dismal state of cybersecurity in India and across the world. According to the Verizon Business 2022 Data Breach Investigations Report, published in May 2022, ransomware breaches globally and in India increased by 13% in the past year, representing a jump greater than the past five years combined.
“The continued explosion of connected devices and widespread digitisation in multiple sectors has increased the likelihood of cyberattacks, especially ransomware,” said Anshuman Sharma, Associate Director CSIRT & Investigative Response, APJ at Verizon, adding that the emergence of “Ransomware as a Service (RaaS), a Software-as-a-Service (SaaS)-based attack vector and the adoption of cryptocurrency” are further contributing to the spikes.
In August, another study done by IBM and Ponemon Research Institute also revealed that Indian firms lost a whopping ₹17.6 crore on average to data breaches in 2022, a 25% increase from 2020, which was pegged at ₹140 million, and a 6.6% increase from 2021, at ₹165 million. India’s average per-record cost of a data breach in 2022 stood at ₹6,100, a 3.3% increase from ₹5,900 in 2021 and a 10.4% increase from ₹5,522 in 2020, the report added.