As 2024 comes to a close, it is necessary to assess the major cybersecurity breaches that occurred during the year. These include the theft of confidential policyholder health records (Star Health Insurance), theft of profit and loss statements of users of a stockbroking firm (Angel One) and Chinese hackers allegedly hacking Indian immigration data (eMigrate portal).

To put things into perspective, data from the Ministry of Home Affairs states that in the first nine months of 2024, India experienced cyber-fraud losses worth Rs 113.33 billion, while digital arrest frauds led to losses amounting to Rs 16.16 billion. Major reasons for the growth in cyberattacks are the rise in e-payments, rapid need for interconnected devices, greater reliance on virtualised network infrastructure, and transition to cloud-native technologies such as 5G. Cyberattacks can primarily be categorised into two types: those driven by financial motives and those linked to anti-national activities. According to an industry estimate, India is projected to be a target of 17 trillion cyberattacks by 2047.

In addition to the sheer magnitude of the cybersecurity breaches in India, what is also noteworthy is the growing complexity of the cyberattack landscape. In the late 1980s, viruses (malicious software that proliferates upon user interaction) and worms (an independent self-replicating program) infected computers. As companies started investing in antivirus software, firewalls and password management programs amidst the internet boom, emails became the medium for spreading viruses in the early 2000s. Over the years, cybercriminals have come up with more complex forms of cyberattacks ranging from malware (software that can damage computers/pilfer data) and ransomware (a type of malware designed for blocking data access) to advanced persistent threats (a concealed cyberattack on a computer’s network) and denial-of-service (an attempt to disrupt a network, server or website) attacks capable of affecting large nation-states, citizens and enterprises alike. Further, these threats have mutated into multiple new forms. For instance, within malware, Trojan horses (a virus that downloads onto a computer disguised as a legitimate program), adware (unwanted ads), spyware (secretly gathers information about a user or device and sends it to a third party), rootkits (designed for snooping on a computer user) and cryptojacking (uses a device’s computing power to covertly mine cryptocurrency) have emerged as common variants that are posing a significant threat to mobile users and service provider value chains. Additionally, technological advancements such as artificial intelligence (AI), biotechnologies, Internet of Things (IoT) and quantum computing also carry critical new cyber risks such as deepfake exploitation.

Efforts to prevent cybersecurity breaches

According to the United Nations Conference on Trade and Development, 156 countries have enacted cybercrime legislation, with the European Union (EU), Singapore and the US enforcing new cybersecurity laws in 2024. Thus, the EU’s NIS 2 Directive and EU Cyber Resilience Act came into force, while Singapore devised its Operational Technology Cybersecurity Masterplan and the US made advancements to its National Cybersecurity Strategy.

The Indian government, too, has been a frontrunner in terms of establishing a robust cybersecurity strategy as it secured Tier 1 position in the International Telecommunication Union’s Global Cybersecurity Index 2024. With a score of 98.49, India established itself as a role model in global cybersecurity efforts. Some of the major policies that the government has enacted over the years to strengthen its cybersecurity efforts include the Information Technology (Amendment) Act (2008), National Cybersecurity Policy (2013), National Cyber Security Strategy (2020) and Digital Personal Data Protection Act (2023). Further, in November 2024, the Department of Telecommunications mandated telecom companies to report cybersecurity incidents to the government within six hours of becoming aware of these episodes. They must also report additional details on the impact of the incident within 24 hours, as specified under the Telecom Cyber Security Rules, 2024. This entails information such as the number of users affected, the duration and geographical area affected by the security incident, the corrective measures taken, and the degree to which the operations of the telecommunication network or service have been affected. To supplement these efforts, the Reserve Bank of India has mandated Know Your Customer rules as a shield against fraud and identity theft, while the Telecom Regulatory Authority of India has developed initiatives such as message traceability and the blocking of suspicious spam accounts.

Parallelly, the sector is doing its bit to mitigate cyber breach incidents. For instance, zero-trust network architecture (ZTNA) is a security model which assumes that no device or user is trustworthy until it has been verified and authenticated. Some pillars of ZTNA include identity and access management (IAM) through single sign-on solutions and multifactor authentication, network segmentation and micro-segmentation, encrypted network traffic, and continuous data monitoring and analytics. Further, virtual private networks have emerged as a channel to secure networks.
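To make the zero-trust model above concrete, the following added example (not code from the original article or from any vendor named in it) shows a small per-request policy engine: every access request is evaluated on identity, multifactor authentication, session freshness, encrypted transport, device posture and a micro-segmentation policy, with deny as the default. The segment names, roles, session limit and the `AccessRequest` fields are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed micro-segmentation policy (assumption): which roles may reach
# which network segment, and whether a managed, compliant device is required.
SEGMENT_POLICY: Dict[str, dict] = {
    "payments-db": {"roles": {"dba"}, "managed_device": True},
    "hr-portal":   {"roles": {"hr", "admin"}, "managed_device": True},
    "public-wiki": {"roles": {"staff", "hr", "dba", "admin"}, "managed_device": False},
}

# Assumed session limit: identity is re-verified after this many seconds,
# so a once-granted session is never trusted indefinitely.
MAX_SESSION_AGE_S = 8 * 3600


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]        # None means the caller never authenticated
    roles: FrozenSet[str]      # roles asserted by the identity provider (SSO)
    mfa_verified: bool         # second factor completed for this session
    device_managed: bool       # device is enrolled in device management
    device_compliant: bool     # e.g. disk encryption on, endpoint agent running
    session_age_s: int         # seconds since the last identity verification
    segment: str               # target network segment / resource
    transport_encrypted: bool  # request arrived over an encrypted channel


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Zero-trust check: nothing is trusted by network location; each control
    is verified on every request and the first failing control denies."""
    if req.user is None:
        return Decision(False, "unauthenticated")
    if not req.mfa_verified:
        return Decision(False, "mfa_required")
    if req.session_age_s > MAX_SESSION_AGE_S:
        return Decision(False, "session_expired_reverify")
    if not req.transport_encrypted:
        return Decision(False, "plaintext_transport")
    policy = SEGMENT_POLICY.get(req.segment)
    if policy is None:
        # Unknown segments are denied rather than allowed by omission.
        return Decision(False, "unknown_segment_default_deny")
    if policy["managed_device"] and not (req.device_managed and req.device_compliant):
        return Decision(False, "device_posture")
    if not (req.roles & policy["roles"]):
        return Decision(False, "role_not_permitted")
    return Decision(True, "allow")


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One structured log line per decision, feeding continuous monitoring."""
    return (f"user={req.user or '-'} segment={req.segment} "
            f"allowed={decision.allowed} reason={decision.reason}")


if __name__ == "__main__":
    # Constructed sample requests: a compliant DBA, the same DBA from an
    # unmanaged laptop, and a staff user probing the payments segment.
    samples = [
        AccessRequest("asha", frozenset({"dba"}), True, True, True, 600, "payments-db", True),
        AccessRequest("asha", frozenset({"dba"}), True, False, False, 600, "payments-db", True),
        AccessRequest("ravi", frozenset({"staff"}), True, True, True, 600, "payments-db", True),
        AccessRequest(None, frozenset(), False, True, True, 0, "public-wiki", True),
    ]
    for r in samples:
        print(audit_line(r, evaluate(r)))
```

The order of checks is deliberate: identity and MFA are verified before any resource-specific policy is consulted, so a request from inside the corporate network gets no shortcut, and the audit line makes each denial reason visible to the monitoring and analytics pillar mentioned above.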

Cloud security, another key solution in this space, enables controlled and constant monitoring and analysis of multiple devices, endpoints and systems. The primary elements of a strong cloud security strategy include IAM to control who can access specific cloud-based resources; data loss prevention to automatically discover and classify controlled cloud data; security information and event management for the detection of and incident response to threats; secure access service edge, which brings together secure web gateways, firewalls, data loss prevention and ZTNA with software-defined wide area network capabilities; and public key infrastructure to promote encrypted data exchange through digital certificates.

Endpoint security solutions have also gained traction. These include hardware and software programs that shield devices from cyber threats and offer response capabilities. Platforms offering antivirus and antimalware protection, data encryption, firewall protection to control network traffic, and device and application control serve as the first line of defence against cyber threats. Major cybersecurity companies offering these solutions include Palo Alto Networks, SentinelOne, Symantec, Sophos, Fortinet, Check Point Software, Microsoft, Trellix, Cloudflare, Citrix Gateway and CrowdStrike.

Challenges

One of the biggest challenges in establishing cybersecurity is that attack technology is outpacing defence technology. The World Economic Forum notes that 55.9 per cent of the respondents surveyed at its Annual Meeting on Cybersecurity believe that generative AI (GenAI) is likely to benefit attackers in the next two years, against just 8.9 per cent who believe it will benefit defenders. Further, 46 per cent of the respondents believe that AI could be used to advance adversarial capabilities including phishing, malware and deepfakes, while 20 per cent of the respondents believe that it may lead to data leaks. Data poisoning and model manipulation are other new vulnerabilities. There is also evidence that cybercriminals harvest encrypted data now with the intent of decrypting it later using quantum computers, suggesting that the attackers may be one step ahead of the defenders.

Another critical gap is the lack of cybersecurity professionals with expertise in novel technologies. According to an estimate, India faces a shortage of 0.8 million cybersecurity professionals and accounts for about one-fifth of the global cybersecurity personnel shortfall. Electronic warfare and AI are expected to propel the demand for cybersecurity professionals further.

Simultaneously, financial resource constraints, especially in the case of small and medium enterprises, also prevent businesses from implementing advanced cybersecurity solutions. Moreover, not all organisations are cognisant of the importance of training their employees in cybersecurity despite the fact that human errors have been known to lead to security compromises.

Outlook

A PwC report has identified cloud-related threats (52 per cent), attacks on connected devices (45 per cent), and hack-and-leak operations (36 per cent) as the top three cybersecurity threats for organisations in India in 2024. Meanwhile, the Data Security Council of India anticipates that AI, infrastructure, financial and identity, and mobile and device threats will be prominent in 2025. It has also identified Telangana, Tamil Nadu and Delhi as the hotspots of malware detection. Looking ahead, India’s cybersecurity market is poised to grow from $4.7 billion in 2024 to $10.90 billion by 2029, at a compound annual growth rate of 18.33 per cent.

To sum up, India is already on the right path in terms of the measures taken by both the government and the private sector. That said, efforts must be made to ensure that the gap between prevention and defence technologies on the one hand and cyberattack technologies on the other does not widen. Enterprises should also make employees aware of what they can do to prevent these attacks, explore ways to increase their cybersecurity budgets and move towards the adoption of mature responses. Moreover, the government must create the right ecosystem to encourage the youth to take up cybersecurity courses.