Navigating the Cyber pass

With cyber war becoming the asymmetric weapon of choice for all threat actors, India needs to significantly up its cyber investments to create bespoke solutions to safeguard its interests.

The accelerated pace of cyberattacks the world over is a cause for grave concern. Vigilance is the need of the hour as the cyberthreat landscape witnesses an exponential increase in threat actors with different motivations and varied skill levels.

According to our June 2022 Global Risk Survey - India highlights, nearly 80% of India leaders agree that keeping up with digital and other transformations is a major risk management challenge.1 Data from the Indian Computer Emergency Response Team (CERT-IN) corroborates this as it underlines that in CY 2021, CERT-IN handled about 14 lakh attacks on various Indian entities.2

The rise in the cases of unauthorised network scanning/probing over the past three years has been exponential, with a 280% increase in the number of reported incidents in CY21 over the CY19 numbers. CY 2021 also shows a near doubling of website intrusion and malware propagation/phishing incidents compared to CY 2019.

Cyber issues handled by CERT-IN

Source: CERT-In Annual Report 2021

Ransomware too continues to be a potent threat. PwC’s report Cyber Threats 2021: A Year in Retrospect3 indicates that ransomware will continue to be the most potent threat for organisations across the world, with attacks on supply chains becoming the new normal. The emergence of commercial digital quartermasters – who could be both state sponsored or those driven by pure monetary considerations – compounds the menace, by equipping cyberattackers with high-end tools and capabilities. All these developments have resulted in an increased focus on zero-day vulnerabilities. As the below exhibit indicates, 2,435 ransomware victims were exposed on leaked sites in CY 2021, about double the number for the previous year.

Running total of ransomware leaks in 2021

Running total of ransomware leaks in 2021 - PwC India

Concerns around cybersecurity prompted a joint press conference by the heads of the Federal Bureau of Investigation (FBI), USA, and Military Intelligence, Section 5 (MI5),4 on 6 July 2022. The joint press conference served to underscore the potency of cyberthreats to which nations are exposed. It brought to the fore the issue of a state actor undertaking a coordinated campaign on a grand scale to attain significant advantage over its enemies. The steps that a state actor can take, include:

  • covert theft of technology
  • technology transfer
  • exploiting research and
  • acquiring information through the ‘thousand grains of sand’ strategy.

Cyberattacks, it emphasised, are also a key element of the strategy to inflict damage on other countries.

With geopolitical conflicts and subtle changes in the Power Blocs, India too needs to contend with increasing cyberthreats from various quarters, as cyberwar is now the asymmetric weapon of choice for all threat actors. It is a low-cost-high-yield vector capable of inflicting targeted damage across sectors while enabling easy deniability.

Given this context, it is important to revisit the broad spectrum of cyberthreats, the reasons behind these threats, and the strategies that India needs to adopt in the near and long term to safeguard its interests and those of its citizens. The country’s sheer diversity and complexity demand that a bespoke approach be adopted instead of a one-size-fits-all approach while devising solutions for the Indian ecosystem.

The changing dynamics of the cyberthreat landscape in India

In the Indian context, the broad spectrum of cyberthreats may be classified into those impacting critical infrastructure, businesses and citizens.

Past cyberattacks on critical Indian infrastructure have included attempts on India’s ports, nuclear facilities and power utilities. These attacks have a severe impact given that the critical infrastructure serves large populations. In a recent attack in April 2022, cybersecurity researchers observed hackers penetrating the networks of at least seven Indian State Load Dispatch Centres (SLDCs)5 which are critical for maintaining grid frequency and stability, and access to supervisory control and data acquisition (SCADA) systems across the respective states for grid control and electricity dispatch.

While these attacks were countered, they had the potential to severely disrupt the power system. In the same month, hackers also attacked the headquarters of a large state-owned Indian hydrocarbon company and compromised some of its servers. Similarly, in July 2022, a prominent Indian regulator reported that e-mail accounts of its officials were hacked, and mails were sent from them; however, no loss of data was reported. As regulators possess extremely sensitive data, a data breach can prove very costly.

Threats impacting critical infrastructure

The Indian corporate sector has faced a slew of cyberattacks. The bulk of the attacks on corporate houses have been related primarily to ransomware and data theft. Some of the recent attacks include those on Indian companies in varied sectors, including pharmaceuticals, heavy engineering, online groceries, quick service restaurants, diagnostic labs, start-ups and finance portals. The ambit of the cyberattacks includes various types of incidents such as denial of service attacks, lost and stolen assets, basic web application attacks, privilege misuse, system intrusion, social engineering.

Data from International Data Corporation’s (IDC’s) India Ransomware Survey 20216 indicates that ransomware attacks can have a debilitating impact on companies and a third of the victims take a week or more to recover from such an attack.

Threats impacting businesses and the corporate sector

Source: IDC

A personal data breach can be broadly defined as a security incident that compromises the confidentiality, integrity or availability of personal data. The hackers deploy a range of techniques and tools to extract data from unsuspecting victims. These techniques include use of a fake website, phishing, collection of username and passwords, subscriber identity module (SIM) cloning, extraction of one-time-password (OTP), capturing of biometric data through fake apps, and collection of fake donations.

The data being targeted by hackers is primarily of two types:

  • financial data and
  • personally identifiable information (PII)

While users have some awareness of financial fraud, PII-related data and its potential for misuse is not fully understood by the masses, as there is limited awareness of data privacy as a concept. This results in a fair amount of PII, including biometric information such as fingerprints, iris scans and facial images, being shared without adequate precautions. This information, if compromised, can impede the privacy of citizens all through their lifetime. This serves to underscore the point that while significant investments are being made in Digital India initiatives, proportionate investments are needed to create user awareness and educate the masses.

Threats impacting citizens

Need for investments in the cybersecurity space

The cyber vulnerabilities in the Indian context primarily arise from inadequate investments in cybersecurity, be it in terms of investments in technology, building cybersecurity awareness or investing in strategic initiatives. As per the graph showing the trajectory of the Government of India’s (GoI’s) budget for cybersecurity, it is evident that there is an increasing trend in the budgeted amount. Incidentally, FY22 has been the first year when the actual amount exceeded the budgeted amount.7

This earmarked amount also needs to be viewed in relation to the spending by larger economies like the US, where the Government’s budget for civilian cybersecurity for FY22 was about USD 9.8 billion.

Cybersecurity spend by Government of India

Source: Business Standard

For many Indian businesses cybersecurity remains a non-productive cost centre as investments in cyber defence become rapidly obsolete, as cyberattacks improve in complexity and sophistication. Moreover, many organisations still follow a compliance-oriented approach to cybersecurity that is more of a tick in the box, rather than a risk-based approach. Coupled with the direct and indirect impact of a cyberattack, organisations often hesitate to divulge information related to cyberattacks and share the same with regulators and other institutions or even organisations in the same sector for fear of backlash and negative publicity.

Inadequate investments in cybersecurity and the above approach of businesses to this imminent threat serve to amplify the existing fault lines in the Indian cybersecurity landscape. The following are a few factors that need to be considered:

While India’s literacy rate currently stands at 77.7%,8 the worldwide numbers are several notches higher at 87%.9 Within India too, there are disparities pertaining to literacy that centre around the states, age group and gender. In states which have low literacy levels, cybersecurity awareness levels are correspondingly low. This lack of awareness and alertness regarding cyberthreats makes a large section of the Indian population vulnerable to cyberthreats.

The threat surface area in India is substantial owing to certain peculiarities of the Indian market. These include:

a) Increasing digitisation: Increasing digitisation along with the 5G roll-out, while aligned with the nation’s progress goals, also opens the door to increased cyberattacks with more connected devices, greater interconnectivity, and increased usage of the internet of things (IoT). All these factors expand the threat surface area and hence also result in increased potential for, as well as payoffs from, cybercrime. IoT devices pose risks of misuse, both in terms of malicious use of data and user profiling, resulting in violation of user privacy.

b) Extensive use of pirated software: A substantial proportion of the operating systems10 in use in India are pirated. Due to the lack of stringent enforcement of IP rules, and on account of the high price differential, users prefer to adopt pirated software. The pirated software leaves users vulnerable to malware and cyberattacks.

c) Extensive mobile usage for internet access: India is one of the world’s most dynamic mobile markets, adding 2.5 crore new smartphone users every quarter, with a monthly mobile data consumption rate of 12 gigabytes per user.11 More complex threats are now coming into play as cybercriminals continue to evolve as well as adapt their techniques to exploit the growing reliance on mobiles. India’s extensive mobile usage poses specific vulnerabilities, as 40% of the world’s mobile devices are inherently vulnerable to cyberattacks.

d) Use of hardware/software created and manufactured outside India: As various Indian installations and networks utilise hardware and software that has been created and manufactured outside India, there exists the risk of data leakage, remote surveillance or intentional introduction of a system malfunction through a remote connection. This risk is especially pronounced in sensitive industries such as telecom, power generation and distribution, and internet data centres where any such Trojan horse can have serious consequences. This risk is exacerbated by the fact that most cybersecurity-related hardware/software is also of foreign origin.

e) Third-party vendors who are especially vulnerable and can compromise the overall supply chain: India has a very large base of micro and small and medium enterprises (MSMEs). MSMEs play a critical role in the Indian economy and contribute to about 30% of the GDP and 40% of exports, and provide employment to over 11 crore people.12 Many MSME vendors may have IT systems that are not very robust but form a part of the overall supply chain of larger enterprises. These systems could inject vulnerabilities into the larger ecosystem, as any chain is as strong as its weakest link.

On account of its geography and its political stance, India also faces threats from various state-sponsored actors who have direct or tacit support from their respective governments. These attacks are especially powerful given the extensive machinery of the state and the fact that these hackers have far greater capabilities than rogue hackers.

The motives may be varied and can include espionage, sabotaging critical infrastructure or spreading disinformation. The asymmetry and economic and social disparities in India lead to powerful amplification of any such disinformation campaign. In incident after incident, security agencies have observed that the spread of disinformation in an increasingly interconnected world with real-time digital linkages can hurt sentiments and vitiate the economic landscape through its explosive non-linear spread. Using such actors is especially useful for enemy nation states as, on detection, they can distance themselves from such actors.

Cybersecurity-related disclosures in annual reports are few and far between, indicative of the fact that this aspect may not be receiving appropriate attention from investors and other stakeholders. Currently, the disclosures in annual reports are primarily focused on mentioning cybersecurity risks as a key risk in the Management Discussion and Analysis (MD&A) section, and indicate that these aspects are being discussed by the Risk Management Committee. Even among Nifty 50 Companies, there are a few in which there is no mention of cyber risks. Providing increased disclosures regarding cybersecurity in annual reports and other investor communication can help investors make an informed decision.

In this digital age, a nation’s IT infrastructure and the associated cybersecurity measures are of critical importance. While India faces a unique set of challenges on the cybersecurity front, it also has the intellectual wherewithal to devise creative solutions to address these problems. A PPP model can foster the development of solutions that cater to the whole of society, paving the way for a stronger and more secure India.


Sangram Gayal

Partner, Cyber Security, Mumbai, PwC India

+91 98 1919 7716


Sivarama Krishnan

Leader, APAC Cybersecurity & Privacy, Gurgaon, PwC India


Follow us

Required fields are marked with an asterisk(*)

By submitting your contact information you acknowledge that you have read the privacy statement and that you consent to our processing the data in accordance with that privacy statement including international transfers. If you change your mind at any time about wishing to receive material from us you can send an e-mail to