Nearly 65% of Indian enterprises paid ransoms to recover data while dealing with cybersecurity attacks, according to a study by global cybersecurity firm Sophos. The average ransom demand clocked in at $4.8 million (roughly Rs 40 crore), while the median payment came in around $2 million (roughly Rs 17 crore). Moreover, it took an additional $1.35 million (around Rs 11 crore), on average, to recover the data.
This, cybersecurity experts said, reiterates the state of readiness of Indian enterprises in combating cybersecurity threats, and that nearly 60% of Indian companies will be found functioning under the cybersecurity poverty line.
While there is no textbook definition, the term refers to the preparedness of an enterprise to deal with cybersecurity issues. “The term ‘cybersecurity poverty line’ refers to the level at which an organisation lacks the basic resources and tools necessary to protect itself from cyber threats. Companies below this line cannot afford proper cybersecurity measures like up-to-date software, skilled personnel, cybersecurity partners or advanced technologies. As a result, they are more vulnerable to attacks, leading to higher risks of data breaches or financial losses,” Sunil Sharma, vice president – sales, Sophos India and SAARC, explained.
The term cybersecurity poverty line, coined by Cisco’s head of advisory CISOs Wendy Nather in 2013, is once again gathering steam among Indian enterprises as they continue to grapple with the consequences of cyber-attacks.
Pramod Gummaraj, founder and CEO, Aprecomm, added that there are multiple parameters that decide where a company stands in terms of the cybersecurity poverty line – the investments made towards protecting the networks, the awareness raised among employees and the culture of an organisation, among others.
“Right now, incidents are primarily driving cybersecurity measures, that is to say once a firm is impacted, they jump into action. This is one of the reasons almost 60% of Indian enterprises are under the cybersecurity poverty line,” Chetan Jain, founder and managing director, Inspira Enterprise, a global cybersecurity and data analytics firm, said.
Jain added that at most 4% of Indian enterprises currently have the requisite cybersecurity structure to ward off potential attacks and protect data.
According to a report by the Reserve Bank of India (RBI) on currency and finance, unauthorised network scanning, probing and vulnerable services accounted for more than 80% of all security incidents in India in 2023. It added that the most common attacks in India are phishing (22%), followed by stolen or compromised credentials (16%). The security incidents handled by the Indian Computer Emergency Response Team (CERT-In) have increased from 53,117 in 2017 to around 1.32 million during the period January-October 2023.
While most of the firms falling below the cybersecurity poverty line are small to medium enterprises, bigger firms are also not as prepared for cyber-attacks.
“The high cost of breach indicates bigger organisations are also victims as their loss of breach is way ahead of smaller organisations. This also means that only cybersecurity technology investments cannot help,” Jaydeep Ruparelia, CEO, Infopercept Consulting, mentioned.
Beyond investing in cybersecurity measures, enterprises also need to ramp up awareness drives, and education among employees and partners, the experts said.
“One option is to penalise lax cybersecurity, as is the case in Europe with the stipulations set forth in the General Data Protection Regulation (GDPR). The other is to subsidise cybersecurity products and services,” Gummaraj said.
Under GDPR, in effect in Europe, an enterprise can be fined as much as €20 million, or 4% of its annual turnover (whichever is greater), if found violating data privacy and protection regulations. In 2021, global e-commerce giant Amazon was slapped with a fine of €746 million when found violating GDPR rules.
Apart from this, a structural change in the way cybersecurity is looked at within enterprises is the need of the hour, Jain said. “If Indian enterprises are to be brought above this poverty line, they have to look at cybersecurity expenses as part of their operational expenditure rather than a one-time capital expenditure. Technology is dynamic and constant investments are required to keep up with security measures,” he added.