India ranked among the top three targets for ransomware attacks in Asia-Pacific in the first half of 2025, logging 21 incidents, trailing only Taiwan and Singapore, according to Cyble’s recent report. Information technology, banking, financial services and insurance (BFSI), and manufacturing were the most affected sectors.
Shadow AI: The silent breach multiplier
While ransomware may be grabbing headlines, the deeper systemic vulnerabilities within organisations run wider. IBM’s recent report pegged the average cost of a data breach in India at ₹22 crore—up 13% from ₹19.5 crore in 2024. Companies that deployed AI and security automation were able to cut breach costs by over half. Yet, 73% of organisations reported limited or no use of these technologies.
A key reason is the rise of “Shadow AI”—the use of AI tools by employees without IT or compliance oversight. IBM identified Shadow AI as one of the top three cost drivers of breaches in India, adding ₹1.8 crore per incident on average. Still, fewer than half the organisations surveyed had any policy in place to manage or detect it.
Governance continues to lag. Nearly 60% of organisations either lack an AI governance policy or are still drafting one. Of those that have policies, only a third have implemented enforcement technologies, the IBM report noted.
The real cost of poor visibility
But the threat extends beyond just AI. Indian companies also struggle with visibility into their overall cybersecurity exposures—misconfigurations, unpatched systems, unprotected custom applications, and even human error. A report by cybersecurity firm Infopercept found that 84% of chief information security officers (CISOs) admitted they lacked full visibility into these vulnerabilities.
“Exposures are not attacks, but they are open doors for attackers. And most companies are leaving those doors wide open,” the report stated.
The broader issue, experts say, is the disconnect between cybersecurity operations and business impact.
“You may have over 5,000 vulnerabilities in your environment, but in reality, only 50 of them matter most from a business risk point of view. The real gap is a lack of business context in cybersecurity decision-making,” said Purvang Raval, AVP, product marketing, Infopercept.
Raval added that organisations also lack a unified approach to cybersecurity categorisation—especially when it comes to AI. “There are two distinct concerns—security with AI and security for AI. Most companies are failing at both.”
He also flagged another blind spot: employee awareness. “We’re not talking about basic awareness programmes. Gen Z employees, in particular, need to be educated—really educated—on AI risks and digital accountability.”
