Cyber Security Laws Get Tougher, Yet 73% of Enterprises Are Unaware of Being Targeted

Surging global cyber threats are driving massive new investments and stricter regulations. While AI fuels both hyper-sophisticated attacks and critical defenses, a shocking 73% of Indian companies remain unaware of breaches.
- Escalating Threats & Regulatory Response: Cyber attacks are intensifying globally (India is the 2nd most targeted), driving significant new funding (e.g., EU’s €150B SAFE) and stringent regulations (e.g., India’s IRDAI 6-hour reporting, DPDPA with heavy fines), particularly burdening SMEs.
- AI: Double-Edged Sword & Awareness Gap: AI powers both sophisticated criminal attacks (hyper-personalized phishing, deepfakes, data-centric ransomware) and essential defenses, yet a critical awareness gap persists – 73% of Indian firms are unaware if they’ve been breached, compounded by poor cyber hygiene (57%).
- Converging Risks & Market Growth: Geopolitical tensions, complex supply chains, and rapid tech adoption create a volatile risk landscape. Key sectors (Healthcare, Hospitality, Banking) are prime targets, making supply chain vulnerabilities a top concern. This drives the cybersecurity market’s projected surge to $697B by 2035.
Rising geopolitical tensions, fractured supply chains, rapid technology adoption, and tougher regulations have transformed the cyber security landscape across the world. The European Union is planning massive investments, almost EUR 650 billion, in this sector as part of its increased defence spending (5% of its GDP). India, which is ranked as the second-most targeted nation, is tightening its laws: narrowing the reporting window in the event of any cyber incident, and increasing penalties for failing to have a suitable defence system or for missing reporting deadlines. The challenge, however, is that nearly three-quarters of companies are unaware of even being attacked.
The European Union is launching a EUR 150 billion loan instrument – Security Action for Europe (SAFE) – to help member countries invest in key defence areas like missile defence, drones, and cyber security. To enhance cyber security in the insurance sector, the Insurance Regulatory and Development Authority of India (IRDAI) introduced provisions in its ‘Information and Cyber Security Guidelines, 2023’ on 24 March 2025. These provisions address cyber incidents and crisis preparedness for insurance companies and intermediaries in India.
The Insurance Regulatory & Development Authority of India (IRDAI) tightened cyber security regulations for India’s insurance sector in May 2025. It requires insurers and intermediaries to report cyber incidents to IRDAI and the Indian Computer Emergency Response Team (CERT-In) within 6 hours of any cyber incident. The European Union norms require companies to report within 24 hours as an early warning and within 72 hours for a full incident notification.
Cyber criminals are now empowered with sophisticated AI tools, giving them greater ability to penetrate the defenses of target organizations. Simultaneously, tougher regulatory requirements around the world are adding a huge compliance burden for organizations, especially smaller companies. The scenario is worsened by a widening skills gap, which makes it extremely difficult to address cyber risks.
India was the second most targeted country globally for cyber attacks in 2024, with 95 entities suffering data theft incidents, according to CloudSEK’s ThreatLandscape Report 2024. AI is now a double-edged weapon, used both by malicious actors to launch attacks and by companies to defend themselves. AI-powered security platforms analyze vast amounts of data to detect threats faster and more accurately than humans alone. Nearly 66% of organizations expect AI to have the most significant impact on cyber security in 2025, according to a World Economic Forum report.
According to cyber security experts, one of the biggest challenges faced by organizations is the increasing complexity of the asset landscape, which gives cyber criminals far more weak spots through which to hack into organizations’ systems to steal data, demand ransom, or in general create major disruption. The weaponization of GenAI tools and the adoption of AI agents, while delivering business value to organizations, also enable these malicious actors to automate waves of incessant attacks on the organization’s defenses. AI has also armed cyber criminals with tools to design hyper-personalized and context-specific attack mechanisms that are nearly impossible to detect and protect against.
Robust attack surface discovery, the systematic process of identifying all possible points (hardware, software, network interfaces, and user interactions) where an attacker could potentially gain unauthorized access to a system or data, has become mission critical for organizations.
A Cyber Security Maturity Survey of Indian companies found that nearly 73% of organizations were unaware whether they had ever been attacked and that 57% lack cyber hygiene practices. GenAI has been weaponized to craft hyper-personalized phishing emails by scraping publicly available data from social media and corporate websites. There has been a surge in fraud cases where AI-simulated voices mimicked executives to authorize fraudulent transactions, showcasing the alarming precision of these tools. Data-centric ransomware represents a strategic shift in attacker priorities: adversaries now use AI to identify and exfiltrate high-value data, threatening public disclosure unless ransoms are paid, rather than merely encrypting information.
The DPDPA (Digital Personal Data Protection Act) mandates stringent safeguards for AI training datasets, requiring explicit consent for data collection and imposing severe penalties. The Act has placed a huge compliance burden on companies, especially SMEs. It imposes stringent requirements: explicit consent management, appointment of Data Protection Officers, maintaining detailed audit logs, and robust grievance redressal mechanisms.
According to the Data Security Council of India’s Cyber Threat Report 2025, India faced significant malware activity. In 2024, India recorded 369.01 million malware detections across 8.44 million endpoints, averaging 702 detections per minute. Healthcare was the most targeted sector (21.82% of attacks, up from 15% in 2023), driven by medical data’s high value and healthcare systems’ critical nature, which increase the likelihood of ransom payment. Hospitality (19.6%) and banking (17.4%) were also heavily targeted due to their handling of large volumes of personal and financial data.
The DPDPA Act, 2023 enforces strict penalties, going up to Rs250 crore, for violations ranging from failing to implement security safeguards to non-reporting of breaches. It mandates explicit user consent before processing personal data, requiring companies to redesign interfaces for clear, informed consent processes. Organizations must provide simplified notices detailing data usage and storage, and implement mechanisms allowing users to withdraw consent at any time. These requirements are particularly burdensome for small businesses and startups, which may lack the resources and expertise to comply fully.