
The False Sense of Security: Why 73% of Indian Companies Think They're Protected (But Aren't)

Updated: May 06, 2026


There is a particular kind of danger in business. Not the danger of knowing your building is on fire and choosing to stay inside. The danger of sitting comfortably in a burning building because nobody told you it was on fire, because the smoke detector hasn't gone off, and because everything on your desk looks perfectly normal. 

That is the cybersecurity situation at the majority of Indian enterprises in 2026. 

The Data Security Council of India's Cyber Threat Report 2025 contains a finding that should have made front pages. In a maturity survey of organisations of varying sizes and sectors across the country, 73% of Indian organisations said they were unaware of whether they had ever been attacked. Not that they hadn't been attacked. That they didn't know. They could not confirm it either way — a distinction that is, in practice, worse. 

A separate study, Cisco's 2025 Cybersecurity Readiness Index, based on 8,000 business leaders across 30 global markets, found that only 7% of Indian organisations have the mature security controls needed to withstand today's threats. Eight out of ten anticipate a significant breach-related disruption within the next two years. 

Read those numbers together. A near-certainty of disruption. A three-in-four chance you wouldn't know it had already happened. 

This is the false sense of security. It doesn't look like complacency. It looks like a reasonable IT manager who has a firewall, an antivirus subscription, a corporate password policy, and has perhaps recently sat through a cybersecurity awareness session. It looks like a CISO who has filed compliance reports, passed an audit, and has a folder on their desktop labelled "Incident Response Plan." It looks, from the outside, like an organisation that is doing the things organisations are supposed to do. 

And it is, in the most operationally dangerous way imaginable, not enough. 

In Brief 

73% of Indian organisations cannot confirm whether they have been attacked, according to DSCI's 2025 Cyber Threat Report. Only 7% have achieved mature cybersecurity readiness, per Cisco's 2025 Index. The gap is not about investment — 93% of Indian executives are increasing cybersecurity budgets. The gap is between the controls organisations believe are protecting them and what those controls actually cover. Partial MFA, perimeter-only thinking, compliance-as-security, and inadequate logging are the four operational patterns that explain why Indian enterprises keep getting breached despite spending more. This piece maps the illusions, documents the evidence, and explains what closing the gap actually requires. 

Why Indian Cybersecurity Spending Isn't Translating Into Protection 

Indian organisations are spending more on cybersecurity than ever before, yet 73% cannot confirm whether they have been breached, and only 7% have achieved mature readiness. The gap is not a funding problem. It is an architecture problem. Organisations are investing in controls designed for a threat model that no longer reflects how attacks actually happen. Firewalls protect against perimeter attacks. MFA protects the applications it is deployed on. Compliance audits verify documentation, not operational effectiveness. The result is genuine investment producing genuine protection — but only for a fraction of the actual attack surface. 

PwC's 2025 Digital Trust Insights survey found that 93% of Indian executives anticipate increasing their cybersecurity budgets. India's cybersecurity market sits at $5.56 billion in 2025, growing at 18% annually. Boards have woken up to cyber risk — 61% of Indian executives now rank it as their top risk mitigation priority. 

Money is going in. Awareness is going up. Breaches keep happening. 

According to Cisco's 2025 Cybersecurity Readiness Index, 84% of Indian organisations report that deploying more than ten point security solutions is actively impeding their ability to respond swiftly to threats, a direct consequence of perimeter-based, tool-by-tool security spending that adds layers without closing gaps. 

India recorded 2.27 million cybersecurity incidents in 2024, according to CERT-In's annual report. Financial cyber fraud losses reported on the National Cyber Crime Reporting Portal reached Rs.36,450 crore as of February 2025, largely driven by phishing-led UPI fraud, AI-assisted social engineering, SIM swap attacks, and deepfake-enabled scams. 

Furthermore, less than 9% of sensitive cloud data in Indian organisations is encrypted, and only a small fraction can detect or remediate breaches within the first hour, according to Check Point Research's 2025 India threat analysis. 

These are not statistics about other countries, other industries, or other sizes of company. The organisations behind them are, with mounting frequency, companies that were spending on security, companies that had IT departments, companies that believed they were protected. 

The question worth asking is not whether Indian enterprises face cyber risk. They clearly do. The question is why spending more hasn't meant getting breached less — and what the actual gap is between the security controls organisations have deployed and the protection those controls actually provide. 

The Five Cybersecurity Illusions Leaving Indian Enterprises Exposed

Illusion 1: "We Have a Firewall, So We're Protected" 

The mental model that most IT security spending is still built around — the network perimeter, the firewall, the intrusion detection system, the DMZ — dates from an era when corporate data lived inside corporate walls, and the threat was someone trying to climb over them. 

That era ended when organisations moved to Microsoft 365. When they deployed cloud applications. When they allowed remote work. When they gave third-party vendors access to internal systems. When their employees started connecting from home, from hotels, from personal phones. 

The perimeter is no longer a useful concept. It is not that the walls are weakened — it is that there are no walls. There is only a continuously shifting collection of users, devices, applications, and data flows that extends from a server room in Pune to a home internet connection in Bengaluru to a vendor's laptop in Ahmedabad. 

In this environment, a firewall is a necessary control that is also categorically insufficient. It protects against a class of attacks that is no longer the dominant attack vector. Identity-based attacks — credential theft, phishing, account compromise — are now the primary entry point for the majority of successful breaches. The attacker doesn't go over the wall. They log in. 

The fix is not a better firewall. It is a security model that assumes the perimeter has already been breached and enforces verification at the identity layer, on every access request, regardless of where it originates. 

Illusion 2: "We Have MFA, So Credential Attacks Can't Touch Us" 

Multi-factor authentication is the single most effective technical control against credential-based attacks. Microsoft's own research suggests it blocks over 99% of automated credential attacks. The problem is not MFA as a concept. The problem is the gap between "having MFA" and "having MFA that covers your actual attack surface." 

The DSCI survey found that 57% of Indian organisations lack basic cyber hygiene practices. One of the most common manifestations is partial MFA deployment: Microsoft 365 is protected, but the Cisco VPN is not. Cloud applications have MFA, but the on-premises ERP authenticates against Active Directory with just a username and password. The executive team is enrolled, but contractors and third-party vendors, who often have the broadest access to the most sensitive systems, are not. 

An attacker doesn't need to breach your most protected application. They need to find the one that isn't covered. In most Indian enterprise environments, that application is not difficult to find. 

There is a second dimension to this illusion that has become the credential attacker's tool of choice: MFA fatigue, also called push bombing. When an attacker has a stolen password, and the target uses push-notification MFA, the attack is straightforward. Send repeated push approval requests at two in the morning. The user gets ten notifications. They approve the eleventh to make it stop. The attacker is in, and the MFA log shows an approved authentication. It looks clean. 

This is not a hypothetical. The 2022 Uber breach, a company with a mature security programme, was executed this way. The 2023 MGM Resorts breach, which cost over $100 million in operational disruption, was executed this way. The attack doesn't break MFA. It abuses the specific implementation most Indian organisations have deployed: the basic push notification model that treats user approval as sufficient proof of identity. 

The fix is phishing-resistant MFA — specifically, methods that cannot be defeated by push fatigue — deployed across every application and access point, not just the Microsoft perimeter. 

Illusion 3: Compliance on Paper Is Not the Same as Security in Practice 

Regulatory compliance has a specific and limited relationship with security. It is a floor, not a ceiling. It tells you the minimum controls your sector's regulator considers necessary. It does not tell you whether those controls are implemented correctly, consistently, across your full environment, and in a way that would actually withstand an active attack. 

The CERT-In directive requiring organisations to report cybersecurity incidents within six hours is well-intentioned and overdue. Research has found that only 10% of companies currently adhere to this requirement. Compliance with the compliance regime is itself at 10%. 

RBI has issued cybersecurity frameworks, inspection guidelines, and penalty frameworks for banks and NBFCs. It issued Rs.54.78 crore in penalties to 353 regulated entities in FY 2024-25 alone. The banks being penalised were not unaware of the frameworks. They had compliance departments. They had filed returns. The gap was between documented controls and actual operational implementation. 

DPDP Act compliance creates a similar dynamic. The Act requires "reasonable security safeguards." Every credible legal reading of what that means in 2026 cites MFA, access controls, encryption, and incident response capability as baseline requirements. But the standard is "reasonable" — meaning if a breach occurs, the question will not be "did you have a policy?" It will be "did the policy work, and how do you know?" 

An organisation that passes an audit by presenting documentation of its security controls, but where those controls don't cover the full authentication surface, don't generate adequate logs, or don't extend to contractor and third-party access, is not compliant in any meaningful sense. It is compliant on paper, which is a different thing, and a thing that regulators are becoming significantly less patient with. 

The fix is treating compliance as a floor, not a ceiling, and supplementing audit documentation with operational monitoring that can detect anomalies in real time. 

Illusion 4: "Our Industry Isn't Interesting Enough to Attack" 

The assumption that manufacturing companies, mid-market IT services firms, or consumer goods companies are not attractive targets is incorrect. They are attractive precisely because their defences are typically weaker than BFSI, their incident response capability is typically less developed, and their data (customer records, employee information, and operational systems) has a ready market on the dark web and significant ransomware leverage potential. 

Check Point Research found India faces over 2,000 cyberattacks per organisation per week in 2025. This is not a targeted figure representing attacks on banks and defence establishments. It is an across-the-board average that includes the Pune auto parts manufacturer, the Bengaluru IT services firm, and the Chennai logistics company. 

The fix is accepting that the industry vertical is irrelevant to attacker economics. Any organisation with data, operations, or supply chain access that can be monetised is a target. 

Illusion 5: "Our Security Team Would Know If We'd Been Breached" 

This is the most uncomfortable illusion because it challenges something fundamental about how organisations understand their own capabilities. 

The DSCI finding — 73% of Indian organisations are unaware of whether they have been attacked — does not mean these organisations had no security teams. It means their security teams lacked the visibility, tooling, or logging capability to definitively answer the question. That is different, and in many ways worse. A company that knows it has no security team knows it is unprotected. A company that has a security team and still cannot tell you whether it has been breached has a false sense of protection that shapes resource allocation, board reporting, and risk appetite in actively dangerous ways. 

Modern attackers don't announce themselves. The average dwell time — the period between initial compromise and detection — in Indian enterprise environments is measured in weeks or months, not hours. An attacker who compromises credentials through a phishing campaign on a Monday may spend three weeks quietly mapping your network, identifying your backup systems, escalating privileges, and exfiltrating data before you are aware of their presence. The attack that makes the news is the ransomware deployment on a Friday afternoon. The invisible part — the reconnaissance, the access establishment, the data theft — happened in the quiet weeks before. 

If your security controls don't generate the logs, if your monitoring systems don't have the coverage, if your identity infrastructure doesn't alert on anomalous authentication patterns, you will not know. And the 73% figure tells you that three-quarters of Indian organisations are in exactly that position. 

The fix is centralised logging, real-time anomaly detection on authentication events, and a defined process for answering the question: has anything unusual happened in our environment in the past 30 days? 
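As an added example (not code from the original article), here is the kind of detection logic Illusion 2 and Illusion 5 call for: a check run over constructed authentication log lines that flags a burst of push prompts to one user, whether one of them was eventually approved, and whether it happened outside business hours. The log format, the thresholds and the IST working hours are assumptions; a real identity provider's events would be mapped to the three event types first.

```python
"""Detect MFA push-fatigue (push bombing) patterns in authentication logs.

Added example, not code from the original article. It assumes a simple
line-oriented log format (constructed below) with one MFA event per line:
    <ISO-8601 UTC timestamp> user=<id> event=<push_sent|push_denied|push_approved> ip=<src>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds: more than MAX_PROMPTS push prompts to one user inside
# WINDOW is abnormal for a human; an approval after such a burst, especially
# outside working hours, is the push-bombing signature described above.
WINDOW = timedelta(minutes=10)
MAX_PROMPTS = 5
IST = timezone(timedelta(hours=5, minutes=30))
BUSINESS_HOURS = range(8, 20)  # assumed local working hours, 08:00-19:59 IST

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) "
                     r"event=(?P<event>push_sent|push_denied|push_approved) ip=(?P<ip>\S+)$")

# Constructed sample: alice is bombed at 02:03 IST and gives in; bob is a
# normal daytime login; carol is bombed during the day but never approves.
SAMPLE_LOG = """\
2026-05-04T20:33:00Z user=alice event=push_sent ip=203.0.113.10
2026-05-04T20:33:20Z user=alice event=push_denied ip=203.0.113.10
2026-05-04T20:34:00Z user=alice event=push_sent ip=203.0.113.10
2026-05-04T20:35:00Z user=alice event=push_sent ip=203.0.113.10
2026-05-04T20:36:00Z user=alice event=push_sent ip=203.0.113.10
2026-05-04T20:37:00Z user=alice event=push_sent ip=203.0.113.10
2026-05-04T20:38:00Z user=alice event=push_sent ip=203.0.113.10
2026-05-04T20:38:30Z user=alice event=push_approved ip=203.0.113.10
2026-05-05T04:10:00Z user=bob event=push_sent ip=198.51.100.7
2026-05-05T04:10:15Z user=bob event=push_approved ip=198.51.100.7
2026-05-05T09:00:00Z user=carol event=push_sent ip=203.0.113.10
2026-05-05T09:00:30Z user=carol event=push_sent ip=203.0.113.10
2026-05-05T09:01:00Z user=carol event=push_sent ip=203.0.113.10
2026-05-05T09:01:30Z user=carol event=push_sent ip=203.0.113.10
2026-05-05T09:02:00Z user=carol event=push_sent ip=203.0.113.10
2026-05-05T09:02:30Z user=carol event=push_sent ip=203.0.113.10
2026-05-05T09:03:00Z user=carol event=push_denied ip=203.0.113.10
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "user": m["user"], "event": m["event"], "ip": m["ip"]}


def detect_push_fatigue(lines, window=WINDOW, max_prompts=MAX_PROMPTS):
    """Return one finding per user whose prompts exceed max_prompts in a window."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_user[ev["user"]].append(ev)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        prompts = [e["ts"] for e in events if e["event"] == "push_sent"]
        for i, start in enumerate(prompts):  # sliding window over prompt times
            end = start + window
            burst = [t for t in prompts[i:] if t <= end]
            if len(burst) <= max_prompts:
                continue
            approved = any(e["event"] == "push_approved" and start <= e["ts"] <= end
                           for e in events)
            findings.append({
                "user": user,
                "prompts_in_window": len(burst),
                "approved": approved,                       # user gave in to the burst
                "off_hours": start.astimezone(IST).hour not in BUSINESS_HOURS,
                "severity": "high" if approved else "medium",
            })
            break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG):
        print(f)
```

Number-matching or FIDO2 authenticators remove the "approve to make it stop" path entirely; until they are deployed everywhere, a rule like this over centralised authentication logs is what turns "we don't know" into a definitive answer.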

What the Cybersecurity Gap Actually Looks Like in Indian Enterprises 

Abstract statistics are useful for establishing that a problem exists. They are less useful for understanding what the problem looks like in an organisation you could recognise. Here is what the false sense of security looks like in practice across the three sectors where we see it most clearly. 

In a mid-market Pune manufacturer: The IT team has deployed Microsoft 365 with MFA for office staff. The shop floor runs a legacy MES system on machines that haven't been patched in years because the vendor no longer supports updates. The Cisco VPN that remote engineers use to access plant systems has a shared password that three contractors also know. The ERP system authenticates via on-premises Active Directory with no second factor.  

The firewall logs are reviewed manually, weekly, if there is time. The IT manager is one person managing 40 systems. The last security audit was eighteen months ago. The company has ISO 9001 certification and is proud of its quality management. It has no equivalent for information security. This profile is not unusual — Check Point Research reported that manufacturing was India's second most attacked industry in 2024, averaging over 2,100 attacks per organisation per week. 

In a 200-person Bengaluru IT services firm: Security is taken seriously here. There is a part-time CISO. There is an endpoint protection suite. There is a managed SOC subscription. Microsoft 365 has Conditional Access configured by a consultant two years ago and not reviewed since. The company's largest client — a US financial services firm — has recently asked for evidence of SOC 2 Type II compliance.  

Three developers have admin rights to the production environment. Two of them have left the company. Their Active Directory accounts were disabled, but their access to the cloud infrastructure repository was not revoked because nobody mapped the two systems. An attacker who phished a current employee's credentials last month has been in the repository for four weeks. The mechanism is not hypothetical — infostealer malware compromised over 44,000 Windows systems in Indian enterprise environments between March and May 2025 alone, harvesting credentials silently before any alert fires. 

In a Delhi NCR NBFC: The organisation has filed its RBI cybersecurity framework documentation. It has policies for password complexity, access reviews, and incident response. The policies are three years old. Employee turnover is 30% annually, and access de-provisioning is handled manually. The core banking system sits behind a VPN that requires only a password for internal network users, because "it's already inside the network."  

The IT team believes the internal network is trusted. The concept of zero trust security — verify every user, every device, every time, regardless of where the request originates — has been discussed in a board presentation but has not been operationalised. The next RBI inspection is six months away. It may arrive before the breach does, but that is little comfort: RBI penalised 353 regulated entities Rs.54.78 crore in FY 2024-25 for cybersecurity and compliance failures, and the firms penalised were not ones without documentation. They were ones whose documentation did not match their operational reality. 

How Indian Enterprises Can Close the Cybersecurity Confidence Gap 

Diagnosing the problem at length without direction would be irresponsible. Here is what the research, and 35 years of deploying security infrastructure across Indian enterprises, tells us actually moves the needle. 

Identity is the new perimeter, and it must be treated accordingly. The single highest-impact security control for the current threat landscape is comprehensive MFA — not partial MFA on selected applications, but MFA enforced across every application, system, and access point where authentication occurs. This includes the VPN, the ERP, the legacy applications, the infrastructure, and the contractor access. Cisco's 2025 Cybersecurity Readiness Index weights Identity Intelligence at 25% — the highest of its five pillars — for a reason. Identity security is where breaches begin, and where they can most cost-effectively be prevented. 

Phishing-resistant MFA is the 2026 standard. This means moving beyond basic push notifications to methods that cannot be defeated by fatigue attacks — Verified Push with real-time number matching, FIDO2 hardware keys, or passkeys. RBI's revised Authentication Directives are pointing Indian financial institutions in exactly this direction. 

Device trust must accompany identity security. Knowing who is logging in is necessary but not sufficient. Knowing whether the device they are logging in from meets basic security standards (current OS, encrypted storage, and active endpoint protection) is the second layer. An organisation that enforces strong MFA on all its applications but allows access from an unpatched personal device has closed one door and left another open. 

Visibility must be genuine, not documentary. Passing an audit requires documentation. Detecting a breach requires real-time logging, anomaly detection, and someone who is actually looking at the data. The 73% who don't know if they have been attacked are not ignorant — they are under-instrumented. Authentication logs, access logs, endpoint telemetry, and network flow data must be centralised, retained, and monitored. Not reviewed manually on Friday afternoons. Monitored, with alerts that fire when something deviates from normal patterns. 

Zero trust security is not a product. It is an operating principle. The zero trust security model — never trust, always verify; assume breach; least-privilege access — is not a technology you purchase. It is an architecture you build. It means that access to every resource is granted based on verified identity, device health, and contextual risk signals, every time, regardless of where the request originates. It means your internal network is not trusted by default. It means contractors don't have access they don't need. It means former employees don't have access at all. 

Achieving genuine cyber resilience in India's current threat environment does not require rebuilding everything at once. It requires an honest assessment of where your controls actually stop, and a deliberate plan for closing the distance between your documented posture and your operational one. 
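As an added example (not the article's or Proactive Data Systems' tooling), here is an assessment script that does the two checks this section asks for: where MFA actually stops across the authentication surface, and whether accounts the directory has disabled still hold access in systems nobody mapped to it, the situation in the Bengaluru scenario above. All inventory, directory and grant data is constructed, and the MFA method labels and severity rules are assumptions.

```python
"""Authentication-surface and orphaned-access assessment (added example)."""

# Assumed labels for MFA methods that cannot be defeated by push fatigue.
PHISHING_RESISTANT = {"number_match", "fido2", "passkey"}

# Constructed inventory: one entry per place where authentication happens.
ACCESS_POINTS = [
    {"name": "Microsoft 365", "mfa": "push", "sensitive": True, "contractors": False},
    {"name": "Cisco VPN", "mfa": "none", "sensitive": True, "contractors": True},
    {"name": "On-prem ERP (AD)", "mfa": "none", "sensitive": True, "contractors": False},
    {"name": "Cloud infra repository", "mfa": "number_match", "sensitive": True, "contractors": False},
    {"name": "Shop-floor MES", "mfa": "none", "sensitive": False, "contractors": True},
]

# Constructed directory export: account status is the source of truth.
DIRECTORY = {"priya": "active", "rahul": "disabled", "meera": "disabled", "vendor01": "active"}

# Constructed per-system grants, as exported from each system's own admin console.
GRANTS = {
    "Cloud infra repository": {"priya": "admin", "rahul": "admin", "meera": "admin"},
    "Cisco VPN": {"priya": "user", "vendor01": "user", "rahul": "user"},
    "Microsoft 365": {"priya": "user"},
}


def assess_mfa_coverage(access_points):
    """Flag access points with no MFA, fatigue-prone MFA, or weak third-party access."""
    findings = []
    for ap in access_points:
        if ap["mfa"] == "none":
            sev = "critical" if ap["sensitive"] or ap["contractors"] else "high"
            findings.append((sev, ap["name"], "no MFA enforced"))
        elif ap["mfa"] not in PHISHING_RESISTANT:
            findings.append(("high", ap["name"], f"{ap['mfa']} MFA is susceptible to push fatigue"))
        if ap["contractors"] and ap["mfa"] not in PHISHING_RESISTANT:
            findings.append(("high", ap["name"], "third-party access without phishing-resistant MFA"))
    return findings


def find_orphaned_access(directory, grants):
    """Grants still held by accounts the directory marks disabled or does not know."""
    orphans = []
    for system, holders in grants.items():
        for user, role in holders.items():
            status = directory.get(user, "unknown")
            if status != "active":
                orphans.append((system, user, role, status))
    return sorted(orphans)


def coverage_summary(access_points):
    """How far MFA actually reaches across the inventory, as plain counts."""
    return {
        "access_points": len(access_points),
        "any_mfa": sum(1 for ap in access_points if ap["mfa"] != "none"),
        "phishing_resistant": sum(1 for ap in access_points if ap["mfa"] in PHISHING_RESISTANT),
    }


if __name__ == "__main__":
    print(coverage_summary(ACCESS_POINTS))
    for finding in assess_mfa_coverage(ACCESS_POINTS):
        print("MFA:", *finding)
    for orphan in find_orphaned_access(DIRECTORY, GRANTS):
        print("ORPHAN:", *orphan)
```

The value of the exercise is in the reconciliation, not the counts: a disabled AD account that still holds admin on the repository is exactly the gap an audit of each system on its own does not surface.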

Is Your Organisation Carrying a False Sense of Security? 

The DSCI finding about 73% of organisations not knowing if they've been attacked is not a global average that may not apply to you. It is an India-specific figure drawn from Indian organisations across sectors, including the ones you operate in. 

The question it should prompt is straightforward: if your CISO or IT Manager were asked tomorrow — not in a board presentation, not with time to prepare, but right now — whether your organisation has been compromised in the past twelve months, could they give you a definitive answer? Not a confident one. A definitive one, backed by logs and monitoring data to support it. 

If the answer is "I'm not sure," or "I believe not, but I can't confirm," or "I'd need to check with the team" — that uncertainty is the false sense of security. Not incompetence. Not negligence. A gap between what the organisation believes its security controls are doing and what they are actually providing. 

Closing that gap starts with an honest assessment of your authentication surface, your logging and monitoring capability, and the distance between your documented security posture and your operational one. It is not a comfortable exercise. But it is significantly less uncomfortable than the alternative. 

The Proactive Perspective 

We have been deploying security infrastructure across Indian enterprises for 35 years. In that time, the threat has changed beyond recognition, and the single most consistent pattern we observe is this: the organisations that get breached are not, in most cases, organisations that ignored security. They are organisations that believed — with genuine confidence and reasonable evidence — that they had done what was necessary. 

The false sense of security is not born of carelessness. It is born of deploying the right controls for a threat model that no longer reflects the current attack landscape, and not having the visibility to know the difference. 

We work with mid-market and enterprise organisations across BFSI, manufacturing, IT/ITeS, and GCC sectors to close the gap between documented security posture and operational reality. That begins with an honest assessment — not a sales conversation, not a product demonstration, but a structured review of your authentication surface, your identity security maturity, and where the gaps are. 

If your organisation cannot definitively answer whether it has been compromised in the past year, that is where we start. 

Proactive Data Systems has been deploying enterprise IT infrastructure and security solutions across India since 1990. We are a Cisco Preferred Partner — one of fewer than a handful in India to hold the Preferred designation across Security, Networking, Collaboration, Cloud & AI, and Services.

Frequently Asked Questions

The gap is architectural, not financial. Most Indian enterprise security investment has gone into perimeter controls — firewalls, antivirus, endpoint protection — designed to stop attacks at the network boundary. Modern attacks don't come through the boundary. They come through compromised credentials, phished employees, and unprotected applications that sit outside the organisation's primary MFA policy. Spending more on the wrong architecture produces more sophisticated protection against an attack vector that is no longer dominant.

Cisco's Readiness Index categorises organisations across five pillars — Identity Intelligence, Network Resilience, Machine Trustworthiness, Cloud Reinforcement, and AI Fortification — based on the deployment stage of 31 specific security solutions. A "Mature" organisation has deployed solutions across all five pillars at a level sufficient to withstand today's threat landscape. Only 7% of Indian organisations qualify. A further 56% fall into the "Formative" or "Beginner" categories, meaning they have begun deploying some controls but remain significantly under-protected against current attack techniques.

Compliance means satisfying the documented requirements of a regulatory framework — RBI, SEBI, CERT-In, DPDP Act. Security means having controls that actually prevent, detect, and respond to attacks. The two overlap substantially but are not identical. An organisation can pass an audit by presenting evidence of policies, configurations, and access controls that, in practice, don't cover its full environment, don't generate usable logs, or haven't been tested against real attack scenarios. The DSCI finding that 73% of Indian organisations cannot confirm if they've been attacked is the clearest evidence of this gap — many of these organisations are compliant on paper and under-protected in practice.

Start with three questions. First: can your CISO confirm, with supporting log data, whether any unauthorised access occurred in your environment in the past 90 days? Second: does your MFA policy cover every application and system that holds sensitive data, or only your Microsoft applications? Third: if a contractor or former employee whose credentials were not properly revoked attempted to access your systems today, would your monitoring detect it? If the honest answer to any of these is "I'm not sure," that uncertainty is the false sense of security.

MFA fatigue is an attack technique where a threat actor with a stolen password sends repeated push notification approval requests to the legitimate user until they approve one. It was the attack method behind the 2022 Uber breach and the 2023 MGM Resorts incident. It is relevant to Indian enterprises because the most common form of MFA deployed in India — basic push notification approval — is vulnerable to this technique. Phishing-resistant alternatives, such as Verified Push, which requires a real-time number match, or FIDO2 hardware keys, prevent this attack entirely.

The Digital Personal Data Protection Act 2023 does not name MFA explicitly. It requires data fiduciaries to implement "reasonable security safeguards" to protect personal data. Given the current regulatory environment — where RBI, SEBI, and CERT-In all explicitly require or strongly recommend MFA for access to sensitive systems — any credible interpretation of "reasonable safeguards" in 2026 includes MFA for systems handling personal data. An organisation that suffers a breach of personal data without MFA controls in place will face significant difficulty demonstrating compliance with this standard.
