The State of Identity Security in Indian Enterprises
India's enterprises are not as protected as they think they are.
The 2026 Report on Identity Security in Indian Enterprises
India recorded 2.27 million cybersecurity incidents in 2024, according to CERT-In’s Annual Report. Seventy-three percent of Indian organisations are unaware of whether they have been attacked, according to DSCI’s India Cyber Threat Report 2025. Four regulatory frameworks (SEBI CSCRF, CERT-In CISG-2025-02, RBI Authentication Directions 2025, and DPDPA 2023) now require identity security controls for Indian enterprises, with three already in force. Seven percent of Indian organisations have reached mature cybersecurity readiness. The gap between current posture and what regulators, attackers, and clients now expect is the subject of this report.
2.27 million cybersecurity incidents in a single year. Four regulatory frameworks now in force. And 73% of Indian organisations unaware of whether they have ever been attacked.
This report maps where the gaps actually are, by sector, by attack type, and by the specific controls that are missing. It is built from CERT-In, DSCI, Cisco, and Proactive deployment data across IT/ITeS, BFSI, Manufacturing, and Healthcare in India. It does not make comfortable reading.
Published by Proactive Data Systems Pvt Ltd, a Cisco Preferred Security Partner holding Preferred designation across Security, Networking, Collaboration, Cloud and AI, and Services. One of the few partners in India to hold this designation across all five portfolios. Proactive has deployed enterprise infrastructure across Indian organisations since 1991.
Key Findings
India recorded 2.27 million cybersecurity incidents in 2024, the fourth consecutive year of rising volume, with credential compromise as the primary attack vector across sectors. (CERT-In Annual Report 2024)
73% of Indian organisations are unaware of whether they have ever been attacked, making visibility, not technology, the primary gap. (DSCI India Cyber Threat Report 2025)
57% of Indian organisations lack basic cyber hygiene, which includes MFA for privileged access, documented access reviews, and individual account accountability. (DSCI India Cyber Threat Report 2025)
Only 7% of Indian organisations have reached mature cybersecurity readiness — the level required to withstand the current threat environment. (Cisco 2025 Cybersecurity Readiness Index)
Four regulatory frameworks now require identity security controls for Indian enterprises. Three are already in force. DPDPA full enforcement arrives 13 May 2027, with penalties up to ₹250 crore per breach instance.
In every Proactive deployment, the credential audit conducted before MFA configuration finds accounts that should not exist. The number varies by engagement. The finding does not.
In Indian BFSI environments, the most significant identity security gap is not the absence of MFA but its coverage: internet banking is typically protected; the core banking terminal typically is not.
What the Report Found by Sector
IT / ITeS & GCCs
Developer access to client production environments is the most under-examined identity security surface, covered by MFA policy on paper, unprotected in practice when access runs through separate tunnels and client-provisioned accounts the IT services firm does not control.
BFSI
The most significant gap is coverage, not absence. Internet banking is protected. Core banking terminals, treasury systems, and vendor remote access typically are not. The attacker does not need to defeat the protected applications. They need the one the MFA policy never reached.
Manufacturing
Vendor access registers in Indian manufacturing environments consistently contain between 8 and 20 accounts from closed engagements that remain active, based on Proactive’s deployment experience. Each is a potential OT network entry point.
Healthcare
Shared accounts on clinical systems are the norm rather than the exception. The authentication architecture of most Indian hospital information systems was designed for clinical usability, not security accountability.
What This Report Covers
The threat picture: What is happening to Indian enterprises, in numbers, by sector.
The regulatory gap: What four frameworks now require and how far most organisations are from meeting them.
The identity layer: Why credential compromise is the primary attack vector and why most current defences are inadequate.
Sector breakdowns: Specific findings for IT/ITeS, BFSI, Manufacturing, and Healthcare — original cross-sector analysis.
Deployment evidence: What Proactive’s credential audits consistently find across Indian enterprise environments, presented as practitioner evidence.
Data sources: CERT-In Annual Report 2024 · DSCI India Cyber Threat Report 2025 · Cisco 2025 Cybersecurity Readiness Index · National Cyber Crime Reporting Portal · RBI Annual Report FY 2024-25 · Proactive deployment data
Frequently Asked Questions
India recorded 2.27 million cybersecurity incidents in 2024. 73% of Indian organisations are unaware of whether they have been attacked, and only 7% have reached mature cybersecurity readiness. Four regulatory frameworks now require identity security controls, with three already in force. The primary attack vector is credential compromise: attackers are logging in with stolen credentials, not breaking through perimeter defences. The identity layer is the gap.
CERT-In’s Comprehensive Cyber Security Audit Policy Guidelines (CISG-2025-02), effective 25 July 2025, require MFA for all remote access connections, 180-day authentication log retention stored in India, and annual cybersecurity audits for all Indian organisations operating digital systems. Auditors examine whether MFA is enforced, not merely whether a policy exists.
SEBI CSCRF (compliance window closed January–April 2025), CERT-In CISG-2025-02 (in force since 25 July 2025), RBI Authentication Mechanisms Directions 2025 (effective 1 April 2026), and DPDPA 2023 (full enforcement deadline 13 May 2027). All four require, in different language, that organisations know who accessed their systems and can prove it.
Seven percent, according to the Cisco 2025 Cybersecurity Readiness Index (a vendor-commissioned study). Mature readiness, in this framework, requires fundamental identity controls including MFA across the full authentication surface, individual accountability for every access event, and privileged access management with documented reviews. That is the floor, not a high bar.
The vendor access register. In Indian manufacturing environments, deployment teams consistently find between 8 and 20 vendor accounts from closed engagements that remain active, according to Proactive’s deployment experience. As OT and IT have converged, these accounts can reach SCADA systems, manufacturing execution platforms, and production networks. The credential audit — before any MFA configuration — is the required first step.
The Digital Personal Data Protection Act 2023 requires data fiduciaries to implement ‘reasonable security safeguards’ for personal data. Full enforcement arrives 13 May 2027. The penalty for failure to implement security safeguards is up to ₹250 crore per instance (DPDPA 2023, Schedule 1 Item 4). Unlike RBI or SEBI penalties, DPDPA penalties are triggered by breach events, not examination cycles.