Cybersecurity investment surges in Indian firms, but protection gaps persist

With continuous and widespread digitisation, regulatory mandates, rise of remote work, and the need for business resiliency, Indian companies are witnessing a rising focus on cybersecurity measures. Firms across industries are ramping up their investment for cybersecurity resource allocation. A report by Deloitte in August showed that energy and resources, along with life sciences are the leading sectors when it comes to prioritising cybersecurity investment. Financial services and media and telecommunications follow them. 

The evolution of cybersecurity measures adopted by organisations has been in sync with the advancement of tech infrastructure. Until the mid-2000s, a reactive approach to security was considered enough. But with rapidly advancing digital infrastructure and cyber threats led to adoption of technologies such as intrusion detection systems and encryption, multi-layered security techniques such as safe access controls, frequent security audits, and artificial intelligence (AI) in the current tech landscape. 

“In recent years, India's cybersecurity market has posted a compounded annual growth rate of 25% and is projected to expand further. The investment landscape has seen an influx of venture capital funding into cybersecurity startups in India, an indication of the sector's increasing recognition of its significance,” said Ram Vaidyanathan, IT security evangelist, ManageEngine. “Businesses are now concentrating on complete cybersecurity strategies that involve risk management, incident response planning, and continuous monitoring to stay ahead of increasingly sophisticated threats.”

To be sure, Big Four firm PwC in its Digital Trust Insights report in November 2023 noted that 99% of organisations in India will increase their budgets out of which 50% envisaged an increase between 6% and 15% in the next 12 months.

Vishal Jain, co-founder and joint managing director of Inspira, said that companies of all sizes are expected to have some kind of cybersecurity incident or breach over the next five years, be it big legacy enterprises or new-age startups born in the cloud. “Too this end, on average, all of these organisations are looking at upwards of 10% in terms of increasing their (cybersecurity) budgets, because they're trying to move to different technology areas which is widening the scope of cybersecurity,” he added. 

The emphasis on cybersecurity is expanding beyond the private sector, with public institutions now also ramping up their efforts. Notably, in this year’s Union Budget, the allocation for cybersecurity projects saw about a 90% increase for FY25 amounting to ₹759 crore. 

Is it enough?

Despite increased resource allocation, the cybersecurity efforts just aren’t enough, opine experts. This year, from April to June, there was a 46% increase in cyber-attacks in India, compared to the previous quarter, according to a report by Check Point Software Technologies. Further, an organisation in India faced an average of 3,200 attacks per week in this quarter, as against the global average of 1,636 attacks per week, (during that period) making it one of the most targeted nations worldwide and second highest in APAC, only behind Taiwan.

“Despite increased investments, many companies struggle to keep up with evolving threat landscape. They often rely on isolated tools rather than a comprehensive strategy, leading to protection gaps. Critical areas such as continuous monitoring, AI-driven threat detection, and securing supply chains are frequently overlooked,” said Amit Patil, Senior Director Technology at Publicis Sapient.

ManageEngine’s Vaidyanathan echoes same sentiment. He said that companies lack “comprehensive plans and an insufficient understanding of their specific risk environment”. Further, he added that thorough risk assessment, integrating them into fragmented security measures cohesive security framework, and clear evaluation of return on investment on these investments could help companies to improve. 

Without continuous monitoring, AI-driven threat detection, and a thorough understanding of specific risk environments, increased spending alone may not be enough to protect against sophisticated cyber-attacks. A unified and proactive cybersecurity strategy is essential to close the existing protection gaps and ensure long-term resilience.