Cybersecurity is likely to evolve as one of the top agenda items for Indian firms against the backdrop of the Ministry of Electronics and Information Technology (Meity) releasing draft rules for the implementation of the Digital Personal Data Protection Act (DPDP).
The draft bill comes at a time when cyber attackers are increasing their attacks, while camouflaging themselves online to target individuals and businesses. The extent of such breaches not only harms a firm's reputation but also leads to expensive consequences. This means that organisations will now need to focus on strong data protection norms since breach management will be a focus for management.
“For the first time, security professionals will have a seat in boardrooms, elevating cybersecurity to a CXO-level concern rather than an afterthought. This shift underscores the growing importance of security as a strategic priority,” said Ashok Hariharan, co-founder & CEO, IDfy, an identity verification company.
Indian residents have lost Rs 485 crore to fraud on the Unified Payments Interface (UPI) across 632,000 reported incidents until September 2024 in the current fiscal, according to data from the Ministry of Finance.
In 2025, experts believe more damage could come from the misuse of emerging technologies such as artificial intelligence (AI), the use of which enables hackers to mimic voices and could result in peculiar social engineering offences.
“Once impacted by a cyber attack, individuals realise the need and then spend on security measures. However, the DPDP is a proactive measure, requiring organisations to implement a set of security measures to ensure data privacy for their users,” said Pankit Desai, CEO & co-founder, Sequretek, a cybersecurity firm.
Meanwhile, protection of personal data will also assume importance among users, especially on the back of spam and unwanted sales calls. The implementation of such systems will be a significant capability addition to security systems at firms.
“Companies will be required to appoint a data guardian or data custodian. You can reach out to the data custodian and exercise your ‘right to be forgotten’; it basically means they have to scrub all records of your data that they have,” Desai said.
With the timeline for reporting breaches proposed to change to 72 hours, organisations, including those in tech, financial services and health, among others, will have to analyse how attacks have impacted tech systems.
“From a breach perspective, within 72 hours, a bank will have to know exactly how the breach happened, how and which database got affected and figure out a tech remediation process to mitigate the damage – it cannot be done without tech intervention and companies that can guide industries around consent governance,” Hariharan added.
Desai explained that public disclosure of breaches would add weight to the cybersecurity agenda at firms.
“The current norms require the reporting to be done to the government agency. There was no need for a public disclosure. Now, public disclosure is mandatory, and that will put a lot of weight on cybersecurity,” he added.
Experts added that key trends such as increased regulatory scrutiny, management of shadow risks, such as regular third-party risk assessments and continuous monitoring of systems, and an increased role for Computer Emergency Response Teams (CERT) will play out in 2025.
Firms will likely also have to invest in AI systems to process and mitigate impacts from any breaches going forward. This includes analysing documents, detecting abnormal patterns, and eliminating deep-fake videos before they enter a company's electronic systems.
“When it comes to document verification, AI-powered computer vision models have transformed tampering detection. These models analyze documents pixel by pixel, identifying subtle alterations that might escape human scrutiny, such as mismatched fonts, manipulated signatures, or edited images,” IDfy's Hariharan added.