Why CISOs Remain Crucial in the Age of Rampant Ransomware: An Indian Perspective

Cyber Secure India

Ransomware attacks have become a major crisis in India’s cyber threat landscape. CERT-India has constituted the ‘Cyber Swachhta Kendra’ (CSK) to handle crime arising from ransomware attacks, which is classified under the Malware Infection domain. The Centre works in close coordination and collaboration with Internet Service Providers (ISPs), antivirus companies, academia and industry to assist with ransomware infections. For reasons of confidentiality, and to uphold the reputation of ransomware victims, CERT-India does not release any report on these incidents; yet it is equipped to handle the scenario and is capable of extending assistance to anyone who approaches it. CERT-India has also mandated the reporting of any form of ransomware attack by corporate bodies and entities. It requires service providers, intermediaries, data centres and body corporates (Applicable Entities) to report cyber incidents (as defined under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-IN Rules)). In a government or corporate body, the first point in the hierarchy responsible for reporting is the Chief Information Security Officer (CISO). In the absence of a CISO, the IT head, or in their absence the Management/Board, will have to adhere to the reporting process. This highlights the critical need for an experienced CISO to lead cybersecurity efforts in Indian organizations.

In a recent report specific to India, Sophos found that 65% of those hit by ransomware were inclined to pay the ransom and negotiate the recovery of the data. The average revenue loss to corporates from negotiation and resolution is estimated at about $1.35 million. The average corporate spending on self-recovery is pitched at a whopping $1.5 to $2 million (estimated).

Ransomware incidents continue to grow year on year. Attacks across multiple sectors in India, including critical infrastructure, were reported to number 62 in 2023; this year the count to date is 60 and still rising. Threat actors have modernized their modus operandi through better attack toolkits and high-impact strategies. The Ransomware as a Service (RaaS) toolkit is also evolving, with more sophisticated extortion tactics. All of these and more are leading to a higher probability of monetization and a rise in attack campaigns (especially post-COVID).

The Evolving Role of a CISO in India

As ransomware attackers widen their spectrum of operations, CISOs in India must adapt quickly to handle the evolving threat landscape. Many new groups are replicating tactics from established operators, recycling code and resources against novice victims to make fast money and to exploit less secure systems. This means CISOs must be deeply familiar with existing ransomware attacks and their strategies while also anticipating new threats.

A Multi-layered Approach for Indian Organizations

Building a strong ransomware defense requires a multi-layered cybersecurity approach tailored to the Indian context. This includes:

  • Stringent access controls: Implementing robust access management systems to protect sensitive data.
  • Regular system updates and patching: Ensuring timely updates and patches are applied to all systems.
  • Robust backup protocols: Establishing comprehensive data backup and recovery procedures.
  • Employee cyber awareness: Conducting regular training programs to educate employees about cybersecurity best practices and threats specific to India.
  • Industry collaboration: Participating in industry forums and initiatives to share threat intelligence and best practices relevant to the Indian landscape.
  • Upskilling teams: Continuously training cybersecurity teams on the latest threats, technologies, and regulations.
  • Aligning with evolving regulations: Complying with relevant regulations, such as India’s data protection laws and cybersecurity guidelines.

Incident Response and Crisis Management in the Indian Context

With the rise of new ransomware groups, incident response planning is critical for Indian organizations. Well-defined protocols for rapid detection, containment, and data recovery are essential to minimize operational disruptions, reputational damage, and financial losses. Regular security audits and penetration testing can proactively identify vulnerabilities across the IT supply chain.

CISOs should foster a culture of continuous improvement and rigorous testing to enhance cyber resilience. Simulated attack scenarios can expose weaknesses and ensure preparedness for real-world incidents.

CISOs need to share knowledge and after-action reports among peer groups, which can in turn optimize defenses across Indian organizations. The exchange of information and knowledge among corporate CISOs can also enable quicker resilience and facilitate reciprocal assistance, cutting across corporate compartments.

Educating and Advising Leadership in Indian Organizations

CISOs must effectively communicate the business impact of ransomware to executives and boards in Indian organizations. With the increasing costs of attacks and the expanding attack surface due to remote work, securing sufficient cybersecurity resources is crucial.

Clear communication about risks and vulnerabilities will help CISOs gain leadership support for robust ransomware defense strategies. As threats evolve, especially with the potential for AI to democratize cybercrime, the CISO’s strategic advice will be vital for organizational resilience and continuity planning in India.

It is also essential for CISOs to identify a pool of expertise, SMEs, and recovery companies to enable a quick bounce-back. If ransomware attacks are not yet covered in the organization’s Crisis Management Plan (CMP), their inclusion should be reviewed.

Reporting Channel of a CISO

The reporting channel for many CISOs in India is skewed. Many Indian CISOs (and, for that matter, those in global enterprises) report to the CIO, CRO, CFO, or the head of IT or IT infrastructure. It is pertinent to understand that the best reporting structure for a CISO is the one that best suits the specific needs and circumstances of the organization. CISO reporting also depends on factors such as the organization’s size, industry, risk appetite, and overall structure. The ideal proposition is therefore inconclusive.

However, having the CISO report directly to the CEO/MD/Board of Directors certainly has its own advantages: sensitivity, autonomy, visibility of the authorized, enhanced visibility and authority, increased independence and objectivity, stronger accountability, better and shorter oversight, improved resource allocation, strengthened governance, etc.


In this era of rampant ransomware, CISOs in India must be aware of their evolving responsibilities. They need to possess technical expertise, manage security operations, plan for business continuity, and, crucially, influence decision-makers. Strong leadership from CISOs will determine which Indian organizations can withstand the ongoing cybercrime attacks.
