Are We Really Ready for Cyberwarfare? Despite India's top-tier global ranking, gaps in training, infrastructure, and accountability suggest a different reality

In 2024, India achieved Tier 1 status in the Global Cybersecurity Index (GCI), with a score of 98.49 out of 100—placing it among the world's leading nations for cybersecurity. The index, released by the International Telecommunication Union (ITU), assessed countries across five pillars—legal, technical, organisational, capacity development, and international cooperation.

Yet, this impressive score starkly contrasts with the realities observed on the ground, particularly in government institutions and critical infrastructure.

Inside a INR 146 crore bank heist: a wake-up call

Professor Triveni Singh, former Superintendent of Police (Cyber Crime) and Chairperson at the Future Crime Research Foundation, recalled investigating a major cyberattack on a cooperative bank two years ago.

"Cybercriminals planted a laptop within the bank's internal network, installed a remote access tool and keyloggers, and managed to capture the credentials of both the maker and checker—then transferred INR 146 crore," he said. Forensic analysis revealed that poor physical and digital controls had allowed the breach. The security operations centre (SOC), Singh recalled, was staffed by interns playing cards. "They had no access control protocols, no active surveillance, and the CCTV server had not been updated in nearly a year," he shared at Acronis TRU Security Days - India 2025 event.

Most alarmingly, when asked who the Chief Information Security Officer (CISO) was, a branch manager stepped forward—unaware of what the designation meant. "In government institutions, 99 per cent of those listed as CISOs don't even know they hold the role," Singh said.

Training gaps and paper compliance

According to Singh, superficial training and a lack of institutional understanding are major threats. "In government departments, people attend one-day workshops labelled 'CISO training'. They come for breakfast, lunch, and leave. That's not capacity building," he said.

He emphasised the urgent need for genuine investment in skills and cyber awareness. "You cannot train someone to respond to a cyber crisis with two or three days of orientation. Cybersecurity requires continuous education, not certificates for compliance."

Singh also questioned the visibility and awareness of existing national cyber guidelines. "Ask any government official if they've read the RBI's cybersecurity guidelines, or the latest policy from SEBI or IRDAI. You'll find no one has. How can you ensure compliance when there is no understanding of the rules?"

Data, responsibility, and the civilian risk factor

Prashant Mittal, Deputy Director General at the National Informatics Centre, highlighted the massive amount of data handled by government departments, much of it migrated to the cloud. "Krishi Bhavan alone handles data equivalent to 30 per cent of the global population due to overlaps like one individual being a beneficiary of multiple schemes," he said.

With the Digital Personal Data Protection (DPDP) Act, 2023, now in effect, the stakes are higher. Mittal warned that penalties for breaches can reach up to INR 250 crore. "Many managed service providers (MSPs) do not have the capacity to absorb such losses. They'll soon be held accountable under revised contracts."

On the civilian side, cyber-awareness remains dangerously low. Rajesh Chhabra, General Manager – India & South Asia at Acronis, urged citizens especially students, women, and the elderly in smaller towns—to take basic precautions. "Avoid clicking on unsolicited WhatsApp or SMS links, invest in antivirus protection, and never reuse passwords across platforms," he advised.

He also warned against common scams involving fake customer service numbers found on search engines. "Even SBI has begun issuing alerts about these tactics," Chhabra said. "It's often the lack of awareness that leads to financial fraud."

India's top-tier GCI ranking reflects robust policy frameworks, but cyberwarfare readiness demands more than documentation. As Singh noted, "Cybersecurity cannot be achieved through certificates or slogans. Until we train the right people and build real accountability, the systems will remain vulnerable."