Certified but Still Vulnerable: The Cybersecurity Gap in Indian Firms
Why Indian Businesses Need More Than IT Audits in an Evolving Threat Landscape
In the modern digital landscape of India, a paradox persists: companies are increasingly certified, yet remain perilously vulnerable. As cyberattacks surge in sophistication and impact, the Indian corporate sector faces a stark dilemma—compliance checkmarks are no longer enough. The era where an ISO badge or an IT audit could be paraded as proof of safety is over. It’s time for India Inc. to rethink, retool, and reinforce its approach to digital risks.
The Illusion of Safety: Compliance vs. Security
Over the past decade, India has witnessed an exponential rise in cyberattacks. Whether it’s banking, logistics, retail, manufacturing, or emerging sectors like fintech and healthtech, no industry is immune. In response, businesses have poured resources into certifications—ISO 27001, RBI cybersecurity frameworks, GDPR alignment, and more. But these well-meaning steps, while necessary, have inadvertently fostered a dangerous myth: that compliance is the same as security.
The Reality Check: Compliance frameworks offer structured, repeatable processes to manage data and system risks. They ensure companies have policies, controls, and documentation. Yet they are by design retrospective—they confirm what was true at the last audit, not what’s happening right now. Cybercriminals, meanwhile, exploit precisely those windows of opportunity that compliance leaves unguarded.
Case Studies: When Compliance Fails
Consider the recent attack on the Chinese AI company DeepSeek. Despite robust technical safeguards and multiple layers of compliance, attackers exploited overlooked vulnerabilities—leaked databases, exposed APIs, and even potential supply chain weak points. The episode underscores a sobering fact: technical checklists rarely account for the creativity and persistence of determined adversaries.
Closer to home, the breach at Marks & Spencer, orchestrated by the notorious hacker group Scattered Spider, serves as a warning for Indian enterprises. Using advanced social engineering, the attackers bypassed digital systems that had passed every audit. The fallout was devastating: over €300 million in losses, eroded customer trust, and a blow to brand reputation that extended across continents.
These stories aren’t outliers; they are harbingers. Even the most well-managed, certified, and audited organizations can be blindsided if they rely solely on compliance.
Where Compliance Stops, Threats Begin
Frameworks like ISO 27001, GDPR, or India’s Data Protection and Digital Privacy (DPDP) Act are foundational. They’re essential for establishing a baseline, governing how data is handled, and building a culture of accountability. However, these frameworks are not designed to:
- Detect or respond to zero-day exploits in real time
- Uncover vulnerabilities in third-party and supply chain dependencies
- Identify behavioral anomalies or insider threats
- Keep pace with the evolving tactics of cybercriminals
Too often, companies pass their annual audits, only to have a breach slip through a routine software update from a vendor—a risk no internal control could have foreseen. Traditional IT audits focus on documentation, asset inventories, password policies, firewall settings, and access logs. They’re invaluable for retrospective analysis but ill-equipped for predictive defense.
Why Indian Businesses Can’t Afford Complacency
India’s rapid digitization—fueled by government initiatives, a booming tech sector, and a growing digital population—has made the country a prime target for cyberattacks. Threat actors are getting smarter, leveraging artificial intelligence, automation, and global supply chains to penetrate even the most secure environments.
Despite this, cyber insurance adoption remains stubbornly low, especially among small and midsize enterprises (SMEs). Many harbor misplaced confidence in their IT teams or believe that certifications alone will shield them from harm. Others balk at insurance costs, failing to appreciate that a single breach could cost exponentially more—in legal fees, regulatory fines, operational downtime, and brand damage.
Leadership awareness is another hurdle. Boardrooms often lack a clear understanding of what cyber insurance entails, what it covers, and how it fits into a broader risk management strategy. Past negative experiences with insurance—claim denials, unexpected exclusions, or slow response times—have further fueled skepticism and inaction.
Cyber Insurance: Beyond Financial Safety Nets
In today’s volatile environment, cyber insurance is not a luxury; it is a necessity. But its value extends beyond writing checks after a disaster. Modern cyber policies act as a force multiplier for organizational resilience by:
- Funding post-breach recovery, including legal, regulatory, technical, and reputational costs
- Providing access to forensic experts, legal teams, and incident response specialists
- Driving proactive risk assessments and security improvements before coverage is granted
- Encouraging better vendor management and supply chain security
Take, for instance, a national retail chain in India that suffered a debilitating data breach. Companies that had robust cyber insurance were able to resume operations within weeks, whereas uninsured peers struggled for months—often at a far greater overall cost. Insurance-funded response teams helped contain the damage, restore lost data, and manage stakeholder communications, all while ensuring regulatory compliance.
Why Adoption Lags
The slow uptake of cyber insurance in India can be traced to several factors:
- Overconfidence: A belief that strong IT teams and audits are enough to fend off attacks
- Perceived Cost: A reluctance to invest in insurance, even though the cost of a breach can be catastrophic
- Lack of Awareness: Limited understanding at the leadership level of what cyber policies offer
- Trust Deficit: Lingering doubts from negative insurance experiences in the past
To close this gap, insurers must step up with greater transparency, clarity of coverage, and education campaigns tailored to the realities of the Indian business context.
Building True Cyber Resilience
If Indian companies are to survive and thrive in the next wave of digital threats, a transformative shift is needed—from audit-driven security to integrated, intelligence-led risk management. The elements of this new paradigm include:
- Continuous Threat Monitoring: Deploying real-time detection tools that identify and block emerging threats as they arise
- Red-Teaming and Simulation: Conducting regular exercises to test defenses against real-world attack scenarios
- Vendor and Supply Chain Risk Management: Assessing and monitoring third-party vulnerabilities, from software providers to logistics partners
- Employee Awareness and Training: Implementing ongoing education programs, phishing simulations, and clear reporting paths for security incidents
- Cyber Insurance Integration: Ensuring that insurance is embedded in business continuity and disaster recovery planning, not treated as an afterthought
Resilience is not a static goal; it’s a dynamic capability. It’s about anticipating new attack vectors, responding to incidents with agility, and learning from every engagement.
The Road Ahead: Urgency, Integration, and Action
With the attack surface expanding and threat actors innovating relentlessly, the question facing Indian business is not if but when the next breach will occur. Regulatory compliance remains essential, but it must be viewed as a foundation—not the finish line.
The time has come for India Inc. to modernize its approach to cybersecurity. This means:
- Cultivating a security-first culture at every level of the organization
- Investing in tools and partnerships that provide real-time visibility into threats
- Leveraging cyber insurance as a proactive enabler of resilience, not merely a fallback
- Regularly reviewing and updating security strategies to address evolving risks
In conclusion, certifications matter, but they do not make an organization invulnerable. Cyberattacks are growing smarter, faster, and more punishing. Indian enterprises must look beyond the comfort of compliance, embracing a holistic model of defense that integrates intelligence, preparedness, and financial risk transfer. The future of digital India depends on it.