April 8 2025
CIO 2025

DPDP Act Brings A New Era for Data Governance in India


Dr. Rakshit Tandon, Cyber Security Evangelist


As a technology specialist and cybercrime investigator who has worked closely with Indian law enforcement, I’ve trained officers across state and central police academies in cybersecurity and digital investigations. Over the years, I’ve seen cyber threats evolve rapidly—and 2024 stands out as a pivotal year for data security.


The DPDP Act: A Defining Moment for Indian Businesses
The Digital Personal Data Protection (DPDP) Act has introduced a game-changing legal framework for how Indian businesses handle and secure personal data. With cybercrime rising over 900% in the past four years, the urgency to act is undeniable. Ransomware, phishing, and malware are no longer isolated incidents—they’re systemic threats.


What sets the DPDP Act apart is its enforcement muscle: the Data Protection Board can impose penalties of up to ₹250 crore on a data fiduciary that fails to take reasonable security safeguards to prevent a personal data breach, and up to ₹50 crore for other contraventions. This signals that data protection is no longer optional. Businesses must now embed ‘security by design’ into every product and process. One point is often misread: unlike the earlier Personal Data Protection Bill, the Act does not split data into personal, sensitive and critical categories. It applies a single regime to all digital personal data, with heavier obligations for Significant Data Fiduciaries and for the personal data of children.


This shift is also redefining leadership roles. The CIO, CTO, and CISO must now work in sync with a new key player: the Data Protection Officer (DPO), whom the Act requires every Significant Data Fiduciary to appoint, based in India and answerable to its board. Together, they must drive privacy frameworks, ensure compliance, and foster a culture of security from the ground up.


AI: Innovation Meets Threat
Artificial intelligence is transforming business operations, but it is also equipping cybercriminals with powerful tools. Generative AI is being used to produce convincing phishing lures, deepfakes, and malware. Attackers are also targeting AI models themselves through data poisoning (often loosely called “AI poisoning”): tampering with the training data so that the model learns to produce false or biased outputs, or to misclassify the inputs the attacker cares about.


Businesses must act fast, not only to protect data but to secure the logic and integrity of their AI systems: provenance and integrity checks on training data before it is used, access control on model pipelines, and monitoring of model behaviour after deployment. Robust AI governance, transparency, and ethical usage are now non-negotiable.
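To make the poisoning threat concrete, here is an added, self-contained illustration (not code from the author or from any product mentioned on this page). It trains a toy naive Bayes phishing-message classifier on a small constructed data set, shows how a handful of mislabelled samples injected into the next training batch flip its verdict on a phishing message, and then applies the kind of integrity check a data pipeline can run before retraining: comparing each incoming label against a model trained only on trusted data. All messages, labels and the poisoned batch are constructed for the example.

```python
"""Training-data poisoning against a toy text classifier, and a pre-training label check.

Constructed example: tiny phishing-vs-benign naive Bayes classifier, a poisoned
batch that flips its verdict, and a label-consistency check that flags the
injected samples before they reach the training set.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict

PHISHING, BENIGN = "phishing", "benign"

# Constructed clean training data (not real messages).
CLEAN_DATA = [
    ("urgent verify your account now", PHISHING),
    ("account suspended verify password", PHISHING),
    ("click link verify account urgent", PHISHING),
    ("password reset urgent action", PHISHING),
    ("lunch meeting tomorrow noon", BENIGN),
    ("project update meeting notes", BENIGN),
    ("quarterly report attached", BENIGN),
    ("team meeting agenda", BENIGN),
]

# Constructed poisoned batch: phishing-vocabulary messages the attacker has
# mislabelled as benign so that a retrained model learns to wave them through.
POISONED_BATCH = [
    ("verify account urgent", BENIGN),
    ("urgent verify account", BENIGN),
    ("account verify urgent", BENIGN),
    ("verify urgent account", BENIGN),
]


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-one) smoothing over whitespace tokens."""

    def __init__(self, data):
        self.doc_count = Counter()              # label -> number of documents
        self.word_count = defaultdict(Counter)  # label -> token -> count
        self.total_words = Counter()            # label -> total tokens
        vocab = set()
        for text, label in data:
            self.doc_count[label] += 1
            for tok in text.split():
                self.word_count[label][tok] += 1
                self.total_words[label] += 1
                vocab.add(tok)
        self.vocab_size = len(vocab)
        self.n_docs = sum(self.doc_count.values())

    def log_posterior(self, text, label):
        # log P(label) + sum of log P(token | label); logs avoid underflow.
        lp = math.log(self.doc_count[label] / self.n_docs)
        denom = self.total_words[label] + self.vocab_size
        for tok in text.split():
            lp += math.log((self.word_count[label][tok] + 1) / denom)
        return lp

    def predict(self, text):
        return max(self.doc_count, key=lambda lbl: self.log_posterior(text, lbl))


def flag_label_disagreements(trusted, batch):
    """Return samples whose supplied label contradicts a model trained only on trusted data.

    This is a simple pre-training integrity gate: samples that a trusted model
    confidently disagrees with are held back for human review instead of being
    merged into the next training run.
    """
    return [(text, label) for text, label in batch if trusted.predict(text) != label]


def demo():
    clean = NaiveBayes(CLEAN_DATA)
    poisoned = NaiveBayes(CLEAN_DATA + POISONED_BATCH)  # retrained without any check
    probe = "urgent verify account"
    return {
        "clean_verdict": clean.predict(probe),        # phishing
        "poisoned_verdict": poisoned.predict(probe),  # benign: the attacker's goal
        "flagged": flag_label_disagreements(clean, POISONED_BATCH),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately simple: it catches label flipping on samples a trusted baseline already recognises, which is the cheapest poisoning to mount. It would not by itself catch a slow drift of the label boundary or a backdoor trigger that the baseline has never seen, which is why training-data provenance and post-deployment monitoring are needed alongside it.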


Proactive Steps and the Road Ahead
Encouragingly, we’re seeing government-led initiatives: blocking fraudulent SIMs, tagging suspicious calls, and the RBI’s move to give banks a dedicated ‘.bank.in’ domain so customers can tell genuine banking sites from look-alike phishing domains. These are important steps, but businesses must go further.


Compliance is not a checkbox. It’s a cultural shift. As targeted scams grow more personal and data becomes weaponized, Indian companies must move from awareness to action. The DPDP Act gives us the legal foundation. Now, it’s up to every enterprise to act—urgently, responsibly, and decisively.