Cybersecurity Digest: February 2026

Newsletter · Cybersecurity · 2026-02-05

Monthly cybersecurity news, threat intelligence, and security best practices for compliance-focused organizations.

Threat Landscape Update: India Q4 2025

The cybersecurity threat landscape for Indian organizations intensified significantly in Q4 2025, with several trends demanding immediate attention:

- Ransomware surge (+34%): Ransomware attacks targeting Indian enterprises increased 34% quarter-over-quarter. The Conti successor groups and LockBit 4.0 variants dominated, with average ransom demands reaching Rs 4.2 crore for mid-sized organizations. The healthcare and manufacturing sectors were disproportionately targeted.
- Supply chain attacks (+28%): Compromised software updates and third-party vendor breaches accounted for 28% more incidents than Q3 2025. The trend mirrors global patterns — organizations are only as secure as their weakest vendor.
- AI-powered phishing: Attackers are using generative AI to craft highly convincing phishing emails in regional Indian languages, bypassing traditional email security filters. Attacks in Hindi, Tamil, and Bengali increased 3x compared to English-only campaigns.
- Cloud misconfiguration: Exposed S3 buckets, misconfigured Azure AD tenants, and publicly accessible databases continue to be the top initial access vectors, responsible for 41% of data exposure incidents.

Action item: Run a Vulnerability Scan on your external-facing assets to identify exposed services and misconfigurations before attackers find them.

DPDP Security Requirements: What Section 8(4) Means in Practice

DPDP Act Section 8(4) requires "reasonable security safeguards" to prevent data breaches. But what does "reasonable" actually mean?
Based on our analysis of international precedent and industry standards, here is a practical interpretation:

Security Domain    | Minimum Expected Controls                                        | Best Practice
-------------------|------------------------------------------------------------------|------------------------------------------------------------------
Access Control     | Role-based access, MFA for admin accounts                        | Zero Trust architecture, PAM for privileged access
Encryption         | TLS 1.2+ for data in transit, AES-256 for sensitive data at rest | End-to-end encryption, envelope encryption for cloud data
Monitoring         | Security event logging, basic alerting                           | SIEM with 24/7 SOC, automated threat detection
Patch Management   | Critical patches within 30 days                                  | Automated patching, vulnerability prioritization by risk
Backup             | Regular backups with offsite copy                                | Immutable backups, tested recovery procedures, air-gapped copies
Incident Response  | Documented IR plan                                               | Tested IR playbooks, tabletop exercises, retainer with IR firm

If your organization already has ISO 27001 or SOC 2 certification, you likely meet the "reasonable safeguards" standard. Use our Cybersecurity Framework Alignment research to map your existing controls to DPDP requirements. Not sure where you stand? Start with Complynz's ISO 27001 Gap Assessment to evaluate your security posture.

Technical Deep Dive: Zero Trust for Personal Data Protection

Zero Trust architecture is particularly well-suited for DPDP compliance because its core principles — "never trust, always verify" and "assume breach" — align with the Act's requirement for reasonable security safeguards.

Key implementation steps for Indian organizations:

- Identity-centric security: Move from network-based trust to identity-based trust. Every access request to personal data stores must be authenticated and authorized, regardless of network location. Implement MFA for all users accessing personal data.
- Micro-segmentation: Segment your network so that personal data stores are isolated from general-purpose systems. A breach in your marketing platform should not provide access to your customer database.
- Least-privilege access: Grant minimum necessary permissions for each role. Review access rights quarterly. Implement just-in-time access for sensitive operations.
- Continuous verification: Monitor user behavior and device health continuously. Anomalous access patterns (unusual time, location, or volume of data access) should trigger step-up authentication or access revocation.
- Data-centric protection: Apply encryption and access controls at the data level, not just the network or application level. Personal data should be encrypted at rest and tagged with classification labels that enforce access policies automatically.

Incident Analysis: Financial Services Data Exposure

In November 2025, a mid-sized NBFC discovered that a misconfigured API endpoint had been exposing customer KYC documents (Aadhaar, PAN, bank statements) for approximately 45 days.

Key takeaways:

- Root cause: A developer deployed a new API version without authentication middleware. The staging configuration was accidentally pushed to production. No API security testing was performed before deployment.
- Detection delay: 45 days — the exposure was discovered by a security researcher, not internal monitoring. The organization had logging enabled but no alerts for unauthenticated API access patterns.
- DPDP implications: Under Section 8(5), this constitutes a personal data breach requiring notification to the Data Protection Board and affected Data Principals. The organization faces potential p
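As an added example (not code from the newsletter or from Complynz), this is the kind of alert rule the incident above lacked: it scans constructed API-gateway logs for successful reads of KYC documents with no authenticated subject and flags any source that bursts past a threshold, which is also the volume check the continuous-verification step in the Zero Trust section calls for. The JSON log format, the /api/v2/kyc/ path prefix, the 5-minute window and the threshold of 3 are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed API-gateway access log (JSON lines), not data from the incident;
# "subject" is the principal the gateway authenticated, or null when no credential was presented.
SAMPLE_LOGS = """\
{"ts":"2025-11-02T03:14:01Z","src_ip":"203.0.113.7","path":"/api/v2/kyc/documents/10021","status":200,"subject":null}
{"ts":"2025-11-02T03:14:03Z","src_ip":"203.0.113.7","path":"/api/v2/kyc/documents/10022","status":200,"subject":null}
{"ts":"2025-11-02T03:14:05Z","src_ip":"203.0.113.7","path":"/api/v2/kyc/documents/10023","status":200,"subject":null}
{"ts":"2025-11-02T03:15:10Z","src_ip":"198.51.100.20","path":"/api/v2/kyc/documents/10024","status":200,"subject":"analyst-42"}
{"ts":"2025-11-02T03:16:00Z","src_ip":"198.51.100.33","path":"/api/v2/health","status":200,"subject":null}
{"ts":"2025-11-02T09:30:00Z","src_ip":"203.0.113.9","path":"/api/v2/kyc/documents/10025","status":401,"subject":null}
"""

# Hypothetical path prefixes under which KYC documents are served.
SENSITIVE_PREFIXES = ("/api/v2/kyc/",)

def parse_logs(text):
    """Parse JSON-lines access logs into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def unauthenticated_sensitive_hits(events):
    """Each 2xx response on a sensitive path with no authenticated subject is a finding:
    with auth middleware in place such a request would have been rejected (401/403)."""
    return [e for e in events
            if e["path"].startswith(SENSITIVE_PREFIXES)
            and e["subject"] is None and 200 <= e["status"] < 300]

def burst_sources(hits, window_seconds=300, threshold=3):
    """Return {src_ip: peak count} for sources with >= threshold findings in any window."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["src_ip"]].append(datetime.strptime(h["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    findings = unauthenticated_sensitive_hits(parse_logs(SAMPLE_LOGS))
    print(len(findings), "unauthenticated KYC reads; bursty sources:", burst_sources(findings))
```

The 401 line is deliberately not a finding: a denied unauthenticated request is the middleware working, whereas a 200 with no subject is the misconfiguration itself.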
