Cybersecurity awareness graphic

Cyber Security

Cyber security is the practice of protecting computers, networks and digital information from unauthorized access, theft and damage. That is the textbook definition, and it is accurate as far as it goes. What it does not capture is how much of real cyber security work has nothing to do with technology at all.

Published August 15, 2021

Cybersecurity awareness workshop photo

Through Selkey Cyber Security Pvt Ltd, I have worked alongside Gujarat Police and CID on more than 70 cybercrime cases. Almost none of them started with a sophisticated exploit. Most began with a phishing message someone clicked, a password reused across five accounts, or a screen-sharing app installed at the request of a caller pretending to be from a bank. The technology behind the attack was rarely advanced. The gap that let it succeed was almost always human.

That is not an argument against firewalls, encryption or multi-factor authentication. Those controls matter, and I recommend all three to every client and every workshop audience I speak to. But they are the second line of defense. The first line is whether a person recognizes a threat in the moment it appears, before any technical control gets a chance to work.

What cyber security actually protects

Cyber security protects three things that matter to almost anyone with a phone or a bank account.

  • Personal data: identity documents, medical records, photos and messages that were never meant to be public.
  • Financial access: bank accounts, UPI apps, credit lines and any system that can move money on your behalf.
  • Operational continuity: the ability of a business, hospital or government office to keep functioning when it comes under attack.

Losing any of these has consequences that outlast the incident itself. A leaked identity document can be reused for fraud years later. A locked-down hospital system can delay patient care. A small business hit by ransomware can lose weeks of revenue before it recovers, if it recovers at all.

Where most Indian cases actually start

Working cybercrime cases in Gujarat has shown me a fairly consistent pattern.

  • Phishing and impersonation: fake bank, courier or government messages designed to extract an OTP or a password.
  • Social engineering calls: a caller posing as tech support, a bank official or a police officer, building urgency until the victim acts without thinking.
  • Weak or reused passwords: a single leaked password used to access multiple accounts belonging to the same person.
  • Unpatched or pirated software: older systems still running known vulnerabilities that were fixed years ago in official updates.

None of these require advanced hacking skill to exploit, which is exactly why they remain so common.

What actually reduces risk

A few habits consistently separate the cases where damage was contained from the ones where it spread.

  • Reporting immediately, through the National Cyber Crime Reporting Portal (cybercrime.gov.in) or the nearest cyber cell, rather than waiting to see if the problem resolves itself. The first hour after a compromise matters more than any tool used afterward.
  • Multi-factor authentication on anything that touches money or identity, so a leaked password alone is not enough to gain access.
  • Basic awareness training, delivered before an attack rather than after one. Most of the seminars I run through Selkey NGO exist because prevention is far cheaper than recovery, in both money and time.
  • Keeping software updated, since a large share of the technical breaches I have seen trace back to a patch that was available but never installed.

Why I keep returning to awareness

I am a Certified Ethical Hacker (CEH Master) and an ISO 27001:2013 Lead Auditor, and I use both skill sets daily in penetration testing and compliance work. But if I had to choose one lever that prevents the most harm at the lowest cost, it would not be a technical certification. It would be teaching someone to pause for ten seconds before clicking a link, entering an OTP, or trusting a caller who says the matter is urgent.

That is the reasoning behind the awareness programs Selkey NGO runs in schools, colleges and organizations across Gujarat, including sessions at Cambay ONGC. The goal is not to turn every attendee into a security expert. It is to give them the same ten-second pause that, in the cases I have worked, has been the actual difference between an attempted fraud and a completed one.