Cybersecurity for Indian SMEs: What You Are Probably Ignoring
The Uncomfortable Truth
Here is a statistic that should concern every Indian business owner: 43% of cyberattacks globally target small and medium businesses. Not large enterprises with valuable IP — small businesses with limited security budgets. Why? Because attackers know that SMEs are the path of least resistance. No dedicated security team. No formal policies. Often no backups. An SME that gets hit by ransomware is far more likely to pay than a large enterprise with disaster recovery plans.
In India, the situation is particularly acute. The rapid digitisation driven by GST compliance, UPI adoption, and the e-invoicing mandate has moved enormous amounts of sensitive business data online. But the security practices have not kept pace. Most Indian SMEs treat cybersecurity as an IT department concern — and many do not even have an IT department.
This article is not about scaring you. It is about giving you a practical, affordable checklist of things you should be doing right now.
The Threats You Are Actually Facing
Ransomware
Ransomware encrypts all your files and demands payment (typically in cryptocurrency) for the decryption key. For an Indian SME, a ransomware attack can mean days or weeks of downtime. If you do not have backups (and most do not — we will get to that), you are choosing between paying the ransom or losing everything.
Ransomware typically enters through email attachments (a fake invoice from a "supplier"), malicious links, or compromised remote desktop connections. The attacks are automated and indiscriminate — they do not specifically target your company, but you get caught in the net.
Business Email Compromise (BEC)
This is increasingly common in Indian B2B transactions. An attacker compromises (or impersonates) a supplier's email address and sends a legitimate-looking invoice with changed bank account details. Your accounts team, recognising the supplier's name and the expected invoice amount, makes the payment to the attacker's account. By the time the real supplier follows up on non-payment, the money is gone.
BEC attacks have cost Indian businesses crores. They are devastatingly simple and do not require any technical sophistication — just a convincing email and good timing.
Phishing
Fake login pages for your email, banking, GST portal, or ERP system. An employee clicks a link in an email that looks legitimate, enters their credentials on a fake page, and the attacker now has access to that system. From there, they can steal data, modify transactions, or launch further attacks within your network.
Insider Threats
Not every threat comes from outside. Disgruntled employees, departing staff who take customer databases with them, or well-meaning employees who accidentally share sensitive files — insider threats account for a significant percentage of data breaches in SMEs.
The Cybersecurity Checklist for Indian SMEs
1. Backups — The Single Most Important Thing You Can Do
If you do nothing else on this list, do this: implement proper backups. The 3-2-1 rule is the gold standard:
- 3 copies of your data (the original plus two backups)
- 2 different storage types (e.g., local NAS plus cloud storage)
- 1 offsite copy (cloud backup or a physical drive stored at a different location)
Critical: at least one of your backup copies must be offline or air-gapped. Ransomware is specifically designed to encrypt connected backup drives. If your only backup is a hard drive permanently connected to your server, it will be encrypted along with everything else.
Test your backups regularly. A backup that cannot be restored is not a backup — it is false confidence. Schedule a quarterly restore test where you actually recover files from your backup and verify they work.
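To make the 3-2-1 rule and the restore test concrete, here is an added example (written for this article, not a script from Indivar or any backup product). It archives a folder, keeps one copy on a "NAS" directory and one on an "offsite" directory, records SHA-256 checksums at backup time, and then restores each copy into a scratch directory and compares every file against those checksums. The folder names, sample files and the deliberately truncated archive are all constructed for the demo; in production the two targets would be a real NAS and an offline or cloud location.

```python
"""Added example (not from the original article): a minimal backup job that keeps
three copies of a folder (the original, a local archive and an 'offsite' archive),
records SHA-256 checksums at backup time, and performs the quarterly restore test
the checklist asks for. All paths and files below are constructed for the demo; in
production the two archive targets would be a NAS and an offline or cloud location."""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Archive source/ as tar.gz and return the manifest to keep alongside it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    return manifest(source)


def restore_test(archive: Path, expected: dict) -> bool:
    """Restore into a scratch directory and compare every file with the manifest.
    Any failure to extract counts as a failed backup, which is the point of the test."""
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # safe extraction, Python 3.12+
                except TypeError:                          # older Python: no filter argument
                    tar.extractall(scratch)
            return manifest(Path(scratch) / "data") == expected
    except Exception:
        return False


def run_demo() -> dict:
    """Constructed sample data: an original folder, a 'NAS' copy and an 'offsite' copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, nas, offsite = root / "original", root / "nas", root / "offsite"
        for d in (source / "invoices", nas, offsite):
            d.mkdir(parents=True)
        (source / "invoices" / "INV-001.txt").write_text("Amount: 12,500 INR\n")
        (source / "customers.csv").write_text("name,gstin\nSample Traders,PLACEHOLDER-GSTIN\n")
        expected = make_backup(source, nas / "backup.tar.gz")          # copy 2: local NAS
        shutil.copy2(nas / "backup.tar.gz", offsite / "backup.tar.gz")  # copy 3: offsite
        # A truncated archive stands in for a backup that silently broke.
        raw = (nas / "backup.tar.gz").read_bytes()
        (offsite / "broken.tar.gz").write_bytes(raw[: len(raw) // 2])
        return {
            "nas_ok": restore_test(nas / "backup.tar.gz", expected),
            "offsite_ok": restore_test(offsite / "backup.tar.gz", expected),
            "broken_ok": restore_test(offsite / "broken.tar.gz", expected),
        }


if __name__ == "__main__":
    print(run_demo())
```

The third result is the one that matters: the truncated archive fails the restore test, which is exactly what a quarterly test is meant to catch before you need the backup for real. Keep the manifest with the archive (on the offline copy too), because a checksum file that lives only on the server gets encrypted with everything else.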
2. Multi-Factor Authentication (MFA) — Everywhere
Enable MFA on every system that supports it. Email (Google Workspace or Microsoft 365), ERP, CRM, banking, cloud storage, domain registrar — everything. MFA means that even if an attacker steals a password, they cannot access the account without the second factor (typically a code on a mobile phone).
This one change blocks over 99% of automated credential-based attacks. It costs nothing (most services include MFA for free) and takes 15 minutes to set up per user. There is no excuse for not having it.
3. Email Security
- SPF, DKIM, and DMARC: These are email authentication records that let receiving mail servers detect and reject emails that forge your domain as the sender. If you are using Google Workspace or Microsoft 365, configure these properly. Ask your IT person or domain registrar; it takes an hour and prevents your company from being impersonated.
- Email filtering: Use the built-in phishing and malware protection in your email service. Enable the aggressive filtering options. Some legitimate emails will end up in spam — that is a far better problem than ransomware.
- Attachment scanning: Configure your email to block executable attachments (.exe, .bat, .cmd, .ps1) entirely. No legitimate business email needs to send executable files.
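Once SPF and DMARC are set up, it is worth checking that the records actually enforce anything: a DMARC record with p=none and an SPF record ending in ~all are common and leave your domain spoofable. The checker below is an added example (not a tool from the article, Indivar or Red Piranha). The records it scores are constructed for a placeholder domain; the include: hosts are the real ones Google Workspace and Microsoft 365 document. For your own domain, fetch the strings with `dig TXT yourdomain.in` and `dig TXT _dmarc.yourdomain.in` (or from your DNS panel) and pass them in. DKIM is left out because checking it also needs the selector name your mail provider gave you.

```python
"""Added example (not from the original article): a checker for the SPF and DMARC
TXT records that SPF/DKIM/DMARC setup produces. The records below are constructed
for the demo (the include: hosts are the real ones Google Workspace and Microsoft 365
document); for your own domain, fetch the strings with `dig TXT yourdomain.in` and
`dig TXT _dmarc.yourdomain.in`, or from your DNS panel, and pass them in."""
from __future__ import annotations

import re

# SPF terms that cost a DNS lookup; more than 10 makes the whole record fail.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def spf_findings(record: str | None) -> list[str]:
    """Weaknesses in an SPF record: the 'all' qualifier and the 10-lookup limit."""
    if not record:
        return ["SPF: no record, so receivers cannot tell your mail from forgeries"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1, so it is ignored"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every sender on the internet")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral, the same as having no policy")
        elif qualifier == "~":
            findings.append("SPF: '~all' softfail; move to '-all' once DMARC reports show all senders are listed")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (record will permerror)")
    return findings


def dmarc_findings(record: str | None) -> list[str]:
    """Weaknesses in the _dmarc TXT record: policy, coverage and reporting."""
    if not record:
        return ["DMARC: no _dmarc record, so SPF/DKIM results are never enforced"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1, so it is ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends forgeries to spam; p=reject is stronger")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you never see the aggregate reports")
    return findings


def assess(spf: str | None, dmarc: str | None) -> list[str]:
    return spf_findings(spf) + dmarc_findings(dmarc)


# Constructed records for a placeholder domain: a typical weak setup and the hardened one.
WEAK_SPF = "v=spf1 include:_spf.google.com ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

Moving from p=none to p=reject is usually done in stages: publish p=none with a rua= address first, read the aggregate reports for a few weeks to find any legitimate sender (ERP notifications, marketing tools) that is not in your SPF record, add them, and only then switch to -all and p=reject.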
4. Software Updates — Do Not Delay Them
Most successful cyberattacks exploit known vulnerabilities that have already been patched. The patch exists. The business just has not applied it. Enable automatic updates on all systems — Windows, macOS, Linux, web browsers, antivirus, and business applications. The inconvenience of a reboot is trivial compared to the cost of a breach.
5. Access Control — Who Can Access What?
The principle of least privilege: every user should have access only to the systems and data they need for their specific job. Your receptionist does not need access to financial reports. Your warehouse staff do not need access to the CRM. Your sales team does not need admin access to the ERP.
In SAP Business One, this is implemented through authorisation profiles that control access down to the field level. Every ERP, CRM, and business application has similar capability — but it only works if someone takes the time to configure it properly.
6. Endpoint Protection
Every computer in your business needs antivirus/antimalware protection. Windows Defender (built into Windows 10/11) is adequate for basic protection. For more comprehensive coverage, consider enterprise endpoint protection solutions.
Our partners at Red Piranha provide advanced threat detection and response through their Crystal Eye platform — a unified threat management solution that is particularly well-suited for Indian SMEs that need enterprise-grade security without enterprise-grade budgets. Their platform combines firewall, intrusion detection, network monitoring, and threat intelligence in a single appliance.
7. Network Security Basics
- Change default passwords: Your Wi-Fi router, your CCTV system, your printers, your servers — if they still have the default admin/admin or admin/password credentials, change them today.
- Segment your network: Your guest Wi-Fi should not be on the same network as your ERP server. At minimum, have separate VLANs for guest access, employee devices, and servers/business-critical systems.
- Disable unused services: Remote Desktop Protocol (RDP) exposed to the internet is one of the most common ransomware entry points. If you need remote access, use a VPN — never expose RDP directly.
- Firewall: A proper firewall (hardware, not just the Windows firewall) between your network and the internet. This does not need to be expensive — a basic UTM (Unified Threat Management) appliance starts at Rs 30,000-50,000.
8. Employee Awareness
Technology cannot protect against every threat — especially social engineering. Train your employees on:
- How to recognise phishing emails (check the sender's actual email address, hover over links before clicking, be suspicious of urgency)
- Never sharing passwords, even with IT support (legitimate IT staff never need your password)
- Verifying payment detail changes through a phone call to a known number (never the number in the email requesting the change)
- Reporting suspicious activity immediately, without fear of blame
This does not require expensive training programmes. A 30-minute session every quarter, with real examples of phishing emails (you can find plenty online), is more effective than any software.
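The four habits above (check the real sender address, hover over links, distrust urgency, never open executables) can also be written down as rules a script applies to a message, which is a useful way to show staff what they are looking for. The triage below is an added example written for this article, not a product feature from Indivar or Red Piranha. The message it inspects is a constructed BEC-style email: the supplier name, every domain and the `known_suppliers` table are placeholders, and the blocked extensions are the ones listed in the email-security section.

```python
"""Added example (not from the original article): a triage script that applies the
checklist's phishing rules (sender address vs display name, link text vs real
destination, urgency, executable attachments) to a raw email. The message and the
supplier table below are constructed for the demo; every domain is a placeholder."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

BLOCKED_EXTENSIONS = (".exe", ".bat", ".cmd", ".ps1")   # from the email-security section
URGENCY = ("urgent", "immediately", "within 24 hours", "will be suspended")
HOST_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::\d+)?(?:/\S*)?$")


def host_of(value: str) -> str:
    """Hostname of a URL, or of link text that looks like one; '' for 'Click here' style text."""
    match = HOST_LIKE.match(value.strip())
    return match.group(1).lower().removeprefix("www.") if match else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the mismatch 'hover before clicking' would show."""
    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def triage(raw: bytes, known_suppliers: dict[str, str]) -> list[str]:
    """known_suppliers maps a supplier name (as it appears in display names) to its real domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    sender = msg["From"].addresses[0]
    sender_domain = sender.addr_spec.rsplit("@", 1)[-1].lower()
    for name, domain in known_suppliers.items():          # display name claims a known supplier
        if name in sender.display_name.lower() and sender_domain != domain:
            findings.append(f"sender: looks like {name} but address is {sender.addr_spec}")
    if msg["Reply-To"] and msg["Reply-To"].addresses[0].addr_spec.lower() != sender.addr_spec.lower():
        findings.append(f"reply-to: replies go to {msg['Reply-To'].addresses[0].addr_spec}")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:                              # what hovering over the link reveals
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            if host_of(text) and host_of(text) != host_of(href):
                findings.append(f"link: text shows {host_of(text)} but goes to {host_of(href)}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    if any(word in text for word in URGENCY):
        findings.append("wording: pressure to act immediately")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(BLOCKED_EXTENSIONS):          # catches 'invoice.pdf.exe' too
            findings.append(f"attachment: blocked executable type {filename}")
    return findings


def build_sample() -> bytes:
    """Constructed BEC-style message for the demo (no real organisations or domains)."""
    msg = EmailMessage()
    msg["From"] = "Sample Traders Accounts <accounts@sample-traders-billing.example>"
    msg["Reply-To"] = "payments@freemail.example"
    msg["To"] = "accounts@yourcompany.example"
    msg["Subject"] = "URGENT: updated bank details for invoice INV-2291"
    msg.set_content("Our bank account has changed. Please pay the attached invoice immediately.")
    msg.add_alternative(
        "<p>Our bank account has changed. Please pay the attached invoice immediately.</p>"
        '<p><a href="http://sample-traders-billing.example/portal">www.sampletraders.example</a></p>',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename="Invoice_INV-2291.pdf.exe")
    return bytes(msg)


if __name__ == "__main__":
    for line in triage(build_sample(), {"sample traders": "sampletraders.example"}):
        print("-", line)
```

Every one of the five findings maps to a line in the training list, and the one that matters most for BEC (a known supplier name on an unfamiliar address, with a changed bank account) is exactly the case where the phone call to a known number, not the number in the email, settles it.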
9. Incident Response Plan
What will you do when (not if) a security incident occurs? Having a basic plan in writing — who to call, what to disconnect, how to communicate with customers — can mean the difference between a contained incident and a business-ending disaster.
At minimum, your plan should cover:
- Who has the authority to disconnect systems from the network
- Contact details for your IT support, your legal adviser, and your cyber insurance provider (if you have one)
- A communication template for notifying customers if their data may be affected
- The location and access details for your offline backups
What This Costs
Here is the good news: most of these measures cost little or nothing. MFA is free. Software updates are free. Employee training is a few hours of time. SPF/DKIM/DMARC configuration is a one-time setup. A decent backup solution costs Rs 5,000-15,000 per month depending on data volume.
The total cost of implementing this entire checklist for a 50-person company is roughly Rs 2-5 lakh in the first year and Rs 1-2 lakh annually thereafter. Compare that to the average cost of a ransomware attack on an Indian SME (Rs 25-50 lakh in ransom, downtime, and recovery) and the maths is obvious.
Take the First Step Today
You do not need to implement everything at once. Start with backups and MFA this week. Add email security and software updates next week. Schedule an employee awareness session this month. Build from there.
At Indivar, we help our clients think about security as part of their overall technology strategy — not as an afterthought. Whether you are implementing a new ERP or reviewing your existing infrastructure, our team includes security-conscious engineers who build protection into every solution from day one. Through our partnership with Red Piranha, we can also provide enterprise-grade threat detection and network security for businesses that need more than the basics. Talk to us if you want a practical security review of your current setup.
Indivar Software Solutions
SAP Business One consulting and custom software development since 2009. Offices in India, New Zealand, and the USA.