Most Indian SME owners think of cybersecurity as something enterprises worry about. That assumption has become increasingly expensive. Ransomware groups now explicitly target Indian small and medium businesses because those businesses hold valuable data — customer records, GST filings, banking credentials, supplier contracts — while spending far less on defences than the corporations that share the same threat landscape. India also has two legal frameworks — CERT-In's 2022 mandatory reporting directions and the Digital Personal Data Protection Act 2023 — that create real liability for businesses that experience a breach and fail to respond correctly. This guide covers the practical, India-specific steps that matter most, without padding the list with generic advice that belongs in a Western enterprise security handbook.
CERT-In Mandatory Reporting: The 6-Hour Rule Almost No SME Knows About
India's Computer Emergency Response Team (CERT-In) issued mandatory directions in April 2022 that created a legal obligation to report cybersecurity incidents within 6 hours of detection. This is not a guideline — it is a direction under the Information Technology Act, and non-compliance carries a penalty of up to ₹1 crore per violation.
The directions apply far more broadly than most business owners realise. While the focus in press coverage was on large ISPs, cloud providers, and data centres, the reporting obligation extends to any organisation handling significant personal or financial data — which in practice includes most businesses that run a CRM, process UPI payments, or store customer records. The reportable incident categories cover ransomware infections, data breaches, unauthorised access to any system containing personal data, malicious code infections, identity theft, phishing attacks, and denial-of-service attacks affecting business operations.
The 6-hour clock starts when you become aware of the incident — not when your investigation concludes. This means you need to report while still actively responding. CERT-In has clarified that initial reports can be brief and supplemented with follow-up details, but the initial notification cannot be skipped while waiting for a forensics report. The reporting portal is at cert-in.org.in, and CERT-In also accepts reports at incident@cert-in.org.in.
Practical implication for Indian SMEs: keep a one-page incident response card in your IT setup that lists the CERT-In reporting URL, the categories of reportable events, and the name of the person in your organisation responsible for making the report. That preparation takes 30 minutes and eliminates the confused scramble that costs businesses the 6-hour window.
DPDPA 2023 and the Data Fiduciary Obligations That Apply to Every Indian Business
India's Digital Personal Data Protection Act 2023 introduced a term most Indian SME owners had not encountered before: Data Fiduciary. Under the Act, any organisation that collects personal data from Indian individuals — even something as simple as a name, phone number, and email address on a contact form — becomes a Data Fiduciary with mandatory security obligations. Company size is not a qualifying threshold; the obligations attach to the act of collecting personal data, not the scale of the organisation.
The Act requires Data Fiduciaries to implement "reasonable security safeguards" to protect personal data. While the Act deliberately avoids prescribing specific technical standards, the reasonable safeguards threshold for an Indian SME is generally understood to require:
- Encryption at rest: Customer data stored in databases, cloud accounts, or spreadsheets must be encrypted. Using Google Workspace or Microsoft 365 for storing customer data satisfies this requirement by default — both platforms encrypt stored data. Keeping customer records in an unencrypted local spreadsheet on a shared Windows PC does not.
- Access controls: Personal data should only be accessible to staff who need it for their specific role. Sharing GST portal credentials or CRM logins broadly within a team — especially over WhatsApp or email in plaintext — is a direct DPDPA liability.
- A breach notification process: The Act requires notifying the Data Protection Board of India when a personal data breach occurs. This works in conjunction with the CERT-In 6-hour reporting requirement — a breach involving personal data typically triggers both obligations simultaneously.
- Data retention limits: You cannot keep personal data indefinitely without a stated purpose. Customer enquiry data collected for a sales conversation cannot be retained for five years without a legitimate business reason.
For most Indian SMEs, the path to basic DPDPA compliance runs through two decisions: choosing a cloud-based platform for customer data (where encryption and access controls are built-in) rather than local files, and documenting who in the organisation is responsible for data protection decisions. Neither requires expensive consulting — but both require deliberate action before a breach makes them urgent.
India-Specific Attack Vectors: What Is Actually Targeting Your Business
Generic cybersecurity content describes phishing, malware, and ransomware in terms designed for a global audience. Indian SMEs face a more specific threat profile that Western guides rarely address in useful detail.
UPI Fraud Targeting Businesses
UPI's near-universal adoption in India has created an attack surface that attackers have exploited extensively. The most common business-facing UPI fraud patterns in 2026 are: fake UPI QR codes sent via WhatsApp or email, impersonating clients or suppliers, designed to collect payment to an attacker-controlled account; and credential phishing targeting the UPI PIN and OTP that authorises transfers. A particularly damaging variant involves attackers registering a UPI ID that closely resembles your business's official ID (by swapping a letter or adding a digit) and then sending payment requests to your customers while impersonating your business.
Defence: verify any new or changed payment details by calling the supplier directly on a known phone number — never by responding to the email or message that contains the new details. Train all staff who handle payments to treat any payment instruction that arrives via WhatsApp or email as requiring verbal confirmation before execution.
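The look-alike UPI ID pattern above can be screened for mechanically before a payment is released. The following is an added example, not code from the article: it compares each requested payee ID against a supplier registry (a constructed sample here) and flags IDs that are one swapped letter, one added digit, one confusable character, or one PSP-suffix change away from a registered ID, so that only those go to the verbal-confirmation step. The registry, request values and the `ACTIONS` wording are assumptions.

```python
"""Screen payment requests for look-alike UPI IDs (added example, not from the article).

An exact match against the supplier registry is "registered"; a handle within a couple of
edits of a registered one (swapped letters, an extra digit, a confusable character, or the
same handle on a different PSP suffix) is a "lookalike" that needs verbal confirmation on a
number already on file; anything else is "unknown". Registry and requests are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Digits that read like letters on a phone screen; folded before comparing handles.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

ACTIONS = {
    "registered": "release",
    "lookalike": "hold and call the supplier on the phone number already on file",
    "unknown": "hold and onboard as a new payee through a verified channel",
}

# Constructed registry: supplier name -> UPI ID confirmed when the supplier was onboarded.
REGISTRY: Dict[str, str] = {
    "Acme Traders": "acmetraders@okaxis",
    "Sharma Logistics": "sharmalogistics@ybl",
}


def normalize(upi_id: str) -> str:
    return upi_id.strip().lower()


def split_id(upi_id: str) -> Tuple[str, str]:
    """'acmetraders@okaxis' -> ('acmetraders', 'okaxis')."""
    handle, _, psp = upi_id.partition("@")
    return handle, psp


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions, adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def handle_distance(a: str, b: str) -> int:
    """Smaller of the raw and confusable-folded edit distances between two handles."""
    return min(osa_distance(a, b),
               osa_distance(a.translate(CONFUSABLES), b.translate(CONFUSABLES)))


def classify_payee(requested_id: str, registry: Dict[str, str] = REGISTRY,
                   max_edits: int = 2) -> dict:
    """Return {"verdict", "supplier", "distance", "action"} for one requested payee ID.

    max_edits=2 suits handles of normal length; very short handles would need a stricter
    threshold so unrelated suppliers are not reported as look-alikes of each other.
    """
    req = normalize(requested_id)
    req_handle = split_id(req)[0]
    closest: Optional[dict] = None
    for supplier, known in registry.items():
        known = normalize(known)
        if req == known:
            return {"verdict": "registered", "supplier": supplier,
                    "distance": 0, "action": ACTIONS["registered"]}
        dist = handle_distance(req_handle, split_id(known)[0])
        if dist <= max_edits and (closest is None or dist < closest["distance"]):
            closest = {"verdict": "lookalike", "supplier": supplier,
                       "distance": dist, "action": ACTIONS["lookalike"]}
    return closest or {"verdict": "unknown", "supplier": None,
                       "distance": None, "action": ACTIONS["unknown"]}


def screen_requests(requested_ids: List[str], registry: Dict[str, str] = REGISTRY) -> List[dict]:
    """Classify a batch of payee IDs, e.g. everything queued for today's payment run."""
    return [dict(requested=r, **classify_payee(r, registry)) for r in requested_ids]


if __name__ == "__main__":
    # Constructed requests: one genuine, three look-alikes of the kind described above,
    # one same-handle/different-PSP switch and one payee nobody has onboarded.
    for row in screen_requests(["AcmeTraders@okaxis ", "acmetraders1@okaxis",
                                "acmetarders@okaxis", "acmetrader5@okaxis",
                                "acmetraders@ybl", "newvendor@upi"]):
        print(f"{row['requested']:<22} {row['verdict']:<11} -> {row['action']}")
```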
GST Portal Credential Theft
Phishing emails mimicking the GSTN portal are among the most professionally crafted phishing attempts targeting Indian businesses. The emails typically warn of a GST filing discrepancy, a pending notice, or a cancelled registration — language designed to create urgency that overrides scepticism. The links resolve to near-perfect copies of the GST portal login page that harvest credentials. Once attackers have your GSTN credentials, they can file false returns, view your complete tax filing history and supplier relationships, and in some cases initiate fraudulent refund claims.
Defence: bookmark the actual GSTN portal (gst.gov.in) and never click a GST-related link from email. Enable two-factor authentication on the GST portal — it is now mandatory for high-turnover businesses and available for all filers. Never store your GST portal password in a browser on a shared computer.
Fake Authority Emails and WhatsApp Messages
Emails and WhatsApp messages threatening immediate action from TRAI, the Income Tax Department, or GST authorities are a persistent Indian attack vector. These messages claim your business will face service suspension, licence cancellation, or arrest warrants unless you click a link or call a number immediately. The link installs malware or redirects to a credential harvesting page; the phone number connects to a social engineering script designed to extract OTPs or payment. TRAI, the IT Department, and GST authorities communicate through official portals and registered post — not unsolicited WhatsApp messages or emails with urgent payment demands.
WhatsApp Business Account Takeover via SIM Swap
For many Indian small businesses, WhatsApp Business is the primary customer communication channel — which makes account takeover uniquely damaging. An attacker who takes over your WhatsApp Business account gains access to your entire customer conversation history, can send messages to every contact impersonating your business, and can use the trust your customers have built with that number to execute further frauds. SIM swap attacks work by convincing your mobile operator's customer service team that the attacker is you, and transferring your number to their SIM card. Once the number is on their SIM, they receive the WhatsApp registration OTP and complete the takeover. The defence — enabling WhatsApp's two-step verification PIN — is simple and stops this specific attack vector. Go to Settings > Account > Two-step verification and enable it now if you have not already done so.
Ransomware and the 3-2-1 Backup Rule for Indian SMEs
Indian SMEs are disproportionately represented in ransomware attack statistics. Groups like LockBit and their successors have explicitly targeted Indian manufacturing, healthcare, and IT firms — not because Indian businesses are easier to attack technically, but because they typically lack the incident response capabilities that enterprises deploy and are more likely to pay a ransom rather than restore from backup.
The average ransom demand targeting an Indian SME in 2026 ranges from ₹5 lakh to ₹50 lakh, payable in cryptocurrency, with no guarantee of data recovery even after payment. The more important number is what a ransomware attack costs in operational disruption: businesses without adequate backups report downtime of 2–6 weeks while rebuilding systems from scratch, with total losses that frequently exceed ₹10 lakh when staff time, lost business, and emergency recovery costs are included.
The 3-2-1 backup rule is the single most effective ransomware defence available to an Indian SME:
- 3 copies of your data — the live working copy plus two backups
- 2 different storage media types — not two USB drives or two folders on the same laptop; the point is redundancy against hardware failure
- 1 copy stored offsite — physically or geographically separate from your primary location
For an Indian SME, a minimum viable 3-2-1 implementation costs almost nothing: an automatic daily backup to Google Drive or Microsoft OneDrive (both included in Workspace/365 subscriptions most businesses already pay for), plus a weekly backup to an external hard drive that stays at a different location — a home, a second office, or a bank locker. The external drive should be disconnected from any computer when not in use, because ransomware that reaches a connected external drive will encrypt it along with everything else.
The critical test most Indian SMEs skip: actually restoring from the backup. A backup you have never tested is not a backup — it is a hope. Schedule a quarterly restore test to confirm that your backup files are intact, readable, and complete.
Password Hygiene and MFA: The Highest-ROI Basics
Two patterns recur in almost every Indian SME security incident investigation: shared credentials passed around via WhatsApp, and reused passwords across multiple services. When your GST portal password is the same as your Google account password and both are stored in a WhatsApp chat with your accountant, a single phishing success gives an attacker access to your entire business infrastructure.
Password managers solve both problems at a cost well within any SME's budget. Bitwarden offers a fully functional free tier for individual use and a team plan at approximately ₹1,200/year per user — making it the most affordable enterprise-grade option for Indian SMEs. 1Password Teams costs approximately ₹2,400/year per user and adds more polished team management and business features. Both generate unique, strong passwords for every service, store them encrypted, and eliminate the need to share credentials over WhatsApp.
Multi-factor authentication (MFA) should be treated as non-negotiable on four categories of account:
- GST portal: Mandatory for businesses with annual turnover above ₹20 crore; strongly recommended for all filers regardless of turnover. The GST portal supports both OTP-based and authenticator app MFA.
- Google Workspace or Microsoft 365 accounts: These accounts are the keys to your entire business — email, documents, contacts, calendar. A compromised Workspace account gives an attacker everything. Enable MFA in the admin console and enforce it for all users.
- Net banking and payment platforms: Most Indian banks enforce OTP-based MFA for transactions. Ensure that the registered mobile number for banking OTPs is on a SIM card that you hold physically and that has SIM swap protections enabled with your operator.
- Any remote access tool: If your team uses TeamViewer, AnyDesk, or a VPN for remote work, MFA on those access points is critical. Unprotected remote access tools are one of the primary entry points for ransomware groups.
Google Workspace vs Microsoft 365 for Indian SME Security
Indian businesses choosing a productivity and email platform in 2026 face a genuinely competitive choice. Google Workspace Business Starter is priced at approximately ₹130/user/month in India (billed annually), while Microsoft 365 Business Basic comes in at approximately ₹125/user/month — meaning both offer enterprise-grade email security, built-in MFA, and data encryption at rest and in transit at nearly identical INR pricing.
From a security standpoint, both platforms are well-defended against common attack vectors. Gmail's spam and phishing filters have a strong track record in blocking the GSTN phishing emails and fake TRAI messages described earlier. Microsoft 365's Defender for Business add-on (available at higher tiers) provides endpoint detection and response capabilities that extend protection beyond email to devices. For most Indian SMEs choosing between the two purely on security grounds, the decision should hinge on your team's existing familiarity and your integration needs rather than a meaningful security gap between the platforms.
One important exception: BFSI-regulated companies (banks, NBFCs, insurance intermediaries) should note that RBI circulars specifically reference Microsoft as having compliant data centre infrastructure in India for regulated data. If your business operates under RBI or IRDAI oversight and stores regulated financial data in your productivity suite, engage Microsoft's compliance team before committing to either platform. This distinction does not apply to most Indian SMEs, but it matters critically for those it does apply to.
VPN Considerations for Indian Businesses
VPNs serve a legitimate and important purpose for Indian businesses with remote workers — encrypting traffic on public Wi-Fi, securing access to internal systems, and protecting sensitive communications. However, India's VPN regulatory environment changed significantly in 2022 when CERT-In issued directions requiring VPN service providers operating in India to collect and retain user data — including names, IP addresses, and usage logs — for a minimum of five years.
Several international VPN providers chose to remove their Indian servers rather than comply with the data retention mandate, effectively exiting the Indian market for consumer VPN services. For business VPN selection, the practical implications are: consumer VPN services marketed on privacy grounds are not reliable for Indian business use, as the regulatory landscape may force further changes. Business-grade VPN solutions that run on your own infrastructure — WireGuard deployed on an Indian cloud server, or self-hosted OpenVPN — give you control over the data and sidestep the third-party data retention issue. For teams needing a managed solution, NordLayer (the business-facing product from NordVPN's corporate arm) offers dedicated server options that keep your organisation's traffic separate from shared consumer infrastructure.
The core rule for Indian business VPN selection in 2026: prioritise solutions where your organisation, not the VPN provider, controls the data logs. Self-hosted WireGuard on an AWS Mumbai or Azure India server achieves this and costs ₹600–1,200/month in compute, far less than any commercial managed VPN subscription at team scale.
Social Engineering: The Attack Vector Employee Training Addresses Directly
Technical controls — antivirus, firewalls, MFA — stop automated attacks efficiently. Social engineering attacks work by bypassing technical controls entirely and targeting human decision-making. In the Indian SME context, three social engineering patterns consistently succeed against otherwise reasonably defended businesses:
Fake vendor payment requests: An attacker who has observed your business operations (via a compromised email account or public social media) contacts your finance staff by phone or email, impersonating a known supplier with an urgent request to update bank or UPI payment details. The request arrives during a busy period — end of financial year, festival season, a busy order cycle — when the target is least likely to pause and verify. The new account details belong to the attacker. Businesses lose between ₹50,000 and ₹30 lakh per incident in these attacks.
WhatsApp CEO fraud: A message from a number claiming to be the managing director or owner, sent to a finance employee or manager: "I'm in a meeting and can't talk — please transfer ₹50,000 to this account urgently, I'll explain later." The message exploits the authority of the sender, the urgency framing, and the employee's reluctance to delay or question the boss. The defending process is simple: establish a firm policy that no payment of any amount is authorised based solely on a WhatsApp message, regardless of who appears to have sent it — all payments require verbal confirmation on a known number.
Malware via job application PDFs: HR teams at Indian SMEs that post job listings receive hundreds of applications, and attackers exploit this volume by sending applications with PDF CVs that contain embedded malware. Opening the PDF on an unprotected Windows machine executes the payload. The defence has two parts: a dedicated email address for job applications that is opened on an isolated device or sandboxed environment, and Endpoint Detection and Response (EDR) software on all Windows machines used by HR and finance staff.
Employee awareness training is, per rupee spent, the highest-return cybersecurity investment available to Indian SMEs. A half-day in-person workshop covering these three scenarios, conducted once a year, costs ₹10,000–30,000 for a team of 10–30 people and reduces successful social engineering attacks more effectively than most technical controls costing ten times as much.
Cybersecurity Cost Tiers for Indian SMEs: What ₹5,000 vs ₹1 Lakh Actually Buys
Cybersecurity spending for Indian SMEs does not need to be an all-or-nothing decision. There is a meaningful difference in protection between the basic tier and the advanced tier — and the basic tier is affordable enough that there is no justification for being below it.
Basic Tier: ₹5,000–15,000/Year
This tier covers the controls that address the majority of attacks targeting Indian SMEs without requiring any specialist expertise:
- Quality endpoint antivirus — Kaspersky Small Office Security or Bitdefender GravityZone Small Business Security, both available in India at ₹1,500–3,000/device/year
- Cloud backup using Google Drive or Microsoft OneDrive (included in existing Workspace/365 subscriptions) plus a quarterly test that verifies the backups restore correctly
- Password manager — Bitwarden free tier for individuals, or the team plan at ₹1,200/user/year
- MFA enabled on GST portal, Google/Microsoft accounts, and net banking
- WhatsApp two-step verification enabled on all business numbers
Intermediate Tier: ₹20,000–50,000/Year
This tier adds detection and response capabilities beyond basic prevention:
- Endpoint Detection and Response (EDR) — Malwarebytes for Teams or Microsoft Defender for Business (included in Microsoft 365 Business Premium at ₹375/user/month), covering all Windows devices used by finance, HR, and management
- Email security gateway — Microsoft Defender for Office 365 Plan 1 or Google Workspace's built-in Advanced Protection Programme
- Annual employee awareness training session covering India-specific social engineering scenarios
- Documented incident response process and CERT-In reporting procedure
Advanced Tier: ₹1,00,000+/Year
This tier is appropriate for Indian IT companies handling client data, healthcare businesses, financial services intermediaries, or any SME that has assessed its data sensitivity and concluded that a breach would have material regulatory or reputational consequences:
- Security Operations Centre (SOC) monitoring — available from Indian MSSPs (Managed Security Service Providers) starting at ₹40,000–80,000/month for SME-scale deployments
- Annual penetration testing — a qualified ethical hacker systematically tests your systems for exploitable vulnerabilities; typical cost from an Indian security firm is ₹40,000–1,50,000 for an SME-scope engagement
- ISO 27001 readiness assessment and eventual certification (see next section)
- Cyber insurance — Indian insurers including HDFC Ergo, ICICI Lombard, and Tata AIG now offer SME cyber insurance policies starting at ₹8,000–15,000/year for coverage up to ₹25 lakh
ISO 27001 and SOC 2 for Indian IT Companies Serving International Clients
If your business is an Indian IT company, software firm, or IT services provider bidding on contracts with US, UK, or EU enterprises, the security compliance conversation has changed materially over the past two years. Enterprise procurement teams in these markets now routinely include a security questionnaire or require third-party certification as part of vendor qualification — and for many contracts, ISO 27001 or SOC 2 Type II has moved from a nice-to-have to a qualifying threshold that gates whether your proposal is read at all.
ISO 27001 is the more globally recognised certification for Indian IT companies to pursue. It establishes an Information Security Management System (ISMS) across your organisation and is audited by accredited third-party certification bodies. SOC 2 Type II is an alternative that is particularly recognised in the US market and focuses on specific trust service criteria rather than the broad management system approach of ISO 27001. For Indian companies primarily targeting the US market, both are credible; for UK and EU contracts, ISO 27001 is generally the stronger recognition.
Realistic 2026 cost of ISO 27001 implementation and initial certification in India:
- Implementation consultant fees: ₹1.5–4 lakh — a consultant builds your risk register, writes your ISMS policies, conducts the mandatory internal audit, and prepares you for the certification audit. Fees vary significantly; solo consultants charge less than consulting firms but require you to have an internal champion who can own the implementation.
- Certification audit fees (Stage 1 + Stage 2): ₹1–3 lakh depending on your organisation's size and scope. STQC (Standardization Testing and Quality Certification), operated under India's Ministry of Electronics and IT, is a credible and price-competitive certification body that international clients now routinely accept. STQC fees are typically 30–50% below equivalent international auditors.
- Technology gaps: ₹50,000–2 lakh to close identified gaps — typically adding EDR, formalising backup procedures, or implementing privileged access management for critical systems.
- Annual surveillance audits: ₹60,000–1.5 lakh/year to maintain certification.
Total first-year investment: ₹3–8 lakh. For an IT company winning a single US contract that required the certification, the return on that investment is typically recovered within the first year of the engagement.
A secure IT infrastructure also connects directly to your ability to build and scale other business capabilities. If you are evaluating cloud migration options in India, the security architecture decisions made during migration directly determine your DPDPA compliance posture. Similarly, if you are implementing CRM software for your Indian business, the access controls and data encryption on that platform are DPDPA obligations, not optional features. And for Indian software companies serving international clients, the security infrastructure discussed here connects directly to the mobile app development and deployment decisions that touch customer data at scale.
"The Indian SMEs I have seen recover from a ransomware attack quickly all had one thing in common — not expensive security software, not a SOC, not even a full-time IT person. They had tested backups on separate storage that the ransomware could not reach. The businesses that took months to recover were the ones that discovered their Google Drive backup had not been running for six weeks, or that their external drive was plugged into the same laptop that got encrypted. Test your backups this week. That single action is worth more than most other cybersecurity spending you can do at the SME level."
Frequently Asked Questions: Cybersecurity for Indian SME Businesses
Are small Indian businesses legally required to report cybersecurity incidents under CERT-In's 2022 rules?
Yes — and this applies much more broadly than most Indian SME owners realise. CERT-In's 2022 mandatory directions require any organisation operating in India that detects a cybersecurity incident to report it within 6 hours of detection. The categories of reportable incidents include ransomware infections, data breaches, unauthorised system access, and malicious code affecting customer data. The fine for non-reporting is up to ₹1 crore. The 6-hour clock starts when you become aware of the incident, not when your investigation concludes — so having the CERT-In reporting portal bookmarked and a designated person responsible for filing the report is preparation that costs 30 minutes and can save your business from a significant regulatory penalty.
What are the most common cyber attacks targeting Indian small businesses in 2026?
Indian SMEs face five consistently high-frequency attack types: UPI payment fraud via fake QR codes and credential phishing; GST portal phishing emails that harvest GSTN login credentials; WhatsApp Business account takeover via SIM swap; fake TRAI and IT Department emails threatening business closure and redirecting to malware; and ransomware delivered via malicious PDF attachments in job applications or vendor emails. Each of these exploits India-specific systems and communication habits that general cybersecurity guides rarely address. Defending against all five requires a combination of technical controls (MFA, antivirus, cloud backup) and staff awareness training about the specific social engineering scripts being used.
What is the minimum cybersecurity setup an Indian SME should have in place for DPDPA 2023 compliance?
India's Digital Personal Data Protection Act 2023 makes any business that collects personal data — including just a customer name, phone, and email — a Data Fiduciary with mandatory security obligations. The minimum compliant setup covers four areas: encryption at rest (using Google Workspace or Microsoft 365 for customer data satisfies this by default); access controls (unique logins per staff member, no shared passwords passed around over WhatsApp); a documented breach response process that includes CERT-In notification within 6 hours; and a data retention policy that defines when personal data is deleted once its purpose is complete. None of these requires expensive consulting — but all four require deliberate implementation before a breach makes them urgent.
Should a small Indian IT company pursue ISO 27001 certification, and what does it cost?
For Indian IT companies bidding on US, UK, or EU enterprise contracts, ISO 27001 has shifted from a differentiator to an effective entry requirement at many procurement stages. The total first-year cost typically runs ₹3–8 lakh, covering implementation consultant fees (₹1.5–4 lakh to build your ISMS documentation and risk register), certification audit fees (₹1–3 lakh for Stage 1 and Stage 2 audit with a body like STQC, which is recognised internationally and costs less than Western auditors), and technology gaps identified during the assessment. Annual surveillance audits cost ₹60,000–1.5 lakh to maintain certification. For a company winning a single qualifying contract on the strength of the certification, the investment is typically recovered within the first year of that engagement.
How do I protect my business WhatsApp account from takeover, and what should I do if it gets compromised?
The single most effective preventive action is enabling WhatsApp's two-step verification: go to Settings > Account > Two-step verification and set a 6-digit PIN that must be entered whenever WhatsApp registers your number on a new device. This stops SIM swap takeover attempts even if the attacker successfully moves your number to their SIM. Additionally, never share any WhatsApp registration OTP with anyone — WhatsApp never asks for it via call or message. If your account is taken over: immediately email support@whatsapp.com with the subject line "Lost/Stolen: Please deactivate my account", file a cybercrime complaint at cybercrime.gov.in, notify CERT-In if customer data was accessed through the compromised account, and contact your customers through email or an alternate channel to warn them that messages from your WhatsApp number may not be genuine until the account is recovered.