Why Hackers Target Small Businesses, Not Just Banks
Between January and June 2025, cyberattacks on Indian small and medium enterprises increased by 60 percent compared to the same period the previous year. That number comes from CERT-In incident reports and third-party threat intelligence firms tracking the Indian threat landscape. If you run a business with 5 to 200 employees, you are now a more attractive target than you were even 12 months ago.
The reasoning behind this shift is straightforward. Large enterprises and banks have invested heavily in security operations centres, dedicated incident response teams, and layered defenses. Breaking into HDFC Bank or Infosys requires sophisticated, sustained effort with a high probability of getting caught. But a 30-person accounting firm in Kochi or a retail chain with four outlets in Thrissur? They hold the same kinds of valuable data — customer payment information, Aadhaar numbers, bank account details, GST records — without anywhere near the same level of protection.
Ransomware operators have figured this out. They know that a small manufacturer in Coimbatore whose production systems are locked will likely pay Rs 5-15 lakhs to resume operations rather than lose Rs 20-30 lakhs in downtime over a week. The attackers run this as a business — they calculate the ransom amount based on what the victim can afford and what their downtime costs. For Indian SMEs, that sweet spot is typically between Rs 5 lakhs and Rs 15 lakhs, low enough that paying feels reasonable, high enough that it is profitable at scale.
There is also the access angle. Attackers increasingly use smaller companies as stepping stones to larger targets. If your business provides services to a bigger company, say you are an IT vendor, a payroll processor, or a logistics partner, compromising your systems may give attackers a pathway into your client's network: a mailbox that routinely sends your client invoices, a VPN account on their network, a shared file store. That is the pattern behind several well-publicised supply chain attacks of the past two years, where the initial foothold was a small vendor rather than the eventual target.
The Top 5 Attack Vectors Hitting Indian SMEs
1. Phishing emails remain the number one entry point. Despite years of awareness campaigns, employees still click. The attacks have become far more convincing: they reference real invoice numbers, use the names of actual vendors, and arrive during business hours from domains that differ from the legitimate one by a single character (a zero for an o, an extra hyphen, .co instead of .com). A finance team member receives what appears to be a GST invoice from a known supplier. They click the attachment. The payload executes. That one click can compromise the entire network within minutes. The two tells are the sender's exact domain and the pressure to act now; any invoice that changes bank details should be confirmed with the vendor on a phone number you already have, not one printed in the email.
2. Ransomware via exposed remote desktop. When Indian businesses rushed to enable remote work during 2020-21, many exposed their Remote Desktop Protocol (RDP) directly to the internet. Four years later, thousands of Indian SMEs still have RDP open on port 3389 with weak or default credentials. Automated scanners find these exposed services within hours of them going online. Attackers brute-force the login, gain admin access, and deploy ransomware across the network, often at 2 AM on a Saturday when nobody is watching. A stronger password alone does not fix this: RDP should not be reachable from the internet at all. Put it behind a VPN, require Network Level Authentication, and set an account lockout policy so that repeated failed logons are stopped and logged rather than tried indefinitely.
3. Supply chain attacks through vendor software. Your billing software, your inventory management system, the plugin your web developer installed: any of these can become the attack vector. When attackers compromise a software vendor's update mechanism, every business using that software gets infected simultaneously, because the malicious update arrives through the same trusted channel as a legitimate one. Pirated software makes this worse rather than better: it cannot receive vendor patches, and the cracks and keygens used to activate it routinely carry malware of their own. Use licensed software, keep automatic updates on, and keep a list of every application and plugin in use so that when a vendor announces a compromise you know within minutes whether it affects you.
4. UPI and payment fraud targeting finance staff. This goes beyond simple phishing. Attackers call finance departments posing as bank representatives, vendor contacts, or even senior management. They create urgency (an overdue payment, a tax compliance deadline, a client threatening to pull out) and convince staff to initiate UPI transfers or share OTPs. Some attacks use deepfake voice cloning to impersonate the business owner calling from an unknown number. Losses from business email compromise and payment fraud in India crossed Rs 1,200 crores in 2025. The defence is procedural rather than technical: every payment instruction or change of bank details that arrives by email, call or WhatsApp is confirmed by calling the requester back on a number already on file, no OTP is ever read out to a caller, and no single person can both create and approve a transfer above a set limit.
5. WhatsApp business account hijacking. This is increasingly common and particularly devastating for Indian businesses that rely on WhatsApp for customer communication. Attackers gain access to the WhatsApp Business account through SIM swapping, social engineering the telecom provider, or a linked device they have managed to pair (the Linked Devices screen lists every one). Once in control, they message existing customers with payment requests, send malware links, or simply hold the account hostage. For a business whose primary customer channel is WhatsApp, losing that account means losing direct access to the entire customer base. Turn on WhatsApp's two-step verification PIN so that re-registering your number needs more than an SMS code, check Linked Devices monthly, and ask your telecom operator what protection it offers against unauthorised SIM replacement.
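The two checks below, added here as a worked example rather than anything from the original article, turn the first two vectors into something a business can actually test against data it already has: the list of supplier domains it pays (for vector 1) and the Windows Security event log of any machine with RDP enabled (for vector 2). The vendor domains, the confusable-character table and the log lines are constructed samples; the log format is a flattened one-line-per-event export, which is an assumption for the example, not a Windows default.

```python
"""Two checks for the two entry points above, run over data a small business already
has: the sender domain on incoming invoices, and failed-logon events from a Windows
machine that has RDP enabled. Added example; the vendor list and log lines are
constructed, not taken from any real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domains of suppliers the finance team actually pays (constructed sample).
KNOWN_VENDOR_DOMAINS = {"tatasteel.com", "reliancepackaging.in", "kochitraders.in"}

# Character sequences attackers swap because they look alike in most fonts.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

def normalise(domain: str) -> str:
    """Fold look-alike sequences so 'tatastee1.com' compares equal to 'tatasteel.com'."""
    d = domain.lower().strip()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a typo-squat usually costs one or two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_vendor(sender_domain: str, known=KNOWN_VENDOR_DOMAINS):
    """Return the genuine vendor domain this sender imitates, or None.
    An exact match is the real vendor; a near miss is the suspicious case."""
    sender = sender_domain.lower().strip()
    if sender in known:
        return None
    cand = normalise(sender)
    for real in known:
        if cand == normalise(real) or edit_distance(cand, normalise(real)) <= 2:
            return real
    return None

# Windows Security log, Event ID 4625 = failed logon, LogonType 10 = RDP session.
# Constructed sample in a flat key=value form (assumed export format); a
# Get-WinEvent export flattened to one line per event parses the same way.
SAMPLE_EVENTS = """\
2025-06-14 02:01:05 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2025-06-14 02:01:06 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2025-06-14 02:01:08 EventID=4625 LogonType=10 User=Administrator SrcIP=203.0.113.7
2025-06-14 02:01:09 EventID=4625 LogonType=10 User=accounts SrcIP=203.0.113.7
2025-06-14 02:01:11 EventID=4625 LogonType=10 User=admin1 SrcIP=203.0.113.7
2025-06-14 02:01:12 EventID=4625 LogonType=10 User=tally SrcIP=203.0.113.7
2025-06-14 09:15:00 EventID=4625 LogonType=10 User=priya SrcIP=192.168.1.24
2025-06-14 09:15:40 EventID=4624 LogonType=10 User=priya SrcIP=192.168.1.24
"""
LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) LogonType=(\d+) User=(\S+) SrcIP=(\S+)$")

def rdp_bruteforce_sources(log_text: str, threshold: int = 5,
                           window: timedelta = timedelta(minutes=5)) -> dict:
    """Source IPs with at least `threshold` failed RDP logons inside any `window`.
    Returns {ip: failures in the busiest window}; one typo by a real user never trips it."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, _user, src = m.groups()
        if event_id == "4625" and logon_type == "10":
            failures[src].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, worst = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[ip] = worst
    return flagged

if __name__ == "__main__":
    for sender in ("tatasteel.com", "tatastee1.com", "reliance-packaging.in", "gmail.com"):
        print(sender, "->", lookalike_vendor(sender))
    print(rdp_bruteforce_sources(SAMPLE_EVENTS))
```

The domain check deliberately treats an exact match as clean and only a near miss as suspicious, which is the shape of the real threat: the attacker registers something one character away and relies on nobody reading it. The logon check ignores single failures from the office LAN and fires on a burst from one source, which is what an internet-exposed RDP port looks like in the log within hours of going online; if this ever fires on your own machines, the fix is not a better password but taking 3389 off the internet.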
The Rs 0 Security Upgrade Every Business Should Do Today
Before spending a single rupee on security products, there are immediate steps that eliminate the majority of common attack paths. These require two to three hours of focused work and zero financial investment.
Enable two-factor authentication on every account that supports it. Start with email: Google Workspace and Microsoft 365 both support 2FA. Then move to banking portals, hosting accounts, domain registrars, social media accounts, and any SaaS tools your team uses. Use authenticator apps (Google Authenticator, Microsoft Authenticator) rather than SMS-based OTPs where possible, as SIM swapping can bypass SMS verification. For the few accounts that can do the most damage (the domain registrar, the cloud console, the bank login), prefer a passkey or a hardware security key where the service offers one: a six-digit app code can still be relayed through a phishing page in real time, a passkey cannot.
Audit admin access across all your systems. Open the admin panels of every tool your business uses and review who has access. Remove former employees immediately — this is the single most overlooked vulnerability in Indian SMEs. A disgruntled ex-employee with active admin credentials is a breach waiting to happen. Also review whether current employees need the access level they have. Your marketing intern does not need admin access to your cloud infrastructure.
Update all software on every device. Operating systems, browsers, office suites, accounting software, antivirus: update everything, and turn on automatic updates wherever the software offers them so this does not depend on someone remembering. Most successful attacks exploit known vulnerabilities that already have patches available. The attacker is not using some secret zero-day exploit; they are walking through a door you left unlocked by dismissing the Windows update notification for three months. Anything the vendor no longer patches at all, such as a Windows 7 machine still running the billing software, needs to be replaced or taken off the network.
Change default passwords on all network equipment. Your Wi-Fi router, network printer, CCTV system, and any IoT devices: if they still have the factory-set admin/admin or admin/password credentials, change them now. Automated scanners specifically look for default credentials on devices connected to Indian IP ranges. While you are in the router's admin page, disable remote administration from the internet side and turn off UPnP unless something in the office genuinely needs it, since both quietly expose internal devices to the outside.
Start weekly backups to an external drive. Buy two simple external hard drives and alternate them. Every Friday, back up your critical business data (financial records, customer databases, project files) to one drive, then unplug it. A drive that stays connected is just another folder for the ransomware to encrypt, and alternating two drives means one copy is always offline even if the attack lands mid-backup. Once a quarter, restore a few files from the drive to a spare machine to prove the backup actually works. This alone can save your business if ransomware strikes, because the attackers cannot encrypt what they cannot reach.
These five steps, done properly, close the paths behind most of the opportunistic attacks that succeed against Indian small businesses: stolen passwords with no second factor, forgotten accounts, unpatched software, default credentials, and backups the ransomware could reach. They cost nothing except time.
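As an added worked example for the access audit step, not the article's own tooling, the script below cross-checks an export of accounts and roles from each admin panel against the HR roster. Every system in the list above can export its user list as CSV; the column names, the roster, the role names and the approved-admin list here are constructed assumptions you would replace with your own exports.

```python
"""Admin-access audit for the 'Rs 0 upgrade' steps above: cross-check an export of
accounts from each system against the HR roster, flag ex-employees who still have
a login, and flag anyone holding an admin-level role who is not on the approved list.
Added example; the CSV data, role names and approved list are constructed."""
import csv
from io import StringIO

# Exported from HR (constructed). status is 'active' or 'left'.
HR_ROSTER = """\
email,name,status
anita@example.in,Anita Menon,active
rahul@example.in,Rahul Nair,left
priya@example.in,Priya Joseph,active
suresh@example.in,Suresh Kumar,active
"""

# One row per (system, account, role) copied from each admin panel (constructed).
ACCOUNT_EXPORT = """\
system,email,role,last_login
Google Workspace,anita@example.in,super_admin,2025-06-10
Google Workspace,rahul@example.in,user,2025-03-02
Tally,rahul@example.in,admin,2025-05-28
AWS,suresh@example.in,administrator,2025-06-12
AWS,priya@example.in,administrator,2025-06-11
WhatsApp Business,priya@example.in,owner,2025-06-13
"""

# Who is allowed to hold an admin-level role on which system (constructed).
APPROVED_ADMINS = {
    "Google Workspace": {"anita@example.in"},
    "AWS": {"suresh@example.in"},
    "Tally": {"anita@example.in"},
    "WhatsApp Business": {"priya@example.in"},
}
# Role names that mean 'can change everything'; extend per product (assumed names).
ADMIN_ROLES = {"super_admin", "admin", "administrator", "owner", "root"}

def audit_access(hr_csv: str, accounts_csv: str, approved=APPROVED_ADMINS) -> list:
    """Return findings as (kind, system, email, role) tuples, worst first."""
    roster = {r["email"].lower(): r["status"] for r in csv.DictReader(StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(StringIO(accounts_csv)):
        email, system, role = row["email"].lower(), row["system"], row["role"].lower()
        status = roster.get(email)
        if status is None:
            findings.append(("unknown_account", system, email, role))   # nobody in HR owns it
        elif status == "left":
            findings.append(("former_employee", system, email, role))   # offboarding missed
        if role in ADMIN_ROLES and email not in approved.get(system, set()):
            findings.append(("unapproved_admin", system, email, role))  # least privilege broken
    order = {"former_employee": 0, "unapproved_admin": 1, "unknown_account": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))

if __name__ == "__main__":
    for kind, system, email, role in audit_access(HR_ROSTER, ACCOUNT_EXPORT):
        print(f"{kind:17} {system:18} {email:20} {role}")
```

Run it monthly with fresh exports: a "former_employee" row is a disable-today item, an "unapproved_admin" row is the marketing intern with cloud admin rights from the paragraph above, and an "unknown_account" row is either a contractor nobody recorded or an attacker's persistence account, and you want to know which.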
Affordable Security Stack for SMEs
Once the free measures are in place, here is what a practical paid security setup looks like for a 10-person company. These are real products at real Indian pricing — not enterprise solutions scaled down.
Endpoint protection: Rs 1,500-3,000 per device per year. This replaces the free antivirus your team is probably using. Business-grade endpoint protection from vendors like Seqrite (Quick Heal's enterprise arm), Kaspersky Small Office Security, or Bitdefender GravityZone provides centralized management, ransomware rollback, and web filtering. For 10 devices, budget Rs 15,000-30,000 annually.
Email security filtering: Rs 500-1,500 per user per month. If you are on Google Workspace or Microsoft 365, their built-in filters catch most spam. But for advanced phishing protection, consider adding a dedicated email security layer. Solutions like Barracuda Email Gateway or Mimecast filter out sophisticated phishing attempts, impersonation attacks, and malicious attachments before they reach your employees' inboxes.
Cloud backup: Rs 500-2,000 per month. Automated daily backups of your critical data to a cloud provider — separate from your primary systems. Services like Acronis, Veeam, or even a properly configured AWS S3 bucket with versioning enabled. The key is automation and separation. Manual backups get forgotten. Backups on the same network get encrypted alongside everything else.
Password manager: Rs 200-500 per user per month. Bitwarden Business, 1Password Business, or LastPass Teams. When your team shares passwords through WhatsApp messages and sticky notes, you have no visibility into who has access to what. A password manager creates unique, strong passwords for every account and logs who accessed what and when.
Basic firewall configuration: Rs 5,000-15,000 one-time. If your business has an office network, get a proper firewall appliance — even a mid-range device from Sophos or Fortinet — configured by someone who knows what they are doing. This controls what traffic enters and leaves your network and blocks known malicious connections.
Total monthly cost for a 10-person company, adding up the figures above: roughly Rs 4,000-10,000 per month without the dedicated email filtering layer, and Rs 9,000-25,000 with it (the filter is the largest single line at Rs 500-1,500 per user), plus the one-time firewall cost. Either way it is less than the salary of one part-time employee. Compare that to the cost of a single ransomware incident, Rs 5-25 lakhs in ransom, downtime, data recovery, and reputation damage, and the math becomes obvious.
Ransomware: What Happens When They Lock Your Data
Let me walk you through what actually happens during a ransomware attack, because most business owners have a vague idea but do not understand the operational reality.
It is Monday morning. Your accounts manager arrives at the office and turns on her computer. Instead of the Windows desktop, she sees a red screen with a message: "Your files have been encrypted. Pay 0.15 BTC (approximately Rs 10 lakhs) to the following wallet address within 72 hours or your data will be permanently deleted and published on our leak site." She calls the IT person. His computer shows the same message. Every computer in the office — same screen.
You check the shared drive where all your project files, client data, invoices, and employee records are stored. Everything is encrypted — file names changed to random strings with a .locked extension. The accounting software database? Encrypted. The CRM with five years of customer history? Encrypted. The backup folder on the NAS drive connected to your network? Also encrypted, because it was always connected and the ransomware spread to every accessible network share.
Now you face a decision. Pay Rs 10 lakhs with no guarantee the attacker will actually provide the decryption key — roughly 30 percent of paying victims never get their data back. Or refuse to pay and try to recover, knowing that rebuilding five years of business data from scratch may take months and cost far more than the ransom.
This scenario plays out at Indian businesses every single day. The ones that recover quickly all have one thing in common: they followed the 3-2-1 backup rule.
3 copies of your data (the original plus two backups). 2 different storage types (for example, a local external drive and a cloud service). 1 copy stored offsite (physically separate from your office or in a different cloud region). When you have a clean, recent backup that the ransomware could not reach, recovery becomes a matter of hours instead of months. You wipe the infected machines, reinstall from clean images, restore data from backup, and you are operational again without paying a single rupee to the attacker. Two details make the rule work in practice: at least one copy must be unreachable at the time of the attack (an unplugged drive, or cloud storage with versioning or object lock turned on so that an attacker holding your credentials cannot overwrite or delete it), and you must have actually tested a restore, because a backup that has never been restored is a hope, not a plan.
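The script below is an added example, not part of the original article or any product it names, and shows the half of the 3-2-1 rule most people skip: proving that the backup copy is still the copy you made before you restore it over what is left. It writes a SHA-256 manifest alongside the backup and, at restore time, re-hashes every file and refuses anything that no longer matches. The sample files and the simulated attack on one backup file are constructed; the paths are whatever you pass in.

```python
"""Backup with an integrity manifest and a restore-time check, as a worked version of
the 3-2-1 rule above. The backup records a SHA-256 of every file; before restoring,
each file is re-hashed, and anything that no longer matches (for example because the
backup drive was mounted when the ransomware ran) is refused rather than restored.
Added example, not the page's own tooling; sample data below is constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src: Path, dest: Path) -> dict:
    """Copy the src tree into dest and write a manifest of relative path -> sha256."""
    manifest = {}
    for p in src.rglob("*"):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_of(target)  # hash the copy, not the original
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest

def verify_backup(dest: Path) -> dict:
    """Return {rel_path: 'ok' | 'modified' | 'missing'} against the stored manifest."""
    manifest = json.loads((dest / MANIFEST).read_text())
    report = {}
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.exists():
            report[rel] = "missing"     # renamed to .locked, or deleted
        else:
            report[rel] = "ok" if sha256_of(p) == digest else "modified"
    return report

def restore_backup(dest: Path, target: Path) -> list:
    """Restore only files that verify; return the list of files refused."""
    refused = []
    for rel, state in verify_backup(dest).items():
        if state != "ok":
            refused.append(rel)
            continue
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    return refused

def demo() -> tuple:
    """Build a tiny dataset, back it up, simulate ransomware reaching one backup file,
    then restore. Returns (verify report, refused files, restore behaved correctly)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, rst = Path(tmp, "data"), Path(tmp, "backup"), Path(tmp, "restore")
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "gst_2025.csv").write_text("invoice,amount\n1,5000\n")
        (src / "clients.csv").write_text("name,phone\nAnita,9999999999\n")
        make_backup(src, bak)
        # The backup drive was still mounted during the attack: one file got encrypted.
        (bak / "clients.csv").write_bytes(os.urandom(64))
        report = verify_backup(bak)
        refused = restore_backup(bak, rst)
        good_restored = (rst / "accounts" / "gst_2025.csv").exists()
        bad_kept_out = not (rst / "clients.csv").exists()
        return report, refused, good_restored and bad_kept_out

if __name__ == "__main__":
    print(demo())
```

One caveat the demo makes visible: the manifest lives on the same drive as the backup, so an attacker who can encrypt the backup can also rewrite or delete the manifest. Keep a second copy of the manifest on the other medium (or simply print its few hundred lines for a small business) so that verification does not depend on the thing being verified.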
India's DPDP Act: What SMEs Must Do Now
The Digital Personal Data Protection Act 2023 is no longer a future concern: the Act has been passed and the Rules that bring its obligations into force are being phased in, with a Data Protection Board to enforce them. Most Indian SMEs I speak with either do not know it applies to them or assume it is only for large tech companies. Both assumptions are wrong.
If your business collects any personal data from customers in digital form — names, phone numbers, email addresses, purchase history, payment information — you are classified as a "Data Fiduciary" under the Act. That includes data collected through your website contact form, your WhatsApp Business account, your billing software, your employee HRMS, and your customer relationship management system.
Here is what the Act requires from your business:
Consent management. You must obtain clear, informed consent before collecting personal data. Your privacy policy cannot be buried in a 40-page terms document nobody reads. Consent must be specific to the purpose — if you collected someone's email for order updates, you cannot use it for marketing without separate consent.
Data minimization. Collect only the data you actually need for the stated purpose. If you are a restaurant taking online orders, you need the customer's name, phone number, and delivery address. You do not need their date of birth, Aadhaar number, or employer details.
Purpose limitation. Data collected for one purpose cannot be repurposed without additional consent. Customer data from your billing system cannot be exported to a marketing agency without explicit permission from each customer.
Breach notification. If personal data is compromised, you must inform each affected individual and the Data Protection Board of India without delay, and give the Board the full details (what happened, whose data was affected, what you have done about it) within 72 hours. Separately, CERT-In's 2022 directions require cyber incidents to be reported to CERT-In within six hours of noticing them. Not having a breach response plan is itself a compliance failure, because when you discover a breach at 11 PM on a Friday, you do not have time to figure out who to call and what to report.
Data processing agreements. If you use third-party services that handle your customer data — cloud hosting, CRM platforms, email marketing tools, payment gateways — you need written agreements specifying how they protect and process that data.
Penalties under the DPDP Act go up to Rs 250 crores for significant breaches. While enforcement against small businesses may be gradual, the first penalties against non-compliant companies will set precedents. Getting compliant now is significantly cheaper than scrambling after an enforcement action.
The Virtual CISO: Enterprise Security at SME Prices
A full-time Chief Information Security Officer in India commands a salary of Rs 15-25 lakhs per year for someone competent. For a 20-person company, that is an impossible expense. But the security decisions that a CISO makes — which risks to prioritize, how to allocate the security budget, what to do when an incident occurs — are exactly the decisions that determine whether your business survives an attack.
A virtual CISO provides this expertise on a fractional basis. Instead of a full-time hire, you get a seasoned cybersecurity professional for a fixed number of hours per month, typically at Rs 25,000-50,000 per month depending on scope.
Here is what a virtual CISO engagement typically covers:
Quarterly security audits. A thorough review of your systems, access controls, software patches, network configuration, and backup procedures. The auditor identifies vulnerabilities, ranks them by risk, and provides a prioritized remediation plan your team can execute.
Security policy creation. Written policies for acceptable use, password management, incident response, data handling, and vendor assessment. These documents are not just bureaucratic exercises — they establish the baseline expectations that protect you legally and operationally.
Incident response planning. A documented, tested plan that answers: Who do we call first? How do we contain the breach? Who communicates with customers? What are our legal obligations? When the attack happens at 2 AM, nobody thinks clearly. A pre-built response plan removes the need for clear thinking under pressure.
Employee security training. Quarterly sessions teaching your team to recognize phishing emails, handle sensitive data properly, report suspicious activity, and follow security procedures. Most breaches start with a human mistake — training reduces that risk significantly.
Compliance monitoring. Ongoing verification that your business remains compliant with the DPDP Act, industry-specific regulations, and contractual security requirements from your clients. This is especially important if you serve larger companies that require their vendors to maintain specific security standards.
For a 10 to 50 person company, a virtual CISO is the most cost-effective way to get genuine security leadership without the overhead of a full-time senior hire. It bridges the gap between doing nothing and building an in-house security team.
Frequently Asked Questions
How much does cybersecurity cost for a small business in India?
For a 10-person company, the paid stack described above adds up to roughly Rs 4,000-10,000 per month without a dedicated email filtering layer and Rs 9,000-25,000 with one. That covers endpoint protection at Rs 1,500-3,000 per device annually, email filtering at Rs 500-1,500 per user per month, cloud backup at Rs 500-2,000 monthly, and a password manager at Rs 200-500 per user per month, plus a one-time Rs 5,000-15,000 for a firewall. Adding a virtual CISO for quarterly audits and incident response planning runs Rs 25,000-50,000 per month. Most businesses should start with the free measures (enabling two-factor authentication, auditing admin access, updating all software, and establishing offline backups), which cost nothing and prevent the majority of common attacks.
What should I do if my business is hit by ransomware?
Pull the network cable or switch off Wi-Fi on every affected machine immediately to stop the ransomware from spreading, but do not power them off: forensic data in memory, and sometimes the encryption key itself, can help with recovery and investigation. Photograph the ransom note and keep one encrypted file together with its original name; the extension and the note identify the strain, and for some older families free decryptors exist (the No More Ransom project maintains a list). Report to CERT-In, whose 2022 directions require incidents to be reported within six hours of noticing them, and file a complaint through the national cybercrime helpline (1930) or cybercrime.gov.in. From a clean machine, check whether your backups are intact and were stored on a separate, unconnected system; never plug an offline backup drive into a machine that may still be infected. Engage a cybersecurity incident response professional before making any decisions about negotiating or paying. In most cases, paying is not recommended: roughly 30 percent of paying victims never receive a working decryption key, and payment directly funds the next attack on another business.
Does the DPDP Act apply to small businesses?
Yes. The Digital Personal Data Protection Act 2023 applies to any entity that processes digital personal data of individuals in India, regardless of company size. If you collect customer names, phone numbers, email addresses, or payment details through a website, app, billing software, or even WhatsApp, you are a data fiduciary under the Act. While the government may issue exemptions for certain categories of small businesses in future notifications, no such exemptions have been published yet. Every SME should begin implementing consent management, data minimization, and breach notification processes now rather than waiting for enforcement actions to begin.
Is cyber insurance worth it for SMEs in India?
For businesses handling customer data or processing online payments, yes. Premiums for small businesses typically range from Rs 15,000 to Rs 75,000 per year depending on coverage limits. A single ransomware incident can cost Rs 5-25 lakhs when you account for downtime, data recovery, legal fees, and customer notification. Good policies cover incident response costs, business interruption, legal defense, regulatory fines, and customer notification expenses. Read the exclusions carefully — many policies exclude losses from unpatched known vulnerabilities or incidents where employees lacked documented security training. The insurance is not a substitute for actual security measures; it is a financial safety net for when those measures fail.
How often should a small business do security audits?
Conduct a comprehensive security audit at least once a year. Quarterly vulnerability scans are recommended if your business handles financial transactions or stores sensitive customer data. After any major infrastructure change — migrating to a new cloud provider, deploying a new application, onboarding a new third-party vendor — run a focused assessment of the changed components. Monthly internal reviews of access logs, admin accounts, and software update status catch many issues before they escalate and can be handled without external help. If your business is subject to DPDP Act obligations or serves clients with specific security requirements, your audit frequency may need to increase to meet those standards.