Cybersecurity Checklist for Indian Startups and SMBs 2026

This guide details 25 cybersecurity controls for Indian startups and SMBs, covering DPDP Act 2023 compliance, cloud security, API protection, employee training, and incident response. When a Kochi SaaS company suffered a data breach in October 2025, 8,000 customer records were leaked and ₹18 lakh had to be spent on recovery.

In October 2025, a Kochi SaaS company suffered a breach exposing 8,000 customer records. The DPDP Act was in force. A UK client terminated the contract. Recovery cost ₹18 lakhs. The post-mortem found four basic security controls had been skipped. This 25-point checklist covers those four controls and twenty-one others every Indian startup and SMB must implement in 2026.

India's DPDP Act 2023 and What It Demands from Businesses

India's Digital Personal Data Protection Act 2023 — the DPDP Act — creates formal obligations for any organisation processing personal data of Indian residents. The Act designates such organisations "data fiduciaries" and mandates they implement "reasonable security safeguards" to prevent data breaches. Penalties for non-compliance can reach ₹250 crores for significant violations. Critically, the Act does not specify exact technical controls — it uses the word "reasonable," which means courts and the Data Protection Board will look at what was technically feasible and what the industry norm was at the time of a breach.

This ambiguity creates both risk and opportunity. A business with documented security controls — even basic ones — is in a substantially stronger legal position than one that implemented nothing. The 25 controls in this guide represent the current industry baseline for Indian startups and SMBs. Implementing all 25 and documenting the effort constitutes a defensible "reasonable safeguards" posture under the DPDP Act.

Category 1 — Identity and Access Management

Every breach investigation in the Indian startup ecosystem in 2024-25 traced the initial compromise either to stolen credentials or to overly permissive access. These five controls address both vectors.

  1. MFA on all admin accounts without exception. Google Workspace, AWS IAM, Azure Active Directory, GitHub, Vercel, Cloudflare — every admin panel gets MFA enabled. NCSC UK data shows MFA prevents 99.9% of credential-based account takeovers. This is non-negotiable for any startup serving enterprise clients.
  2. Principle of least privilege enforced at all levels. Developers working in staging environments must not have access to production databases. Customer support staff must not have access to the raw database — only a sanitised read view. Junior engineers must not have IAM administrator rights. Audit access levels every quarter and revoke anything that is not actively required.
  3. Service account credentials rotated every 90 days; no hardcoded secrets in code. Hardcoded API keys and passwords in source code repositories are the single most common cause of cloud account compromise in Indian startups. Move all secrets to AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault. GitHub's secret scanning alerts (free on public repositories) help catch accidental commits.
  4. Single Sign-On (SSO) for all SaaS tools. Every SaaS tool your team uses — Slack, Notion, Jira, Figma, Loom — should authenticate through your central identity provider (Google Workspace or Okta). This means a departing employee's access to all tools is revoked by disabling one account, not by individually revoking 15 separate tool accounts.
  5. Offboarding checklist with 24-hour revocation requirement. Employee departures, especially involuntary ones, are the most common cause of insider threat incidents. Create a formal offboarding checklist: revoke email access, SSO account, VPN, physical access, shared passwords, and any personally-held MFA devices within 24 hours of departure confirmation.

Category 2 — Data Protection

DPDP Act compliance begins with knowing where your personal data lives and ensuring it is encrypted everywhere. These five controls form the foundation of a defensible data protection posture.

  1. Encryption at rest for all databases. PostgreSQL supports column-level encryption through the pgcrypto extension and Transparent Data Encryption on managed services (AWS RDS, Google Cloud SQL). MySQL supports InnoDB tablespace encryption. Enable it — there is no meaningful performance overhead for typical startup workloads, and it makes a stolen database backup unreadable without the key.
  2. Encryption in transit: TLS 1.2 minimum everywhere. All APIs must serve HTTPS only — never mixed content. Enable HSTS (HTTP Strict Transport Security) headers with a minimum 1-year max-age. Disable TLS 1.0 and 1.1 on all servers. Test with SSL Labs to confirm your TLS configuration achieves an A rating.
  3. Data classification: map which data is personal, which is sensitive. DPDP creates different obligations for "personal data" (name, email, phone) versus "sensitive personal data" (financial data, health data, biometric data). Build a simple data map — a spreadsheet listing each database table, which columns contain personal or sensitive personal data, and who has access. This is the first document the Data Protection Board would request in an audit.
  4. Backup encryption and cross-region storage. Backups are routinely overlooked as a security control. Encrypt all database backups with a key separate from the production key. Store backups cross-region — AWS S3 in ap-south-1 (Mumbai) with Glacier lifecycle and a secondary copy in ap-southeast-1 (Singapore). An encrypted backup in a second region protects against ransomware and catastrophic data centre failure simultaneously.
  5. Data retention policies aligned with DPDP consent periods. The DPDP Act requires that personal data be deleted or anonymised when the purpose for which it was collected has been fulfilled. Define retention periods for each data category: active user data retained while the account is live, inactive user data reviewed after 2 years, deleted account data purged within 90 days. Document these policies and implement automated deletion jobs.
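An automated retention job implementing the schedule above (deleted account data purged within 90 days, inactive accounts flagged for review after 2 years), added here as an example and not code from the original guide; the users table, its columns and the sample rows are constructed assumptions.

```python
"""Retention job for the Category 2 schedule: deleted accounts purged
90 days after deletion, live accounts with no login for 2 years flagged
for review.  The users table, its columns and the sample rows are
constructed assumptions; a real job would run against the production DB."""
import sqlite3
from datetime import datetime, timedelta

PURGE_AFTER = timedelta(days=90)        # deleted account data purged within 90 days
REVIEW_AFTER = timedelta(days=365 * 2)  # inactive user data reviewed after 2 years

# Constructed sample rows: (id, email, status, last_login, deleted_at), ISO dates.
SAMPLE_USERS = [
    (1, "a@example.in", "active", "2026-01-10", None),
    (2, "b@example.in", "active", "2023-11-01", None),          # no login for > 2 years
    (3, "c@example.in", "deleted", "2025-06-01", "2025-09-01"),  # deleted > 90 days ago
    (4, "d@example.in", "deleted", "2025-12-01", "2026-01-20"),  # deleted recently, keep
]


def build_sample_db():
    """In-memory SQLite table standing in for the production users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
                 "status TEXT, last_login TEXT, deleted_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def run_retention(conn, now_iso):
    """Apply the schedule as of now_iso (YYYY-MM-DD). Returns (purged_ids, review_ids)."""
    now = datetime.fromisoformat(now_iso)
    purge_before = (now - PURGE_AFTER).strftime("%Y-%m-%d")
    review_before = (now - REVIEW_AFTER).strftime("%Y-%m-%d")
    # ISO dates compare correctly as strings, so the cut-offs can be bound directly.
    purged = [r[0] for r in conn.execute(
        "SELECT id FROM users WHERE status = 'deleted' AND deleted_at <= ?", (purge_before,))]
    conn.execute("DELETE FROM users WHERE status = 'deleted' AND deleted_at <= ?", (purge_before,))
    # Inactive live accounts are only flagged: the policy says review, not delete.
    review = [r[0] for r in conn.execute(
        "SELECT id FROM users WHERE status != 'deleted' AND last_login <= ?", (review_before,))]
    conn.commit()
    return purged, review


def demo(now_iso="2026-02-01"):
    """Run the job on the sample table; returns (purged, review, rows_remaining)."""
    conn = build_sample_db()
    purged, review = run_retention(conn, now_iso)
    remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return purged, review, remaining


if __name__ == "__main__":
    print(demo())
```

Keep a log of each run (ids purged, ids flagged) alongside the data map from control 3; that record is the evidence of the retention policy actually being enforced.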

Category 3 — Application Security

Indian startups that have shipped software quickly — and nearly all have — accumulate security debt in their codebases. These five controls address the most exploited vulnerability categories in Indian SaaS applications.

  1. SAST on every pull request. Static Application Security Testing tools scan source code for common vulnerabilities before they reach production. Semgrep (open source, free for teams under 10) and SonarQube Community Edition both integrate with GitHub, GitLab, and Bitbucket. Configure as a required check — a PR with high-severity findings cannot be merged.
  2. Dependency scanning for vulnerable packages. npm, PyPI, and Maven packages are updated constantly as vulnerabilities are discovered. Snyk (free tier for open source projects) and GitHub Dependabot (free for GitHub repositories) automatically scan your dependencies against the CVE database and open pull requests to upgrade affected packages. Enable one of these today — the setup takes under 30 minutes.
  3. OWASP Top 10 review on every new API endpoint. Before shipping a new API, have a senior developer review it against the OWASP Top 10 for APIs: broken object-level authorisation, SQL injection, SSRF (server-side request forgery), broken authentication, and improper inventory management (undocumented endpoints). This review should be a formal ticket, not an informal check.
  4. API rate limiting and DDoS protection at minimum Cloudflare free tier. Every public-facing API must have rate limiting — without it, a single script can exhaust your database connection pool in minutes. Cloudflare's free tier provides basic DDoS protection and rate limiting sufficient for early-stage startups. Paid tiers add WAF rules and bot management for production SaaS products.
  5. Annual penetration test by a CERT-In empanelled auditor. CERT-In (Indian Computer Emergency Response Team) empanels security audit firms that meet government-approved standards. An annual penetration test by one of these firms is required for IT/ITeS companies seeking government contracts and is increasingly demanded by enterprise clients. Budget ₹80,000-2,50,000 depending on application scope and number of API endpoints.

Category 4 — Infrastructure Security

Misconfigured cloud infrastructure causes more Indian startup breaches than sophisticated attacks. These five controls address the most common cloud security misconfigurations seen in Kerala IT companies.

  1. Cloud Security Posture Management enabled. AWS Security Hub, GCP Security Command Center, and Azure Security Center continuously scan your cloud configuration against security best practices and compliance frameworks. They flag publicly exposed S3 buckets, overpermissive IAM roles, and unencrypted resources automatically. Enable the relevant service for your cloud — AWS Security Hub costs approximately ₹2,000-4,000/month for a typical startup workload.
  2. Web Application Firewall in front of all production APIs. A WAF inspects HTTP traffic and blocks common attack patterns — SQLi, XSS, malicious bots — before they reach your application. AWS WAF, Cloudflare WAF, and GCP Cloud Armor are the primary options. Even the basic Cloudflare managed ruleset blocks the majority of automated attack traffic.
  3. VPC with private subnets for databases — no direct internet exposure. Your RDS instance, Cloud SQL database, or Elasticsearch cluster must never be directly reachable from the public internet. Place all databases in private subnets within a VPC (Virtual Private Cloud). Applications reach the database from inside the VPC (or over VPC peering from another VPC); a NAT gateway gives the private subnet outbound-only access for patches and updates, so there is never an inbound path from the internet to the database. This single architectural decision would have prevented a significant percentage of Indian startup database breaches.
  4. Security groups and firewall rules reviewed quarterly. Security groups accumulate overly permissive rules over time — a developer opens port 22 to 0.0.0.0/0 for a debugging session and the rule never gets removed. Schedule a quarterly review of all security group rules. Use AWS Config or GCP Org Policy to alert on port 22/3389 open to the internet.
  5. Log aggregation with anomaly alerting. Logs that nobody reads are security theatre. Aggregate application and infrastructure logs into CloudWatch Logs (AWS), Cloud Logging (GCP), or a centralised Grafana Loki instance. Create alerts for: failed login attempts exceeding 10 per minute, unusual IAM activity outside business hours, and API error rates spiking above baseline. These three alerts catch the majority of active attacks in progress.
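The first two alerts from control 5 (failed logins above 10 per minute from one source, IAM activity outside business hours) as detection logic over aggregated log lines, added here as an example and not code from the original guide; the JSON-lines format, field names, the 09:00-19:00 IST business window and the log sample are all constructed assumptions.

```python
"""Two of the three Category 4 alerts, run over aggregated logs: failed
logins above 10 per minute from one source, and IAM changes outside
business hours.  The JSON-lines format, the field names, the
09:00-19:00 IST business window and the log sample are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
FAILED_LOGIN_LIMIT = 10   # per source IP per minute; alert when exceeded
BUSINESS_HOURS = (9, 19)  # 09:00 to 19:00 IST; IAM changes outside this window alert


def _line(ts, event, **fields):
    return json.dumps({"ts": ts, "event": event, **fields})


# Constructed sample: 12 failures from one address inside one minute, 3 from
# another, an IAM key creation at 02:15 IST and a policy change at 11:00 IST.
SAMPLE_LOG = "\n".join(
    [_line(f"2026-01-14T10:05:{s:02d}+05:30", "auth.failed", src="203.0.113.9") for s in range(12)]
    + [_line(f"2026-01-14T10:05:{s:02d}+05:30", "auth.failed", src="198.51.100.4") for s in range(3)]
    + [_line("2026-01-14T02:15:03+05:30", "iam.CreateAccessKey", user="deploy-bot"),
       _line("2026-01-14T11:00:00+05:30", "iam.AttachUserPolicy", user="cto")]
)


def parse(log_text):
    """Yield one dict per log line with ts normalised to an aware IST datetime."""
    for raw in log_text.splitlines():
        rec = json.loads(raw)
        rec["ts"] = datetime.fromisoformat(rec["ts"]).astimezone(IST)
        yield rec


def detect(log_text):
    """Return alert strings; an empty list means neither rule fired."""
    alerts = []
    failures = defaultdict(int)  # (source IP, minute bucket) -> failed login count
    for rec in parse(log_text):
        if rec["event"] == "auth.failed":
            minute = rec["ts"].replace(second=0, microsecond=0)
            failures[(rec["src"], minute)] += 1
        elif rec["event"].startswith("iam."):
            hour = rec["ts"].hour
            if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
                alerts.append(f"iam_after_hours {rec['event']} by {rec['user']} at {rec['ts'].isoformat()}")
    for (src, minute), count in failures.items():
        if count > FAILED_LOGIN_LIMIT:
            alerts.append(f"failed_logins {src} {count}/min at {minute.isoformat()}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same bucketing approach (count per key per minute, compare against a fixed threshold) carries over directly to the third alert, API 5xx rates against a recorded baseline.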

Category 5 — Process and Compliance

Technical controls fail without supporting processes. These five controls address the organisational and procedural requirements that the DPDP Act and enterprise clients increasingly scrutinise during vendor assessments.

  1. Written security incident response plan with defined breach notification timelines. The DPDP Act requires notification to the Data Protection Board within 72 hours of becoming aware of a personal data breach. Your incident response plan must define: who decides whether a breach is reportable, who drafts the regulatory notification, who communicates with affected customers, and who manages external PR. This plan must be written, rehearsed annually, and accessible to key personnel offline.
  2. Annual phishing simulation and security awareness training. Over 80% of Indian startup breaches originate with a phishing email — a fake invoice, a fake Google login page, a fake urgent message from the CEO. KnowBe4 and Proofpoint both offer free phishing simulation tools. Run one simulated phishing campaign per quarter. Track click rates and mandate training for staff who click.
  3. Vendor security assessment for all data processors. The DPDP Act extends security obligations to "data processors" — vendors and contractors who process personal data on your behalf. Every cloud service provider, analytics platform, and third-party integration that receives your customer data needs a security assessment. For major vendors, review their SOC 2 Type II report. For smaller vendors, send a short security questionnaire covering MFA, encryption, and breach notification commitments.
  4. Penetration test finding remediation tracked to closure. A penetration test report filed in a shared drive and never acted upon is worse than no test — it creates documentary evidence that you knew about vulnerabilities and failed to fix them. Every finding from a pen test must be tracked in JIRA, Linear, or a similar project management tool with assigned owners, severity-based SLAs (critical: 7 days, high: 30 days, medium: 90 days), and sign-off from the CTO when closed.
  5. Designate a security-responsible person for DPDP grievance redressal. The DPDP Act requires significant data fiduciaries to appoint a formal Data Protection Officer. For smaller Kerala IT companies below this threshold, the practical equivalent is designating a named person — typically the CTO or a senior engineer — as the security and privacy contact. This person's details must be published on your privacy policy page and be reachable for DPDP-mandated grievance redressal within 30 days.

Kerala IT Exports and International Contract Requirements

These 25 controls are not just about DPDP compliance — they are increasingly a prerequisite for Kerala IT companies competing for international contracts. UK NHS Digital supplier onboarding now requires evidence of Cyber Essentials Plus equivalent controls. Australian government ICT contracts since 2025 reference the Australian Cyber Security Centre's Essential Eight framework. Both frameworks align closely with the controls listed here.

Kerala IT companies at Technopark, Infopark, and Cyberpark that have implemented documented security controls are reporting materially shorter enterprise sales cycles — security questionnaires that previously took 4-6 weeks now complete in under a week when all documentation is prepared. For practical guidance on securing your cloud infrastructure alongside these controls, see the cloud migration guide for Indian SMEs. For a broader view of your security posture, the cybersecurity consulting service covers full security assessments aligned to DPDP requirements.

Frequently Asked Questions

Is a small Kerala IT company required to appoint a Data Protection Officer under India's DPDP Act?

Under India's Digital Personal Data Protection Act 2023, the formal Data Protection Officer requirement applies to "significant data fiduciaries" — a category to be defined by the central government based on volume and sensitivity of data processed. As of 2026, formal DPO appointment is mandatory for large tech companies and those processing sensitive personal data at scale. However, even smaller Kerala IT companies that process personal data of Indian residents (customer names, emails, phone numbers, payment information) must implement "reasonable security safeguards" and designate a contact person for grievance redressal. The practical approach for Kerala SMEs: designate an internal security contact (CTO or senior developer), implement the basic 25 controls listed in this guide, and document your security measures — this constitutes a defensible compliance posture without formal DPO appointment cost.

What is the most critical cybersecurity control for a Kerala SaaS startup serving UK or Australian clients?

Multi-factor authentication on all administrative accounts is consistently identified as the single most impactful cybersecurity control for Indian startups serving international clients. NCSC UK research shows that MFA alone prevents 99.9% of account compromise attacks. UK Cyber Essentials Plus certification (often required for NHS Digital contracts) and Australian Essential Eight both list MFA as a foundational control. For a Kerala SaaS startup prioritising UK/Australia contracts: implement MFA first (Google Workspace, AWS IAM, GitHub), enforce it for all team members, then work through the other controls. The second most critical for export software companies is dependency scanning — vulnerable open-source packages are the most common initial compromise vector in supply chain attacks targeting Indian IT companies.

How much does it cost to implement basic cybersecurity controls for a 15-person Kerala startup?

Implementing the 25 essential cybersecurity controls for a 15-person Kerala startup costs approximately ₹1.5-3 lakhs for initial setup plus ₹50,000-1,20,000 annually for ongoing tools and services. Major cost components: MFA via Google Workspace or Microsoft 365 (already included in productivity suite costs), Snyk free tier for dependency scanning (₹0 for open source projects), Cloudflare free tier for DDoS protection and WAF (₹0 basic level), AWS Security Hub (~₹3,000/month on AWS), and an annual penetration test by a CERT-In empanelled firm (₹80,000-2,50,000 depending on scope). The largest single investment is the annual penetration test — necessary for government contracts and enterprise clients. Total annual security budget of ₹1.5-2.5 lakhs is appropriate for a 15-person Kerala IT company with client data obligations.