A concerning digital reality is emerging for Indian small and medium enterprises (SMEs). According to recent data from the India SME Forum, CERT-In, and DSCI (2024), 74% of SMEs in India reported facing at least one cyberattack in the past year. Yet, only 13% of these enterprises currently have a formal cybersecurity policy in place.
The vulnerability isn’t just theoretical. The fallout from cyber incidents is increasingly permanent. The CERT-In Annual Report reveals that 60% of SMEs that experienced a breach in 2023 failed to recover fully, with many shutting down within six months of the attack. These disruptions impact not just business continuity, but also trust, customer data protection, and investor confidence.
Ransomware, Phishing, and Cloud Missteps Lead the Threat Landscape
The attack surface is broad and expanding. Ransomware continues to be the top threat vector, encrypting data and demanding exorbitant sums from already financially constrained businesses. Phishing attempts—often via fake vendor emails or misleading payment links—have become more sophisticated, targeting financial departments and sales teams.
Insider threats, particularly from disgruntled or unaware employees, remain a persistent risk. Additionally, as SMEs increasingly shift operations to the cloud, many struggle with misconfigurations that expose sensitive data. These missteps often go unnoticed due to the absence of in-house IT teams or robust security frameworks.
The Critical Need for a Structured Cybersecurity Framework
Industry experts point out that SMEs, unlike large enterprises, rarely have dedicated budgets for cybersecurity. Many rely on ad hoc solutions or generic antivirus software, which offer limited protection against advanced threats. This reactive approach leaves them exposed, especially as threat actors now use AI tools to automate and personalise attacks.
A structured, sustainable approach to cybersecurity—tailored to the needs and realities of SMEs—is urgently required. This includes basic yet effective practices like regular employee training, endpoint protection, access controls, backup protocols, and a documented incident response plan. These foundational steps can significantly reduce risk and recovery time after a breach.
Policy support is equally crucial. Several state governments are now evaluating cyber readiness as part of SME incentive programs. Industry bodies such as NASSCOM and DSCI have also launched tailored frameworks for MSMEs, but uptake remains slow due to awareness and cost constraints.
Awareness Isn’t Enough—Execution is Key
The numbers tell a clear story: while Indian SMEs are aware of the rising cyber risks, most have yet to translate that awareness into action. With more digital transformation initiatives underway in sectors like logistics, retail, healthcare, and manufacturing, the risk of cyber incidents will only escalate.
For SMEs to remain resilient and competitive, cybersecurity can no longer be viewed as a luxury or a secondary IT issue. It must be treated as a core pillar of operational sustainability.
