
The Hidden Cost of Ignoring Cybersecurity in India’s SME Sector

India’s small and medium enterprises are going digital. Technology is now at the heart of everyday business, from UPI payments and cloud-based accounting systems to online customer engagement and remote collaboration tools. But while digital adoption has surged, cybersecurity preparedness hasn’t always kept up. 

For years, many SMEs thought cybercriminals were only attracted to large corporations, banks, and government institutions. As businesses of all sizes connect to India’s emerging digital economy, they are also becoming potential targets for fraud, ransomware, data theft and business email compromise.

A routine invoice email. An employee clicks. By the time anyone notices, the money is gone. Many small business owners still believe they are too small to attract cybercriminals – until the morning their UPI account shows a transaction they never authorised.

One reason this shift is important is the sheer scale of India’s digital ecosystem. The UPI network alone processes over 18 billion transactions every month. Any business, no matter how small, that accepts digital payments is part of a huge interconnected network. CERT-In reported nearly 29 lakh cyber incidents in 2025 alone. Many of them did not involve big companies and most never hit the news.

The Landscape Has Changed

For a long time, the assumption held. Cybercriminals targeted big banks and large enterprises, because that’s where the money was. But that landscape has changed drastically.

The shift is not merely technological. As Indian businesses become increasingly dependent on digital payments, cloud-based operations, and online customer engagement, cybersecurity has emerged as a business resilience issue. A cyber incident today can disrupt operations, damage customer trust, and affect relationships with suppliers, lenders, and larger enterprise clients.

The Numbers Behind UPI Fraud

Fraud attempts have been growing almost stride for stride with the rise of digital transactions. According to figures provided by the Finance Ministry in Parliament, over 12 lakh UPI fraud cases were registered in FY25 with losses worth about ₹981 crores. Complaints had crossed the 10 lakh mark within the first few months of FY26 and reported losses were close to ₹800 crores.

Surveys of Indian SMEs consistently show that the majority have had at least one cybersecurity incident in the past year. The exact figures differ from study to study, but the general pattern is difficult to overlook. For many companies, the problem isn’t just avoiding an event. It’s restoring operations, rebuilding trust and managing the financial fallout when one occurs.

How a Typical Attack Unfolds

A compromised email account is one of the most common attack paths. An employee opens an invoice or attachment that seems to be legitimate, giving the attacker access to the organisation’s mailbox. From there, the attack is often more about exploiting routine business processes than sophisticated technology.

In the majority of cases the attacker just waits. In an actual invoice sent to a customer, they alter the payment details and forward it on. The customer gets an invoice that looks normal, pays it, and before anyone notices, the money is in the wrong account. It’s very difficult to get it back.

If customer or vendor records were also accessible through that inbox, the business now has two regulatory timers running simultaneously:

  • CERT-In reporting: A report must be filed within six hours of discovering the incident, under directions that have been in force since 2022.
  • DPDP notification: A detailed report to the Data Protection Board is due within 72 hours under the Digital Personal Data Protection Rules, 2025.

If the business supplies a larger client, that client’s vendor-risk team will also pick up the incident at the next review.
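
An added example, not part of the original article: because the altered invoice described above arrives from the supplier's genuine mailbox, the paying side can catch it by comparing the payment details on each invoice with details verified out-of-band. The vendor record, sender address, account numbers and field labels are constructed for illustration.

```python
import re

# Field labels as used in the constructed invoices below (assumed layout).
FIELDS = {
    "account": re.compile(r"A/c\s*(?:No\.?)?\s*:\s*(\d{9,18})", re.I),
    "ifsc": re.compile(r"IFSC\s*:\s*([A-Z]{4}0[A-Z0-9]{6})", re.I),
    "upi": re.compile(r"UPI\s*(?:ID)?\s*:\s*([\w.\-]+@[A-Za-z]+)", re.I),
}

# Constructed vendor master: details confirmed by phone at onboarding,
# never updated from an emailed request.
VENDOR_MASTER = {
    "billing@acme-supplies.example": {
        "account": "111122223333",
        "ifsc": "ABCD0123456",
        "upi": "acmesupplies@examplebank",
    },
}

def extract_payment_details(text):
    """Pull the labelled payment fields out of invoice text."""
    hits = ((name, rx.search(text)) for name, rx in FIELDS.items())
    return {name: m.group(1) for name, m in hits if m}

def check_invoice(sender, text, master=VENDOR_MASTER):
    """Return findings; an empty list means the details match the master."""
    known = master.get(sender.lower())
    if known is None:
        return ["sender not in vendor master: hold payment"]
    found = extract_payment_details(text)
    if not found:
        return ["no payment details parsed: review manually"]
    return [
        f"{field} changed: expected {known[field]}, invoice says {value}"
        for field, value in found.items()
        if field in known and value.lower() != known[field].lower()
    ]

# Constructed samples: same sender, same layout, different bank details.
GENUINE = "Invoice 1042\nA/c No: 111122223333\nIFSC: ABCD0123456\nUPI ID: acmesupplies@examplebank"
TAMPERED = "Invoice 1042\nA/c No: 999988887777\nIFSC: WXYZ0654321"

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, check_invoice("billing@acme-supplies.example", body))
```

Any finding should hold the payment until the supplier confirms the change on a phone number already on file, not one taken from the email.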

The Regulatory Environment Is Catching Up

In September 2025, CERT-In released the first cybersecurity baseline for MSMEs, based on 15 Elemental Cyber Defence Controls. Two months later the Digital Personal Data Protection Rules, 2025 were notified. Some requirements, such as grievance redress mechanisms, were applied immediately. Organisations have had up to 18 months to change their systems, gain consent where necessary and meet wider compliance requirements.

With the DPDP Rules being rolled out through 2027, and CERT-In’s MSME-specific framework coming into being less than a year ago, expectations for SME cybersecurity are getting more formalised through regulation, compliance requirements and supply-chain scrutiny.

Practical Steps Matter More Than Large Budgets

Most SMEs do not require enterprise-sized budgets to strengthen their cybersecurity posture. The most common problems in assessments are pretty basic: unsupported systems that were never upgraded, shared user accounts nobody remembers creating, exposed remote access services, or backups that exist on paper but have never actually been tested.

For most small and medium-sized enterprises, getting there is less about buying new technology and more about putting structure around what already exists and closing gaps that nobody had a reason to look for before.

Cybersecurity and Business Growth

The digital economy in India is opening up unparalleled opportunities for SMEs to grow, reach new customers and operate more efficiently. But, at the same time, the digital infrastructure that helps drive growth increases exposure to cyber risks.

As expectations grow from regulators, customers, financial institutions and enterprise partners, cybersecurity is shifting from a technical consideration to a fundamental business requirement. Companies that improve their cyber resilience will be better placed to build trust, maintain continuity and engage confidently in an increasingly connected economy.

For SMEs, the question is no longer if cybersecurity matters, but if they are ready for a business environment where resilience, trust and compliance are increasingly linked to growth.

Sources & further reading:

  • CERT-In, “15 Elemental Cyber Defense Controls for MSMEs” (Sept 2025) : cert-in.org.in
  • CERT-In 2025 activity summary : PIB press release, pib.gov.in
  • Digital Personal Data Protection Rules, 2025 : MeitY notification, summarised by EY India
  • UPI fraud data : Finance Ministry response, Lok Sabha/Rajya Sabha, via cyberpeace.org
