The Cybersecurity Playbook for Indian SMEs

Interview with Dr. Pattathil Dhanya Menon, Director, AVZ Cybersecurity Solutions

As Indian SMEs embrace digital transformation, cybersecurity risks and regulatory requirements have become increasingly critical challenges. Many SMEs struggle due to limited IT resources and legal expertise, leaving them exposed to cyber threats and compliance lapses.

We spoke with Dr. Pattathil Dhanya Menon, a seasoned Cyber Crime Investigator, to explore the common pitfalls SMEs face, practical ways to embed data protection, and how MSMEs can effectively handle legal responsibilities after a cyberattack.

As digital transformation accelerates among SMEs, what are the most common legal and compliance blind spots you observe in their approach to cybersecurity?

One of the most common challenges I see among SMEs is a lack of awareness about important regulations like the Information Technology Act 2000 and the Digital Personal Data Protection Act 2023. Many are also unfamiliar with sector-specific guidelines issued by regulators such as RBI, SEBI, and IRDAI. This often leads to insufficient implementation of what the law calls ‘reasonable security practices’ under Section 43A of the IT Act, leaving sensitive data inadequately protected. Additionally, quite a few SMEs do not have a proper incident response plan in place, which is critical to managing and reporting cybersecurity incidents to agencies like CERT-In within the mandated six-hour window.

On top of that, SMEs frequently overlook the importance of robust data protection and privacy measures, especially in light of the DPDPA’s requirements for protecting digital personal data. This gap becomes even more significant in regulated sectors such as banking, insurance, and telecom, where organizations may fail to meet specific cybersecurity guidelines issued by authorities like RBI, IRDAI, and TRAI, thereby increasing their vulnerability to cyber risks.

In your view, how can Indian SMEs practically integrate data protection best practices into daily business operations, especially when they operate with limited legal and IT support?

The first step for any SME is to understand its data footprint. Many businesses collect extensive personal data from customers and employees alike but often lack clarity on what data they hold, where it’s stored, and who has access. Conducting a simple, even manual, data mapping exercise can provide valuable insights and form the foundation for effective protection.

Next, automating consent and privacy management is critical under regulations like the DPDP Act. Manual consent processes are prone to errors and difficult to maintain for small teams. Using user-friendly platforms to manage consent and clearly communicate privacy policies helps ensure compliance without overwhelming resources.

Creating a culture of security awareness is just as important. Since human error is a leading cause of breaches, SMEs should invest in regular, concise training that covers strong password habits, phishing awareness, and safe data handling. Training should be accessible and engaging, especially for non-technical staff.

On the technical side, SMEs need intelligent, automated security solutions that operate with minimal oversight, such as endpoint protection, encrypted cloud backups, and strict access controls. These ‘set-and-forget’ tools leverage AI to detect threats and automate patching, protecting the business without disrupting daily work.

Finally, incident response preparation is key. Having a straightforward plan for identifying, reporting, and containing breaches can greatly reduce damage. Access to rapid response support can help SMEs with limited IT resources respond effectively.

In essence, protecting data is about making informed choices, adopting smart technologies, and fostering a proactive mindset. This approach enables SMEs to meet compliance requirements while building trust and resilience in an increasingly digital landscape.

With cybercrimes becoming more targeted and sophisticated, how can MSMEs better understand their legal responsibilities and rights in the aftermath of a cyberattack?

The DPDP Act, 2023 serves as the primary legal framework for MSMEs handling personal data. As ‘Data Fiduciaries’ or ‘Data Processors,’ MSMEs have clear obligations, especially when it comes to personal data breaches. The Act broadly defines a breach as any unauthorized or accidental access, disclosure, or loss of personal data that compromises its confidentiality, integrity, or availability. This includes ransomware attacks or even accidental emails to wrong recipients.

One of the most critical responsibilities is timely notification. MSMEs must inform the DPBI and affected individuals, explaining the breach’s nature, data involved, and mitigation steps taken. While notification timelines are still being finalized, compliance is vital to avoid penalties that can be as high as ₹250 crore.

Alongside the DPDP Act, MSMEs must comply with CERT-In directives, which mandate reporting specified cyber incidents within six hours, a demanding but necessary requirement that emphasizes the need for a clear incident response plan. The types of incidents include unauthorized access, ransomware, denial of service attacks, and data breaches. Often, MSMEs face dual reporting duties to both CERT-In and DPBI.

MSMEs also have rights: the ability to conduct forensic investigations to understand and contain breaches, to restore operations using backups, and to seek legal counsel to navigate liabilities and recovery. Cyber insurance is another valuable tool to cover breach-related costs.

Practically, MSMEs should immediately activate a streamlined incident response plan, isolate affected systems without tampering, assess breach impact, notify authorities and affected individuals promptly, and focus on remediation and recovery. Post-incident analysis is essential to identify weaknesses and prevent future breaches.

In today’s environment, cyberattacks are inevitable, making proactive planning and regulatory compliance crucial for MSMEs to respond effectively and emerge resilient.

Do you see a growing awareness among SMEs around data privacy laws like the Digital Personal Data Protection Act (DPDPA)? What steps should they take now to stay compliant and prepared?

Yes, awareness about data privacy laws like the DPDPA is growing among SMEs, but many still overlook practical compliance steps. They should start with a mini data audit to know what personal data they collect and store. Updating privacy policies to clearly outline data practices and consent is crucial. Strengthening consent with explicit opt-ins and easy withdrawal options is essential. SMEs must implement reasonable security measures such as encryption and access controls, establish simple breach response plans, train employees on data handling, and ensure third-party vendors comply with DPDPA requirements.

What role do you believe cyber law education and regulatory literacy play in building a truly secure SME ecosystem in India and where are the biggest awareness gaps today?

In my experience, effective cybersecurity awareness for SMEs comes through well-structured training and workshops on relevant laws and security practices. Utilizing government programs by CERT-In and MeitY can amplify these efforts significantly. Furthermore, fostering a culture where SMEs share resources and threat intelligence creates stronger collective resilience and helps businesses stay ahead of cyber threats.

Dr. Pattathil Dhanya Menon’s insights underscore that cybersecurity and legal compliance are fundamental to the success and sustainability of Indian SMEs. By understanding regulations, mapping their data, automating consent, building security awareness, deploying smart technologies and preparing incident response plans, SMEs can safeguard themselves against evolving threats and regulatory challenges.

In today’s digital economy, proactive cybersecurity and compliance aren’t optional; they are business imperatives. Indian SMEs that act now will build trust, resilience, and a foundation for future growth.
