How to protect your company from a cyber attack
Cyber attacks on Indian SMEs have risen sharply. You don't need to be a large enterprise to be a target — in fact, mid-sized companies are often preferred targets precisely because they have valuable data but weaker security than large enterprises.
The most common attack vectors against Indian SMEs: phishing emails (someone clicks a link and gives credentials), compromised passwords (weak or reused passwords across services), ransomware delivered via email attachments, and insider threats (disgruntled or departing employees).
Your minimum security posture — implementable without a cybersecurity team:
Enable multi-factor authentication (MFA) on every cloud service (Google Workspace, Microsoft 365, banking, and HR tools). This single action prevents the majority of account takeover attacks.
Use a password manager (1Password or Bitwarden for teams) — this eliminates weak and reused passwords.
Back up your data daily to a separate location — if you're hit with ransomware and have yesterday's backup, you have negotiating leverage.
Train your team to recognise phishing — do a simulated phishing test; the results will surprise you.
Control access: departing employees' accounts should be disabled on their last day, not whenever someone remembers to do it.
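Two of these controls can be checked on a schedule instead of from memory: MFA on every account, and leaver accounts disabled by the last day. The script below is an added example, not part of the original article; the CSV column names and the sample rows are constructed assumptions standing in for whatever your admin consoles and HR tool export.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions, not any vendor's format.
ACCOUNTS_CSV = """email,service,mfa_enabled,status
asha@example.com,workspace,true,active
asha@example.com,banking,false,active
ravi@example.com,workspace,true,active
ravi@example.com,hr_tool,true,disabled
meera@example.com,workspace,false,active
"""

LEAVERS_CSV = """email,last_working_day
ravi@example.com,2024-03-15
meera@example.com,2024-04-30
"""


def load(text):
    """Parse CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(accounts, leavers, today):
    """Return (active accounts lacking MFA, leaver accounts active past the last day)."""
    last_day = {r["email"].strip().lower(): date.fromisoformat(r["last_working_day"])
                for r in leavers}
    no_mfa, stale = [], []
    for a in accounts:
        email = a["email"].strip().lower()
        if a["status"].strip().lower() != "active":
            continue  # a disabled account needs neither check
        key = (email, a["service"])
        if a["mfa_enabled"].strip().lower() != "true":
            no_mfa.append(key)
        # Accounts should be disabled on the last day, so any still active after it is flagged.
        if email in last_day and today > last_day[email]:
            stale.append(key)
    return sorted(no_mfa), sorted(stale)


if __name__ == "__main__":
    no_mfa, stale = audit(load(ACCOUNTS_CSV), load(LEAVERS_CSV), date(2024, 4, 1))
    for email, service in no_mfa:
        print(f"MFA missing: {email} on {service}")
    for email, service in stale:
        print(f"Still active after last day: {email} on {service}")
```

Run it against fresh exports each week; an empty report for both lists is the target state.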
Have an incident response plan. If you are attacked, what do you do in the first hour? Who do you call? What do you shut down? Most companies figure this out during the attack, which is the worst time. Write a one-page plan before you need it.
Cyber insurance is increasingly worth considering for companies above ₹5Cr revenue. It covers costs of breach investigation, regulatory notification, and business interruption.