Basic Cyber Compliance Guide for Small Businesses in India

Published on: 08-Apr-26


MSMEs contribute about 30% of India’s GDP and are increasingly targeted by cyber‑criminals because they sit on valuable data but have relatively weaker defenses than large enterprises. With most MSMEs using cloud tools, digital payments and application programming interfaces (APIs), a single ransomware attack or data leak can cripple operations, trigger regulatory penalties, and permanently erode customer trust. Recognising this, the Indian Computer Emergency Response Team (CERT‑In) directions and the Digital Personal Data Protection (DPDP) framework, read together, convert cyber hygiene from a “good to have” into a legal and business obligation for small enterprises.

It is imperative to draw attention to Section 70B of the Information Technology Act, 2000, which empowers CERT‑In to issue binding directions on cyber incident reporting and security practices for all entities, including Micro, Small and Medium sized businesses. The CERT‑In directions dated 01.09.2025, titled “15 Elemental Cyber Defense Controls for Micro, Small and Medium Enterprises (MSMEs)”, form a structured checklist of 45 recommendations that every MSME using IT infrastructure must adopt.

As we already know, any MSME that collects or uses digital personal data (customer numbers, email IDs, KYC details, HR data) becomes a “data fiduciary” and must provide notices, obtain valid consent where required, ensure security safeguards, and delete data once the purpose is met. There is no automatic exemption just because the entity is small. In fact, technology‑focused enterprises such as fintech, health‑tech, ed‑tech and telecom‑linked MSMEs are likely to also face RBI, IRDAI, SEBI or TRAI cyber and outsourcing guidelines, on top of CERT‑In and DPDP.

In practice, this means even a two‑partner SaaS start‑up or local logistics firm with a simple CRM must now think about breach reporting timelines, log retention, consent records and third‑party vendor responsibilities.

Let’s look at the CERT‑In guidelines. From 1.09.2025, all Indian MSMEs using IT systems and/or processing customer data must undergo an annual cybersecurity audit by a CERT‑In empanelled auditor, evaluated against 15 elemental controls mapped to 45 specific recommendations. These controls are designed to be technology‑neutral and scalable for both micro and small units. Illustratively, the control domains include the following:

  1. Effective asset management: Maintain an up‑to‑date inventory of all hardware, software and critical information assets, including cloud services and SaaS tools.
  2. Network and email security: Protect routers, Wi‑Fi, firewalls and email systems against unauthorised access, phishing and malware, including secure configurations and spam controls.
  3. Endpoint security and secure configuration: Enforce antivirus/EDR, disable unnecessary services, and standardise hardened configurations on laptops, desktops and servers.
  4. Identity and access management: Strong passwords, multi‑factor authentication, role‑based access, periodic access reviews and immediate de‑provisioning of exiting staff.
  5. Patch and vulnerability management: Regular updates and security patches for operating systems, applications, firewalls and network devices on a defined schedule.
  6. Backup and recovery: Periodic, tested backups of critical systems and data, stored securely and, ideally, offline or in immutable form.
  7. Logging and monitoring: Maintain and retain security logs for at least 180 days, and regularly monitor them to detect suspicious activity and incidents.
  8. Incident response and reporting: Documented playbooks, clear escalation matrix, and alignment with CERT‑In’s incident reporting requirements.
  9. Governance and policy: Appointment of a security lead, documented information security policy, user awareness and periodic training for staff.

As mentioned above, the annual CERT‑In audit is no longer a voluntary maturity exercise. MSMEs must demonstrate implementation of these controls and close gaps identified in the audit report.

Cyber security controls focus on protecting systems. The DPDP framework focuses on how MSMEs collect, use, share and retain personal data. Even a small clinic, coaching centre, online boutique or local restaurant that stores phone numbers or order history is likely to be a “data fiduciary”.

A question I have been asked many times is: what are the key DPDP obligations relevant for MSMEs? The key obligations are listed below:

  1. Lawful basis and consent: Provide clear, simple notices explaining what data is collected, for what purpose and with whom it is shared, and obtain valid consent where required, especially for marketing or non‑essential processing.
  2. Purpose limitation and data minimisation: Collect only what is necessary for the stated purpose and avoid using the same data for unrelated purposes without fresh consent.
  3. Security safeguards: Implement “reasonable security practices”, which, in practice, will heavily overlap with CERT‑In’s elemental controls for MSMEs.
  4. Data subject rights: Put in place basic processes to handle access, correction, grievance and withdrawal of consent requests from customers and employees within defined timelines.
  5. Retention and erasure: Periodically review retention, and delete or anonymise data once the purpose has been achieved or consent is withdrawn, subject to legal retention requirements.

Although penalties under the DPDP Act can technically reach hundreds of crores, regulators have indicated they will likely focus on significant negligence or wilful non‑compliance, not inadvertent first‑time errors by micro‑enterprises. Nevertheless, MSMEs that can show documented policies, consent records, and basic security controls will be in a far stronger position in any investigation or client audit. Needless to say, this will also help them engage with larger enterprises which are serious about these compliances.

Now, let’s address the elephant in the room: where should MSMEs start with limited budgets and manpower? What is needed is a staged roadmap that converts regulatory mandates into manageable action points, as set out in the list below:

1. Classify your MSME and map digital assets

  1. Confirm whether you qualify as Micro, Small or Medium under the MSME Ministry’s investment/turnover thresholds, as the CERT‑In MSME framework is tied to this classification.
  2. Prepare a simple but complete inventory of IT assets (laptops, mobiles, servers, routers), cloud subscriptions (email, CRM, accounting, storage), and critical data stores (customer, HR, financial).

2. Appoint a security lead and adopt baseline policies

  1. Designate an internal security lead (even part‑time) responsible for cyber compliance, audit coordination and incident response.
  2. Draft concise information security, acceptable use, password and BYOD policies, and communicate them to all staff with basic training.

3. Implement the 15 elemental controls pragmatically

  1. Use the CERT‑In MSME guideline PDF as a checklist and prioritise “high impact, low cost” items such as patching, strong authentication, regular backups, and log retention.
  2. Where budgets are tight, rely on built‑in security features of operating systems and cloud tools before investing in premium security suites.

4. Prepare for your annual CERT‑In audit

  1. Engage a CERT‑In empanelled auditor well before the due date and conduct an internal self‑assessment using the 15 controls.
  2. Treat the first audit as a baseline exercise, then maintain an action tracker to implement recommendations over the next 6–12 months.

5. Integrate DPDP compliance into everyday processes

  1. Update website and application privacy notices, consent language, vendor contracts and HR documentation in line with DPDP rules.
  2. Put in place simple workflows, such as email templates and ticketing or spreadsheet tracking, for data access/erasure requests and breach notifications.

For MSMEs, investing even 1% of annual revenue in structured cyber and data protection compliance can unlock enterprise contracts and prevent business‑ending incidents. In a market where larger clients increasingly demand proof of security and DPDP compliance from smaller vendors, cyber compliance becomes a growth enabler, not just a legal checkbox.