Half of India's SMEs Hit by Cyber Attacks in 2025: Survey
A new survey shows that nearly 50% of Indian small and medium enterprises faced cyber incidents during 2025, highlighting growing security vulnerabilities in the SME sector.
Nearly Half of Indian SMEs Face Cyber Threats
A significant cybersecurity crisis is unfolding across India's small and medium enterprise (SME) sector. New survey data reveals that close to half of all Indian SMEs experienced cyber incidents during 2025, underscoring a critical gap in digital security preparedness among the country's backbone businesses.
The findings paint a sobering picture for India's 6.3 crore registered MSMEs, which collectively contribute roughly 30% of GDP and employ over 11 crore people. As these enterprises digitise operations—from accounting to customer management—they've become increasingly vulnerable to cyber threats ranging from ransomware to phishing attacks.
What the Survey Reveals
The survey data indicates that cyber incidents are no longer rare occurrences but commonplace challenges for SME operators. The breadth of the problem suggests systemic weaknesses in how smaller businesses approach cybersecurity infrastructure and employee training.
Common Threat Types
SMEs reported facing diverse cyber threats, including:
- Ransomware attacks targeting critical business data
- Phishing emails designed to steal credentials and financial information
- Malware infections affecting operational continuity
- Unauthorised data access and breaches
- Business email compromise (BEC) schemes
The prevalence of these incidents reflects both the attractiveness of SMEs as targets—often perceived as having weaker defences than large corporations—and the limited resources many smaller businesses dedicate to cybersecurity.
Why SMEs Remain Vulnerable
Resource Constraints
Most Indian SMEs operate with lean IT teams or outsourced IT support. Unlike multinational corporations with dedicated Chief Information Security Officers (CISOs) and comprehensive security operations centres, many SMEs lack the budget, expertise, and headcount to implement enterprise-grade cybersecurity measures. A typical small business might have one IT person managing everything from network maintenance to security, leaving gaps in threat detection and response.
Legacy Systems and Outdated Software
Many SMEs continue operating on older software versions and legacy systems that lack modern security patches. The cost of upgrading can be prohibitive, leaving businesses exposed to known vulnerabilities that cybercriminals routinely exploit. This technical debt compounds over time, creating an expanding attack surface.
Low Security Awareness
Employee training often takes a back seat in resource-constrained organisations. Without regular cybersecurity awareness programmes, staff remain susceptible to social engineering attacks. A single employee clicking a malicious link or sharing credentials can compromise an entire organisation's network.
Supply Chain Exposure
SMEs frequently lack visibility into their supply chain partners' security practices. Larger enterprises often demand security compliance from vendors, but smaller businesses may overlook this critical control point and so become indirect targets because of their relationships with more attractive organisations.
Financial and Operational Consequences
Cyber incidents impose substantial costs beyond the attack itself. An SME hit by ransomware may suffer business interruption for days or weeks, leading to lost revenue and damaged customer relationships. Recovery expenses—including forensic investigation, system restoration, and potential ransom payments—can exceed a small business's annual IT budget.
The reputational damage is equally significant. Indian consumers and B2B partners increasingly expect businesses to safeguard their data. A single breach can erode customer trust built over years, pushing business to competitors perceived as more secure.
Regulatory consequences have also intensified. India's Digital Personal Data Protection Act, 2023, establishes clear obligations for data handling and breach notification. Non-compliance can result in penalties and legal liability, adding another dimension to cybersecurity costs.
Steps SMEs Can Take Now
Foundational Security Measures
SMEs need not spend crores to significantly improve their security posture. Basic measures often prevent the majority of common attacks:
- Multi-factor authentication (MFA) on all critical systems, especially email and financial software
- Regular backups stored offline or in secure cloud environments to protect against ransomware
- Software updates applied promptly across all devices and applications
- Password management using reputable password managers instead of spreadsheets or sticky notes
- Network segmentation to limit an attacker's lateral movement if they breach one system
Building a Security Culture
Low-cost or free resources can support employee training. Government bodies like DSCI (Data Security Council of India) and private organisations offer cybersecurity awareness materials tailored for small businesses. Regular phishing simulation exercises help staff recognise social engineering attempts.
Seeking External Support
Many industry associations and government agencies offer subsidised cybersecurity assessments for SMEs. Managed security service providers (MSSPs) now offer scalable, affordable solutions where businesses pay per device rather than maintaining in-house expertise. Cloud security tools have also become accessible at reasonable price points.
The Road Ahead
The survey results serve as a wake-up call for India's SME ecosystem. Policymakers, industry bodies, and technology vendors must collaborate to democratise cybersecurity. Subsidised training programmes, affordable insurance products, and simplified compliance frameworks can help level the playing field.
For individual SME leaders, the message is urgent: cybersecurity is no longer optional or a cost centre to minimise. It's a business imperative that directly affects profitability, survival, and growth. The time to act is now, before an incident forces painful, expensive decisions.
FAQs
What percentage of Indian SMEs faced cyber incidents in 2025?
According to the survey, nearly half (approximately 50%) of Indian small and medium enterprises experienced cyber incidents during 2025.
What are the most common types of cyber attacks on Indian SMEs?
Common threats include ransomware, phishing emails, malware infections, unauthorised data access, and business email compromise (BEC) schemes.
Why are Indian SMEs particularly vulnerable to cyber attacks?
SMEs typically have limited IT budgets, smaller security teams, outdated legacy systems, lower employee security awareness, and weaker supply chain visibility compared to large enterprises.
What basic steps can SMEs take to improve cybersecurity?
Implement multi-factor authentication, maintain regular offline backups, apply software updates promptly, use password managers, segment networks, and conduct employee phishing awareness training.
What is the financial impact of cyber incidents on SMEs?
Beyond direct costs like ransoms and forensics, SMEs face business interruption losses, reputational damage, customer churn, and regulatory penalties under India's Digital Personal Data Protection Act, 2023.