Small and medium-sized enterprises are facing a growing threat from cyberattacks, especially ransomware, due to limited resources and weak cybersecurity defences.
A recent study by the India SME Forum shows that 60% of India's SMEs experienced cyberattacks in the past year, with 45% leading to ransom payments. Pankit Desai of cybersecurity firm Sequretek notes that many SMEs are unprepared for these threats, and while cyber insurance is on the rise, it often falls short in coverage and effectiveness.
Chandrakant Salunkhe of the SME Chamber of India highlights that sectors like healthcare, finance, manufacturing, and retail are particularly vulnerable. While manufacturing SMEs are hit for intellectual property theft, retail SMEs are susceptible to payment fraud and data breaches. Desai highlights that even after ransom payments, recovery isn't always foolproof, with stolen data potentially being leaked on the dark web.
The Rise And Limits Of Cyber Insurance
As cyberattacks increase, more SMEs are turning to cyber insurance. Vikas Bansal, Partner at IT Risk Advisory and Assurance at BDO India, said, "Many SMEs underestimated their vulnerability, believing they were insignificant targets."
A Deloitte estimate from October 2023 places the cyber insurance market at $50-60 million (Rs 350-500 crore) in India, which is expected to grow at a compounded annual growth rate of 27-30% over the next few years.
While cyber insurance offers a lifeline, covering some costs associated with ransomware attacks, it often falls short of addressing all damages. Desai of Sequretek mentions that most policies leave it to SMEs to bear any additional costs. Salunkhe adds that uncertainty around coverage and high premiums make many hesitant to fully embrace insurance as a safety measure.
The effectiveness of cyber insurance is further limited by pre-existing vulnerabilities in the SME's systems. Bansal explains that, similar to health insurance, cyber insurance may not cover attacks exploiting unpatched systems. Comprehensive security testing and remediation are essential to ensure coverage, but many SMEs overlook these steps.
Phishing remains a primary avenue for attacks, with many SMEs failing to adequately train employees to recognize threats. According to Bansal, SMEs are making efforts to introduce multi-factor authentication and other cybersecurity tools, but poor cybersecurity hygiene continues to expose them to risk.
Challenges In Recovery From Ransomware
Recovering from a cyberattack is also difficult, with SMEs facing high costs, downtime, and the need for external IT support, all of which can harm their reputation and customer trust.
SMEs often struggle due to the lack of in-house IT expertise, the high costs of system restoration, and the operational downtime caused by attacks. Bansal points out that reputational damage and legal fees further complicate recovery.
Both Desai and Salunkhe emphasise the need for SMEs to close critical cybersecurity gaps. This includes adopting automated backups, regularly patching systems, and investing in affordable, open-source cybersecurity tools.
Salunkhe believes that SMEs must be more proactive in assessing vendor security and continuously monitoring their systems.