MSME & Policy

CERT-In outlines safeguards for Indian orgs, MSMEs amid Mythos AI cybersecurity risk concerns

India's digital economy is growing faster than its security culture. For MSMEs — which make up 30% of GDP yet account for a disproportionate share of cyber breaches — this gap is a live vulnerability. Today we examine CERT-In outlines safeguards for Indian orgs, MSMEs amid Mythos AI cybersecurity risk concerns.

The Threat Landscape in 2026

The Threat Landscape in 2026 — insight by Dr. Dibyendu Choudhury

India's cyber threat landscape has undergone a qualitative shift in 2026, directly relevant to CERT-In outlines safeguards for Indian orgs, MSMEs amid Myth. Attackers are AI-assisted, patient, and targeting the weakest link in supply chains — which is usually a small or medium business. CERT-In's advisories this year have repeatedly flagged the same pattern: attackers are no longer opportunistic — they profile a target for weeks, mapping vendor relationships and payment cycles before making a single move, which is exactly why a fast, well-timed fraudulent request can look completely routine to the person approving it.

How This Attack Works

How This Attack Works — insight by Dr. Dibyendu Choudhury

The cert in outlines safeguards for indian orgs msmes amid mytho attack methodology has evolved. Phishing emails are hyper-personalised — generated by AI that has scraped your LinkedIn, company website, and email pattern. Deepfake audio impersonating executives is being used to authorise fraudulent transactions. Supply chain attackers compromise one software vendor and ride that trusted relationship into hundreds of downstream businesses simultaneously. What makes the 2026 wave distinct from earlier phishing campaigns is the removal of the old tells — broken grammar, generic greetings, mismatched sender names. AI-generated correspondence now mirrors the specific tone, terminology, and even the invoicing format your actual vendors use, which means the old advice ('watch for spelling mistakes') is no longer a reliable defence on its own.

CERT-In outlines safeguards for Indian orgs, MSMEs amid Mythos AI cybersecurity risk concerns
India's MSME cyber threat landscape in 2026

Why MSMEs Are Especially Vulnerable

Why MSMEs Are Especially Vulnerable — insight by Dr. Dibyendu Choudhury

MSMEs are disproportionately vulnerable for three structural reasons: lack of dedicated security personnel, reliance on consumer-grade tools for business operations, and insufficient vendor security vetting. A single compromised email account can expose customer data, contracts, and financials — triggering both reputational and regulatory consequences under the DPDP Act 2026. There is also a fourth, quieter factor: many MSMEs run critical operations — invoicing, payroll, customer records — on the owner's personal devices and personal email accounts, with no separation between business and household digital life. That blending multiplies the attack surface in ways that are invisible until an incident forces an accounting of exactly what was exposed. None of this requires a large budget to fix. Separating business and personal accounts, enforcing MFA, and keeping a simple written record of who has access to what system are all zero-cost or low-cost changes — the barrier is almost always awareness and time, not capital.

Real Cases from India

Real Cases from India — insight by Dr. Dibyendu Choudhury

In Q1 2026, a Pune-based MSME lost ₹18 lakh to a Business Email Compromise fraud — the attacker impersonated the CEO via a spoofed email instructing accounts to wire funds to a 'new supplier'. A Delhi logistics firm had its customer database encrypted after an employee clicked a fake GST notice. Neither had basic multi-factor authentication enabled. A third case, less widely reported: a Coimbatore textile exporter had its GST portal credentials harvested through a fake compliance-update email, and the attackers used the access not to steal money directly but to file fraudulent returns that took the business months to untangle with the tax department.

Your 10-Step Protection Checklist

  1. Enable MFA on every business email account — this single step blocks 99% of credential-based attacks.
  2. Verify all wire transfers above ₹50,000 via phone call to a known number — never to a number in the request email.
  3. Use CERT-In's empanelled auditors for a free vulnerability scan — eligible for MSMEs under the government cyber-hygiene initiative.
  4. Back up critical data to an offline location weekly — ransomware cannot encrypt what it cannot reach.
  5. Brief your accounts and HR teams specifically on BEC and deepfake fraud — human defence is your first and most critical layer. Rehearse it once with a mock email, not just a slide.

Regulatory Compliance You Cannot Ignore

The DPDP Act 2026 imposes obligations on any organisation processing personal data — employee records, customer databases, supplier contacts. Penalties can reach ₹250 crore. MSMEs are not exempt. A basic data map — what data you hold, where it lives, who can access it — is your minimum starting point. Most MSME owners assume compliance obligations scale with company size; in practice the DPDP Act applies the same core duties — consent, purpose limitation, breach notification — to a five-person firm as to a listed conglomerate, only the enforcement scrutiny differs.

The Cost of Inaction

The average cost of a cyber breach for an Indian SME in 2026 is estimated at ₹35–80 lakh when factoring in recovery, legal liability, reputational damage, and business disruption. Prevention — which can be implemented for a fraction of this — is not optional. The costs that do not show up in insurance claims are often the largest: the weeks of management attention diverted from growth, the customer trust that erodes quietly rather than all at once, and the vendor relationships strained by a breach notification you were legally obligated to send.

The Regulatory Landscape You Cannot Ignore

Beyond the DPDP Act, sector-specific regulators are tightening reporting obligations: CERT-In's 6-hour breach-reporting mandate applies regardless of business size, and RBI-regulated lenders now expect basic cyber-hygiene attestations from MSME borrowers as part of credit due diligence. Non-compliance is increasingly a business-continuity risk, not just a legal one. Insurers, too, have started underwriting cyber policies against a documented minimum-controls checklist — meaning a weak security posture can now translate directly into higher premiums or declined coverage, not just regulatory exposure.

Building a Security-First Culture

Technology controls fail without a culture that treats security as everyone's job. Practical steps: a 15-minute quarterly briefing for all staff, a clear no-blame reporting channel for suspected phishing, and a named owner for security decisions — even in a 10-person company. The businesses that recover fastest from an incident are the ones where someone already knew what to do. In my advisory conversations with MSME owners, the single highest-leverage change is almost never a new tool — it is naming one person, by title, who is responsible for security decisions. Diffuse responsibility is the most common reason basic controls never get implemented. A written, one-page incident response plan — who to call, what to disconnect, whom to notify — turns a panicked first hour into a managed one, and most MSMEs can draft theirs in under an afternoon.

"In cyber security, the question is never whether you will be targeted — only whether you will be ready." — Dibyendu Choudhury

📖 Related Reading

📬 Join 49,000+ Indian Professionals

The Inner Circle newsletter delivers curated MSME intelligence, leadership wisdom, and strategic insights every week — completely free. Plus receive the 20 Gita Lessons PDF as a welcome gift.

Subscribe Free →

Ready to Go Further?

Is your MSME cyber-ready? I offer focused digital-risk assessments to help small businesses protect their data and reputation.

Book a Cyber-Risk Review

Published 14 July 2026 · dibyenduchoudhury.com

Dr. Dibyendu Choudhury

Dr. Dibyendu Choudhury

Author of 9 published books. Retd. Govt. Employee (MoMSME) · MSME Policy Expert · Visiting Faculty at NI-MSME · Vedic Philosophy Scholar. Writing at the intersection of ancient Indian wisdom, modern entrepreneurship, and national policy.

Never Miss an Insight

Join 47,000+ readers — free fortnightly newsletter on MSME policy, Vedic wisdom & leadership.