Despite filing a police compliant and paying a ransom, Shekhawat failed to secure access to his account. He finally accessed it after Facebook reset his account. Shekhawat made just ₹12,000 from the page that month compared with monthly earnings of ₹3,00,000 and ₹4,00,000 prior to the attack.

Cyber-attacks on small- and medium-sized businesses (SMBs) have been on the rise. According to a 2019 study by Accenture, 43% of cyberattacks worldwide are aimed at SMBs. India has 6 crore SMBs that account for 30% of the GDP as per the Confederation of Indian Industry and with the adoption of technology their contribution is only likely to grow.

Consulting firm Zinnov expects SMBs in India to consume digital services worth $80 billion in the next 5 years.

Unlike large enterprises, many SMBs often do not have resources and manpower to deal with the evolving threat landscape. On top of it, they feel that they are not at risk.

A July 2019 study by UK based cyber-security firm Keeper Security found that decision makers in 62% of companies between $1 million and $500 million did not think they would be the target of cyber-attacks. It is this perception which may discourage them to spend enough on cyber-security.

“Small budgets certainly have a role to play for small companies that might forego hardware security via firewalls and unified threat management devices, and certainly would find it difficult to hire IT staff with the skill and experience to implement security measures,” said Samir Mody, vice president, CyberThreat Lab, K7 Computing, an Indian cyber-security firm.

To cut down on spending, many are tempted to use cracked or pirated software. Mody warned that using pirated or outdated operating systems also leads to the risk of cyber-attacks since they may not get security updates.

According to an August 2019 report by Russian cyber-security firm Kaspersky, despite the availability of newer versions of software, around 41% of consumers still use either an unsupported or approaching end of support desktop operating system such as Windows XP or Windows 7.

About 40% of very small businesses and 48% of SMBs continue to rely on these operating systems. Microsoft recently killed all support including security updates and patches for Windows 7.

SMBs in banking, financial services and insurance sector are more vulnerable as they allow cyber-criminals to make monetary gain and steal sensitive data at the same time.

Similar to SMBs, startups also feature high the list of potential targets of cyber-criminals. Despite founders of startups having a better understanding of modern day cyber-security risks, and a higher likelihood of them taking steps to protect their assets, there have been frequent cyber-attacks on startups. Among Indian startups, Zomato suffered a security breach in 2017.

Also, targeting startups can sometimes be more lucrative than SMBs. “Most important thing that a startup needs to protect is its IP (intellectual property). Many of these startups have no funding for first 6 to 12 months but they have a great idea. If the idea or source code is leaked, they can lose what makes them unique,” said Mukul Shrivastava, partner, Forensic and Integrity Services, EY India.

Credibility is also important. If a customer data base is breached, startups lose credibility, which can stall future investment in addition to heavy penalties they may have to pay, added Shrivastava. A 2019 study by US-based National Cyber Security Alliance suggests that 60% of SMBs that face a cyberattack tend to go out of business within six months.

Cyber-attacks have a catastrophic effect on startups as they are characteristically anchored in technology and operate on a lean infrastructure. If this infrastructure gets compromised, it usually compromises their business entirely, warned Rakesh Kharwal, managing director, India/South Asia & ASEAN, Cyberbit – an Israeli cyber-secuirty firm.

“Any cyber-attack primarily complicates a business in three ways, i.e. operations, market perception, and legal. Now, startups also have meagre capital. A report by Data Security Council of India (DSCI) also states that the average cost of cyber-attacks has increased by 8% in India. So, for startups, it becomes tough to sustain unit economics,” added Kharwal.