Diwali week wrapped on October 21, 2025. GSTR-3B for the October period is due November 20. The intervening four weeks are when Indian SMBs traditionally let cyber-hygiene slip: staff return in waves from the holiday, the patch backlog has accumulated, off-boarding from late-September departures is still pending, and vendor renewals have quietly auto-charged through the festive shutdown without anyone noticing. This is the post-Diwali, pre-GSTR-3B sprint we run with clients: 9 checks, roughly 4 hours total, and it almost always finds something nobody knew was open.
- 9: cyber-hygiene checks in this sprint
- 4 hrs: total time to complete for a 30-person SMB
- Nov 20: GSTR-3B filing deadline (October period)
- 2-3: items typically found open per audit (out of 9)
## The 60-second answer
Run nine checks: patch backlog, leaver off-boarding, dormant SaaS subscriptions, expiring SSL/domain renewals, abandoned shadow IT from Diwali sales campaigns, post-festive backup verification, after-hours admin logins during the shutdown window, vendor invoice anomalies, and the tax-portal MFA refresh. Each is a 15-30 minute task. We have run this sprint with eight Indian SMB clients in late October-early November 2024 and 2025 — every single one had at least 2 open items. The most expensive miss we have seen: a leaver's IAM role had been forgotten for 6 weeks; the access logs showed nobody had used it. Could just as easily have been an attacker.
## Why this matters now
The festive-recovery period is the highest-risk hygiene window in the Indian SMB calendar. Three structural reasons:
First, the Diwali week itself has minimum staffing, so any incident in that window often gets logged but not acted on. The triage backlog accumulates.
Second, the rush of campaign launches in the 2 weeks before Diwali typically introduces shadow IT — a marketing team signs up for a new analytics tool, sales for a new outreach platform, support for a new chat widget. Most of these never get reviewed, and some never even get used after Diwali.
Third, and most underrated: the staff calendar is fragmented. Some teams returned Oct 22, some returned Oct 27, some have not returned by Nov 5. Joiners and leavers in the gap window slip through the off-boarding process. October leavers' IAM roles, GitHub access, Slack accounts often stay live until the December audit.
GSTR-3B on November 20 is the natural forcing function — by then your accounting team is reconciling October, and the cyber-hygiene sprint should be complete so the books are clean.
The 6-week leaver-account problem. Industry data suggests about 50% of departing employees retain some form of access for over a month after leaving. For a typical 30-person Indian SMB, that translates to 1-3 forgotten access grants per quarter. The cost is bounded only by what those accounts can do — and "ex-employee with valid GitHub PAT" is a category that has produced six-figure rupee incidents in our consulting practice.
## The 9 checks (in priority order)
1. Patch backlog: OS, browser, CMS, framework, and container-image patches that landed during Diwali week. Apply criticals immediately. Document the rest with target deadlines.
2. Leaver off-boarding: every employee who left between Oct 1 and today. Confirm IAM, GitHub, Slack, Google Workspace, Microsoft, ESP, and CRM access has been fully revoked.
3. Dormant SaaS subscriptions: subscriptions that auto-renewed during the festive shutdown but nobody is using. Cancel before the next billing cycle.
4. SSL and domain renewals: any SSL certificate or domain expiring between Nov 1 and Dec 31. Renew now while staff are back. Expiries during the November-December festive shutdowns are an annual disaster pattern.
5. Shadow IT from Diwali campaigns: audit the SaaS apps signed up for during the campaign rush. Determine which to keep, which to off-board, and which to bring under proper governance.
6. Backup verification: confirm backups ran nightly through Diwali week (often missed because the backup admin took leave). Run one full restore test on a tier-1 system.
7. After-hours admin login review: pull admin login logs from Oct 19-21 (Diwali days). Anything that looks unusual, such as a login from an unfamiliar IP or country, or a login at 3 AM IST when the team was off, gets investigated immediately.
8. Vendor invoice anomalies: review vendor invoices received during the festive window. Phishing emails impersonating vendors with payment-update requests are common; verify any new bank-account changes via voice call.
9. Tax-portal MFA refresh: GST portal, IRP, e-Way Bill. Re-confirm MFA still works for every authorised user. Stale OTP-via-SMS configurations are a common pre-3B surprise.
## The 4-hour walkthrough
Block 4 hours one morning the week of Oct 27-31. One founder/CTO + one engineer + one ops person. Coffee, a Notion doc, a fresh checklist. Each step has a verification before moving on.
### 1. Hour 0-0:30: Patch backlog scan
Run your endpoint patch-management report (Intune, Jamf, ManageEngine). List devices missing updates from the last 14 days. Push criticals immediately. Document non-criticals with 7-day deadlines. Run the same on servers (`apt list --upgradable`, `yum check-update`). Verify: a patch-status report showing zero criticals open and a documented plan for non-criticals.
### 2. Hour 0:30-1:00: Leaver off-boarding
Pull the HR list of every departure since Oct 1. For each, run through your off-boarding checklist: Google Workspace deactivated, Microsoft 365 deactivated, GitHub org access removed, Slack deactivated, AWS IAM role disabled or deleted, CRM access revoked, ESP access revoked, VPN access removed. Verify: for each leaver, every row checked. Most SMBs find 1-3 missed items per audit.
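The "every row checked" verification is a reconciliation: the HR leaver list on one side, each system's active-identity export on the other. The following is an added example of that reconciliation written for this article, not code from the article or from any of the named vendors. All of the data is constructed, the export shapes are an assumption about what your own CSV exports look like once normalised, and the `ALIASES` map stands in for whatever your IdP or HR records give you to translate an email into a GitHub or AWS username. It also checks GitHub personal access tokens separately, because, as the article notes, a PAT persists after the account is deactivated unless it is explicitly revoked.

```python
# Added example (not the article's code): reconcile the HR leaver list against
# per-system active-identity exports. All data below is constructed; the export
# shapes and the ALIASES map are assumptions about your own normalised exports.

# Constructed: HR departures (email -> last working day)
LEAVERS = {
    "asha@example.in": "2025-09-25",
    "ravi@example.in": "2025-10-10",
}

# Constructed: identities still active in each system on audit day.
# GitHub and AWS use usernames rather than emails, as they typically do.
ACTIVE = {
    "google_workspace": {"ops@example.in", "ravi@example.in"},
    "microsoft_365": {"ops@example.in"},
    "github_org": {"ops", "asha-dev"},
    "slack": {"ops@example.in", "asha@example.in"},
    "aws_iam": {"ops", "ravi.k"},
    "vpn": {"ops@example.in"},
}

# Constructed: GitHub personal access tokens seen in the org-wide PAT audit.
# A PAT is not revoked by deactivating the account, so it is checked separately.
GITHUB_PATS = [
    {"owner": "asha-dev", "scope": "repo", "last_used": "2025-10-20"},
    {"owner": "ops", "scope": "read:org", "last_used": "2025-10-27"},
]

# Constructed: email -> per-system username where it differs from the email
ALIASES = {
    "asha@example.in": {"github_org": "asha-dev", "aws_iam": "asha"},
    "ravi@example.in": {"github_org": "ravik", "aws_iam": "ravi.k"},
}


def identity_for(email, system):
    """The username a leaver has in `system`; falls back to the email itself."""
    return ALIASES.get(email, {}).get(system, email)


def open_items(leavers=LEAVERS, active=ACTIVE, pats=GITHUB_PATS):
    """Return sorted (email, system, detail) rows that still need revocation.

    An empty list is the 'every row checked' verification the step calls for.
    """
    items = []
    for email in leavers:
        for system, users in active.items():
            if identity_for(email, system) in users:
                items.append((email, system, "account still active"))
        gh_user = identity_for(email, "github_org")
        for token in pats:
            if token["owner"] == gh_user:
                items.append((email, "github_pat",
                              f"{token['scope']} token, last used {token['last_used']}"))
    return sorted(items)


if __name__ == "__main__":
    for email, system, detail in open_items():
        print(f"{email:20} {system:18} {detail}")
```

Run it against real exports by replacing the constructed dictionaries; the output rows are the action items for the tracker, each needing an owner and a revocation timestamp before the leaver is signed off.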
### 3. Hour 1:00-1:30: SaaS subscription audit
Pull the corporate-card statement for October. List every recurring SaaS charge. Map each to a current active user/team. Anything that did not get used in October: cancel before the November charge. Verify: a list with "keep / cancel / under-review" decisions for each subscription, with an owner assigned for each.
### 4. Hour 1:30-1:45: SSL and domain renewals
Run an SSL expiry scan (sslshopper.com, ssllabs.com). List domain registrations and their expiry. Renew anything expiring before Dec 31 today. Verify: no SSL or domain expiring before Dec 31 without a renewal in process. SSL expired during a customer's December campaign in 2023 — never again.
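If you would rather run the expiry scan from your own machine than from a third-party site, the following added example (written for this article, not the article's or any vendor's code) pulls the certificate from a live TLS handshake with Python's standard `ssl` module and applies the step's "renew anything expiring before Dec 31" rule. The `RENEW_BEFORE` cutoff and the `RENEW-NOW` / `OK` / `EXPIRED` labels are this example's own choices; `parse_not_after` and `expiry_decision` work offline on the `notAfter` string that `ssl.SSLSocket.getpeercert()` returns, so only the command-line run needs network access.

```python
# Added example (not the article's code): days-to-expiry for TLS certificates.
# The cutoff date and status labels are this example's own assumptions.
import socket
import ssl
import sys
from datetime import datetime, timezone

# The step's rule: anything expiring before Dec 31 gets renewed now.
RENEW_BEFORE = datetime(2025, 12, 31, tzinfo=timezone.utc)


def parse_not_after(not_after: str) -> datetime:
    """Parse the notAfter string as getpeercert() gives it, e.g. 'Dec  8 23:59:59 2025 GMT'."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def expiry_decision(not_after: str, now: datetime, cutoff: datetime = RENEW_BEFORE):
    """Return (days_left, status); days_left is negative once the cert has expired."""
    expires = parse_not_after(not_after)
    days_left = (expires - now).days
    if expires <= now:
        status = "EXPIRED"
    elif expires <= cutoff:
        status = "RENEW-NOW"
    else:
        status = "OK"
    return days_left, status


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live TLS handshake; returns the leaf certificate's notAfter string (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Usage: python ssl_expiry.py shop.example.in api.example.in
    now = datetime.now(timezone.utc)
    for host in sys.argv[1:]:
        try:
            days, status = expiry_decision(fetch_not_after(host), now)
            print(f"{host:40} {status:10} {days:4d} days left")
        except (OSError, ssl.SSLError) as exc:
            print(f"{host:40} ERROR      {exc}")
```

Because `create_default_context()` verifies the chain and hostname, a host that fails verification prints an error rather than a date, which is itself a finding worth a line in the tracker. Note that this checks the served certificate only; domain-registration expiry still has to come from the registrar.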
### 5. Hour 1:45-2:15: Shadow-IT discovery
Ask each functional lead: "What new SaaS tool did your team start using between Oct 1 and Oct 21?" Capture the list. For each: is it processing customer data, does it have an OAuth integration with our core stack, is there a DPA in place, who owns it. Verify: a list with one named owner per tool and a "bring-under-governance / keep-as-is / off-board" decision.
### 6. Hour 2:15-2:45: Backup verification + restore test
Confirm backup jobs ran every night Oct 18-26 (often the backup admin took leave; jobs may have failed silently). Pick one tier-1 system; restore yesterday's backup to a separate environment; confirm it works. Verify: 9/9 nights of backups present, one successful restore test signed off.
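"Failed silently" covers two cases the job status alone does not reveal: a night with no run at all, and a run that reported success but wrote almost nothing (the case in the Pune example below, where the storage target was nearly full). The following added example, written for this article and not the article's or any backup tool's own code, checks a job log for both over the Oct 18-26 window. The log lines are constructed, and the line format (date, job name, status, bytes written) is an assumption about what your tool's export would look like once normalised.

```python
# Added example (not the article's code): find missing nights and near-empty
# "ok" runs in a backup job log. Log lines and their format are constructed.
from datetime import date, timedelta

# Constructed log: one line per completed run (date job status bytes_written)
BACKUP_LOG = """\
2025-10-18 db-primary ok 5123456789
2025-10-19 db-primary ok 5130000000
2025-10-20 db-primary ok 5141000000
2025-10-21 db-primary FAILED 0
2025-10-22 db-primary ok 5150000000
2025-10-23 db-primary ok 51000
2025-10-25 db-primary ok 5162000000
2025-10-26 db-primary ok 5170000000
"""


def parse_log(text):
    """job -> {date: (status, bytes_written)}"""
    runs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        day, job, status, size = line.split()
        runs.setdefault(job, {})[date.fromisoformat(day)] = (status, int(size))
    return runs


def verify_nightly(log_text, job, start_iso, end_iso, min_ratio=0.5):
    """Return (nights_ok, nights_expected, problems) for one job over a date range.

    A night counts as ok only if the run succeeded AND wrote at least min_ratio
    of the median successful size; an 'ok' run far below the median is treated
    as a silent failure rather than a success.
    """
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    runs = parse_log(log_text).get(job, {})
    sizes = sorted(size for status, size in runs.values() if status == "ok" and size > 0)
    median = sizes[len(sizes) // 2] if sizes else 0

    problems, nights_ok = [], 0
    day = start
    while day <= end:
        if day not in runs:
            problems.append((day.isoformat(), "missing"))
        else:
            status, size = runs[day]
            if status != "ok":
                problems.append((day.isoformat(), f"status {status}"))
            elif size < min_ratio * median:
                problems.append((day.isoformat(), f"size {size} far below median {median}"))
            else:
                nights_ok += 1
        day += timedelta(days=1)
    return nights_ok, (end - start).days + 1, problems


if __name__ == "__main__":
    ok, expected, problems = verify_nightly(BACKUP_LOG, "db-primary", "2025-10-18", "2025-10-26")
    print(f"db-primary: {ok}/{expected} nights verified")
    for day, why in problems:
        print(f"  {day}: {why}")
```

The size check is deliberately crude (half the median); tune `min_ratio` to the system's normal day-to-day variance, and keep the restore test regardless, since a full-sized backup that does not restore is still a failed backup.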
### 7. Hour 2:45-3:15: After-hours admin login review
Pull admin login logs from Google Workspace, Microsoft 365, AWS Console, GitHub org, your CRM, and your support tool for the dates Oct 18-22. Filter for: logins from unfamiliar IPs/countries, logins between 11 PM and 6 AM IST, MFA failures followed by success. Verify: every flagged login has a confirmed-OK explanation OR is being investigated as a potential incident.
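The three filters in this step are easy to apply by hand to one system's export, but six systems over five days is where things get missed. The following added example, written for this article and not code from the article or any of the named platforms, applies all three filters to a normalised login export and produces the list of logins that need a confirmed-OK note. The records are constructed (RFC 5737 test addresses), and the column names, the office/VPN network in `KNOWN_NETS`, and the 15-minute window for "failures followed by success" are assumptions you would replace with your own values.

```python
# Added example (not the article's code): triage admin logins for the festive
# shutdown window. Records, known networks and the column names are constructed.
import ipaddress
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Assumption: office / VPN egress ranges and the countries the team logs in from
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_COUNTRIES = {"IN"}
QUIET_START, QUIET_END = 23, 6   # 11 PM to 6 AM IST, per the step

# Constructed sample export after normalising the columns of each platform's log
SAMPLE_LOGINS = [
    {"ts": "2025-10-20T10:15:00+05:30", "user": "ops@example.in",     "ip": "203.0.113.7",   "country": "IN", "mfa": "success"},
    {"ts": "2025-10-21T03:02:00+05:30", "user": "founder@example.in", "ip": "198.51.100.21", "country": "IN", "mfa": "success"},
    {"ts": "2025-10-21T02:58:00+05:30", "user": "admin@example.in",   "ip": "192.0.2.44",    "country": "US", "mfa": "fail"},
    {"ts": "2025-10-21T02:59:00+05:30", "user": "admin@example.in",   "ip": "192.0.2.44",    "country": "US", "mfa": "fail"},
    {"ts": "2025-10-21T03:01:00+05:30", "user": "admin@example.in",   "ip": "192.0.2.44",    "country": "US", "mfa": "success"},
]


def is_quiet_hours(ts: datetime) -> bool:
    """True if the login lands in the 11 PM - 6 AM IST window."""
    hour = ts.astimezone(IST).hour
    return hour >= QUIET_START or hour < QUIET_END


def is_unfamiliar(ip: str, country: str) -> bool:
    """True unless the source is a known country AND a known network."""
    addr = ipaddress.ip_address(ip)
    return country not in KNOWN_COUNTRIES or not any(addr in net for net in KNOWN_NETS)


def review_logins(records, window=timedelta(minutes=15)):
    """Return {(user, ip): [reasons]} for successful logins that need a confirmed-OK note."""
    rows = sorted(({**r, "ts": datetime.fromisoformat(r["ts"])} for r in records),
                  key=lambda r: r["ts"])
    flagged = {}

    def flag(row, reason):
        reasons = flagged.setdefault((row["user"], row["ip"]), [])
        if reason not in reasons:
            reasons.append(reason)

    for row in rows:
        if row["mfa"] != "success":
            continue                      # failed attempts matter only as a prelude
        if is_quiet_hours(row["ts"]):
            flag(row, "after-hours")
        if is_unfamiliar(row["ip"], row["country"]):
            flag(row, "unfamiliar-ip")
        # MFA failures from the same user and IP shortly before this success
        prior_fails = [p for p in rows
                       if p["user"] == row["user"] and p["ip"] == row["ip"]
                       and p["mfa"] == "fail"
                       and timedelta(0) <= row["ts"] - p["ts"] <= window]
        if prior_fails:
            flag(row, f"mfa-fail-then-success({len(prior_fails)})")
    return flagged


if __name__ == "__main__":
    for (user, ip), reasons in review_logins(SAMPLE_LOGINS).items():
        print(f"{user:22} {ip:16} {', '.join(reasons)}")
```

On the constructed data the founder's 3 AM login from a hotel network is flagged for after-hours and an unfamiliar IP (the Pune example below shows how that resolves: ask the founder), while the `admin@` login collects all three reasons and goes to the investigation track. The output is the worklist; the verification is a note against every row.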
### 8. Hour 3:15-3:45: Vendor invoice anomalies
Review every vendor invoice received between Oct 15 and today. Flag: new vendors not in your master list, existing vendors with changed bank details, invoices with amounts significantly different from baseline, urgency language ("pay today to avoid disconnection"). For any flagged invoice, voice-call the vendor's known phone number to verify. Verify: every flagged invoice has a verification record.
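The four flags in this step map directly onto a vendor master that records each vendor's known bank account and recent paid amounts. The following is an added example written for this article, not the article's or any AP system's code: it scores each invoice against such a master and returns the reasons it needs a voice-call record. The vendor master, invoices and bank-account labels are constructed; the 25% deviation-from-baseline threshold and the urgency word list are this example's own assumptions and should be tuned to your vendors.

```python
# Added example (not the article's code): flag vendor invoices that need a
# voice-call verification record. Vendor master and invoices are constructed.
import re
from statistics import mean

# Assumption: phrases that signal pressure to pay without the usual checks
URGENCY = re.compile(
    r"\b(today|immediately|urgent(ly)?|final notice|avoid (disconnection|suspension))\b",
    re.IGNORECASE,
)

# Constructed vendor master: known bank details and recent paid amounts (INR)
VENDOR_MASTER = {
    "Acme Couriers":     {"bank": "HDFC-XXXX1234", "history": [42000, 39500, 41000, 40500]},
    "CloudHost Pvt Ltd": {"bank": "ICICI-XXXX9876", "history": [118000, 121000, 119500]},
}

# Constructed invoices received in the festive window
INVOICES = [
    {"vendor": "Acme Couriers",     "amount": 41200,  "bank": "HDFC-XXXX1234", "note": "October deliveries"},
    {"vendor": "Acme Couriers",     "amount": 40800,  "bank": "AXIS-XXXX5555", "note": "Please note our updated account"},
    {"vendor": "CloudHost Pvt Ltd", "amount": 168000, "bank": "ICICI-XXXX9876", "note": "Diwali traffic surcharge"},
    {"vendor": "QuickFix Services", "amount": 15000,  "bank": "SBI-XXXX0001",  "note": "Pay today to avoid disconnection"},
]


def flag_invoice(invoice, master=VENDOR_MASTER, max_deviation=0.25):
    """Return the list of reasons this invoice needs verification (empty if none)."""
    reasons = []
    known = master.get(invoice["vendor"])
    if known is None:
        reasons.append("new-vendor")
    else:
        if invoice["bank"] != known["bank"]:
            reasons.append("bank-details-changed")
        baseline = mean(known["history"])
        if abs(invoice["amount"] - baseline) / baseline > max_deviation:
            reasons.append("amount-off-baseline")
    if URGENCY.search(invoice["note"]):
        reasons.append("urgency-language")
    return reasons


def triage(invoices, master=VENDOR_MASTER):
    """(vendor, reasons) for every invoice that needs a voice-call record."""
    flagged = []
    for invoice in invoices:
        reasons = flag_invoice(invoice, master)
        if reasons:
            flagged.append((invoice["vendor"], reasons))
    return flagged


if __name__ == "__main__":
    for vendor, reasons in triage(INVOICES):
        print(f"{vendor:20} call known number: {', '.join(reasons)}")
```

The second Acme invoice is the case the article warns about: a plausible amount, a familiar vendor, and only the bank account has changed. The phone number used for the call has to come from the vendor master, not from the invoice, or the check verifies nothing.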
### 9. Hour 3:45-4:00: Tax-portal MFA refresh
Sign into the GST portal, IRP, and e-Way Bill portal. Confirm MFA works for every authorised user. Re-test from any device that has not been used since before Diwali. Confirm the registered mobile number receives the OTP. Verify: every authorised user can sign in with MFA on a clean session.
## The 4-question SaaS-license sanity audit (within step 3)
Within the SaaS-subscription audit, ask 4 specific questions for every paid SaaS:
| Question | What it surfaces |
|---|---|
| How many seats are paid vs. used in the last 30 days? | Stale seats from leavers, trial users still on payroll seats, double-purchases |
| What is the renewal date and the auto-renewal terms? | Avoid surprise renewals; many vendors auto-renew without notice 30 days before |
| Is this on annual or monthly billing, and which is cheaper at our usage? | Annual is typically 15-25% cheaper; many SMBs default to monthly out of inertia |
| Could a smaller plan or a competitor at lower price serve us? | Right-sizing; no need to be on Enterprise tier if Pro tier covers your use case |
These four questions in aggregate often save Indian SMBs 15-30% of their SaaS spend. The festive-recovery sprint is the natural moment to ask them — books are being closed for October, the team is reviewing the budget anyway.
## Common mistakes (each one hurts)
Symptom: "We finished the audit but never wrote down the action items." Cause: the audit ran in conversation, not in a doc. Fix: do the audit in a Notion or Google Doc, with each finding and owner captured live.
Symptom: "Two leaver accounts are still active." Cause: off-boarding checklist is not the source of truth — HR has it, IT has a separate one, neither is complete. Fix: one master off-boarding checklist, owned by IT, signed off by HR for each leaver.
Symptom: "We did not catch the auto-renewed subscription." Cause: corp-card statement was not pulled in time. Fix: the audit happens in the same week the October corp-card statement closes — typically Nov 1-3.
Symptom: "An ex-employee's GitHub PAT was used to push code." Cause: PATs persist after the user account is deactivated unless explicitly revoked. Fix: include "revoke all PATs" in your off-boarding checklist AND run a quarterly org-wide PAT audit.
Symptom: "The SSL renewal failed during December." Cause: the renewal happened automatically but DNS-01 challenge failed because the DNS provider had changed. Fix: monitor SSL expiry from outside your stack (sslshopper alerts, BetterStack); test renewal automation quarterly.
## When NOT to do all 9 checks
If you ran a full IT audit within the last 30 days, skip steps 1, 2, 3, 5 and focus on the festive-specific items (4, 6, 7, 8, 9). If your whole team worked through the festive week with no Diwali shutdown (rare for Indian SMBs, but possible for global teams headquartered in India with non-Indian operating hours), the after-hours review is less material.
If you are a sole-founder business with no employees besides yourself, off-boarding and shadow-IT do not apply. The 9 checks become 5: patch, SSL/domain, backup, vendor anomalies, tax-portal MFA. Roughly 90 minutes total.
The GSTR-3B trap. If your tax-portal MFA refresh fails on Nov 18-19 (the day before deadline), you will be unable to file on time. Late filing of GSTR-3B incurs interest at 18% per annum on tax dues plus a late fee of up to ₹5,000 per return per Act (CGST + SGST = ₹10,000 in practice). The 15 minutes of MFA refresh on Oct 28 prevents this. Do not skip step 9.
## The post-Diwali sprint checklist (print this)
- All endpoints patched; criticals zero, non-criticals scheduled within 7 days
- Every leaver since Oct 1 has 100% of access revocations confirmed
- Corporate-card statement reviewed; auto-renewed unused SaaS cancelled
- Zero SSL or domain expiries before Dec 31 without active renewal
- Shadow-IT inventory complete; each tool has a named owner and a governance decision
- Backup jobs verified for Oct 18-26; one successful restore test signed off
- Admin login logs Oct 18-22 reviewed; every anomaly explained or under investigation
- Vendor invoices Oct 15-onward reviewed; bank-detail changes verified by voice call
- GST portal, IRP, e-Way Bill MFA tested for every authorised user from a clean session
- Action-item tracker with owners and due dates committed to a shared doc
## A real example — a 42-person Pune e-commerce SMB
A Pune-based D2C e-commerce SMB (₹18 cr revenue, 42 employees, ran a 35% Diwali sale) ran the 9-check sprint with us on October 28, 2024 — coming out of a Diwali sale that had spiked their AWS bill by 40% and introduced 6 new SaaS tools.
What we found in 4 hours and 12 minutes:
- 3 unpatched browser-based vulnerabilities on staff laptops; pushed within the hour.
- 1 leaver from Sep 25 still had Slack access and a GitHub PAT with repo:write scope. Revoked.
- 4 SaaS subscriptions auto-renewed during Diwali week that nobody was using; cancelled, saving ₹38k/year.
- 1 SSL certificate expiring Dec 8 (would have expired during a planned year-end campaign push); renewed.
- Shadow-IT audit found 6 new tools — 2 kept (sales outreach, customer-support add-on), 1 brought under governance (analytics with PII), 3 cancelled.
- 2 backup nights had failed silently because the storage target was at 95% capacity. Cleaned up; reconfigured with auto-pruning.
- After-hours review surfaced 2 admin logins from unfamiliar IPs at 3 AM IST on Oct 21. Investigation: both turned out to be the founder, who had logged in from a hotel during a wedding trip. Verified with the founder; no incident.
- 2 vendor invoices had bank-detail changes — both confirmed legitimate by voice call. (The voice-call discipline is the hardest one to maintain; people skip it because it feels paranoid. It is not.)
- GST portal MFA worked for 3 of 4 users; the 4th user had changed phones during Diwali and OTP was not delivering. Updated the registered mobile in the portal; verified before Nov 1.
Total cost of the sprint: 1 founder day + 1 ops person day + 1 engineer half-day. Total operational savings: ₹38k/year on cancelled SaaS + an avoided Dec 8 SSL incident + an avoided Nov 20 GST-filing incident. Cost of NOT doing the sprint: at minimum the late-fee on GSTR-3B (₹10,000), at maximum a serious incident from any of the open items.
For background on the broader regulatory pressure, see our September piece on the DPDP Act pre-notification readiness audit — privacy posture is the regulatory cousin of operational hygiene.
## A founder note from our team
Our founder Vivek Singh writes about cybersec specifically for Indian SMB founders. The shortest version of his argument on hygiene sprints: most cyber-incidents in SMBs come from accumulated debt — patches not applied, leavers not off-boarded, subscriptions not reviewed — rather than novel attacks. The fix is calendar discipline, not better tools. Quarterly hygiene sprints prevent more incidents than expensive new platforms.
The festive-recovery sprint specifically maps to a moment in the calendar where the team's natural focus is back on the books (GSTR-3B is a forcing function). Pairing the cyber-hygiene check with the financial close is the cheapest way to make hygiene routine.
For complementary reading on operational discipline, see our recent AWS US-EAST-1 outage post from the Diwali eve and the Diwali phishing hardening checklist from the week before. Together they form a complete "before, during, after" Diwali cyber-hygiene cluster for Indian SMBs.
## The Reddit pulse
The r/sysadmin threads each post-festive period (post-Christmas in the West, post-Diwali in India) document the same patterns: missed patches, forgotten leavers, surprise auto-renewals, expired certificates. The festive-recovery sprint is a global discipline; only the festival changes.
The r/india threads in early November typically surface phishing-impact stories from the Diwali sales window — a useful pulse for what scams actually landed on consumers, which informs your customer-comms going forward.
The r/IndiaTax threads in mid-November are full of last-minute GSTR-3B panic — most of it preventable with the MFA refresh in step 9 done 3 weeks earlier.
## FAQ
### Why the post-Diwali, pre-GSTR-3B window specifically?
The team is back on the books, the financial close is forcing attention to October, the Diwali noise is just past, and there are still 3 weeks before the Nov 20 GSTR-3B deadline. This is the natural moment when the muscle for hygiene work is available. Outside this window, the discipline atrophies.
### Should we do this sprint quarterly or annually?
Quarterly is ideal. Annual is the minimum acceptable cadence. The 9 checks above can be run in any quarter — adapt the festive-specific items (after-hours review, vendor invoice anomalies in the festive window) to your quarter's calendar.
### What if we have an MSP — do they not do this for us?
Most MSP contracts cover patches and backup verification. Few cover off-boarding, shadow-IT discovery, vendor invoice anomalies, or tax-portal MFA. The 9-check sprint is mostly the ops/finance/IT cross-functional work that lives between the MSP scope and the in-house team. Do not assume your MSP covers it; check the contract.
### How do we make the off-boarding checklist actually work?
One master checklist (Notion or Google Doc), owned by IT, with HR sign-off as part of the offer-acceptance and exit-interview process. Every line item gets checked off with a name and timestamp. Any line item that cannot be checked within 24 hours of the last working day gets escalated to the founder. Most off-boarding fails because nobody owns the checklist; assign ownership.
### What is the cost of a forgotten leaver-account in practice?
We have seen ranges from ₹0 (no abuse, audit caught it before damage) to ₹40+ lakh (ex-employee used a forgotten GitHub PAT to push malicious code that took 6 weeks to detect and roll back, then required incident response and customer notification). The expected value of a forgotten leaver-account is low but the variance is high. The cost of preventing it (15 minutes per leaver) is minimal.
### How do we handle the vendor-invoice voice-call discipline at scale?
It only applies to invoices with bank-detail changes or invoices from new (not previously paid) vendors. For a typical 30-person SMB, that is 2-5 invoices a month. At your AP team's standard productivity, the voice-call adds 5 minutes per invoice — entirely manageable.
### What is the right shadow-IT discovery cadence?
Quarterly is standard. After major events (Diwali sales, year-end campaigns, product launches) is mandatory. The audit pattern is the same: ask each functional lead what new tools they started using; map to data sensitivity; decide on governance.
### Is there a tool that automates this whole sprint?
Partially. SaaS spend management (Vendr, SaaSOptics, Cleanshelf) covers steps 3 and parts of 5. Patch management (Intune, Jamf, ManageEngine) covers step 1. Off-boarding automation (Okta Lifecycle Management, BetterCloud) covers step 2 if you have an IdP. None of these is a substitute for the 4-hour sprint discipline — the sprint is the moment where humans review the automation output and catch what the tools missed.
Want a post-festive cyber-hygiene sprint?
We run the 9-check post-Diwali sprint for Indian SMBs (10-100 employees) for ₹35,000 fixed price. You leave with: full audit results, gap analysis, prioritised remediation list with owners, and a quarterly recurring calendar for the discipline. First call is with the engineer who would lead the sprint. Suitable for SMBs with revenue ₹2-50 cr.