Most Indian SMBs treat the financial-year close as an accounting event. The CA reconciles the ledgers, the auditor signs off, the books lock. Almost nobody runs a security check in the same window. That is a missed habit, because the FY-end close is the one time every year your whole team is already auditing access, payments, and vendor lists. This post gives you a 12-point cyber-hygiene sprint you can finish in two working days, mapped to the same accounts your auditor is already touching.
2 days
Realistic Time for a 25-Person Firm
₹0
Tooling Cost (Free Tools Only)
68%
Breaches Tied to a Human Element
## What Is a FY-End Cyber-Hygiene Sprint?
A FY-end cyber-hygiene sprint is a fixed checklist of security tasks you run in the same week your accounts close for the financial year. It piggybacks on work you already do at year-end — reviewing who has access to payment systems, who left the company, which vendors you still pay — and adds the security half: revoking stale logins, testing your backups, rotating exposed tokens, and patching what slipped. Two days, no new spend.
## Why Run This Now, at FY-End?
India's financial year ends on March 31. That deadline already forces a clean-up: the finance team lists every active vendor, every payment approver, every bank login, every SaaS subscription on the books. Verizon's 2024 Data Breach Investigations Report found [68% of breaches involved a non-malicious human element](https://www.verizon.com/business/resources/reports/dbir/) — a stale account, a reused password, a missed patch. Those are exactly the things a year-end list surfaces. You are already doing half the work. The other half is security, and it takes the same source data.
There is a second reason. Cyber-insurance renewals in 2026 increasingly ask for proof of an access review and a tested backup in the last 12 months. If your policy renews around the financial year, this sprint generates the evidence in the same window.
Calendar-year sibling: If you prefer to run this in December, see our companion post,
A 2025 Year-End Cyber Hygiene Sprint for Indian SMBs: 12 Things to Finish Before Jan 1. The checks overlap; this version maps them to the FY-end books-lock instead.
## The 12-Point Sprint (The Full List)
Here is the whole checklist first, so you can hand it to whoever owns IT. The walkthrough below explains each one with the exact command or click path.
- 1. Access review — list every account on every critical system; revoke anyone who left.
- 2. Offboarding sweep — confirm departed staff lost Google, email, banking, and SaaS access.
- 3. Admin-rights audit — count your admins; cut the number to the minimum.
- 4. MFA coverage check — verify two-factor on email, banking, accounting, and cloud.
- 5. Password-reset on shared logins — rotate every shared or service password.
- 6. API token and key rotation — rotate payment-gateway keys, webhook secrets, and old PATs.
- 7. Backup restore test — actually restore a backup, do not just check it exists.
- 8. Patch sweep — update OS, browsers, and the apps touching money or customer data.
- 9. Phishing test — send your own team a fake phishing email and measure clicks.
- 10. Vendor-access review — list third parties with login or data access; revoke the dormant ones.
- 11. DNS and email-auth check — confirm SPF, DKIM, and DMARC are set.
- 12. Incident-contact sheet — write down who to call when something breaks, before it does.
## How Do You Run Each Check? (The 2-Day Walkthrough)
Split the work across two days. Day one is the read-and-list work: access, admins, vendors, MFA. Day two is the action work: rotations, the backup test, the patch sweep, the phishing test. A team of one IT person plus the finance lead can clear it.
1
Access review (90 minutes)
Open Google Workspace Admin, your accounting tool (Tally on cloud, Zoho Books, or QuickBooks), your bank portal, and your top five SaaS apps. Export the user list from each. Cross-check against your current payroll. Anyone on a user list who is not on payroll gets revoked today. In Google Workspace this is Directory then Users; suspend, do not delete, so you keep the mailbox for handover.
2
Offboarding sweep (45 minutes)
List everyone who left in the last financial year. For each, confirm their Google account is suspended, their email forwards to a manager, their bank-portal login is removed, and they are gone from Razorpay, AWS, GitHub, and any CRM. One departed sales rep with a live CRM login is a data-export risk for a year.
3
Admin-rights audit (30 minutes)
Count how many people have admin or owner rights on each system. A 25-person firm rarely needs more than two Google Workspace super-admins or two AWS root-equivalent users. Demote the rest to the lowest role that still lets them work. Fewer admins means a smaller blast radius if one account is phished.
4
MFA coverage check (45 minutes)
In Google Workspace Admin, run the 2-Step Verification report under Reports then Security. It shows exactly who has MFA off. Turn on enforcement. Repeat for your bank, your accounting tool, AWS or Azure, and your code host. Prefer an authenticator app or a hardware key over SMS — SIM-swap fraud makes SMS the weakest second factor.
5
Rotate shared and service passwords (45 minutes)
Every shared login — the common WhatsApp Business number, the social accounts, the shared FTP, the office Wi-Fi admin — gets a new password stored in a manager like Bitwarden or 1Password. If a former employee ever knew the old one, it is now dead. Write the rotation date next to each entry.
6
Rotate API tokens and keys (60 minutes)
Regenerate your Razorpay and any payment-gateway keys, your webhook signing secrets, and any GitHub personal access tokens older than a year. Search your codebase and old emails for keys pasted in plain text. A key sitting in a two-year-old Slack message is a live credential. Use git log -p | grep -iE "key|secret|token" on each repo to spot accidental commits.
7
Backup restore test (90 minutes)
Do not check that a backup exists. Restore one. Pick last night's database backup, spin it up on a throwaway server, and confirm the data opens and the row counts match. A backup you have never restored is a hope, not a backup. For a Tally or accounting file, restore to a second machine and open the company. Time how long it takes — that number is your real recovery time.
8
Patch sweep (60 minutes)
Update the operating system, browser, and the apps that touch money or customer data on every staff machine. Phones too. Focus on the high-risk surface: the accountant's Windows laptop, the server running your app, the router firmware. Note any machine still on an end-of-life OS; that is a renewal-or-replace decision for the new financial year.
9
Phishing test (45 minutes)
Send your own team a realistic fake phishing email — a "your GST refund is ready, click to verify" lookalike. Use a free tier of GoPhish or a manual tracked link. Count who clicks. Do not name and shame; use the result to schedule a 20-minute refresher. Last quarter, a Pune client saw 9 of 30 staff click a test mail on the first run, down to 2 after one training session.
10
Vendor-access review (45 minutes)
List every outside party with a login or data feed into your systems — the web agency, the ad consultant, the freelance bookkeeper, the IT contractor. Revoke anyone whose contract ended. For active ones, confirm they have their own named login, not a shared one, so you can trace and revoke per person.
11
DNS and email-auth check (30 minutes)
Run your domain through a free checker like MXToolbox. Confirm SPF, DKIM, and DMARC records exist. Without them, anyone can spoof your domain to send fake invoices to your customers. Set DMARC to at least p=quarantine once SPF and DKIM pass. This is the single cheapest defence against invoice-fraud emails sent in your name.
12
Incident-contact sheet (20 minutes)
Write one page: who to call when the website is down, when money looks wrong, when an account is locked. Include your hosting support, your bank's fraud line, your IT contact, and CERT-In's reporting channel. Print it. The worst time to look up a number is during the incident.
These twelve checks feed naturally into a longer-term plan. Once you have run the sprint once, our
automation team can wire the recurring parts — access reports, backup-restore alerts, patch reminders — into a scheduled monthly job so next FY-end is faster.
## What the Numbers Say
A few figures worth keeping in front of the finance lead when you ask for two days.
🧑💻
68% Human Element
Verizon's 2024 DBIR ties more than two-thirds of breaches to a person — a stale account or a clicked link. Checks 1, 2, and 9 target this directly.
⏱️
194-Day Detection
IBM's Cost of a Data Breach 2024 puts mean time to identify a breach at 194 days. A quarterly access review shortens the window an attacker sits unnoticed.
💸
Backups Fail Quietly
A backup nobody has restored fails when you need it. Check 7 is the only one that proves recovery actually works.
📧
Invoice Spoofing
Without DMARC, anyone can email your customers as you. Check 11 closes the door on the most common SMB payment scam.
## When Should You Not Do This Yourself?
This sprint is built for a 10-to-50-person firm with one IT-capable person. There are three cases where the DIY version is the wrong call, and pretending otherwise would be dishonest.
First, if you are a regulated entity — an NBFC, a healthcare provider holding patient records, a payment aggregator — your obligations go well past a two-day checklist. You need a documented information-security policy, a named officer, and likely an external audit. Use this sprint as a warm-up, not the finish line.
Second, if your access review turns up something live and bad — a former admin who still logs in, a payment key in a public repo, a backup that will not restore — stop and treat it as an incident. Do not quietly fix it and move on. Preserve the logs, change the credentials, and get help if you cannot trace the scope.
Third, if nobody on your team can confidently run a database restore or read a DMARC record, do not learn it for the first time during the close week. Bring in help for the technical checks (6, 7, 8, 11) and keep the people-and-process checks in-house.
The one check people skip: the backup restore test. Everyone confirms the backup ran. Almost nobody restores it. We have walked into two engagements where a year of nightly backups were corrupt and unusable — discovered only after a server died. If you do one thing on this list, do check 7.
## A Real Example: A 28-Person Logistics Firm in Coimbatore
A Coimbatore logistics firm — 28 staff, a custom dispatch app, Tally on a cloud server — asked us to run this sprint alongside their March close.
Manvi, who leads our QA and security reviews, ran it over two days. The access review found three live accounts for people who had left in the past year, including one with full access to the dispatch database. The backup restore test took 41 minutes and worked — but exposed that nightly backups were missing the file-uploads folder entirely, so customer proof-of-delivery photos were never being saved off-server.
The phishing test had 7 of 28 click a fake "courier KYC update" link. After a 25-minute session, a re-test two weeks later had one. We rotated their Razorpay keys and found an old test key still active in a staging environment. Total effort: two days. The pattern is the same one we apply on longer engagements through our
automation and reliability work — and on data-heavy builds like
Radiant Finance, where access discipline is non-negotiable — find the gap, prove the fix, schedule the recurrence.
Outcome: Three stale accounts closed, a silent backup gap fixed before it cost them, and a phishing click-rate cut from 25% to under 4% — in the same week the books closed.
## Related Reading
More from our security and reliability cluster
For the founder's-eye view on why Indian SMBs keep getting caught by supply-chain and social-engineering attacks, our founder Vivek Singh writes about the same beat on
his personal blog.
## Frequently Asked Questions
### How long does the 12-point sprint actually take?
For a 10-to-50-person firm with one IT-capable person, plan two working days. Day one covers the list-and-review checks (access, admins, vendors, MFA). Day two covers the action checks (rotations, backup restore, patching, phishing test). Larger or more regulated firms should budget more.
### Do I need to buy any tools to run this?
No. Every check works with free tiers: Google Workspace Admin reports, MXToolbox for DNS, GoPhish free tier for the phishing test, and Bitwarden free for password storage. The only cost is time. Paid tools speed up scheduling but are not required for a first run.
### Why run a security sprint at financial-year-end specifically?
Because your team is already auditing access, payments, and vendors for the books close. The same lists — who can approve payments, who left, which vendors you pay — are exactly what a security review needs. Running both at once roughly halves the effort versus doing them separately.
### What is the single most important check on the list?
The backup restore test (check 7). Most firms confirm a backup ran but never restore one, and a backup that fails on restore is no protection at all. Proving recovery works is the highest-value 90 minutes in the sprint.
### Is SMS-based two-factor good enough?
It is better than nothing but it is the weakest second factor. SIM-swap fraud lets an attacker redirect your SMS codes. Use an authenticator app or a hardware security key for email, banking, and cloud admin accounts. Keep SMS only as a fallback.
### How does this help with cyber-insurance renewals?
Insurers in 2026 increasingly ask for proof of a recent access review and a tested backup. Running this sprint and keeping the exported user lists, the restore-test log, and the patch record gives you the evidence in one folder, dated within the policy period.
### Can you run this sprint for us?
Yes. We run the full 12-point sprint for Indian SMBs in two working days and hand back a one-page findings sheet plus the evidence pack. We can also schedule the recurring checks so the next FY-end is faster. Book a call below.
Want this hygiene sprint run before your books lock?
We run the full 12-point cyber-hygiene sprint for Indian SMBs in 2 working days. Typical cost: ₹35,000–₹70,000 depending on team size. Suitable if you are a 10–60 person firm closing your financial year. No slides — just your systems and our honest findings.
Book a 20-min Call