A 2025 Year-End Cyber Hygiene Sprint for Indian SMBs: 12 Things to Finish Before Jan 1

Twelve days. That is what is left of 2025. Most Indian SMBs will spend those twelve days closing books, planning the January sales kickoff, and emptying the office for the long weekend. The opportunity is to also close the twelve cyber-hygiene gaps that, if left open, will be the things you wish you had done when the first incident of 2026 arrives. We have run this sprint for clients in Pune, Hyderabad, Bengaluru, and Indore through November and December. The 12-task list below is the consolidated playbook, with real time and cost numbers from those engagements. ## The 60-second answer The 12 tasks below are the floor of 2026 cyber-hygiene for an Indian SMB. They take roughly 35 engineering hours, cost roughly ₹1.4 lakh in tooling for a 50-person firm in year 1, and close most of the gaps that turn a phishing email into a ransomware incident. If your team can only finish six, do tasks 1, 2, 3, 5, 7, and 11 — the highest-impact half. ## Why year-end is the right time Three reasons December is the cyber-hygiene window. (1) Engineering teams are between sprint goals — the Q4 features have shipped and Q1 planning has not started. (2) Cyber-insurance renewal forms are sitting on the CFO's desk; the evidence pack from this sprint is exactly what underwriters want. (3) The DPDP Rules notification on Nov 14 means the May 2027 Phase 3 deadline is now visible on calendars — and three of the 12 tasks below are direct DPDP precursors. December 2025 is the cheapest, lowest-risk window in the calendar to ship this work. ## The 12 tasks (run them in this order) ## The total time and cost (real numbers) ## The 12-task checklist (print this, tape to wall)

• Admin MFA enforced on Microsoft 365, Salesforce, AWS, Google, GitHub, hosting panel
• Password manager rolled out to every employee, with onboarding training done
• EDR (Defender for Business or Falcon Go) at 100% endpoint coverage
• One backup restored end-to-end to staging, with timed restore log
• OAuth grants audited; unknown apps revoked; active apps re-issued at minimum scope
• External attack-surface scan run; criticals and highs ticketed
• Exposed RDP and SSH eliminated, verified with follow-up Shodan scan
• YubiKeys issued to top 10 admin accounts
• DPDP DPO appointed in writing, published on privacy page
• One-page IR card laminated and stuck to every laptop lid
• Quarterly tabletop scheduled for Feb, May, Aug, Nov 2026
• Cyber-insurance evidence pack PDF compiled and sent to broker

## What you can SKIP this year ## A real example: 40-staff Pune logistics SMB We ran this sprint for the same Pune logistics client we wrote about in the [Knownsec post](/blog/knownsec-leak-india-smb-1-week-hardening-checklist) — but more thoroughly, in mid-December. Sprint length: 7 working days (3 of ours, 4 of their sysadmin's). The line-item findings: - Task 1: 3 admin accounts had MFA disabled "for emergency access." Switched to FIDO2 keys + a sealed envelope in the safe. - Task 2: Bitwarden rolled out to all 38 staff. The pre-rollout audit found 12 reused passwords across business and personal accounts. None were caught later because the manager prevented them. - Task 4: Backup restore took 9 hours because the snapshot pipeline was not optimised. We refactored to nightly differentials and the next test took 47 minutes. - Task 5: Found a ZoomInfo OAuth grant from 2022 with full scope. Revoked. - Task 12: The cyber-insurance renewal in early February came in 8% lower because the evidence pack was the cleanest the broker had received from a logistics SMB that month. Total spend: ₹2.4 lakh in year 1 (slightly higher than median because they added a Falcon Go pilot for 5 servers). Total time: 38 engineering hours. The CTO's note in the project closure doc: "for the first time, the security posture matches the rest of the business." ## Common mistakes during a year-end sprint Symptom: "We are doing all 12 tasks in week 52." Don't. Pick 6 if you only have a week. Tasks 1, 2, 3, 5, 7, 11 are the highest-impact half. Ship them properly; defer the rest to early January. Symptom: "We will get the MFA exemptions out of the way later." Never. The MFA exemptions are the security holes. Deal with them now while everyone is in the office; do not push to January when half the team is on leave. Symptom: "We are buying a SIEM." Skip. A SIEM without an analyst to review alerts is shelfware. Get the basics first; revisit in mid-2026 if logging volume actually justifies it. Symptom: "We will train staff on phishing in February." Train them now, in week 51, while the office is quiet. A 30-minute lunch-and-learn on "what a real phishing email looks like" beats any annual training module. Use [Microsoft Attack Simulator](https://learn.microsoft.com/en-us/defender-office-365/attack-simulation-training-get-started) (bundled with Microsoft 365 E3+) to send a test phish in week 1 of January. ## When NOT to run the full sprint Skip the full sprint if (a) you have already passed an SOC 2 Type II audit in 2025 — your controls are already at this level; (b) you handle no PII or financial data and your only software is Google Workspace + a Shopify store — the 6 highest-priority tasks are enough; or (c) you are mid-acquisition and the acquirer's security team will impose its own framework in 30 days — wait, then implement theirs. ## What we are tracking heading into 2026 The three numbers to put on your dashboard for January 1: 1. Defender Secure Score (or equivalent). Should be 70%+. The most actionable single number. 2. Days since last admin password rotation. Should be ≤ 90. 3. Open critical-or-high CVEs on external scan. Should be 0. Track these monthly. Send to the CEO with a one-line trend comment. The discipline of measuring is half the security gain. ## Where the community is gathering For Indian SMB security, the most useful threads we read are on [r/cybersecurity](https://www.reddit.com/r/cybersecurity/) and [r/AskNetsec](https://www.reddit.com/r/AskNetsec/) (search for "small business" and "year end"). The [SANS Internet Storm Center](https://isc.sans.edu/diary.html) is excellent for daily threat intel. CERT-In's [advisory page](https://www.cert-in.org.in/) is the official source — subscribe to the email list. For DPDP-specific community discussion, [r/india](https://www.reddit.com/r/india/) has been the most useful in November and December. ## A subtle point about the year-end timing The reason this sprint works in late December specifically is that most adversaries also slow down. Major ransomware crews go quieter between Christmas and Indian New Year — not silent, but the dwell-time before exploitation goes up. That gives you a slightly larger window to deploy controls before the next wave hits in mid-January. We have run the year-end sprint for three consecutive Decembers (2023, 2024, 2025) and the median time-from-deploy-to-incident has been roughly 38 days into the new year — long enough that the controls were already paying off. ## Our take A 50-person SMB that spends ₹2.15 lakh in year 1 on cyber hygiene is buying genuine resilience for less than the cost of a single mid-level engineer. The same SMB that delays this work until after a breach pays roughly ₹14–28 lakh in incident-response, regulatory notification, customer churn, and insurance premium load. The math is not subtle. Year-end is when it lands cheapest because you are using slack engineering capacity and aligning with the insurance renewal cycle. Run it the week of December 22–28 if you possibly can. Our [QA + security lead Manvi](/team/manvi) and [CTO Hrishikesh](/team/rishikesh-baidya) jointly own this sprint when we run it for clients. The work fits within our [web development](/services/web-development) and [CRM development](/services/crm-development) practices because the underlying systems are usually ours. For a deeper take on why this matters at the founder level, our founder [Vivek Singh](https://viveksinra.com) has been writing about Indian SMB cybersecurity on his personal blog throughout 2025. ## FAQ ### Can a small SMB without IT staff really do this in a week? Yes, with the help of a fractional security consultant for 2–3 days. The Pune logistics client above had one sysadmin and we provided the consultant time. The total external billing was ₹85,000. For SMBs that already have a sysadmin who is willing to spend 30 hours, the external cost can be ₹0 if they follow this guide. ### What is the single most important task if we only do one? Task 1 — admin MFA on every system. It is the cheapest, fastest, and highest-impact single change. Do it before lunch tomorrow. ### Do we need to do task 8 (YubiKeys) if we already have authenticator-app MFA? Authenticator apps are vulnerable to phishing (specifically AiTM attacks). For your top 10 admins — the accounts where a compromise is catastrophic — phishing-resistant FIDO2 keys are the right level. For the rest of staff, authenticator apps are fine. The ₹42,000 spend protects the accounts that matter most. ### How does this sprint help with cyber-insurance? Brokers and underwriters are now specifically asking for evidence of EDR coverage, MFA enforcement, OAuth-grant hygiene, and a backup-restore test. The evidence pack from this sprint maps directly to the underwriter questionnaire. The Pune client got an 8% renewal discount; we have seen 4–12% across the clients we have run this for in 2024 and 2025. ### What changes in 2026 that makes this work different? Three things. (1) DPDP enforcement starts ramping (Phase 2 in November 2026). (2) Cyber-insurance underwriters are tightening eligibility — some are now declining renewal entirely for clients without EDR. (3) The ransomware crews are using AI-assisted tooling that compresses the dwell-time-to-exfil window. The sprint controls handle all three. ### Where can we get the laminated IR-card template? [Email us](mailto:contact@softechinfra.com) and we will send the editable Word template we use with clients. It is free. ### How do we know if the sprint actually worked? Three checks two weeks after the sprint. (1) Re-run the Shodan scan, confirm zero open RDP. (2) Re-run the Microsoft Defender Secure Score, confirm rise from ~40% to ~70%. (3) Have the CEO send a phishing test (Microsoft Attack Simulator) and check the click-through rate. If under 8% click-through, your training plus password manager is working. If above 15%, there is more user-education work to do.