Shekhar Pawar works with MSMEs on cybersecurity with a unique protocol pioneered by him. He holds a doctorate in cybersecurity and is CEO of SecureClaw Inc., Delaware, USA and Cybersecurity (India) Pvt Ltd.
October 22, 2025 at 2:36 PM IST
Cybercrime has quietly evolved into the costliest covert war of our times. In 2024 alone, the FBI logged more than 859,000 cybercrime complaints with financial losses of over $16 billion, up 33% from the year before. Globally, cybercrime could cost the world $10.5 trillion by the end of 2025 — a figure that puts it on par with the GDP of the planet’s richest nations. That is not merely a statistic. It is a silent siphoning of global wealth.
The hardest hit won’t be the giants with cyber armies, but the small businesses that form the backbone of every economy. These firms account for 90% of global businesses, employ around 70% of the workforce and contribute more than half of worldwide GDP. As of 2025, almost six in ten small and mid-sized firms said they had been hit by a cyberattack. The average price tag for each breach? About $2.6 million. What’s worse, half admitted they didn’t even have basic protection in place. For businesses that live month-to-month, that’s not just a gap in security; it’s a crack in the foundation.
False Security
Recent international research by this author, involving SMEs across 19 countries, uncovered why conventional cybersecurity frameworks rarely work for smaller enterprises. The first barrier is scale. Existing frameworks impose hundreds of generic controls that drive up the complexity and cost of compliance. The second challenge is capability. Many firms lack skilled staff to interpret technical requirements and maintain vigilance. And the final, most critical gap is context: off-the-shelf solutions rarely fit the messy, day-to-day realities of running a small business.
The consequence is a dangerous illusion of protection. More than half of surveyed firms believed they had appropriate controls in place, yet some had none at all. A fifth lacked even basic policies, and a third had never trained employees on cyber hygiene. Only half felt certain they hadn’t already been breached. Confidence without competence is a costly combination.
To bridge this gap, a new wave of cybersecurity design developed by this author has emerged, one that tailors protection to the business domain. Known as Business Domain Specific Least Cybersecurity Controls Implementation (BDSLCCI), it replaces rigid checklists with a focused framework built on two principles. The first is layered defence, protecting data, applications, networks, devices, and people across seven concentric layers. The second is mission-critical asset protection, concentrating controls on the processes or systems that matter most to each business.
A manufacturer dependent on CNC machines cannot afford a ransomware lockout. A financial services firm must preserve transactional confidentiality. A pharmaceutical company depends on the integrity of its digital formulation systems. The aim, then, isn’t uniformity but alignment—making sure security priorities mirror business priorities. The idea is to make protection measurable, meaningful, and manageable for small enterprises already stretched thin by compliance demands.
India has begun moving in this direction too. In September 2025, India’s Computer Emergency Response Team issued “15 Elemental Cyber Defence Controls for MSMEs”, a prescription of 45 baseline safeguards covering everything from asset tracking and incident response to governance and data protection. It is a step away from theoretical compliance, toward practical continuity. The document signals a recognition that the nation’s economic backbone can no longer remain digitally fragile. Notably, CERT-In acknowledged the BDSLCCI framework in strengthening cybersecurity across the MSME sector.
Around the world, MSMEs are rethinking cybersecurity as a pillar of survival rather than a procedural nuisance. The most successful models now combine simplicity, scalability, and specificity. They let companies benchmark their defences, train staff, and strengthen oversight without drowning in jargon or cost. Cybersecurity, in short, has become a function of business continuity, one that can make or break value creation.
If there’s one takeaway from this global rethink, it’s that frameworks built for billion-dollar corporations don’t translate to small players. Small businesses need systems that fit their scale and sense, not someone else’s checklist. When defences are lean but layered, specific rather than sweeping, cyber safety becomes achievable rather than aspirational.
In today’s world, cyber resilience is business resilience. Whether a company trades, manufactures or writes code, the principle stands: the firewall is now as critical as finance. The next decade will not merely reward innovation. It will demand immunity.
The lesson from the global surge in cybercrime could not be clearer. Survival is no longer about size. It is about security.