If you don't notice unusual activity, an attacker can sit inside your systems stealing customer data, payment information or business secrets for weeks before you realise it. For example, a Delhi manufacturing firm didn't notice an employee's account was compromised until their entire product design library had been sold to a competitor; by then the damage was done and they lost ₹2 crore of contracts. Without detection you also miss the early signs of server failures, ransomware infections and insider misuse, so downtime lasts longer and recovery costs more. Regulators expect detection controls: CERT-In's April 2022 directions require organisations to keep ICT system logs for 180 days and to report cyber incidents within six hours of noticing them, and neither is possible if nobody is watching the logs. Gaps here also show up as findings in customer and compliance audits.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no way to see what's happening on your systems or network. Your IT person only finds out about problems when a user complains or your internet stops working.
Initial
Your IT person manually checks a few servers or logs once a week when they remember, but there's no consistent process or records of what they looked for or what they found.
Developing
You have basic log files being kept and your IT person reviews them weekly with a written checklist, noting anything suspicious in a basic spreadsheet or notebook.
Defined
You have documented procedures for monitoring key systems, logs are reviewed at least twice weekly, and you maintain records of unusual activities found and how they were resolved.
Managed
Monitoring is automated using simple alerting tools, logs are centralized, alerts are reviewed daily, and you have a formal incident response process documented and tested quarterly.
Optimised
Real-time alerts notify you automatically of suspicious patterns, all logs are analyzed continuously, your team investigates within hours, and you conduct monthly reviews of detection effectiveness with documented improvements.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple one-page checklist of things to look for each week (failed login attempts, logins at odd hours, new accounts or accounts added to admin groups, unusual file access). Ask your IT person to walk through it every Friday and sign off with the date and findings, even when nothing was found: a record of "checked, nothing unusual" is itself evidence. | Business owner + IT person | 2-3 hours |
| 1 → 2 | Confirm that Windows security auditing (logon and account-management events) and Linux syslog/journald are enabled on all servers, and that every server's clock is synchronised to NTP so events from different machines can be lined up (CERT-In directions require this). Export the logs weekly to a restricted shared folder and keep a simple spreadsheet summary. Create a template form documenting what was checked, what was found (if anything), and actions taken. | IT person | 3-5 days |
| 2 → 3 | Write a formal Monitoring & Detection Procedure document (1-2 pages) that lists exactly which systems to monitor, how often, what events matter, who does it, and what to do if something suspicious is found. Get business owner to approve and sign it. | IT person + business owner | 1-2 weeks |
| 3 → 4 | Deploy a log aggregation and alerting tool (Wazuh or the ELK Stack are free; Splunk is a commercial option); configure rules that automatically flag high-risk events (repeated failed logins from one source, new accounts added to admin groups, admin logins outside business hours, mass file renames or shadow-copy deletion typical of ransomware) and also alert when a server stops sending logs, since a silent agent is often the first sign of tampering. Set up daily email summaries. | IT person or external consultant | 3-4 weeks |
| 4 → 5 | Conduct a monthly review meeting where you analyze detection trends, test your alert accuracy to reduce false positives, interview staff on suspicious activity they've noticed, and document improvements to your monitoring rules. | IT person + business owner + external auditor (quarterly) | Ongoing (4-6 hours/month) |
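The checklist items in the steps above (failed logins, odd-hour admin logins, admin-group changes) are easy to turn into rules a script applies to the exported logs, which is the bridge from the manual weekly review to the automated alerting of the 3 → 4 step. The script below is an added example written for this page, not code from the guide or from any tool it names. It reads Linux auth.log-style lines; the sample lines are constructed, and the year (syslog lines carry none), the 09:00-19:00 Monday-to-Saturday business hours, the admin account names and the brute-force threshold are assumptions to adjust for your organisation.

```python
"""Weekly log-review rules as code.

Added example, not part of the original guide or any tool it names. It reads
Linux auth.log-style lines and flags three things from the checklist: password
brute force, admin logins outside business hours, and commands that change
who has admin rights. Sample lines are constructed; year, business hours,
admin account names and thresholds are assumptions to adjust per organisation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2024                                          # assumed: syslog lines carry no year
ADMIN_ACCOUNTS = {"root", "admin", "administrator"}  # assumed admin account names
BUSINESS_HOURS = (9, 19)                             # assumed: 09:00-19:00, Monday to Saturday
BRUTE_FORCE_THRESHOLD = 5                            # failures from one IP ...
BRUTE_FORCE_WINDOW = timedelta(seconds=120)          # ... within this window

# Constructed sample log (addresses from documentation ranges, not real hosts).
SAMPLE_LOG = """\
Mar 14 02:11:05 fileserver sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:07 fileserver sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 14 02:11:09 fileserver sshd[2211]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 14 02:11:11 fileserver sshd[2211]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 14 02:11:13 fileserver sshd[2211]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 14 02:11:20 fileserver sshd[2214]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Mar 14 02:13:02 fileserver sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo backup
Mar 14 10:30:44 fileserver sshd[3001]: Accepted publickey for priya from 192.168.1.20 port 40012 ssh2
Mar 14 11:02:10 fileserver sshd[3055]: Failed password for priya from 192.168.1.20 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([A-Za-z_-]+)(?:\[\d+\])?:\s*(.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"^(\S+) : .*COMMAND=(.*)$")
# Commands that grant or alter admin rights; extend for your distribution.
PRIV_CMD_RE = re.compile(r"usermod\s+-aG\s+(?:sudo|wheel)|useradd|passwd\s+root|visudo|/etc/sudoers")


def parse_line(line):
    """Split one syslog line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    when = datetime.strptime(f"{YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")
    return {"when": when, "host": host, "prog": prog, "msg": msg}


def is_business_hours(when):
    """True Monday-Saturday inside BUSINESS_HOURS; Sunday is always off-hours."""
    start, end = BUSINESS_HOURS
    return when.weekday() < 6 and start <= when.hour < end


def review(log_text):
    """Return findings as (kind, timestamp, detail) tuples in log order."""
    findings = []
    failures = defaultdict(list)   # source IP -> recent failed-login timestamps
    flagged_ips = set()            # IPs already reported for brute force
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        when, msg = ev["when"], ev["msg"]
        if ev["prog"] == "sshd":
            m = FAILED_RE.search(msg)
            if m:
                user, ip = m.groups()
                # Sliding window: keep only failures inside BRUTE_FORCE_WINDOW.
                recent = [t for t in failures[ip] if when - t <= BRUTE_FORCE_WINDOW]
                recent.append(when)
                failures[ip] = recent
                if len(recent) >= BRUTE_FORCE_THRESHOLD and ip not in flagged_ips:
                    flagged_ips.add(ip)
                    findings.append(("brute_force", when,
                                     f"{len(recent)} failed logins from {ip} within "
                                     f"{BRUTE_FORCE_WINDOW.seconds}s (last user tried: {user})"))
                continue
            m = ACCEPTED_RE.search(msg)
            if m:
                user, ip = m.groups()
                if user in ADMIN_ACCOUNTS and not is_business_hours(when):
                    findings.append(("off_hours_admin_login", when,
                                     f"{user} logged in from {ip} at {when:%a %H:%M}"))
                if ip in flagged_ips:
                    findings.append(("login_after_brute_force", when,
                                     f"{user} accepted from {ip} after brute-force attempts"))
        elif ev["prog"] == "sudo":
            m = SUDO_RE.match(msg)
            if m and PRIV_CMD_RE.search(m.group(2)):
                findings.append(("privilege_change", when,
                                 f"{m.group(1)} ran: {m.group(2).strip()}"))
    return findings


if __name__ == "__main__":
    for kind, when, detail in review(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:24s} {detail}")
```

On the constructed sample this reports four findings: the brute force from 203.0.113.45, the 02:11 root login (outside business hours), the same login flagged again because it followed the brute-force attempts, and the sudo command that added an account to the sudo group. The successful login after a burst of failures is the one to chase first; on its own a brute-force attempt against an internet-facing SSH port is routine noise.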
Documents and records that prove your maturity level.
- Weekly or daily monitoring checklist or log review report (dated and signed by IT person) showing what was checked and what was found
- Server/system event logs or centralized log files covering at least the last 180 days (the retention CERT-In's 2022 directions require), stored so that the person who reviews them cannot silently edit or delete them
- Documented Monitoring & Detection Procedure approved and signed by management, listing what events are suspicious and how to respond
- Investigation records or incident tickets for at least 2-3 suspicious activities found in the last 6 months, showing what was discovered and how it was resolved
- Dashboard or alert configuration report from your monitoring tool showing active rules and alerts (if using automated tools)
Prepare for these questions from customers or third-party reviewers.
- "Walk me through what unusual activities you've detected and investigated in the last 3 months. Show me the records."
- "If someone logs into an admin account outside normal business hours, how would you know and what would you do?"
- "How often do you review your logs and who is responsible for doing it? Show me your procedure and your records."
- "Have you ever found evidence of a breach or attack attempt? How did you detect it and how did you respond?"
- "What monitoring tools do you use, and how are alerts configured? Who receives alerts and how quickly do they investigate?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Centralized log collection and analysis—gathers logs from all servers and computers in one place so you can search and alert on suspicious patterns | Wazuh (open-source, suitable for MSMEs), ELK Stack (Elasticsearch, Logstash, Kibana—free but requires technical skill) | Splunk (₹4–8 lakh/year for small deployments), Microsoft Sentinel (₹3–5 lakh/year for small setups) |
| Real-time alerting on suspicious events—automatically sends you notifications when something dangerous happens (e.g., repeated failed logins, ransomware behavior) | Wazuh alerts, osquery (endpoint monitoring), OSSEC (host-based intrusion detection) | SentinelOne (₹8–12 lakh/year), CrowdStrike (₹10–15 lakh/year), Cisco Secure Endpoint (₹5–10 lakh/year) |
| Endpoint Detection & Response (EDR)—monitors individual computers for malware, suspicious behavior, and lateral movement by attackers | Microsoft Defender Antivirus (included in Windows; antivirus only, not full EDR), Velociraptor (open-source endpoint visibility and forensics) | Microsoft Defender for Endpoint (₹2–4 lakh/year), Elastic Security (₹5–8 lakh/year) |
| Network traffic monitoring—watches what data is moving in and out of your network to catch data exfiltration or command-and-control communications | Zeek (open-source network security monitor), Suricata (open-source IDS/IPS) | Palo Alto Networks (₹15–25 lakh/year), Fortinet FortiGate (₹8–15 lakh/year) |
| Simple event tracking and spreadsheet—for very small businesses with minimal budget, a manually maintained Excel or Google Sheet documenting daily/weekly checks and findings | Microsoft Excel, Google Sheets, LibreOffice Calc | — |
- Collecting logs but never reading them—many Indian MSMEs enable logging for compliance sake but the IT person is too busy with day-to-day tasks to actually review the logs, so alerts go unnoticed.
- Confusing 'monitoring' with 'backups'—some businesses think taking daily backups counts as detecting unusual behavior, but backups don't tell you if a hacker was in your system; you need active monitoring.
- Only reacting after a customer complains—waiting for users to report slow systems or access issues instead of proactively watching logs means attackers have more time to cause damage.
- Over-reliance on antivirus alone—antivirus catches known malware, but unusual behavior detection catches new attacks, insider threats, and misconfiguration; you need both.
- Poor log retention—deleting or overwriting logs after a few days because of storage limits means you can't investigate an incident that started a week ago; CERT-In's 2022 directions require logs to be kept for a rolling 180 days within India, so size storage for that and keep the archive somewhere an attacker with admin rights on the server cannot wipe it.
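The retention mistake above, and the 180-day log evidence an auditor will ask for, are covered by a small scheduled job that archives each day's log, records its hash so later edits show up, and prunes only what is past the retention period. The script below is an added example written for this page, not from the guide or any tool it names. It assumes GNU coreutils on the server (sha256sum, gzip, find with -delete); the paths and names are placeholders, and the 180-day default is the figure from CERT-In's 2022 directions.

```sh
#!/bin/sh
# Added example, not from the guide: keep a tamper-evident archive of a log
# file for the retention period. Assumes GNU coreutils (sha256sum, gzip,
# find -delete). Paths and names are placeholders; 180 days is the retention
# CERT-In's 2022 directions ask for.
RETENTION_DAYS="${RETENTION_DAYS:-180}"

# archive_log <source-log> <archive-dir>
# Compresses the log as <name>-<YYYY-MM-DD>.gz, makes it read-only and
# appends its SHA-256 to MANIFEST.sha256 so later edits can be spotted.
archive_log() {
    src="$1"; dest="$2"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    out="$dest/$(basename "$src")-$(date +%Y-%m-%d).gz"
    [ -e "$out" ] && { echo "$out already exists; one archive per day" >&2; return 1; }
    gzip -c "$src" > "$out" || return 1
    chmod 0440 "$out"
    # Hash is recorded relative to the archive dir so "sha256sum -c" works there.
    (cd "$dest" && sha256sum "$(basename "$out")" >> MANIFEST.sha256) || return 1
    echo "$out"
}

# verify_archive <archive-dir>
# Exit 0 only if every archived file still matches its recorded hash.
verify_archive() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# prune_archive <archive-dir>
# Delete archives older than RETENTION_DAYS and drop their manifest lines,
# so verification keeps working after pruning.
prune_archive() {
    dir="$1"
    find "$dir" -name '*.gz' -type f -mtime +"$RETENTION_DAYS" -print -delete
    if [ -f "$dir/MANIFEST.sha256" ]; then
        while read -r hash name; do
            if [ -f "$dir/$name" ]; then printf '%s  %s\n' "$hash" "$name"; fi
        done < "$dir/MANIFEST.sha256" > "$dir/MANIFEST.sha256.tmp"
        mv "$dir/MANIFEST.sha256.tmp" "$dir/MANIFEST.sha256"
    fi
}
```

Run `archive_log /var/log/auth.log /srv/logarchive` from a daily cron job, `verify_archive /srv/logarchive` as part of the weekly review, and `prune_archive` monthly. The archive directory should be writable only by the archiving account, ideally on a separate host or a write-once share, since a copy that lives beside the original log is lost together with it when a server is wiped.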
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(5) and 8(6) (Data Fiduciary's duty to take reasonable security safeguards to prevent personal data breach, and to notify the Data Protection Board and affected Data Principals when a breach occurs) |
| CERT-In Directions (28 April 2022) | Directions (i), (ii) and (iv) (synchronise system clocks to NTP, report cyber incidents to CERT-In within 6 hours of noticing them, and retain ICT system logs for a rolling 180 days within India) |
| ISO/IEC 27001:2022 | Annex A 8.15 (Logging), A 8.16 (Monitoring activities), A 5.25 (Assessment and decision on information security events), A 8.8 (Management of technical vulnerabilities) |
| NIST CSF 2.0 | Detect Function: DE.CM-01 (networks and network services are monitored), DE.CM-09 (computing hardware and software, runtime environments and their data are monitored), DE.AE-02 (potentially adverse events are analyzed), DE.AE-08 (incidents are declared when adverse events meet the defined incident criteria) |
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.