Far too low-hanging fruit

Nothing’s going to happen to us. This is what many small and medium-sized companies think when it comes to cybersecurity. In this chapter of our Cybersecurity Series, we show why smaller businesses in particular are targeted by hackers. 

Imagine for a moment a fruit tree full of delicious fruit hanging to the ground. You wouldn’t think you should climb all the way to the top of the tree to harvest the fruit there, even if the apples or cherries appeared that much bigger and juicier. Instead, you’d probably first pick the fruit you could reach without a ladder and extra help.


The image of low-hanging fruit is frequently used in the business world as well: First take care of business requiring little effort before attending to the products that are harder to deliver to the customer.


Unfortunately, hackers also employ this principle. Their attacks are neither particularly elaborate nor aimed at a specific company. Rather, hackers try to seize what they can easily get their hands on when they go about raiding the internet. If, out of 1 million identical emails, only 100 unsuspecting people click on the infected attachment, and only 10 of them pay a ransom to get their computers unlocked — that’s easy money.

It all adds up

And just who are the low-hanging fruit in our image? They are millions of small and medium-sized companies all over the world that believe they’re not interesting enough for hackers and, as a result, do too little for their cybersecurity. Cybercriminals, of course, know this. That’s why they also prefer to scatter their automated attacks among smaller businesses, following the motto “it all adds up.” And that lot grows into quite a heap: Losses from cyberattacks totaled US$600 billion worldwide in 2018, according to an estimate from reinsurer Munich RE.


Surveys also reflect this discrepancy between the perceived limited threat and the actual high threat. According to the 2018 Forsa study “Cyberrisiken im Mittelstand” (“Cyber Risks in Small and Medium-Sized Businesses”) conducted for the German Insurance Association (GdV), 34 percent of the SMEs surveyed believe cyber risks will impact them, while 73 percent think they’re adequately protected.

Many SMEs have already fallen victim

You could also call it the principle of hope, because reality doesn’t look so rosy. One-third of all companies have already fallen victim to an attack, the auditors at EY (formerly Ernst & Young) say. And in a survey from Horvath & Partners, that figure is as high as two-thirds. The number of unreported incidents is significant: According to EY, 15 percent of cyber incidents were discovered only by chance and many probably not at all. The Forsa study for GdV provides evidence that cyberattacks are even more successful the smaller the company is — that’s arguably where the fruit hangs especially low.


“Companies are afraid, but they still do too little,” Peter Kühfuß says. He is managing director of KMPC Innovations, a start-up in Heilbronn, Germany, that advises companies on networking their machines using sensors and that gets them ready for the Internet of Things using a production monitoring tool. The specialist in business information technology knows firsthand about the challenges small and medium-sized companies face. Inadequate cybersecurity often starts with a lack of knowledge about internal work processes. 


Consider this example: The sales department of a company wants to implement a new structure and increase sales. At some point, it becomes apparent that production can’t deliver very large quantities. Then management begins a feverish search for ways to boost production performance, for example by using sensors to monitor machines. Hastily seizing on the wrong concept here risks creating gaps in the cyber protection. “That’s why we first meet together in workshops to determine what the company actually wants,” Kühfuß says. 

Only read, not write

How this can work properly in practice is demonstrated by the I4sec project funded by the German Ministry of Education and Research: In the project, KMPC and industrial partners work on developing concepts to securely collect and transmit sensor data for remote maintenance. Buday, which manufactures technical adhesive tapes, is one of the partners in the project: When does the cutter no longer have a sharp edge? What was the temperature when glue was applied? Buday intends to draw on such information to help the company improve its efficiency and quality — without introducing security risks internally. An ironclad rule is that data from the sensors must remain read only, and commands may not be written back into the machine control system.


The Data Capture Unit (DCU) from Siemens follows the same principle. It enables direct data collection from critical and industrial assets to the cloud for data analytics and predictive maintenance, while completely mitigating the cybersecurity risk of such a connection. The DCU uses Siemens data diode technology, which not only forces data to flow one way (read only) but also keeps industrial and IT networks physically separated. This approach prevents hackers from remotely manipulating any critical or industrial assets, because the security function lies in the chip design and not in software.
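The read-only rule from the I4sec project and the one-way data path of the DCU can be modelled in software to show what "read only, no write-back" means at the protocol level. The gateway below is an added illustration, not code from KMPC, Buday or Siemens; the frame format, sensor names and the OT/IT entry points are assumptions made for this example. Unlike a hardware data diode, a software filter still runs on an attackable host, so this only demonstrates the design principle.

```python
"""Software model of a one-way (OT -> IT) telemetry gateway.

Only the OT side can push frames in; the IT side can only read what was
accepted. There is deliberately no method that sends anything back to
the machine side, and any frame that is not allow-listed telemetry is
dropped and logged. Frame format and metric names are assumed.
"""
from collections import deque

# Allow-listed telemetry (assumed names, modelled on the cutter-edge and
# glue-temperature questions raised in the text).
ALLOWED_METRICS = {"cutter_edge_ok", "glue_temp_c"}


class OneWayGateway:
    """Forwards telemetry in one direction; rejects everything else."""

    def __init__(self):
        self._outbound = deque()   # frames released to the IT side
        self.rejected = []         # audit trail of dropped frames

    # OT side: the only entry point. Expects 'READ <machine> <metric>=<value>'.
    def push_from_ot(self, frame: str) -> bool:
        parts = frame.strip().split()
        if len(parts) != 3 or parts[0] != "READ" or "=" not in parts[2]:
            self.rejected.append(frame)      # commands, malformed input
            return False
        metric, value = parts[2].split("=", 1)
        try:
            numeric = float(value)
        except ValueError:
            self.rejected.append(frame)      # non-numeric payloads
            return False
        if metric not in ALLOWED_METRICS:
            self.rejected.append(frame)      # unknown or unapproved metric
            return False
        self._outbound.append({"machine": parts[1], metric: numeric})
        return True

    # IT side: read only. Note the absence of any send_to_ot() method.
    def pull_for_it(self) -> list:
        return list(self._outbound)


def run_demo() -> OneWayGateway:
    """Feed constructed frames through the gateway and return it."""
    gw = OneWayGateway()
    for frame in [
        "READ slitter-1 glue_temp_c=81.5",       # constructed: valid reading
        "READ slitter-1 cutter_edge_ok=0",       # constructed: valid reading
        "WRITE slitter-1 spindle_rpm=2000",      # constructed: write-back attempt
        "READ slitter-1 spindle_rpm=abc",        # constructed: bad value
        "STOP slitter-1",                        # constructed: control command
    ]:
        gw.push_from_ot(frame)
    return gw
```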


At Siemens, such solutions are part of the company’s holistic cybersecurity approach. This approach helps the company protect not only its infrastructure across all business units, but also the products, solutions and services for its customers. In addition, Siemens has joined forces with leading businesses from around the world to establish the Charter of Trust, whose 10 principles can serve as guidelines for all kinds of companies.

Corona is impacting IT security

This is urgently needed as well: “Companies must do more for cybersecurity and expand their digital know-how,” Kühfuß urges. That applies in particular to the current Covid-19 crisis, which has caused a level of social and economic upheaval unprecedented in modern times. The result is a huge increase in the use of cloud solutions and massive use of tools such as video conferencing, without any security considerations. That makes the pandemic an accelerator for the urgency of cybersecurity. Arguing that “nothing happened in the past” would be particularly risky thinking for any enterprise. After all, hackers know how to exploit this carelessness. And so the worry is that the fruit is now hanging that much lower and cybercriminals will seize their chance to make a good haul.


If you would like to know what cyber risks companies are vulnerable to and what exactly you can do about them — including with assistance from Siemens — click here.

Our series of five articles explains what small and medium-sized companies can do to protect themselves against cyber risks. The series examines why smaller companies are more frequently impacted by attacks and what role employees play. The articles also provide tips on how companies can protect themselves against attacks at reasonable expense and leverage this as part of their business strategy — for example with concrete assistance from Siemens. As soon as a new article appears, it will be linked here:

Part 1: Room for improvement

Part 2: Far too low-hanging fruit

Part 3: Human beings: the chink in the armor
