Room for improvement

What’s the cybersecurity situation at small and medium-sized enterprises? Numerous studies show that it could be better. But there’s a ray of hope: Awareness of the problem is growing. This is the first in our series of five articles explaining why and what small and medium-sized enterprises can do to protect themselves from cyberrisks. 

According to reports in the press, the attack came out of nowhere. In February 2020, hackers apparently penetrated the computer network at Technische Werke Ludwigshafen, a municipal utility company in southwest Germany, and got away with 500 gigabytes of data that included information on all its customers, employees, and business partners, including account details. Because the company didn’t pay the horrific ransom that was demanded, in May the criminals began publishing the stolen information on the darknet, where the data can be used by other hackers for further blackmail attempts. The company has informed its customers how they can protect themselves against a misuse of their data.

Billions in damage

The incident in Ludwigshafen is just the tip of the iceberg. Every day, companies are victimized by cybercriminals who steal sensitive data and cripple IT systems. While few cases come to light, the number of unreported cases is high, because companies don’t want the damage to become widely known. The reinsurance company Munich RE estimates the damages caused by worldwide cyberattacks to be $600 billion within one year. In the smallest companies, these attacks are successful at an above-average rate, according to the study “Cyberrisiken im Mittelstand” (“Cyber risks in medium-sized enterprises”) conducted by Forsa on behalf of the German Insurance Association. Nevertheless, it’s amazing how laid back (and naive?) many companies are on the subject. In Germany, for example, 71 percent of small and medium-sized enterprises (SMEs) consider their risk to be low.

Small companies, great danger

This discrepancy between the perceived and real threat is frightening. The most common excuses are “We’re too small,” or “We don’t have any valuable data.” First of all, the size or value of the target is of secondary importance to hackers. Cyberattacks can be like buckshot: You simply take a random shot and hope that you hit something. And the ammunition is potent. Over the past year, the German Federal Office for Information Security (BSI) has counted up to 400,000 new malware programs per day. Both major corporations and small companies will sooner or later be hit by a fragment – and suffer painful injuries if there are no security measures in place.

The fear grows

The good news is that SMEs are becoming increasingly aware of the risks, at least in Germany. In a 2019 survey by the insurance company Gothaer Versicherung, 43 percent of SMEs with up to 500 employees considered cyberattacks to be the greatest threat to their companies. This number was only 32 percent two years before. This pleases the insurance group, which has recognized that cyberpolicies that insure against hacker damage are a “sleeping giant.”

In the smallest companies, cyberattacks are successful at an above-average rate.

Learning from mistakes

The bad news is that measures to increase cybersecurity are like New Year’s resolutions. We know that we should exercise more, but laziness always wins out – or carelessness, in the case of cybersecurity. The widespread knowledge of the threat too seldom results in concrete precautionary measures, as the Forsa study for the insurance industry proves: 73 percent of companies believe that they’re sufficiently protected from cyber risks without taking further measures. But experience has shown that when they realize their mistake, it’s often too late and, above all, expensive. When it comes to cybersecurity, it’s best to not rely on the “St. Florian principle”: hoping that it will always be your neighbor’s house that burns down.

Prevention required

Markus Schliess knows this attitude only too well. The lawyer specializing in IT law in Stuttgart, Germany, counsels companies on how they can protect themselves from cyber risks and the associated legal risks. He emphasizes prevention. Working with company management, he develops guidelines on how employees should behave and teaches these measures in training courses. “The European Data Protection Regulation for example defines strict guidelines,” warns Schliess. Anyone who doesn’t comply and loses personal data may end up having to pay twice: the ransom money to the hackers or for damage to IT on the one hand, and severe penalties on the other. “The regulatory authority looks very closely at whether everything was done to avoid data loss.” For example, companies that can show evidence that they’ve provided their employees with training are usually on the safe side, according to Schliess.

Keep calm and call for assistance

“Many SMEs need help with the planning and implementation of prevention, detection, and response measures,” says Arne Schönbohm, President of the German Federal Office for Information Security (BSI). Today there’s an entire range of resources available for SMEs, including the BSI’s IT emergency card, which can be attached to every employee’s monitor to inform them of what to do if they suspect an attack. Rule No. 1: Keep calm. Rule No. 2: Call the phone number provided and get help. Another source of fast assistance is the IT emergency service package developed by BSI in collaboration with several partners, including the Charter of Trust and its founding member Siemens. The Charter of Trust has also developed a three-phase plan for how SMEs can arm themselves against threats.

From problem to solution

Digitalization is often maligned as the actual cause of cyberattacks by those who deny the risks, but that’s not the problem. On the contrary, it’s part of the solution, as the German Bitkom study proves. But nevertheless it’s still often lacking.


Siemens has developed a holistic approach to cybersecurity, one which helps the company not only to protect its infrastructure, but as well as the products, solutions and services for its customers as much as possible. Furthermore the company has joined forces with leading companies from around the globe to form the Charter of Trust with its ten principles.


If you want to know about the cyberrisks that companies are susceptible to and what exactly you can do about them, also with the help of Siemens, click here.

This is the first in our series of five articles explaining why and what small and medium-sized enterprises can do to protect themselves from cyberrisks. The articles explore the question of why smaller companies are more frequently attacked and what role employees play. They also provide tips on how companies can protect themselves from attacks at a manageable cost and can make this part of their business strategy – for example, with specific support from Siemens. As soon as the next article is published, it will be linked here:


Part 1: Room for improvement

Part 2: Far too low-hanging fruit

Part 3: Human beings: the chink in the armor

Part 4: Digitalization - sure, but secure

Part 5: Three steps to cyber protection

Bernd Müller

Subscribe to our Newsletter

Stay up to date at all times: everything you need to know about electrification, automation, and digitalization.