67% of German SMEs Were Hit by Cyber Attacks Last Year. The Real Problem? The Basics They Left Wide Open.
Cybersecurity incidents often become expensive because everyday basics are missing: updates, MFA, tested backups, scoped access, network segmentation and clear incident documentation.
Most SMEs do not spend much time thinking about cybersecurity until it is already too late. That is not shocking. There is always something more urgent, and the day is already full before anyone asks whether the backups are actually running, whether that old server is overdue for replacement, or whether the network grew over the years without any real separation between office IT, production, guest access and external remote connections.
The numbers are not abstract
The Hiscox Cyber Readiness Report 2025 found that 67% of German SMEs experienced at least one cyber attack in the previous twelve months. The same report found that 60% are either uninsured or not adequately insured against cyber risk.
The CYBERsicher Lagebild 2025 from the BSI tells the same story in a different register. Ransomware attacks on German companies published on leak sites more than quadrupled between 2021 and 2024. According to BKA figures cited in the report, more than 80% of 950 evaluated ransomware incidents affected small and mid-sized businesses.
- 67% of German SMEs hit by at least one cyber attack (Hiscox Cyber Readiness Report 2025)
- 60% uninsured or not adequately insured against cyber risk (Hiscox Cyber Readiness Report 2025)
- 80% of evaluated ransomware incidents affecting SMEs (BKA figures cited by BSI)
To make it tangible: our public website recently absorbed more than 3,000 DoS and bot attacks in a single day. In our case it was irritating but harmless because the firewall did exactly what it was supposed to do. Put that same automated pressure on a customer portal, a warehouse system, a patient database or a machine-control environment, and the consequences change fast.
The old belief that attackers only go after large corporations and governments should be retired. They go after whatever is reachable, weakly protected, badly maintained or connected to something useful.
Why the risk feels different now
A few years ago, many smaller IT environments were still small and transparent. A server somewhere, a handful of workstations, email, shared folders, maybe a VPN, maybe one or two pieces of industry software that everybody complained about and nobody dared replace because “we’ve always done it like this.”
That is no longer reality for most companies. Even ordinary SMEs now depend on a long chain of cloud services, remote access tools, mobile devices, SaaS platforms, customer portals, supplier portals, ERP, warehouse systems, APIs, machine interfaces and legacy integrations that were built for one specific problem and then never touched again. Every added system creates another place where access, permissions, updates, responsibilities and recovery must be clear, documented and tested.
A good example is Faxploit, a printer and fax exploit that showed how a device most people would call harmless office periphery can become an entry point. A misconfigured, unpatched printer or fax machine connected to systems it has no business touching can hand a bad actor access to internal networks, databases or production environments that were never supposed to be reachable from there.
The basics that still fail everywhere
You cannot prevent every exploit. But there are things you can and should do proactively to stop the worst outcomes. Most problems start when:
1. Software is left unmaintained because it still runs
Operating systems, servers and firmware still need patching. Custom-developed software does not stop needing work the moment the first invoice is paid. If a system matters to your business, it needs maintenance like any other piece of critical infrastructure.
2. Backups exist, but nobody knows whether they work
A backup is just a copy. Recovery is the ability to restore that copy into something usable when it actually matters. If no one has tested a meaningful restore in months or years, the business is relying on faith, not process.
3. Networks grow over time without proper separation
When guests, office systems, production, suppliers and remote access all sit too close together, one compromised device becomes a guided tour through the rest of the company.
4. Access rights become far too broad
People often have more access than they need because it was easier at the time, because nobody wanted to break a workflow, or because nobody came back later to clean it up. Once an attacker gets one of those accounts, they inherit every bad decision attached to it. Access should follow actual need and stay tightly scoped.
5. Monitoring is minimal, documentation non-existent
Minimal monitoring means problems are noticed late, sometimes only when the damage is already visible. Little or no documentation turns every incident into guesswork. You waste time figuring out what connects to what, which credentials still work, who set something up, and whether a system is even still in use.
We will cover backups, network segmentation and AI-related risks in separate follow-up articles. For now, the important point is simpler: most attacks do not become expensive because attackers are brilliant. They become expensive because they exploit the weak links you created yourself.
What you can do this month without turning the business into a security project
You do not need to overhaul everything at once. You need to audit what you have, identify the obvious risks, and close the gaps one by one.
1. Updates always on
Turn on automatic updates where appropriate. Where that is not possible, define a clear process for critical patches so they do not drift because everyone assumed someone else was watching. This applies to:
- Operating systems
- Desktop and mobile applications
- Individual or custom-developed software, which needs a maintenance budget and a sensible update cycle
- Peripheral devices such as printers, fax machines and scanners
- Network equipment, firewalls and switches
- PLCs, HMIs and other industrial components where updates are available and operationally feasible
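One way to turn the list above into a recurring check is to run a small script over the asset inventory and flag everything whose last patch is older than the limit for its class, or whose vendor support has already ended (the "it still runs" trap from earlier). The script below is an added example, not code from the article or from any vendor; the asset classes, the per-class limits in PATCH_SLA_DAYS, the inventory layout and every row in INVENTORY are constructed assumptions.

```python
"""Patch-currency check over an asset inventory (added example, not from the article).

Assumptions: a flat inventory with an asset class, the date of the last applied
patch and the vendor's support end date, plus a per-class maximum patch age.
All values below are constructed sample data.
"""
from datetime import date

# Maximum acceptable age (days) of the last applied patch per asset class.
# These limits are an assumed policy, not a standard.
PATCH_SLA_DAYS = {
    "os": 30,           # operating systems
    "application": 30,  # desktop and mobile applications
    "custom": 90,       # custom-developed software with its own update cycle
    "peripheral": 90,   # printers, fax machines, scanners
    "network": 60,      # firewalls, switches
    "industrial": 180,  # PLCs, HMIs, where patching is operationally feasible
}

# Constructed inventory export; support_end None means no vendor or maintenance contract on record.
INVENTORY = [
    {"asset": "dc01",           "class": "os",         "last_patch": "2025-04-20", "support_end": "2029-10-09"},
    {"asset": "fileserver-old", "class": "os",         "last_patch": "2023-10-10", "support_end": "2023-10-10"},
    {"asset": "timesheet-app",  "class": "custom",     "last_patch": "2024-11-01", "support_end": None},
    {"asset": "mfp-2ndfloor",   "class": "peripheral", "last_patch": "2025-03-15", "support_end": "2027-01-01"},
    {"asset": "fw-edge",        "class": "network",    "last_patch": "2025-04-30", "support_end": "2028-06-30"},
    {"asset": "plc-line2",      "class": "industrial", "last_patch": "2024-06-01", "support_end": "2030-12-31"},
]


def check_patch_status(inventory, sla_days=PATCH_SLA_DAYS, today="2025-05-05"):
    """Return (asset, finding, detail) tuples for every asset that breaks the policy."""
    today_d = date.fromisoformat(today)
    findings = []
    for item in inventory:
        age = (today_d - date.fromisoformat(item["last_patch"])).days
        limit = sla_days[item["class"]]
        if age > limit:
            findings.append((item["asset"], "patch-overdue", f"{age} days since last patch, limit {limit}"))
        end = item["support_end"]
        if end is not None and date.fromisoformat(end) <= today_d:
            # Still running, but nobody will ship a fix for the next vulnerability.
            findings.append((item["asset"], "end-of-support", f"vendor support ended {end}; no further fixes"))
        elif end is None and item["class"] == "custom":
            findings.append((item["asset"], "no-maintenance-owner",
                             "custom software with no support or maintenance agreement on record"))
    return findings


if __name__ == "__main__":
    for asset, finding, detail in check_patch_status(INVENTORY):
        print(f"{asset:16} {finding:22} {detail}")
```

The point of keeping the limits per class rather than one global number is that a PLC legitimately patches on a different cadence than a laptop; what must not happen is the class with no limit at all.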
2. MFA is non-negotiable
Turn it on everywhere it should already be active: email, cloud platforms, VPN, admin access, financial tools, customer systems, repositories and hosting. If a platform offers MFA and you skipped it, you just became the easiest door in the building.
3. Test those backups
Pick something genuinely critical, such as a file share, database, email mailbox, application or server, and run a full restore from start to finish. Find out what works, what is missing, how long it takes, and who actually knows what to do. Document the process step by step so recovery is not dependent on one person who happens to be on holiday when things go wrong.
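A restore drill is easier to repeat if the verification is scripted: restore into a scratch directory, compare every file against a checksum manifest written at backup time, and record how long it took. The script below is an added example, not the article's or any backup product's code; it assumes a .tar.gz backup plus a manifest of `<sha256>  <relative path>` lines, and the sample files it builds are constructed. The two failure modes it simulates (a file that was never backed up, a copy that differs from what was recorded) are exactly the ones a "the backup job ran fine" report hides.

```python
"""Restore drill for a compressed tar backup (added example, not from the article).

Restores the archive into a scratch directory, checks every file against a
SHA-256 manifest written at backup time, and measures how long the restore took.
The archive layout and manifest format ('<sha256>  <relative path>' per line)
are assumptions; the sample files are constructed.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source_dir: Path) -> str:
    """One '<sha256>  <relative path>' line per file, generated at backup time."""
    lines = []
    for p in sorted(source_dir.rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_file(p)}  {p.relative_to(source_dir).as_posix()}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    return expected


def restore_and_verify(archive: Path, manifest_text: str) -> dict:
    """Restore into a temporary directory and compare the result with the manifest."""
    expected = parse_manifest(manifest_text)
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        start = time.monotonic()
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter (Python 3.12, backported to 3.8.17+) refuses absolute
                # paths, '..' components and special files inside the archive.
                tar.extractall(dest, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(dest)
        elapsed = time.monotonic() - start
        restored = {p.relative_to(dest).as_posix(): p for p in dest.rglob("*") if p.is_file()}
        missing = [rel for rel in expected if rel not in restored]
        corrupt = [rel for rel in expected if rel in restored and sha256_file(restored[rel]) != expected[rel]]
        unexpected = sorted(set(restored) - set(expected))
    return {
        "ok": not missing and not corrupt,
        "missing": missing,
        "corrupt": corrupt,
        "unexpected": unexpected,
        "files_expected": len(expected),
        "seconds": round(elapsed, 3),
    }


def make_constructed_backup(tmp: Path, drop_file: Optional[str] = None, corrupt_file: Optional[str] = None):
    """Build a tiny source tree, its manifest and a .tar.gz of it (constructed data).

    drop_file simulates a file that was never backed up; corrupt_file simulates a
    backed-up copy that differs from what the manifest recorded.
    """
    src = tmp / "src"
    (src / "invoices").mkdir(parents=True)
    (src / "invoices" / "2024-q1.csv").write_text("id,amount\n1,100\n2,250\n")
    (src / "config.ini").write_text("[db]\nhost=db01\n")
    manifest = write_manifest(src)  # taken before any simulated damage
    if corrupt_file:
        (src / corrupt_file).write_text("truncated")
    archive = tmp / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in src.rglob("*"):
            rel = p.relative_to(src).as_posix()
            if p.is_file() and rel != drop_file:
                tar.add(p, arcname=rel)
    return archive, manifest


def run_drill(drop_file=None, corrupt_file=None) -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        archive, manifest = make_constructed_backup(Path(tmp), drop_file, corrupt_file)
        return restore_and_verify(archive, manifest)


if __name__ == "__main__":
    print(run_drill())                                     # clean restore
    print(run_drill(drop_file="config.ini"))               # a file that never made it into the backup
    print(run_drill(corrupt_file="invoices/2024-q1.csv"))  # a backed-up copy that no longer matches
```

Run this against a real archive by calling restore_and_verify with the archive path and the manifest text; the elapsed time and the "who ran it" belong in the written recovery procedure alongside the result.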
4. Review access rights
Review who has access to what and be less sentimental about old permissions.
- Remove stale accounts.
- Check external providers and supplier access, and always give only the minimum required.
- Separate normal user accounts from admin accounts.
If somebody only needs access to one system, they should not quietly have access to three others just because it was convenient once. The idea is simple: if someone gets through one door, they should not automatically hold the keys to the rest of the building.
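The three checks above (stale accounts, supplier access beyond the minimum, admin rights mixed into everyday accounts) can be run mechanically over an account export. The script below is an added example, not from the article or any identity product; the record layout, the 90-day staleness limit, the rule that an admin account which also holds a mailbox is "the everyday account with admin rights attached", the SUPPLIER_SCOPE table and every record in ACCOUNTS are constructed assumptions.

```python
"""Access review over a flattened account export (added example, not from the article).

Flags three things the article calls out: stale accounts, admin rights sitting on
someone's everyday account, and supplier accounts with access beyond what was agreed.
The record layout, the 90-day staleness limit and the supplier scope table are
assumptions; all records are constructed.
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)

# Constructed export, e.g. from a directory or identity provider after flattening group membership.
ACCOUNTS = [
    {"user": "m.schulz",     "kind": "employee", "last_login": "2025-05-02", "admin": False, "systems": {"mail", "erp", "fileshare"}},
    {"user": "m.schulz-adm", "kind": "employee", "last_login": "2025-04-28", "admin": True,  "systems": {"erp", "ad"}},
    {"user": "k.weber",      "kind": "employee", "last_login": "2025-05-01", "admin": True,  "systems": {"mail", "erp", "fileshare", "ad", "hypervisor"}},
    {"user": "intern2023",   "kind": "employee", "last_login": "2023-09-14", "admin": False, "systems": {"mail", "fileshare"}},
    {"user": "svc-backup",   "kind": "service",  "last_login": "2025-05-03", "admin": False, "systems": {"fileshare", "hypervisor"}},
    {"user": "vendor-hvac",  "kind": "supplier", "last_login": "2025-01-10", "admin": False, "systems": {"bms", "fileshare"}},
    {"user": "vendor-erp",   "kind": "supplier", "last_login": None,         "admin": True,  "systems": {"erp"}},
]

# Systems each supplier account is contractually allowed to reach (constructed).
SUPPLIER_SCOPE = {"vendor-hvac": {"bms"}, "vendor-erp": {"erp"}}


def review_access(accounts, supplier_scope, today="2025-05-05"):
    """Return (user, finding, detail) tuples; one account can produce more than one."""
    today_d = date.fromisoformat(today)
    findings = []
    for a in accounts:
        last = date.fromisoformat(a["last_login"]) if a["last_login"] else None
        if last is None:
            findings.append((a["user"], "stale", "never logged in; remove or set an expiry"))
        elif today_d - last > STALE_AFTER:
            findings.append((a["user"], "stale", f"last login {a['last_login']}, over {STALE_AFTER.days} days ago"))
        # An admin account that also reads mail is the everyday account with admin rights attached.
        if a["admin"] and a["kind"] == "employee" and "mail" in a["systems"]:
            findings.append((a["user"], "admin-on-daily-account",
                             "split into a normal account and a separate admin account"))
        if a["kind"] == "supplier":
            extra = a["systems"] - supplier_scope.get(a["user"], set())
            if extra:
                findings.append((a["user"], "supplier-overscoped", "beyond agreed scope: " + ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(ACCOUNTS, SUPPLIER_SCOPE):
        print(f"{user:14} {finding:24} {detail}")
```

In the sample data m.schulz passes because the admin rights live on a separate m.schulz-adm account with no mailbox, while k.weber does not; vendor-hvac is flagged twice, once for not having logged in for months and once for holding a file-share grant that was never in scope.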
5. Segment that network
At minimum, separate guest Wi-Fi, office IT and production or operational systems. Then look at supplier access, remote maintenance, VPN tunnels, shared services and old machines that should not be able to reach everything else. Legacy systems in particular often belong in their own isolated segment.
Each zone has only the routes it needs. Movement is limited.
The goal is clear separation and containment. If one system is compromised, it should not automatically open the way to the rest of the business.
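Whether the segmentation actually holds is something you can check from flow records rather than from the firewall's intentions: map each address to its zone, keep an explicit list of the cross-zone flows that are supposed to exist, and report everything else. The script below is an added example, not from the article or any firewall vendor; the zone names and address ranges in ZONES, the allow-list in ALLOWED, the `<timestamp> <src_ip> <dst_ip> <dst_port>` record format and the lines in SAMPLE_FLOWS are all constructed assumptions.

```python
"""Zone-policy check over flow records (added example, not from the article).

Maps source and destination addresses to network zones by CIDR, then flags every
cross-zone flow that is not on the allow-list. Zones, address ranges, the allowed
flows and the log lines are all constructed; the record format
'<timestamp> <src_ip> <dst_ip> <dst_port>' is an assumption.
"""
import ipaddress

# Address ranges per zone (constructed). Anything outside these is treated as "internet".
ZONES = {
    "guest": ["192.168.50.0/24"],
    "office": ["10.10.0.0/16"],
    "production": ["10.20.0.0/16"],
    "legacy": ["10.99.0.0/24"],     # old machines that must not reach everything else
    "remote": ["10.200.0.0/24"],    # VPN pool used for supplier remote maintenance
}

# Allowed cross-zone flows: (source zone, destination zone, destination port or "*").
# Everything not listed is a violation; traffic inside one zone is not checked here.
ALLOWED = {
    ("office", "production", 443),   # operators reach the production web front-end only
    ("office", "internet", "*"),
    ("guest", "internet", 80),
    ("guest", "internet", 443),
    ("remote", "office", 443),
    ("remote", "legacy", 3389),      # vendor remote maintenance, RDP to the legacy box only
}

# Constructed flow records, e.g. exported from a firewall or a netflow collector.
SAMPLE_FLOWS = [
    "2025-05-05T09:12:01Z 192.168.50.23 10.20.1.15 445",    # guest laptop -> production SMB
    "2025-05-05T09:12:04Z 10.10.3.4 10.20.1.15 443",        # office -> production web
    "2025-05-05T09:12:09Z 10.10.3.4 10.10.3.9 445",         # office -> office, same zone
    "2025-05-05T09:13:30Z 10.200.0.7 10.99.0.12 3389",      # supplier VPN -> legacy via RDP
    "2025-05-05T09:14:02Z 10.99.0.12 10.10.3.4 445",        # legacy box reaching into office
    "2025-05-05T09:14:40Z 192.168.50.23 203.0.113.10 443",  # guest -> internet
    "2025-05-05T09:15:11Z 10.20.1.15 203.0.113.10 443",     # production -> internet, not allowed
]

_NETWORKS = [(name, ipaddress.ip_network(cidr)) for name, nets in ZONES.items() for cidr in nets]


def zone_of(ip_str: str) -> str:
    ip = ipaddress.ip_address(ip_str)
    for name, net in _NETWORKS:
        if ip in net:
            return name
    return "internet"


def parse_flow(line: str):
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)


def check_flows(lines, allowed=ALLOWED):
    """Return one record per cross-zone flow that the policy does not permit."""
    violations = []
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        s, d = zone_of(src), zone_of(dst)
        if s == d and s != "internet":
            continue  # intra-zone traffic is out of scope for this check
        if (s, d, port) in allowed or (s, d, "*") in allowed:
            continue
        violations.append({"time": ts, "src": src, "dst": dst, "port": port, "path": f"{s}->{d}"})
    return violations


if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"{v['time']} {v['path']:24} {v['src']} -> {v['dst']}:{v['port']}")
```

Each violation it prints is a route a zone has that it does not need: a guest device touching production, a legacy machine initiating connections into the office network, a production host talking to the internet directly. Those are the paths to close, or to add to ALLOWED deliberately and with a reason written next to them.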
6. Document the worst-case scenario
Write a one-page incident plan. It does not have to be fancy. Just cover the basics:
- Who is responsible for what?
- Who contacts providers, customers, partners or authorities?
- Who deals with insurance?
- Who handles data protection questions?
- Which systems get disconnected first?
- Where are the recovery keys and emergency credentials?
Hopefully you will never need it. But the better prepared you are, the less damaging any incident becomes.
- 01 Patch: Close known exposure before it becomes the easiest path in.
- 02 Scope access: Limit what one compromised account can reach.
- 03 Segment: Stop one weak device from becoming a full-network incident.
- 04 Restore: Prove recovery before the emergency.
- 05 Document: Remove guesswork when time is expensive.
Takeaway
Cybersecurity becomes expensive when companies treat it as a side topic right up until it spills into operations. And when it does spill, it is usually not because the attacker was a genius. More often it is because the basics were left loose for too long.
The good news is that these basics are fixable.
- Audit what you have.
- Understand what is connected to what.
- Review who has access to which systems.
- Patch what is exposed.
- Test whether recovery actually works.
- Document, document, document.
You may not be able to prevent every incident. You can make sure one incident does not turn into something catastrophic.