IT security is not optional! The lessons for SMEs

News about viruses/Trojans in company networks, hospitals and public institutions is constantly increasing.[1] The fear of attacks on “critical infrastructures” such as electricity and water suppliers or nuclear power plants is spreading.[2] Large corporations are reporting attacks on their IT systems, some of which have led to entire production sites being shut down for weeks.[3]
The world of work has changed: not so long ago, many companies – especially in the SME sector – had only a few PC workstations. Many were still a long way from centralized data on servers, networked workstations, use of the Internet and mobile working.
Computers, servers and IT in general now dominate almost every area of activity across all sectors and industries
Today, however, we rely on electronic calendars for our appointments, databases for our contacts, and file and application servers for our lists, documents, images and videos. In the engineering office, drawings are no longer made on the drawing board, but on the PC. In a nursing home, the health status of residents is no longer documented in paper files, but on a tablet PC. Such examples of how IT has changed and now dominates the world of work can be found everywhere: at service providers, retailers, manufacturers and craftsmen.
Unfortunately, however, the importance of IT security often only becomes clear when a “disaster” occurs.
IT security is multi-layered: the question of what happens to the data on a laptop if it is stolen while on the move, for example, primarily concerns the topic of “IT security”. But the spread of a Trojan/virus in the company network, which encrypts the company data and suddenly “locks out” the company, is also a scenario in the context of “IT security”.
Despite their different effects, both examples have one perfidious thing in common: they do not usually announce themselves long in advance, but occur unexpectedly and immediately.
This makes it all the more astonishing how many companies – especially in the SME sector – still treat IT security as a relatively low priority to this day.
IT is still often seen purely as a cost factor instead of a critical success factor for competitiveness and the company’s continued existence.[4]
IT often still does not appear as a separate item in budgets and annual plans. Urgently needed investments in system stability and security are postponed, in line with the (long outdated) motto of the 1990s: “Never change a running system”.
This misunderstood attitude, which is often slow to change, may be due to the fact that few areas have changed as rapidly in the last 10-20 years as the influence of IT on our everyday lives, both in our private and business lives. Keeping pace here is admittedly a major challenge. However, here too, the adaptability of companies will ultimately determine success (company survival and growth) and failure.
What does this mean for a company in concrete terms?
First of all, you should be aware of the importance of a functioning and secure IT landscape for your own company. A series of questions can help to develop a real picture – for example:
- What activities would still be possible in the company if every laptop, PC, server and smartphone in the company suddenly stopped working (e.g. due to a Trojan or virus attack)?
- How long could we really continue to exist without e-mail communication and without access to invoice and production data or orders without risking significant customer and supplier relationships?
- How much do my employees cost me per day if they can’t work productively because the IT isn’t working?
- What would be the effect on existing and potential customers if customer and company data suddenly appeared freely accessible on the Internet due to a security gap in the company’s own IT?
- And how high would the additional potential damage from fines payable to the authorities be?
If these issues are examined within the company, the result is almost always the same conclusion: the company’s dependency on functioning IT is usually significantly underestimated, the costs of a company shutdown (in whole or in part) would be immense and the damage to its reputation would often threaten its existence. Many companies are realizing that while they are concerned about rising supplier and crude oil prices or the shortage of skilled workers, the risk factor of IT security has been largely neglected to date.
What can a company do now?
It is important to recognize that IT must become a continuous and plannable topic in the company. Just as it does not generally make sense to respond to a doctor’s warning about being overweight with a radical diet, rather than adopting a sustainable lifestyle in the long term, IT security is also an issue that requires continuous attention and where high one-off investments often fizzle out quickly and with little effect.
Corporate IT is generally not an end in itself, but supports the employees working in the company in the performance and fulfillment of their tasks.
Companies provide employees with PCs, smartphones, etc., which must be kept up to date and secure at all times. Accordingly, the amount of expenditure for operating and securing the company’s IT can often be seen as a direct function of the number of employees – and should therefore also be allocated directly to ongoing personnel expenses in cost accounting and budget planning (pro rata if necessary).
What should an IT security concept look like?
Ultimately, IT support is always about security: security against outages, security against data leaks, security against viruses and Trojans, future-proofing the solutions used, etc.
Although there is no such thing as 100% security, a combination of different measures can achieve an acceptable level of security for the company. It helps to take a number of aspects into account:
- Security in IT works according to the “onion principle”: different organizational and technical levels interact to achieve the desired goal. This starts with IT guidelines within the company, continues with raising awareness and training employees, and extends to technical measures on end devices (laptops, tablets, etc.) and central infrastructures (servers, applications, etc.).
- Principle of the “weakest link”: An IT security concept is only sufficiently effective if it is implemented consistently and seamlessly throughout the company. For example, individual unprotected devices can serve as a gateway for malware or unauthorized third parties into the structure and undermine other measures.
- Corporate IT is a responsible task for specialist experts: an external, broad-based IT service provider is often better suited to providing support than individual, internal administrators. Service providers often have a broader range of IT expertise in conjunction with business/strategic expertise, as well as further training and certifications (e.g. ISO 27001). In the IT environment, continuously building new knowledge and looking beyond the end of “one’s own nose” is crucial. Furthermore, dependence on individual persons and conflicts of interest within the company are avoided.
- IT security and professional IT support are operating expenses directly attributable to the company’s success (as are salaries for specialists, etc.) and should be included as such in planning calculations.
In summary, it can therefore be concluded that there is a considerable need to catch up, especially in SMEs, with regard to the importance of IT security for corporate success.[5] The challenges, but also the associated opportunities for competitiveness and the continued existence of the company, cannot be emphasized enough.