The five security mistakes behind 80% of SME incidents
According to the BSI IT Security Report 2023, ransomware and phishing remain the most common attack vectors against small and medium businesses. What stands out: most successful attacks exploit no zero-days — they exploit missing basics.
1. No MFA on critical accounts
Microsoft data shows: 99.9% of compromised accounts had no MFA enabled. Privileged accounts without a second factor are the most common entry point. Cost of MFA: €0 with Google Authenticator or Bitwarden Authenticator.
2. Backups that were never tested
A backup whose restore was never rehearsed is not a backup — it is a hope. In 40% of ransomware incidents, recovery fails because backups were corrupted, incomplete or outdated. Test a full restore at least quarterly.
3. Updates by feeling rather than process
Most vulnerabilities exploited against SMEs already had a patch available for weeks by the time of the attack. The difference is not knowledge — it is process: one fixed patch day per month is a sufficient minimum standard.
4. Email as an unfiltered entry point
SPF, DKIM and DMARC are free DNS records that make email spoofing significantly harder. Without them, anyone can send email that appears to come from your domain. Configuration takes about one hour. Without these records, your domain is far more likely to end up on the phishing blocklists that other organisations rely on.
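To make the "configure SPF, DKIM and DMARC" point concrete, here is an added example (not code from the original article) that parses the three record types and flags the weak settings that commonly remain after a first setup: a softfail-only SPF, a DMARC policy still at p=none, missing aggregate reporting, or no DKIM key at the expected selector. The domain example.test, the selector "mail" and the TXT values are constructed; a real check would fetch the records via DNS instead of reading them from the dict.

```python
"""Assess SPF/DKIM/DMARC TXT records for weak settings (added example)."""
import re

# Constructed sample records for a hypothetical domain "example.test".
# In practice these would be looked up via DNS (e.g. with dnspython).
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "mail._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq..."],  # truncated key
}

def parse_spf(txt):
    """Return the qualifier of the 'all' mechanism (+, -, ~ or ?), or None if absent."""
    if not txt.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", txt, flags=re.I)
    return (m.group(1) or "+") if m else None  # bare 'all' means '+all'

def parse_dmarc(txt):
    """Split a DMARC record into a tag -> value dict with lower-cased tags."""
    tags = {}
    if txt.lower().startswith("v=dmarc1"):
        for part in txt.split(";"):
            key, _, value = part.partition("=")
            if key.strip():
                tags[key.strip().lower()] = value.strip()
    return tags

def assess(records, domain, dkim_selector="mail"):
    """Return a list of findings; an empty list means all three records look strong."""
    findings = []
    spf = [t for t in records.get(domain, []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record")
    elif len(spf) > 1:
        findings.append("SPF: multiple records (permanent error per RFC 7208)")
    else:
        qual = parse_spf(spf[0])
        if qual in (None, "+", "?"):
            findings.append("SPF: no restrictive 'all' mechanism")
        elif qual == "~":
            findings.append("SPF: softfail (~all); move to -all once DMARC is enforced")
    dmarc = [t for t in records.get(f"_dmarc.{domain}", []) if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none").lower() == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, aggregate reports are lost")
    if not records.get(f"{dkim_selector}._domainkey.{domain}"):
        findings.append(f"DKIM: no key published at selector '{dkim_selector}'")
    return findings
```

Running `assess(SAMPLE_RECORDS, "example.test")` on the constructed records reports the softfail SPF and the monitor-only DMARC policy, which is the typical state of a domain that was "set up" but never hardened.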
5. Security policies nobody knows
Policies living only as PDFs on the intranet protect nothing. A 30-minute annual briefing with three concrete rules (no external USB, no public WiFi for company accounts, report suspicious emails) has measurably more impact than a 50-page rulebook.