Small and medium-sized enterprises (SMEs) are increasingly becoming the target of cybercriminals and are rarely adequately protected. In an exclusive interview, Patrick Schönowski, Policy Officer for Digital Policy at the German SME Association (DMB), explains why IT security is an essential competitive factor and where politicians need to do more to support SMEs.
Mr. Schönowski, cyber attacks are increasingly affecting smaller companies. From the DMB’s perspective, what are the biggest challenges for SMEs regarding IT security?
In the digital space, companies are exposed to random cyber attacks on a daily basis. According to the latest report from the German Federal Criminal Police Office (BKA), 80 per cent of ransomware attacks, a type of cyber attack, are directed at SMEs. Smaller businesses are increasingly affected, as they often have a lower level of protection due to limited financial resources and a lack of IT specialists. Furthermore, not all managers have yet recognised the dangers of cyber attacks for their own companies.
Overall, we find that SMEs rarely perceive resilience as an essential competitive factor. More awareness is needed here. After all, a high level of IT protection not only strengthens competitiveness, but also saves costs in cases of damage in the long term. However, in order for SMEs to be able to efficiently take care of their IT security in times of staff shortages, high energy costs and complex reporting obligations, the German federal and state governments must provide more support or relieve the burden on businesses. Outside of parliaments, associations like eco are also helping with events such as the Internet Security Days.
How can events such as the Internet Security Days specifically help SMEs to better protect themselves against digital threats?
With its Internet Security Days, eco is addressing the challenges mentioned above: Together with its cooperation partners such as the DMB, the event attracts media attention and thus raises awareness of the issue among many companies. The event provides answers to the fundamental question faced by SMEs: How can they secure their operations quickly and as efficiently as possible? Here, visitors to the Internet Security Days can acquire practical knowledge and learn, for example, how to improve their email security or how to best train their employees.
Many SMEs don’t have their own IT department. What realistic measures do you recommend for small businesses to improve their IT security – without huge budgets?
In addition to basic technical security measures such as regular security updates, every digitally active company should take these two preventive measures: First, the company should create security awareness throughout the entire team. Initially, free webinars are sufficient to acquire basic knowledge.
Secondly, they should prepare for security incidents. Companies should create regular backups of important business data to keep operational restrictions to a minimum in case of emergency. Since quick action is required in such cases, responsibilities and emergency contacts – if necessary, from external IT service providers – should be established in advance.
Where do you see a need for political or regulatory action to ensure that SMEs are not left behind on the topic of cybersecurity?
There are several areas where the German federal government needs to take action on IT security. First and foremost, policymakers must counteract the shortage of IT specialists by specifically promoting STEM education. Additionally, they must also make regulatory requirements more understandable for SMEs. Requirements such as those of the IT security law NIS-2, which can indirectly affect small businesses, must be evaluated by the German Bundestag in order to avoid placing a disproportionate burden on SMEs.
Last but not least, the German federal government, together with the Federal Office for Information Security, has a responsibility for creating more low-threshold information resources. A stronger expansion of needs-based support measures is also necessary so that even small players in the IT supply chain can better protect themselves.
If you are also interested in the challenges and solutions of IT security, visit the Internet Security Days 2025.
(Image: Jochen Rolfes)
