“We don’t have anything worth stealing.” I hear this regularly when speaking with managing directors of small and medium-sized enterprises about IT security. And this very mindset makes them perfect victims.

Let me debunk five persistent misconceptions that I’ve encountered repeatedly over 20 years of IT experience – and which can cost companies dearly.

Misconception 1: “We’re Too Small for Hackers”

The Reality: Cybercriminals don’t think in company sizes – they think in attack vectors. An automated scan doesn’t care whether you have 10 or 10,000 employees. It’s looking for open doors.

Small businesses are particularly attractive because they often:

  • Have no dedicated IT security department
  • Keep outdated systems in operation
  • Don’t regularly train employees
  • Neglect backup strategies

Tip: Automated attacks hit the local bakery just as they hit the corporation. The difference: The corporation has a security team responding at 3 AM.

Misconception 2: “We Have a Firewall, That’s Enough”

The Reality: A firewall is like a front door – important, but useless if someone comes through the window. Modern attacks use:

  • Phishing emails to employees (the firewall just sees: “Ah, an email, that can come in”)
  • Social engineering (call: “This is the IT department, I need your password”)
  • Compromised websites (even reputable sites can be hacked)
  • USB drives in the company parking lot (“Oh, what’s this?”)

Tip: IT security is like Swiss cheese – each layer has holes, but the holes shouldn’t align.

Misconception 3: “Our Employees Would Never Fall for Phishing”

The Reality: Yes. They will. I’ve witnessed the CEO of a mid-sized company click on a fake link – even though he’d received training two weeks earlier.

Humans aren’t machines. We make mistakes, especially when:

  • We’re under time pressure
  • The email appears to come “from the boss”
  • It concerns supposedly important topics (salary, termination, taxes)

Tip: Training is good. Regular phishing tests are better. Technical measures that catch mistakes are best.

Misconception 4: “We Have a Backup”

The Reality: Having a backup is great. But can you tell me:

  • When was it last tested?
  • How long does a complete restore take?
  • Is the backup encrypted and stored offline?
  • Who has access to the backup system?

I’ve seen companies whose “backup” turned out to be corrupt files on a hard drive in the same server room. Or whose cloud backup was deleted by the attacker because the credentials were saved in the browser.

Tip: The 3-2-1 rule: 3 copies, on 2 different media, 1 off-site. And: test, test, test.
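An added example, not from the original post: a small Python restore test that answers three of the questions above (was the backup tested, does it restore intact, how long does that take). The names make_backup, verify_restore and run_demo and the sample files are constructed for this example and are not any backup product's API.

```python
# Added example: restore test for a backup archive. make_backup / verify_restore /
# run_demo and the sample data are this example's own constructions.
import hashlib, os, tarfile, tempfile, time
from datetime import datetime, timezone
from pathlib import Path

def _tree_hashes(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def make_backup(src_dir, archive_path):
    """Write a gzip tar archive of src_dir and return the archive path."""
    with tarfile.open(os.fspath(archive_path), "w:gz") as tar:
        tar.add(os.fspath(src_dir), arcname=".")
    return archive_path

def verify_restore(archive_path, src_dir):
    """Restore the archive into a scratch directory and compare every file with the live data."""
    report = {"ok": False, "files": 0, "mismatched": [], "error": None,
              "last_tested": datetime.now(timezone.utc).isoformat()}
    started = time.monotonic()
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(os.fspath(archive_path), "r:gz") as tar:
                # 'data' filter (Python 3.12+ and backports) refuses ../ escapes in member names
                kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kw)
            expected, restored = _tree_hashes(src_dir), _tree_hashes(scratch)
            report["files"] = len(expected)
            report["mismatched"] = sorted(
                f for f, h in expected.items() if restored.get(f) != h)
            report["ok"] = bool(expected) and not report["mismatched"]
    except (tarfile.TarError, OSError, EOFError) as exc:  # corrupt or unreadable copy
        report["error"] = f"{type(exc).__name__}: {exc}"
    report["restore_seconds"] = round(time.monotonic() - started, 3)
    return report

def run_demo():
    """Constructed data: a tiny 'company share', one good backup and one damaged one."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work, "share"); data.mkdir()
        (data / "orders.csv").write_text("id,total\n1,99.50\n")
        (data / "hr").mkdir(); (data / "hr" / "staff.txt").write_text("alice\nbob\n")
        good = make_backup(data, Path(work, "good.tgz"))
        bad = Path(work, "bad.tgz"); bad.write_bytes(b"\x1f\x8b not really gzip")
        return verify_restore(good, data), verify_restore(bad, data)
```

Run on a real archive, the report's last_tested and restore_seconds are the two numbers to write down before the next audit; a report with ok false is the "corrupt files in the same server room" case caught in time.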

Misconception 5: “That Only Happens to Others”

The Reality: According to BSI (German Federal Office for Information Security), one in three German companies fell victim to a successful cyberattack in 2024. The real figure is probably higher, since unreported cases aren’t counted – not everyone likes to admit being hacked.

The average cost of a ransomware attack for an SME:

  • Ransom demand: EUR 50,000 - 200,000
  • Business downtime: often higher than the ransom
  • System rebuild: EUR 20,000 - 100,000
  • Reputational damage: priceless

Tip: Don’t ask “if” but “when” – and prepare accordingly.

What Can You Do Now?

  1. Take inventory: What IT do you have? How is it protected? Where are the gaps?
  2. Set priorities: Not everything at once, but the most important first (backups, patches, employee training)
  3. Budget for it: IT security costs money. But significantly less than a successful attack.
  4. Bring in experts: Not everyone needs a full-time CISO – but everyone needs someone who knows what they’re doing.

Want to know how your IT security stands? An honest outside perspective often helps more than you think. Get in touch – the first conversation costs nothing but some time.