
Many small and medium-sized enterprises (SMEs) still believe:
“We’re too small to be an interesting target for hackers.”
→ That assumption is dangerous.
In my daily work as an IT service provider, I repeatedly see that SMEs are affected particularly often — usually because basic security measures are missing or have never been reviewed.
In this article, I highlight the five most common IT security mistakes I encounter in companies and explain how they can be avoided with reasonable effort.
❶ “We have backups” — but nobody checks them
🔴 One of the most common statements I hear.
In many companies, backups exist — but:
- they are never tested
- they are stored on the same system
- they are affected in an incident as well
Why this is dangerous
In real emergencies, I often see companies realize too late:
The backup is incomplete, outdated, or unusable.
⏱️ The result: downtime, data loss, and costly emergency solutions.
✅ How I avoid this mistake
✔️ I rely on automated, regular backups
✔️ I ensure separate backup targets (offline or cloud-based)
✔️ I test data restoration at least once per year
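A small check for the three backup failure modes listed above (never tested, stored on the same system, outdated), added here as an example and not part of the original article. The age threshold, the file names and the deliberately incomplete, back-dated backup are constructed demo values.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_DAYS = 7  # assumed policy: older backups count as outdated

def check_backup(archive, expected, source_dir, max_age_days=MAX_BACKUP_AGE_DAYS):
    """Check one tar backup for the three failure modes named in the article.
    expected maps a file name inside the archive to the sha256 of the original."""
    archive, source_dir = Path(archive), Path(source_dir)
    findings = {"missing": [], "corrupt": []}
    # Outdated: archive modification time versus the policy threshold.
    age_days = (time.time() - archive.stat().st_mtime) / 86400
    findings["outdated"] = age_days > max_age_days
    # Same system: a backup on the device that holds the live data is lost with it.
    findings["same_device"] = archive.stat().st_dev == source_dir.stat().st_dev
    # Restorable: read every expected file back out and compare hashes; an archive that merely exists proves nothing.
    try:
        with tarfile.open(archive) as tar:
            for name, digest in expected.items():
                try:
                    member = tar.extractfile(name)
                except KeyError:
                    findings["missing"].append(name)
                    continue
                if member is None or hashlib.sha256(member.read()).hexdigest() != digest:
                    findings["corrupt"].append(name)
    except (tarfile.TarError, OSError):
        findings["missing"] = list(expected)  # nothing could be read at all
    findings["restorable"] = not findings["missing"] and not findings["corrupt"]
    return findings

def run_demo():
    """Constructed demo: a data directory and a backup of it that left one file
    out and is back-dated 30 days, so every check has something to report."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root) / "data"
        src.mkdir()
        (src / "customers.csv").write_text("id,name\n1,Example GmbH\n")
        (src / "invoices.db").write_bytes(b"\x00" * 1024)
        expected = {p.name: hashlib.sha256(p.read_bytes()).hexdigest() for p in src.iterdir()}
        archive = Path(root) / "backup.tar"
        with tarfile.open(archive, "w") as tar:
            tar.add(str(src / "customers.csv"), arcname="customers.csv")  # invoices.db left out
        old = time.time() - 30 * 86400
        os.utime(archive, (old, old))
        return check_backup(archive, expected, src)
```

In practice the same check runs against the real backup target and a manifest written at backup time, and any finding other than "restorable" is treated as a failed backup, not a warning.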
❷ Weak passwords & no multi-factor authentication (MFA)
Weak or reused passwords are still very common.
Why this is dangerous
In my day-to-day work, I repeatedly encounter:
- compromised email accounts
- unauthorized logins from abroad
- unnoticed access over long periods
Often, a single stolen password is enough to cause serious damage.
✅ How I avoid this mistake
✔️ I recommend strong, unique passwords
✔️ I use password managers
✔️ I enable multi-factor authentication (MFA), especially for:
- email accounts
- VPN access
- cloud services
- administrative accounts
❸ Updates? “We’ll do it later…”
🧩 One of the most dangerous phrases in IT.
Why this is dangerous
I frequently encounter:
- outdated servers
- unpatched firewalls
- software without security updates
Attackers specifically exploit known vulnerabilities, often in an automated way.
✅ How I avoid this mistake
✔️ I schedule regular maintenance windows
✔️ I keep operating systems and applications up to date
✔️ Unsupported or outdated systems are replaced in time
❹ Employees are not sufficiently aware
🧠 Even the best technology is ineffective if people are not prepared.
Why this is dangerous
In many incidents I support, the initial trigger was:
- a phishing link
- a malicious attachment
- a manipulated invoice
✅ How I avoid this mistake
✔️ I define clear rules for handling emails
✔️ I make it clear that asking questions is always encouraged
✔️ I promote an open error culture — reporting instead of hiding mistakes
❺ No incident response plan — “We’ll deal with it if it happens”
🚨 Many companies assume it won’t affect them.
Why this is dangerous
Without a plan, I regularly observe:
- chaos
- loss of valuable time
- wrong decisions under pressure
✅ How I avoid this mistake
✔️ I create a simple IT incident response plan
✔️ I ensure important information is available offline
✔️ I review the plan on a regular basis
Conclusion: IT security is a responsibility — not a product
To me, IT security does not mean:
“Buy a piece of software and you’re done.”
It means:
- clear processes
- continuous maintenance
- informed employees
- realistic emergency planning
My experience shows:
Even small, well-planned measures can significantly improve a company’s security posture.
🤝 Free initial consultation
If you are unsure how well your company is currently protected, I would be happy to offer you a free and non-binding initial consultation as an IT service provider.
During this conversation, we can clarify:
- where potential security gaps exist
- which risks are realistic for your business
- and which measures are both effective and economically reasonable
💬 No obligation — but a clear and honest assessment.
