
Many small and medium-sized enterprises (SMEs) still believe:
“We’re too small to be an interesting target for hackers.”
❌ That assumption is dangerous.
In my daily work as an IT service provider, I repeatedly see that SMEs are affected particularly often — usually because basic security measures are missing or have never been reviewed.
In this article, I highlight the five most common IT security mistakes I encounter in companies and explain how they can be avoided with reasonable effort.
❶ “We have backups” — but nobody checks them
🔴 One of the most common statements I hear.
In many companies, backups exist — but:
- they are never tested
- they are stored on the same system as the live data
- so the same incident that hits the system also hits the backup
Why this is dangerous
In real emergencies, I often see companies realize too late that the backup is incomplete, outdated, or unusable.
⏱️ The result: downtime, data loss, and costly emergency solutions.
✅ How I avoid this mistake
✔️ I rely on automated, regular backups
✔️ I ensure separate backup targets (offline or cloud-based)
✔️ I test data restoration at least once per year
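The three points above (automated backups, a separate target, and a real restore test) can be exercised with a single script. The following is an added example and not code from the article or its author: it archives a directory to a target, warns if the target shares a filesystem with the source, and then proves the backup is usable by restoring it into a scratch directory and checking every file's SHA-256 against the live data. It assumes GNU coreutils (sha256sum, df) and tar; all paths and the sample "file server" data are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): back up, then prove the
# backup restores cleanly. Requires GNU coreutils and tar. Paths are constructed.
set -eu

# verify_restore ARCHIVE MANIFEST
# Restores ARCHIVE into a scratch directory and checks it against MANIFEST
# (sha256sum format). Returns 0 only if every file is present and unchanged.
verify_restore() {
    archive="$1"
    manifest="$2"
    restore_dir=$(mktemp -d)
    # Never restore over the production data; a throwaway directory is enough
    # to prove the archive is complete and readable.
    if tar -xzf "$archive" -C "$restore_dir" \
       && (cd "$restore_dir" && sha256sum -c --quiet "$manifest"); then
        rm -rf "$restore_dir"
        return 0
    fi
    rm -rf "$restore_dir"
    return 1
}

# backup_and_verify SOURCE_DIR TARGET_DIR
# Writes TARGET_DIR/backup-<stamp>.tar.gz plus a checksum manifest, then
# runs a test restore. Returns 0 when the restore matches the live data.
backup_and_verify() {
    src="$1"
    mkdir -p "$2"
    target=$(cd "$2" && pwd)          # absolute, so cd elsewhere is safe
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$target/backup-$stamp.tar.gz"
    manifest="$target/backup-$stamp.sha256"

    # A backup on the same disk dies with the disk: warn about that.
    src_fs=$(df -P "$src" | awk 'NR==2 {print $1}')
    dst_fs=$(df -P "$target" | awk 'NR==2 {print $1}')
    if [ "$src_fs" = "$dst_fs" ]; then
        echo "WARNING: backup target shares filesystem $dst_fs with the source" >&2
    fi

    # Checksum the live data first; the restore must reproduce exactly this.
    (cd "$src" && find . -type f -exec sha256sum {} +) > "$manifest"

    # -C makes the archive relative, so it can be restored into any directory.
    tar -czf "$archive" -C "$src" .

    if verify_restore "$archive" "$manifest"; then
        echo "OK: $archive restored and verified against $manifest"
        return 0
    fi
    echo "FAIL: $archive did not restore cleanly" >&2
    return 1
}

# Constructed demo data: a tiny document tree and a backup target next to it.
demo_backup() {
    work=$(mktemp -d)
    mkdir -p "$work/live/invoices" "$work/live/contracts"
    printf 'invoice 4711: 1,200.00 EUR\n' > "$work/live/invoices/2024-01.txt"
    printf 'contract with ACME, signed\n' > "$work/live/contracts/acme.txt"
    backup_and_verify "$work/live" "$work/backups"
}

demo_backup
```

Run it from cron or a scheduled task and alert on a non-zero exit: a backup that exists but fails `verify_restore` is exactly the "incomplete, outdated, or unusable" case described above, and this way it is discovered on the day it happens rather than during an emergency.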
❷ Weak passwords & no multi-factor authentication (MFA)
🔑 Weak or reused passwords are still very common.
Why this is dangerous
In my day-to-day work, I repeatedly encounter:
- compromised email accounts
- unauthorized logins from abroad
- unnoticed access over long periods
Often, a single stolen password is enough to cause serious damage.
✅ How I avoid this mistake
✔️ I recommend strong, unique passwords
✔️ I use password managers
✔️ I enable multi-factor authentication (MFA), especially for:
- email accounts
- VPN access
- cloud services
- administrative accounts
❸ Updates? “We’ll do it later…”
🧩 One of the most dangerous phrases in IT.
Why this is dangerous
I frequently encounter:
- outdated servers
- unpatched firewalls
- software without security updates
Attackers specifically exploit known vulnerabilities, often in an automated way.
✅ How I avoid this mistake
✔️ I schedule regular maintenance windows
✔️ I keep operating systems and applications up to date
✔️ I replace unsupported or outdated systems in good time
❹ Employees are not sufficiently aware
📧 Even the best technology is ineffective if people are not prepared.
Why this is dangerous
In many incidents I support, the initial trigger was:
- a phishing link
- a malicious attachment
- a manipulated invoice
✅ How I avoid this mistake
✔️ I define clear rules for handling emails
✔️ I make it clear that asking questions is always encouraged
✔️ I promote an open error culture — reporting instead of hiding mistakes
❺ No incident response plan — “We’ll deal with it if it happens”
🚨 Many companies assume it won’t affect them.
Why this is dangerous
Without a plan, I regularly observe:
- chaos
- loss of valuable time
- wrong decisions under pressure
✅ How I avoid this mistake
✔️ I create a simple IT incident response plan
✔️ I ensure important information is available offline
✔️ I review the plan on a regular basis
🧠 Conclusion: IT security is a responsibility — not a product
🔐 To me, IT security does not mean:
“Buy a piece of software and you’re done.”
It means:
- clear processes
- continuous maintenance
- informed employees
- realistic emergency planning
👉 My experience shows:
Even small, well-planned measures can significantly improve a company’s security posture.
🤝 Free initial consultation
If you are unsure how well your company is currently protected, I would be happy to offer you a free and non-binding initial consultation as an IT service provider.
During this conversation, we can clarify:
- where potential security gaps exist
- which risks are realistic for your business
- and which measures are both effective and economically reasonable
💬 No obligation — but a clear and honest assessment.
