
IT Security for Skilled Trades and Small Businesses Under 50 Employees

TL;DR
  • Skilled trades and small businesses under 50 employees generally fall outside NIS2 (only a few sectors such as DNS, TLD and trust service providers are covered regardless of size), but they are targeted by cyberattacks just as often as larger companies.
  • DIN SPEC 27076 provides a low-barrier entry point into IT security specifically developed for small companies, with six clearly defined topic areas.
  • The most important baseline security measures cost little and protect a lot: strong passwords, regular backups, updates, firewall, and employee awareness.
  • Funding programs like 'go-digital' and regional digitalization grants cover up to 50% of costs for IT security consulting and implementation.
  • A solid baseline level of IT security can be achieved with EUR 3,000 to 10,000 in initial investment and a few hours per month to maintain.

Why IT Security Is Existential Even Without a Legal Mandate

The roofing company with twelve employees, the carpentry shop with eight staff, the engineering firm with 25 people — they all tend to think of cybersecurity as something for large enterprises and corporations. NIS2 doesn't apply to them, ISO 27001 sounds like something for companies with their own IT department, and day-to-day business leaves little room for topics not directly tied to the order pipeline.

And then it happens anyway. A click on the wrong email attachment, and three hours later every file on the server is encrypted. Ransomware hits small businesses particularly hard. The order history, client data, calculations, CAD drawings, accounting — all gone. The ransom note demands EUR 25,000 in Bitcoin. The backup? Was on the same server. The last external backup? Six months old.

This is not a hypothetical scenario. According to the BSI Situation Report 2025, small and medium-sized businesses are disproportionately frequent victims of ransomware attacks — not because they are particularly attractive targets but because they are particularly easy to hit. Missing firewalls, outdated software, no network segmentation, weak passwords, and employees who have never seen a phishing email: These are the entry points that attackers find and exploit automatically.

The cost of a successful attack is often devastating for a small business relative to its revenue. If a company with EUR 1.5 million annual revenue is down for two weeks because IT doesn't work, and then pays EUR 15,000 for recovery, that can threaten its very existence. Add potential DSGVO (GDPR) fines if customer data was exfiltrated, plus reputational damage with clients and business partners.

IT security is therefore not a luxury for large companies but a business necessity for any company that uses a computer. The good news: Getting started doesn't have to be expensive or complicated.

DIN SPEC 27076: The IT Security Check for Small Companies

The DIN SPEC 27076 was developed for exactly this starting situation. Its official name is "IT Security Consulting for Small and Micro Enterprises," and it was published in 2023 with participation from the BSI, various chambers of trade, and IT security service providers. The target audience is companies with up to 50 employees that have done little or no structured IT security to date.

What DIN SPEC 27076 Offers

DIN SPEC 27076 is neither a management system like ISO 27001 nor a certification standard like TISAX. It is a structured consulting process that captures a small company's current IT security status in just a few hours and derives concrete recommendations for action.

The process is deliberately streamlined:

  1. Initial interview (approx. 1 hour): An IT security consultant conducts a structured interview with the business owner or IT contact.
  2. Analysis (approx. 2-3 hours): The consultant evaluates the responses and creates a results report with risk assessment and prioritized recommendations.
  3. Results presentation (approx. 1 hour): The consultant presents the findings and explains the recommended measures.

The whole process typically takes half to one full working day and costs between EUR 1,500 and 3,500 depending on the provider. Through funding programs, you can get a large portion of these costs reimbursed — more on that later.

Distinction from ISO 27001 and IT-Grundschutz

The key difference from ISO 27001 or BSI IT-Grundschutz: DIN SPEC 27076 is not a management system you need to build and maintain. It is a status assessment with concrete recommendations. You receive a report telling you where you stand and what you should do, but implementation is up to you.

For many small businesses, this is exactly the right starting point: not the obligation to operate a complete ISMS but clear orientation on which measures provide the greatest benefit and where the most urgent risks lie.

If your company grows and eventually exceeds 50 employees or EUR 10 million in revenue, you already have a solid foundation from the DIN SPEC 27076 measures on which to build a formal ISMS.

The Six Topic Areas of DIN SPEC 27076

The DIN SPEC 27076 questionnaire covers six topic areas that together provide a complete picture of a small company's IT security posture. Each area contains specific assessment questions that the consultant addresses during the interview.

1. Organization and Awareness

This area checks whether IT security is organizationally anchored in the company. Who is responsible? Are there basic rules for handling IT? Are employees regularly made aware?

Typical assessment questions:

  • Is there a person responsible for IT security?
  • Are new employees briefed on IT security rules?
  • Are there rules for handling emails and recognizing phishing?
  • Are employees regularly informed about current threats?

For many skilled trades businesses, this is the area with the greatest catch-up need. IT security is often "the boss's business" in the sense that the boss handles everything, but there are no documented rules and no systematic employee awareness.

2. Identity and Access Management

This area addresses access to IT systems. Who has access to what? How are passwords managed? Are there individual user accounts?

Typical assessment questions:

  • Does every employee have their own user account?
  • Are passwords regularly changed, or is a password manager used?
  • Are there administrator accounts used only for administrative tasks?
  • Are accounts deactivated when an employee leaves the company?
  • Is multi-factor authentication used for important systems?

In practice, small businesses commonly have shared passwords, administrator rights for all employees, and no processes for deactivating accounts when employees depart. These are serious security gaps that can be closed with minimal effort.

3. Data Backup

Backups are the life insurance against ransomware. This area checks whether data backups exist, are performed regularly, and actually work in an emergency.

Typical assessment questions:

  • Are regular backups of all important data created?
  • Are backups stored in a location separate from the main system?
  • Is recovery from backup regularly tested?
  • Is there a documented backup concept with defined intervals?

The most common mistake at small businesses: A backup exists, but it's stored on the same hardware as the production data. During a ransomware attack, the backup gets encrypted along with everything else. Or the backup runs automatically, but nobody checks whether the saved data is actually recoverable.

4. Patch and Change Management

Software updates are one of the most effective defense mechanisms against cyberattacks because many attacks exploit known vulnerabilities for which patches already exist. This area checks whether updates are applied promptly.

Typical assessment questions:

  • Are operating systems and applications regularly updated?
  • Is there a process for security-critical updates?
  • Is software still in use that is no longer supported by the manufacturer (end-of-life)?
  • Are updates tested for compatibility before deployment?

In skilled trades businesses, you commonly find computers with Windows versions that haven't received security updates for years, or industry software that only runs on outdated operating systems. These are ticking time bombs that will be exploited sooner or later.

5. Protection Against Malware and IT Attacks

This area checks technical protective measures: firewall, antivirus, network security, and protection against the most common types of attacks.

Typical assessment questions:

  • Is current antivirus software installed on all workstations and servers?
  • Is a firewall in place and regularly maintained?
  • Are emails checked for malware and phishing?
  • Is the WiFi encrypted with WPA3 or at least WPA2 and secured with a strong password?
  • Is there a separate guest WiFi?

The good news: Most of these measures are technically simple to implement and cost little. A properly configured firewall, current antivirus protection, and a securely configured WiFi are not rocket science and are routine for any IT service provider.

6. IT Systems and Networks

The sixth area examines the IT infrastructure as a whole: network structure, encryption, mobile devices, and the physical protection of hardware.

Typical assessment questions:

  • Is there an overview of all IT systems and devices in the company?
  • Are mobile devices (laptops, smartphones) protected with a password or PIN?
  • Is data on mobile devices encrypted?
  • Is physical access to the server room or server cabinet secured?
  • Are old data carriers securely disposed of?

The IT systems inventory is missing in almost every small company. Nobody knows exactly how many computers are on the network, what software runs on them, or whether all devices meet current security standards. Without this knowledge, structured IT security is impossible.

Baseline Security Measures Anyone Can Implement Immediately

Regardless of whether you do the DIN SPEC 27076 check or not, there are a number of measures every business can and should implement immediately. They cost little, require no deep technical expertise, and drastically reduce the risk of a successful attack.

Passwords and Access

Introduce a password manager. A password manager like KeePass, Bitwarden, or 1Password costs between zero and five euros per employee per month and solves the problem of weak and reused passwords in one stroke. Every employee gets a single strong master password to remember, and the manager generates and stores a unique, complex password for each system.

Activate multi-factor authentication. For all systems that offer it: email, cloud services, accounting software, online banking. Setup takes ten minutes per service per employee. The protection gain is enormous because a stolen password alone is no longer sufficient to gain access.

Set up individual user accounts. No more shared "office login" — instead a personal account per employee with only the permissions needed for their respective tasks. Administrator rights only for the IT contact.

Backups

Implement the 3-2-1 rule. Three copies of your data, on two different media types, one of them at a different location. Concretely, that can look like this: Production data on the server, daily backup to an external hard drive, and weekly backup to the cloud or to tape stored in a bank safe deposit box.

Test backup recovery. At least once per quarter: Take the backup, restore a file or an entire folder, and verify that the data is complete and readable. A backup you've never tested is not a backup — it's a hope.

Store backups offline. At least one backup copy must not be permanently connected to the network. During a ransomware attack, all reachable drives are encrypted. If your backup is on a network share, it's just as affected as the original data.
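A test restore is only meaningful if you compare what came back against what went in, file by file. The following added example (standard-library Python, not code from the article or from any backup product; the directory layout and the three sample files are constructed) packs a folder into a tar.gz together with a manifest of SHA-256 hashes, restores it into a scratch directory and checks every file against that manifest. It then deliberately damages the restored copy so you can see the check report a corrupt file and a missing file instead of silently passing. The hash comparison does not care how the copy was made, so the same verify_tree() can be pointed at a restore from a NAS, a cloud bucket or a tape.

```python
"""Backup with an integrity manifest and a verified test restore.

Added example (Python standard library only); not code from the article or
from any backup product. The paths and the three sample files below are
constructed for illustration.
"""
from __future__ import annotations

import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Hash in 1 MiB chunks so large CAD files or databases are not read into RAM at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file below src."""
    return {p.relative_to(src).as_posix(): sha256_of(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write src into a tar.gz and embed the manifest so the copy can verify itself."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
        data = json.dumps(manifest, indent=2).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def verify_tree(restored: Path, manifest: dict[str, str]) -> dict:
    """Compare every file named in the manifest against what was actually restored."""
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            corrupt.append(rel)
    return {"checked": len(manifest), "missing": missing, "corrupt": corrupt,
            "ok": not missing and not corrupt}


def restore_and_verify(archive: Path, restore_dir: Path) -> dict:
    """The test restore itself: extract into a scratch directory, then verify.
    The 'data' extraction filter (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
    refuses archive entries that would escape restore_dir; older interpreters extract unfiltered."""
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **kwargs)
    manifest = json.loads((restore_dir / MANIFEST_NAME).read_text())
    return verify_tree(restore_dir, manifest)


def demo() -> dict:
    """Back up three constructed 'company files', test-restore them, then damage the
    restored copy to show that a silent problem is reported rather than missed."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "server"
        (src / "orders").mkdir(parents=True)
        (src / "drawings").mkdir()
        (src / "orders" / "2025-03.csv").write_text("order;customer;amount\n1042;Mueller;1850.00\n")
        (src / "drawings" / "roof.dxf").write_bytes(b"0\nSECTION\n2\nHEADER\n" * 100)
        (src / "notes.txt").write_text("constructed sample data\n")

        archive = base / "backup.tar.gz"
        create_backup(src, archive)

        clean = restore_and_verify(archive, base / "restore_ok")

        damaged_dir = base / "restore_damaged"
        restore_and_verify(archive, damaged_dir)
        (damaged_dir / "orders" / "2025-03.csv").write_text("order;customer;amount\n")  # bit rot or tampering
        (damaged_dir / "notes.txt").unlink()                                             # file lost
        manifest = json.loads((damaged_dir / MANIFEST_NAME).read_text())
        damaged = verify_tree(damaged_dir, manifest)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the restore step against the archive copied back from the offline medium, not against the live share, and keep the manifest (or at least the archive's own SHA-256) with the rotation log: a backup that was encrypted or altered on the external disk then shows up as a failed check long before you need it.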

Updates and Patches

Enable automatic updates. For operating systems, browsers, and Office applications: Turn on automatic updates and stop clicking them away. For industry software, you may need to clarify with the manufacturer whether automatic OS updates are supported, but for standard software there's no reason to delay updates.

Replace end-of-life software. Windows 10, whose support ended in October 2025, should by now be updated to Windows 11 or replaced with a supported system. The same applies to old Office versions, outdated browsers, and any other software that no longer receives security updates.

Network and Access

Configure a firewall. Every business needs a firewall between the internal network and the internet. Modern firewalls for small businesses cost between EUR 300 and 1,500 and offer features like intrusion prevention, content filtering, and VPN. Setup should be handled by an IT service provider who also regularly maintains the firewall.

Secure WiFi. A strong password with WPA3 encryption (or at minimum WPA2) for the company WiFi. Plus a separate guest WiFi that has no access to the internal network. And please change the router's default password — factory-set passwords are often publicly known.

VPN for remote access. If employees access company data from home or on the road, it should be via an encrypted VPN connection — not via unsecured Remote Desktop connections directly exposed to the internet.

Employee Awareness

Create phishing awareness. Show your employees examples of phishing emails and explain how to recognize them: unusual sender addresses, urgent calls to action, links to unknown websites, attachments from unknown senders. This doesn't need to be a professional training session — half an hour in a team meeting with real examples can already make a significant difference.
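The indicators listed above can be shown to a team with real examples, and they can also be checked mechanically on a saved message. The following added example (standard-library Python, not code from the article) parses an .eml and flags exactly those signs: a display name that pretends to be a different address, a Reply-To that diverts answers elsewhere, urgency wording, links whose visible text names one site while the target is another or a bare IP address, and attachments that are executables or macro documents hidden behind a double extension. Both sample messages, every address, domain and IP in them, and the keyword lists are constructed for the illustration; the heuristics are deliberately simple and meant for a team-meeting demonstration, not as a mail filter.

```python
"""Phishing indicator check over a saved e-mail (.eml).

Added example, Python standard library only, not code from the article. Both
sample messages and every address, domain and IP in them are constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

URGENCY = ("sofort", "dringend", "innerhalb von 24 stunden", "konto gesperrt",
           "urgent", "immediately", "account suspended", "verify your account")
RISKY_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk", "iso", "img", "docm", "xlsm"}
# Good enough for anchors in mail bodies; a production tool would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Last two labels only; a real tool would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # 1. Sender: display name pretending to be another address, or replies diverted elsewhere
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    claimed = re.search(r"[\w.+-]+@([\w-]+\.[\w.-]+)", name)
    if claimed and claimed.group(1).lower() != from_dom:
        findings.append(f"display name claims {claimed.group(0)} but address is {addr}")
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 2. Urgent calls to action in subject or body
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    text = " ".join([str(msg.get("Subject", "")), plain.get_content() if plain else "",
                     html.get_content() if html else ""]).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # 3. Links: visible text names one site while the href goes to another, or to a bare IP
    for href, shown in (ANCHOR.findall(html.get_content()) if html else []):
        host = (urlsplit(href).hostname or "").lower()
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to raw IP address {host}")
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        shown_host = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown, re.I)
        if host and shown_host and registrable(shown_host.group(1)) != registrable(host):
            findings.append(f"link text shows {shown_host.group(1)} but points to {host}")
    # 4. Attachments: executable or macro types, including 'Rechnung.pdf.exe' double extensions
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        exts = filename.lower().split(".")[1:]
        if exts and exts[-1] in RISKY_EXT:
            kind = "double extension" if len(exts) > 1 else "executable or macro file type"
            findings.append(f"attachment {filename}: {kind}")
    return findings


def sample_phishing() -> bytes:
    """Constructed phishing mail (fictional names, RFC 2606 example domains, TEST-NET IP)."""
    msg = EmailMessage()
    msg["From"] = '"buchhaltung@dachdecker-mueller.example" <invoice7731@mail-relay.example.net>'
    msg["Reply-To"] = "zahlung@secure-pay.example.org"
    msg["To"] = "chef@dachdecker-mueller.example"
    msg["Subject"] = "DRINGEND: Rechnung innerhalb von 24 Stunden begleichen"
    msg.set_content("Sehr geehrter Kunde, bitte sofort die offene Rechnung begleichen.")
    msg.add_alternative(
        '<p>Bitte <a href="http://198.51.100.23/login">hier klicken</a> oder unter '
        '<a href="https://kundenportal.secure-pay.example.org/">www.dachdecker-mueller.example</a> '
        "anmelden.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Rechnung_7731.pdf.exe")
    return msg.as_bytes()


def sample_benign() -> bytes:
    msg = EmailMessage()  # constructed ordinary supplier mail with a PDF delivery note
    msg["From"] = "Baustoffe Nord GmbH <info@baustoffe-nord.example>"
    msg["To"] = "chef@dachdecker-mueller.example"
    msg["Subject"] = "Lieferschein 4471"
    msg.set_content("Anbei der Lieferschein zur heutigen Lieferung.")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="Lieferschein_4471.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze(sample_phishing()), analyze(sample_benign()), sep="\n")
```

Pointing analyze() at a few messages from the company mailbox (saved as .eml) gives you concrete, local examples for the team meeting; the benign supplier mail coming back empty is as important to show as the phishing hits, because rules that flag every invoice are ignored within a week.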

Establish clear rules. Define simple, understandable rules: Don't plug unknown USB sticks into company computers. Don't install software independently. Ask the IT contact about suspicious emails rather than opening the attachment. Lock the screen when leaving the workstation. These rules don't need to be in a 20-page document — one page with the five most important points is enough to start.

Repeat regularly. Once a year, a brief refresher, ideally with current real-world examples. IT security is not a topic you cover once and then forget. Threats change constantly, and employee awareness must keep pace.

Funding Programs: How the Government Reduces Costs

One of the most common reasons small businesses postpone IT security measures is cost. The perception is often that professional IT security is expensive and only larger companies can afford it. In fact, a number of funding programs address exactly this and cover a significant portion of the costs.

"go-digital" by BMWK

The "go-digital" funding program from the Federal Ministry for Economic Affairs and Climate Action targets small and medium-sized businesses with fewer than 100 employees. It funds consulting services in the areas of digitalization, IT security, and digital market development.

Key details:

  • Funding rate: up to 50% of consulting costs
  • Maximum funding amount: EUR 16,500
  • Maximum consulting days: 30 days in six months
  • Application is made through authorized consulting firms listed in the program

For an IT security check per DIN SPEC 27076 including implementation consulting, "go-digital" is ideally suited. The authorized consultant submits the funding application, conducts the consulting, and invoices directly. You only pay your co-payment share.

Regional Digitalization Grants

Many German states and regions have their own funding programs for small business digitalization that often include IT security. The programs have different names and terms depending on the state, but the principle is similar: grants for investments and consulting in digitalization and IT security.

Some examples:

  • Bavaria: "Digitalbonus" with up to EUR 10,000 in grants (50% funding rate)
  • North Rhine-Westphalia: "MID-Digitalisierung" with up to EUR 15,000
  • Baden-Württemberg: "Digitalisierungsprämie Plus" as a repayment grant on a low-interest loan
  • Lower Saxony: "Digitalbonus.Niedersachsen" with up to EUR 10,000

Programs change regularly, so it's worth researching current options at your local Chamber of Industry and Commerce (IHK) or Chamber of Trades. They also provide free advice on available funding opportunities.

Transfer Center for IT Security in SMEs (TISiM)

The federally funded Transfer Center for IT Security in SMEs offers free initial consultations, webinars, and action guides specifically for small businesses. The "Sec-O-Mat" on the TISiM website creates an individual action plan based on a few questions. This doesn't replace professional consulting but is a good first step for assessing your own risk profile.

Cyber Insurance as a Complement

In addition to prevention funding, there is the option of covering residual risk through a cyber insurance policy. For small businesses, these policies typically cost between EUR 500 and 3,000 per year, depending on revenue, industry, and chosen coverage scope.

Important to know: Most cyber insurance policies require a minimum level of IT security. If you can't demonstrate basic measures like backups, firewalls, and current software, you either won't get a policy or the insurer will deny coverage in the event of a claim. The baseline security measures from the previous section are therefore also relevant for insurance coverage.

Costs and Effort Realistically Estimated

One of the most important questions for skilled trades businesses and small business owners: What does all of this cost, and how much time do I need to invest? Here is a realistic calculation for a company with 15 to 30 employees.

Initial Costs

  Measure                                                  Cost (approx.)
  DIN SPEC 27076 check (after funding deduction)           EUR 750 - 1,750
  Firewall (hardware + setup)                              EUR 800 - 2,500
  Password manager (annual license, 20 users)              EUR 0 - 1,200
  Backup solution (cloud or NAS + setup)                   EUR 500 - 2,000
  WiFi security and network check                          EUR 300 - 800
  Employee training (half day)                             EUR 500 - 1,500
  Replacement of outdated hardware/software (if needed)    EUR 0 - 5,000
  Total initial costs                                      EUR 3,000 - 10,000

The range is deliberately broad because the condition of existing IT varies widely. A business that already has a decent firewall and current software is at the lower end; a business with outdated systems, no backup, and open WiFi is at the upper end. The total is a realistic overall range rather than the sum of the individual maxima, since hardly any business needs the top of every line at once.

Ongoing Costs

  Measure                                   Cost per year (approx.)
  Managed firewall service                  EUR 600 - 1,800
  Antivirus software (20 licenses)          EUR 400 - 1,000
  Cloud backup service                      EUR 300 - 1,200
  Password manager (annual license)         EUR 0 - 1,200
  Annual employee awareness session         EUR 300 - 800
  IT service provider (quarterly check)     EUR 800 - 2,400
  Total ongoing costs per year              EUR 2,400 - 8,400

For a company with EUR 1.5 million annual revenue, that corresponds to 0.2 to 0.6 percent of revenue for IT security. For comparison: The average damage from a ransomware attack on a small business is EUR 50,000 to 120,000 according to a Bitkom study, when you add up operational downtime, recovery, and reputational damage. The investment in prevention is therefore economically a fraction of the potential damage.

Time Investment

IT security requires not just money but also time. Realistically, you should plan for the following:

  • Initial: 2 to 4 days for the IT security check, planning, and implementing the most important measures (in collaboration with an IT service provider)
  • Ongoing: 2 to 4 hours per month for maintaining IT security (backup verification, update checks, processing IT service provider reports)
  • Annual: 1 day for a refresher training and a review of the security status

For the owner of a skilled trades business who is already stretched thin with order planning, personnel management, and customer service, this sounds like a lot. But compare it with the effort after a successful cyberattack: weeks of chaos, interrupted business processes, trouble with clients and authorities, and in the worst case the question of whether the business can continue operating at all.

The Pragmatic Start: What You Can Do Tomorrow

If you've read this far and are wondering where to begin, here is a roadmap based on prioritizing by impact and effort:

Week 1: The Absolute Basics

  • Check if your backup works. Do a test restore of a file.
  • Activate multi-factor authentication for your email account and online banking.
  • Change your router's default password if you've never done so.
  • Check if automatic updates for Windows and Office are enabled.

Weeks 2 to 4: Build a Solid Foundation

  • Set up a password manager for yourself and learn to use it. Then roll it out to your team.
  • Contact your local Chamber of Industry and Commerce or Chamber of Trades and ask about funding programs for IT security.
  • Commission an IT security check per DIN SPEC 27076 with an authorized consultant.
  • Ensure your backup follows the 3-2-1 rule.

Months 2 to 3: Implement Recommendations

  • Implement the prioritized recommendations from the IT security check.
  • Conduct a brief employee awareness session (recognizing phishing, secure passwords, locking screens).
  • Have your IT service provider review and improve network security (firewall, WiFi, segmentation).
  • Create a simple one-page IT security policy with the five most important rules for your employees.

Ongoing: Stay Consistent

  • Quarterly: Test backup recovery, check updates, IT service provider reviews systems.
  • Semi-annually: Brief update for employees on current threats.
  • Annually: Review security status, potentially repeat DIN SPEC check.

When a Formal ISMS Makes Sense

DIN SPEC 27076 and the baseline security measures from this article are the right starting point for small businesses. But there are situations where you should consider a formal ISMS:

Your company grows beyond 50 employees. Above this threshold, NIS2 applies if you operate in a regulated sector. Then you need a systematic ISMS, not just individual measures.

Your clients require it. When large clients include ISO 27001, TISAX, or comparable certifications in their procurement requirements, you can't avoid an ISMS.

You process particularly sensitive data. Medical practices, tax advisors, law firms: Anyone working with highly sensitive data should have structured security management even with fewer than 50 employees.

You've already been attacked. After a security incident, motivation is high, and investing in an ISMS is also an investment in the future security of the business.

The transition from baseline security measures to a formal ISMS doesn't have to be abrupt. You can formalize gradually: first put policies in writing, then systematize risk assessment, then document processes. Tools like ISMS Lite cost EUR 500 per year and are thus affordable even for small companies that want to move from Excel-based baseline security to a structured ISMS. If you've already implemented the baseline security measures from this article, you have a solid foundation on which an ISMS can build.

Special Challenges in Skilled Trades

Skilled trades businesses have some specific challenges compared to office-based companies that must be considered in IT security:

Mobile devices on construction sites. Tablets and smartphones used on construction sites for measurements, photo documentation, and time tracking are harder to control than stationary office computers. They can be lost, stolen, or damaged. Encryption, screen lock, and remote wipe capability are mandatory here.

Industry software with special status. Many skilled trades businesses use specialized industry software for order management, calculation, or time tracking that is sometimes not compatible with the latest operating system versions. In such cases, a conversation with the software manufacturer helps. Often updates or workarounds are available, and if not, the outdated software must be replaced with a current alternative.

Customer data in skilled trades. Even a skilled trades business processes personal data: customer addresses, photos from construction sites (which may show private spaces), bank information for invoicing. A data loss is not just annoying but can be DSGVO (GDPR)-relevant.

Lack of IT expertise. In most skilled trades businesses, there is no IT employee. The business owner or a tech-savvy journeyman handles IT on the side. That works for daily operations, but for IT security you either need a competent external IT service provider or you invest in continuing education. The chambers of trades increasingly offer courses on IT security in skilled trades, tailored to the needs of small businesses.

Looking Ahead: Regulation Is Coming

Even though small businesses are not currently subject to NIS2, the trend clearly points toward more regulation in the area of cybersecurity. The EU Commission has already announced it will review and potentially adjust the thresholds in the coming years. The supply chain security requirements under NIS2 also mean that even small companies will increasingly be asked by their larger clients to provide evidence of IT security measures.

Those who lay the groundwork now are prepared. The measures described in this article cost a fraction of what a successful cyberattack would cost, and they simultaneously form the basis for more advanced requirements that may come to your business in the future.

IT security is not a question of company size. It is a question of responsibility — toward your employees, your clients, and your own business.
