Risk management

Top 10 Information Security Risks for Mid-Market Companies

TL;DR
  • Ransomware and phishing dominate the threat landscape for SMEs. Both risks can be significantly reduced through a combination of technical and organizational measures.
  • Insider risks and lacking security awareness are systematically underestimated. People remain the most important factor in information security.
  • Misconfigurations and outdated software are the most common technical vulnerabilities. Structured patch and configuration management is mandatory.
  • Supply chain risks and cloud misuse are growing in importance with increasing interconnection and require new control mechanisms.
  • For each of the ten risks, there are pragmatic countermeasures that are achievable even with limited budgets and small IT teams.

Why mid-market companies are particularly vulnerable

Mid-market companies face a paradoxical problem: They are large enough to be attractive to attackers but often too small for a fully equipped in-house IT security department. While large enterprises deploy SOC teams, multi-million security budgets, and specialized forensics partners, mid-market IT teams of three to five people often manage the entire operation including security.

The BSI has noted in its situation reports for years that the threat level for SMEs is growing. Attackers have recognized that SMEs are often easier to compromise than large enterprises while still being lucrative targets. Whether ransomware extortion, industrial espionage, or data theft: The damage per incident in the mid-market is frequently in the six-figure range and can be existentially threatening.

This article identifies the ten most relevant information security risks for mid-market companies in Germany. For each risk, you will find an assessment of likelihood and impact, an explanation of why SMEs are particularly affected, and concrete countermeasures that are feasible even with limited resources.

The assessments are based on a qualitative 5-level scale (1 = very low to 5 = very high), as also used in ISMS risk assessment, and draw on current threat data from BSI, ENISA, and industry-specific analyses.


Risk 1: Ransomware

Likelihood: 4 (High) | Impact: 5 (Critical) | Risk value: 20

Ransomware remains the greatest threat to mid-market companies in Germany. Attacks have become professionalized: Ransomware-as-a-Service (RaaS) enables even technically less skilled criminals to deploy highly developed encryption trojans. The typical attack combines encryption with data exfiltration. Attackers not only threaten loss of data but also its publication, increasing pressure on victims.

For mid-market companies, ransomware is particularly dangerous because the consequences quickly become existentially threatening. A two-week business standstill costs a company with EUR 10 million in annual revenue around EUR 400,000 in lost revenue. Added to this are costs for incident response, recovery, possible regulatory consequences, and the often long-lasting reputational damage.

The entry points are varied: phishing emails with infected attachments or links, exploitation of unpatched vulnerabilities in VPN gateways or remote desktop services, and compromised credentials from previous data breaches. Once inside the network, attackers often move undetected for weeks, exfiltrating data before triggering encryption.

Countermeasures

A robust 3-2-1 backup concept forms the foundation: three copies on two different media types, one of which is offline (air-gapped). Regular restore tests ensure that backups actually work in an emergency. Network segmentation limits the spread: When production, administration, and development are in separate segments, ransomware cannot spread unchecked. An email filter with sandbox analysis catches the majority of phishing attempts. Endpoint Detection and Response (EDR) detects suspicious behavior on workstations and servers. And a documented incident response plan specifically for ransomware reduces reaction time from days to hours in an emergency.


Risk 2: Phishing and spear phishing

Likelihood: 5 (Very high) | Impact: 3 (Medium) | Risk value: 15

Phishing is by far the most common attack vector. Nearly every cyberattack begins with some form of phishing, whether a broadly targeted campaign or targeted spear phishing against individual employees. The quality of phishing emails has improved drastically through the use of AI-generated text. Grammar errors and clumsy phrasing, once reliable indicators, have become rare.

In the mid-market, executive management and finance departments are particularly targeted by spear phishing. CEO fraud, where attackers impersonate the managing director and order an urgent wire transfer, causes millions in damages every year. But even simple credential phishing emails requesting login information on fake login pages are highly effective: Studies show that in companies without an awareness program, 20 to 30 percent of employees fall for professionally crafted phishing emails.

The impact of a single successful phishing attack is often limited (compromised email account, single infected computer), which is why we rate the impact at level 3. But phishing is frequently the starting point for more severe attacks such as ransomware or data exfiltration, which significantly increases the actual damage potential.

Countermeasures

Multi-factor authentication (MFA) is the single most effective measure. Even if credentials are compromised, the second factor prevents access. Implement MFA for all external access, cloud services, and privileged accounts. Regular phishing simulations (quarterly) with subsequent training build the ability to recognize suspicious emails and create healthy skepticism. An advanced email filter with link rewriting, attachment sandboxing, and impersonation protection catches the majority of phishing emails. For the finance department, establish a four-eyes principle for payment instructions and telephone verification for unusual requests.


Risk 3: Insider threats

Likelihood: 3 (Possible) | Impact: 4 (High) | Risk value: 12

Insider threats are an uncomfortable topic because they touch on trust in your own employees. But the numbers speak clearly: According to various studies, 20 to 30 percent of all security incidents are caused by insiders, with most being non-malicious, based on negligence or lack of knowledge.

The three main categories are: Negligent insiders who cause damage through carelessness (accidental sending of confidential data, loss of an unencrypted laptop, use of insecure cloud services). Malicious insiders who intentionally steal data or sabotage, for example before a job change to a competitor or out of frustration. And compromised insiders whose credentials are misused by external attackers.

In the mid-market, the risk is particularly relevant because access rights are often granted generously ("they need access to everything because they work on various projects"), offboarding processes are not standardized, and access for departed employees sometimes remains active for weeks.

Countermeasures

A consistent least-privilege principle according to the access and entry control policy ensures that every employee has only the access rights needed for their current task. Regular access reviews (semi-annually) check whether existing permissions are still appropriate. A formalized offboarding process with a checklist deactivates all access on the last working day. Data Loss Prevention (DLP) in its basic form monitors the sending of confidential data via email or USB. And logging and monitoring of privileged activities (admin access, database queries) creates transparency and traceability.
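The three checks in the paragraph above (offboarding gap, least-privilege gap, stale review of privileged accounts) can be run as one script over an HR export and a directory export. The following is an added example and not the article's or ISMS Lite's code; the user names, roles, dates and the job-to-role baseline are all constructed, and the 180-day review interval follows the semi-annual rhythm the article recommends.

```python
"""Access review over a constructed HR export and directory export.

Added example, not the article's or ISMS Lite's code. It implements the three
checks the countermeasures paragraph names: an offboarding gap (departed
employee, account still enabled), a least-privilege gap (roles beyond the
baseline for the person's job) and a stale review of a privileged account.
All names, roles, dates and the role baseline are constructed.
"""
from datetime import date, timedelta

# Hypothetical role baseline: the roles each job function needs for its current task.
ROLE_BASELINE = {
    "sales": {"crm_user", "mail"},
    "finance": {"erp_finance", "mail"},
    "developer": {"git", "ci", "mail"},
    "it_admin": {"domain_admin", "git", "mail"},
}
PRIVILEGED_ROLES = {"domain_admin", "erp_finance"}
REVIEW_MAX_AGE = timedelta(days=180)  # semi-annual review, as the article recommends
REVIEW_DATE = date(2024, 6, 1)        # constructed "today" for the run below

# Constructed HR export: job function and leave date (None = still employed).
HR = {
    "a.schmidt": {"job": "sales", "left": None},
    "b.mueller": {"job": "developer", "left": date(2024, 3, 31)},
    "c.weber": {"job": "finance", "left": None},
    "d.fischer": {"job": "it_admin", "left": None},
}

# Constructed directory export: account state, assigned roles, last review date.
ACCOUNTS = {
    "a.schmidt": {"enabled": True, "roles": {"crm_user", "mail", "erp_finance"},
                  "last_review": date(2024, 1, 15)},
    "b.mueller": {"enabled": True, "roles": {"git", "ci", "mail"},
                  "last_review": date(2024, 1, 15)},
    "c.weber": {"enabled": True, "roles": {"erp_finance", "mail"},
                "last_review": date(2023, 9, 1)},
    "d.fischer": {"enabled": True, "roles": {"domain_admin", "git", "mail"},
                  "last_review": date(2024, 5, 2)},
}


def review_access(hr, accounts, today):
    """Return (user, finding_type, detail) tuples for every deviation found."""
    findings = []
    for user, acct in accounts.items():
        record = hr.get(user)
        if record is None:
            # Account with no HR owner: typical leftover of an informal offboarding.
            findings.append((user, "orphan_account", "no matching HR record"))
            continue
        if record["left"] is not None and record["left"] < today and acct["enabled"]:
            findings.append((user, "offboarding_gap",
                             f"left on {record['left']} but account is still enabled"))
        excess = acct["roles"] - ROLE_BASELINE[record["job"]]
        if excess:
            findings.append((user, "excess_privilege",
                             "roles beyond job baseline: " + ", ".join(sorted(excess))))
        if acct["roles"] & PRIVILEGED_ROLES and today - acct["last_review"] > REVIEW_MAX_AGE:
            findings.append((user, "stale_review",
                             f"privileged account last reviewed on {acct['last_review']}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_access(HR, ACCOUNTS, REVIEW_DATE):
        print(f"{user:12} {kind:18} {detail}")
```

On the constructed data the run reports three findings: a.schmidt holds a finance role outside the sales baseline, b.mueller left in March but is still enabled, and c.weber's privileged account has not been reviewed within 180 days. In practice the HR and directory exports come from the HR system and the identity provider; the comparison logic stays the same.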


Risk 4: Misconfigurations

Likelihood: 4 (High) | Impact: 3 (Medium) | Risk value: 12

Misconfigurations are among the most common causes of security incidents and are systematically underestimated. An open S3 bucket in AWS, a firewall rule that permits more than intended, a database server accessible from the internet with default credentials, or a debug mode accidentally left active in the production environment: Such errors happen constantly, and attackers automatically scan for exactly these vulnerabilities.

In the mid-market, the problem is compounded by several factors. IT teams manage a growing number of systems (on-premises, cloud, SaaS) with limited personnel. Configuration is often done manually and undocumented. And the complexity of modern cloud environments with their hundreds of configuration options overwhelms even experienced administrators. A single misconfiguration in an AWS IAM policy can make the difference between a protected and an exposed system.

Countermeasures

Hardening standards for all deployed systems (operating systems, databases, cloud services) define the secure baseline configuration. Refer to the CIS Benchmarks, which are freely available for most technologies. Infrastructure as Code (IaC) with tools like Terraform or Ansible makes configurations reproducible and versionable. Every change is reviewed through code review before going to production. Regular configuration audits (quarterly) compare the actual configuration with defined standards. Cloud Security Posture Management (CSPM) automatically monitors cloud environments for misconfigurations and alerts the IT team. And a change management process ensures that configuration changes are documented and approved.


Risk 5: Outdated software and missing patch management

Likelihood: 4 (High) | Impact: 4 (High) | Risk value: 16

Unpatched vulnerabilities are, alongside phishing, the most important entry point for cyberattacks. Attackers systematically exploit the time between the publication of a patch and its installation (the so-called patch window). For critical vulnerabilities like Log4Shell or the regularly occurring Exchange vulnerabilities, active exploitation often begins within hours of publication.

In the mid-market, patch management is a chronic weakness. The reasons are varied: fear of compatibility issues ("the patch could break our ERP"), missing test environments, manual processes that do not scale across dozens of systems, and dependencies on vendors who patch slowly or no longer at all. Particularly critical are end-of-life systems that no longer receive security updates but continue to operate for cost reasons: the old Windows server for a specific production system, the no-longer-supported version of an industry-specific application.

Countermeasures

A structured patch process with defined timelines: critical patches within 72 hours, important patches within 14 days, regular updates monthly. A patch management tool automates distribution and monitors the patch status of all systems. For end-of-life systems that cannot be immediately replaced, use compensating controls: network isolation, additional monitoring, access restriction to the necessary minimum. A vulnerability scanner (vulnerability assessment) identifies unpatched systems and prioritizes by criticality. And a regular inventory of all deployed software helps you maintain oversight and recognize end-of-life dates early.
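The timelines above (72 hours, 14 days, monthly) only help if someone tracks them against the scanner output. The following added example, not the article's or ISMS Lite's code, applies those deadlines to a constructed vulnerability-scanner export, marks findings on end-of-life hosts as needing compensating controls rather than a patch, and orders the backlog so overdue critical items come first. Host names, dates and the EOL list are constructed, and "monthly" is taken as 30 days.

```python
"""Patch-SLA tracker over constructed vulnerability-scanner findings.

Added example, not the article's or ISMS Lite's code. It applies the timelines
the article defines (critical 72 hours, important 14 days, regular monthly,
taken here as 30 days), marks findings on end-of-life hosts as needing
compensating controls instead of a patch, and orders the backlog so the
team sees what is overdue first. Hosts, dates and the EOL list are constructed.
"""
from datetime import datetime, timedelta

SLA = {
    "critical": timedelta(hours=72),
    "important": timedelta(days=14),
    "regular": timedelta(days=30),   # "monthly" in the article, assumed as 30 days
}
SEVERITY_RANK = {"critical": 0, "important": 1, "regular": 2}
STATUS_RANK = {"overdue": 0, "open": 1, "compensating_controls": 2, "patched": 3}

# Constructed: end-of-life systems that no longer receive vendor patches.
EOL_HOSTS = {"prod-ctrl-01"}

# Constructed scanner export: one finding per host and vulnerability.
FINDINGS = [
    {"host": "vpn-gw-01", "severity": "critical",
     "first_seen": datetime(2024, 6, 5, 8, 0), "patched": False},
    {"host": "mail-01", "severity": "important",
     "first_seen": datetime(2024, 6, 1, 12, 0), "patched": False},
    {"host": "fs-02", "severity": "regular",
     "first_seen": datetime(2024, 4, 20, 9, 0), "patched": False},
    {"host": "prod-ctrl-01", "severity": "critical",
     "first_seen": datetime(2024, 6, 9, 7, 30), "patched": False},
    {"host": "ws-17", "severity": "important",
     "first_seen": datetime(2024, 5, 1, 10, 0), "patched": True},
]
REPORT_TIME = datetime(2024, 6, 10, 9, 0)  # constructed "now"


def evaluate(findings, now):
    """Attach due date and status to each finding and return them, most urgent first."""
    report = []
    for f in findings:
        due = f["first_seen"] + SLA[f["severity"]]
        if f["patched"]:
            status = "patched"
        elif f["host"] in EOL_HOSTS:
            # No patch will come: isolate, monitor, restrict access instead.
            status = "compensating_controls"
        elif now > due:
            status = "overdue"
        else:
            status = "open"
        overdue_by = now - due if status == "overdue" else timedelta(0)
        report.append({**f, "due": due, "status": status, "overdue_by": overdue_by})
    # Overdue before open, critical before regular, longest overdue first.
    report.sort(key=lambda r: (STATUS_RANK[r["status"]],
                               SEVERITY_RANK[r["severity"]],
                               -r["overdue_by"].total_seconds()))
    return report


if __name__ == "__main__":
    for r in evaluate(FINDINGS, REPORT_TIME):
        print(f"{r['host']:14} {r['severity']:10} {r['status']:22} due {r['due']:%Y-%m-%d %H:%M}")
```

On the constructed data the VPN gateway tops the list: its critical finding is 49 hours past the 72-hour deadline. The end-of-life controller host is listed separately so it does not disappear from the backlog just because no patch exists for it.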


Risk 6: Supply chain risks (supply chain attacks)

Likelihood: 3 (Possible) | Impact: 4 (High) | Risk value: 12

Supply chain attacks exploit the trust relationship between companies and their suppliers, service providers, or software vendors. The attacker does not compromise your company directly but a supplier, and gains access to your network or data through this detour. The SolarWinds attack in 2020 impressively demonstrated how far-reaching the consequences can be: Through a compromised software update, thousands of companies and government agencies were infiltrated.

For mid-market companies, this risk manifests in various forms. An IT service provider with remote access to your systems is compromised and attackers use the existing VPN tunnel. A SaaS provider suffers a data loss and your customer data stored there is affected. A software update for a deployed application contains malicious code. Or a supplier with access to confidential project data is hacked.

Increasing interconnection and dependence on external services continuously enlarges the attack surface. At the same time, as a mid-market company, you have only limited influence on the security practices of your suppliers.

Countermeasures

A supplier assessment before engagement evaluates the provider's security level. Ask about certifications (ISO 27001, SOC 2), request security concepts, and evaluate the responses. For critical providers, conduct regular reassessments. Contractual security requirements define minimum standards for data protection, incident reporting, audit rights, and liability. Access controls for third parties restrict access to the necessary minimum: time-limited, restricted to defined systems, with logging of all activities. A Software Bill of Materials (SBOM) for critical applications makes dependencies transparent and enables rapid response when vulnerabilities are discovered in libraries. And a contingency plan for supplier failure ensures you remain capable of acting if a service provider is compromised.
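The value of an SBOM shows when an advisory for a library appears and the question "which of our applications ship it?" must be answered in minutes. The following added example, not the article's or ISMS Lite's code, reads a minimal CycloneDX-style component list per application (only name and version, a subset of the real schema) and matches it against an advisory list with introduced/fixed version bounds. Application names, component names, versions and advisory identifiers are constructed placeholders.

```python
"""SBOM lookup: which applications ship a component affected by an advisory?

Added example, not the article's or ISMS Lite's code. It reads a minimal
CycloneDX-style component list per application (a subset of the real
schema: name and version only) and matches it against an advisory list with
introduced/fixed version bounds. All application names, component names,
versions and advisory identifiers are constructed placeholders.
"""

# Constructed SBOMs, reduced to the fields needed here (CycloneDX has many more).
SBOMS = {
    "web-portal": {"components": [
        {"name": "acme-logger", "version": "2.8.3"},
        {"name": "json-parser", "version": "1.8.0"},
    ]},
    "erp-connector": {"components": [
        {"name": "acme-logger", "version": "2.9.0"},
        {"name": "http-client", "version": "4.5.13"},
    ]},
}

# Constructed advisories: a component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "acme-logger", "introduced": "2.0.0", "fixed": "2.9.0"},
    {"id": "ADV-PLACEHOLDER-2", "component": "http-client", "introduced": "4.0.0", "fixed": "4.5.14"},
    {"id": "ADV-PLACEHOLDER-3", "component": "json-parser", "introduced": "1.9.0", "fixed": "1.9.3"},
]


def parse_version(text):
    """Dotted numeric versions only (assumption); pads so that 2.9 == 2.9.0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version, advisory):
    """True when the installed version lies inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def affected_applications(sboms, advisories):
    """Map advisory id -> sorted list of (application, component, version) hits."""
    hits = {}
    for app, sbom in sboms.items():
        for comp in sbom["components"]:
            for adv in advisories:
                if comp["name"] == adv["component"] and is_affected(comp["version"], adv):
                    hits.setdefault(adv["id"], []).append((app, comp["name"], comp["version"]))
    return {adv_id: sorted(apps) for adv_id, apps in hits.items()}


if __name__ == "__main__":
    for adv_id, apps in affected_applications(SBOMS, ADVISORIES).items():
        for app, comp, version in apps:
            print(f"{adv_id}: {app} ships {comp} {version}")
```

With the constructed data the web portal is hit by the logger advisory (2.8.3 is below the fixed version 2.9.0) while the ERP connector, already on 2.9.0, is not; the connector is instead affected through its HTTP client. Real SBOMs carry package URLs and hashes as well, which make the match more exact than the name-plus-version comparison shown here.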


Risk 7: Social engineering

Likelihood: 4 (High) | Impact: 3 (Medium) | Risk value: 12

Social engineering goes beyond phishing and encompasses all forms of psychological manipulation to get people to take actions that harm security. This includes pretexting (the attacker impersonates IT support, a managing director, or a government authority), baiting (infected USB sticks are "lost" in the company parking lot), tailgating (the attacker follows an employee through the secured door), and vishing (telephone phishing, often combined with spoofed caller IDs).

The sophistication of these attacks has increased. Attackers research their targets through LinkedIn and company websites, know internal structures, and address employees by name. Deepfake technology now even enables fake video calls that simulate the voice and face of a known person. For mid-market companies, where personal relationships and short decision paths are part of everyday operations, the vulnerability is particularly high because the culture of mutual trust is exploited by attackers.

Countermeasures

A comprehensive security awareness program goes beyond annual mandatory training. It includes regular short training sessions (monthly 10-15 minutes), phishing simulations, current warnings about new attack patterns, and an open error culture in which reporting suspicious contacts is rewarded rather than punished. Verification processes for sensitive actions ensure that telephone or email requests are confirmed through a second channel: A call allegedly from the managing director demanding an urgent wire transfer is called back on the known extension. Physical access controls with visitor registration and escort prevent tailgating. And clear policies for handling unknown storage media (USB sticks, external hard drives) reduce the baiting risk.


Risk 8: Data loss and insufficient backups

Likelihood: 3 (Possible) | Impact: 4 (High) | Risk value: 12

Data loss can have many causes: hardware defects, human error (accidental deletion), software bugs, ransomware attacks, or natural events. The question is not if but when data loss occurs. What matters is how quickly and completely you can recover from it.

In the mid-market, backup weaknesses often only become apparent in an emergency. The most common problems: Backups are created but never tested, so it is only discovered during restore that they are incomplete or corrupt. Backup media are stored at the same location as production systems and would also be destroyed by a fire or flood. Not all relevant data is covered by the backup strategy - particularly data in SaaS applications and on local workstations often falls through the cracks. And the restore time (RTO) was never measured, so the expectation "we'll be back online in a few hours" fails against the reality of several days.

Countermeasures

The 3-2-1-1 backup principle extends the classic approach with an immutable copy: three copies, two different media types, one copy offsite, one copy immutable (immutable storage). The immutable copy protects against ransomware that specifically targets backup systems. Quarterly restore tests validate that backups actually work and that defined recovery times can be met. A backup strategy that covers all data storage locations considers, beyond servers and file servers, also SaaS data (Microsoft 365, Salesforce), databases, network device configurations, and cloud infrastructure backups. Defined RPO and RTO (Recovery Point Objective and Recovery Time Objective) for different system categories provide clear targets for backup frequency and maximum recovery time.
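The backup rules from the ransomware countermeasures (3-2-1, restore tests) and from this section (immutable copy, RPO/RTO) can be verified against a backup inventory rather than assumed. The following added example, not the article's or ISMS Lite's code, does that for a constructed inventory. Assumptions: the production copy counts as one of the three copies, restore tests are due quarterly (90 days), a stale restore test gives no trustworthy RTO measurement, and the RPO/RTO targets per system are constructed.

```python
"""3-2-1-1 and RPO/RTO check over a constructed backup inventory.

Added example, not the article's or ISMS Lite's code; it serves both the
ransomware countermeasures (3-2-1, restore tests) and the data-loss
countermeasures (immutable copy, RPO/RTO). Assumptions: the production
copy counts as one of the three copies, restore tests are due quarterly
(90 days), and the RPO/RTO targets per system are constructed.
"""
from datetime import datetime, timedelta

RESTORE_TEST_MAX_AGE = timedelta(days=90)  # quarterly restore tests

# Constructed targets: (RPO, RTO) per system category.
TARGETS = {
    "erp-db": (timedelta(hours=4), timedelta(hours=8)),
    "fileserver": (timedelta(hours=24), timedelta(hours=24)),
    "m365-tenant": (timedelta(hours=24), timedelta(hours=48)),
}

# Constructed inventory: production medium, backup copies, last restore test.
INVENTORY = {
    "erp-db": {
        "production_medium": "disk",
        "copies": [
            {"medium": "disk", "offsite": False, "immutable": False,
             "taken": datetime(2024, 6, 1, 6, 0)},
            {"medium": "tape", "offsite": True, "immutable": False,
             "taken": datetime(2024, 5, 31, 22, 0)},
            {"medium": "object_storage", "offsite": True, "immutable": True,
             "taken": datetime(2024, 6, 1, 6, 0)},
        ],
        "restore_test": {"date": datetime(2024, 4, 10), "duration": timedelta(hours=6)},
    },
    "fileserver": {
        "production_medium": "disk",
        "copies": [
            {"medium": "disk", "offsite": False, "immutable": False,
             "taken": datetime(2024, 5, 30, 2, 0)},
            {"medium": "disk", "offsite": True, "immutable": False,
             "taken": datetime(2024, 5, 30, 2, 0)},
        ],
        "restore_test": {"date": datetime(2024, 1, 5), "duration": timedelta(hours=30)},
    },
    # SaaS data with no backup at all: the gap the article warns about.
    "m365-tenant": {"production_medium": "saas", "copies": [], "restore_test": None},
}
CHECK_TIME = datetime(2024, 6, 1, 8, 0)  # constructed "now"


def check_backups(inventory, targets, now):
    """Return {system: [failed checks]}; an empty list means 3-2-1-1 and RPO/RTO are met."""
    result = {}
    for system, item in inventory.items():
        rpo, rto = targets[system]
        copies = item["copies"]
        failed = []
        if 1 + len(copies) < 3:                      # production + backups
            failed.append("three_copies")
        media = {item["production_medium"], *(c["medium"] for c in copies)}
        if len(media) < 2:
            failed.append("two_media")
        if not any(c["offsite"] for c in copies):
            failed.append("one_offsite")
        if not any(c["immutable"] for c in copies):
            failed.append("one_immutable")
        latest = max((c["taken"] for c in copies), default=None)
        if latest is None or now - latest > rpo:
            failed.append("rpo_exceeded")
        test = item["restore_test"]
        if test is None or now - test["date"] > RESTORE_TEST_MAX_AGE:
            failed.append("restore_test_stale")
        elif test["duration"] > rto:
            failed.append("rto_exceeded")
        result[system] = failed
    return result


if __name__ == "__main__":
    for system, failed in check_backups(INVENTORY, TARGETS, CHECK_TIME).items():
        print(f"{system:12} {'OK' if not failed else ', '.join(failed)}")
```

On the constructed inventory the ERP database passes every check, the file server fails on media diversity, immutability, RPO and a restore test that is five months old, and the Microsoft 365 tenant fails everything because it is not backed up at all.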


Risk 9: Cloud misuse and shadow IT

Likelihood: 4 (High) | Impact: 3 (Medium) | Risk value: 12

Cloud adoption in the mid-market is growing rapidly, but security competence does not always keep pace. Cloud misuse encompasses two dimensions: insecure configuration of officially used cloud services and uncontrolled use of unapproved cloud services (shadow IT).

With official cloud services, typical errors include: publicly accessible storage buckets, overly broad IAM permissions, missing encryption for data at rest, audit logs not enabled, and insufficient network isolation between different workloads. Any single one of these errors can lead to a serious security incident.

Shadow IT emerges when business units independently use cloud services that are not approved or managed by IT. A sales representative stores customer lists in a private Dropbox account, the marketing department uses an AI tool without an AI usage policy and uploads confidential documents, a developer hosts test data on a personal cloud server. These services are subject to no security monitoring, no data backup, and no access control.

Countermeasures

A cloud governance policy defines which cloud services are approved, what security requirements must be met, and how the approval of new services works. Cloud Security Posture Management (CSPM) monitors the configuration of IaaS and PaaS services automatically and reports deviations from defined standards. A Cloud Access Security Broker (CASB) detects the use of unapproved cloud services and can block or control access. Regular training for IT administrators on the security features of deployed cloud platforms ensures the team keeps pace with complexity. And a simple approval process for new cloud services reduces the incentive for shadow IT: When official approval is quick and uncomplicated, fewer employees circumvent the process.
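What a CSPM tool does for the misconfiguration classes named under Risk 4 and in this section (public or unencrypted bucket, an IAM policy that allows everything on everything, audit logging switched off, a database port open to the whole internet) can be illustrated with a few rules over an inventory snapshot. The following is an added example, not the article's or ISMS Lite's code and not the output format of any real CSPM product; the inventory structure is a hypothetical simplification of what a cloud API or an IaC plan returns, the restricted-port list is an assumption, and all resource names are constructed.

```python
"""CSPM-style checks over a constructed cloud inventory snapshot.

Added example, not the article's or ISMS Lite's code; it covers the
misconfiguration classes named under Risk 4 and Risk 9: a public or
unencrypted storage bucket, an IAM policy that allows everything on
everything, audit logging switched off, and a database port open to the
whole internet. The inventory format is a hypothetical simplification of
what a cloud API or an IaC plan would return; all resource names are constructed.
"""

# Ports that should never be reachable from 0.0.0.0/0 (assumed list: SSH, RDP,
# common database listeners).
RESTRICTED_PORTS = {22, 3389, 1433, 3306, 5432, 27017}

# Constructed snapshot of one cloud account.
INVENTORY = {
    "audit_logging_enabled": False,
    "buckets": [
        {"name": "customer-exports", "public": True, "encrypted": False},
        {"name": "build-artifacts", "public": False, "encrypted": True},
    ],
    "iam_policies": [
        {"name": "DevOpsFullAccess",
         "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "ReadBuildArtifacts",
         "statements": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": "arn:aws:s3:::build-artifacts/*"}]},
    ],
    "security_groups": [
        {"name": "db-sg", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
        {"name": "web-sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    ],
}


def _as_list(value):
    """IAM statements allow a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def scan(inventory):
    """Return (resource, check, severity) for every deviation from the baseline."""
    findings = []
    if not inventory["audit_logging_enabled"]:
        findings.append(("account", "audit_logging_disabled", "high"))
    for b in inventory["buckets"]:
        if b["public"]:
            findings.append((b["name"], "bucket_public", "critical"))
        if not b["encrypted"]:
            findings.append((b["name"], "bucket_unencrypted", "medium"))
    for p in inventory["iam_policies"]:
        for s in p["statements"]:
            if s["Effect"] != "Allow":
                continue
            actions = _as_list(s["Action"])
            resources = _as_list(s["Resource"])
            # "*" or "service:*" combined with Resource "*" grants far more than any task needs.
            wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
            if wildcard_action and "*" in resources:
                findings.append((p["name"], "iam_policy_overly_broad", "high"))
    for sg in inventory["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in RESTRICTED_PORTS:
                findings.append((sg["name"], f"port_{rule['port']}_open_to_internet", "critical"))
    return findings


if __name__ == "__main__":
    for resource, check, severity in scan(INVENTORY):
        print(f"{severity:8} {resource:20} {check}")
```

The constructed account yields five findings; the narrowly scoped read policy and the HTTPS rule on the web security group are left alone, which is the point of rules that encode a baseline rather than flagging every open port. Run against IaC output in the pipeline, the same rules stop the misconfiguration before it reaches production; run against the live account, they catch drift from manual changes.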


Risk 10: Lacking security awareness

Likelihood: 5 (Very high) | Impact: 3 (Medium) | Risk value: 15

Lacking security awareness is strictly speaking not a single risk but a risk multiplier. Employees who do not recognize security risks and do not know how to behave correctly make every other risk in this list more likely and more severe. Missing security awareness increases the click rate on phishing, leads to weak passwords, facilitates social engineering, causes misconfigurations through ignorance, and delays the detection and reporting of incidents.

In the mid-market, the awareness situation is often sobering. Many companies limit themselves to annual mandatory PowerPoint training perceived as a tedious obligation that hardly changes behavior. IT is considered responsible for security ("that's what we have the IT department for"), and the awareness that information security is everyone's responsibility is frequently absent from executive management to individual contributors.

Particularly problematic: Executive management often sets a bad example. When the boss has their password on a sticky note on the monitor, does not use MFA, and dismisses security policies as hindering "business," the workforce will not take security seriously either.

Countermeasures

A continuous awareness program replaces the annual one-time training. It consists of short monthly learning sessions (microlearning, 5-10 minutes), quarterly phishing simulations with immediate feedback, current security warnings for new threats, and an easily accessible knowledge portal with action guides for common situations. Engage executives as role models: Executive management visibly participates in training, uses MFA, and communicates the importance of information security. Gamification elements such as a phishing leaderboard (anonymized), badges for completed training, or small competitions between departments increase motivation and make security a positively framed topic instead of a mandatory exercise. Clear reporting channels and a blame-free culture encourage employees to immediately report suspicious emails, unusual occurrences, or their own mistakes instead of concealing them out of fear of consequences.


The interplay of risks: Why individual consideration is not enough

The ten risks in this list do not exist in isolation. They reinforce each other and form attack chains that increase the overall risk beyond the sum of individual risks.

A typical sequence: Lacking security awareness (Risk 10) makes phishing (Risk 2) successful. Through compromised credentials, the attacker gains access to the network, where they encounter outdated software (Risk 5) and misconfigurations (Risk 4). They move laterally through the insufficiently segmented network, exfiltrate data, and ultimately trigger ransomware (Risk 1). The insufficient backup (Risk 8) makes recovery impossible.

This chain formation explains why a holistic approach is important. A single measure (e.g., only a better antivirus scanner) is not enough when the remaining links in the chain remain weak. The good news: Measures addressing one risk often also reduce others. MFA protects against phishing and compromised insider credentials. Network segmentation limits the impact of ransomware, misconfigurations, and insider threats.

Prioritization: Where to start?

If you try to address all ten risks simultaneously, you will fail with limited resources. Sensible prioritization focuses on risk value and the feasibility of countermeasures.
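The risk values in this article come from the 5-level scale introduced at the start: likelihood times impact, giving a range from 1 to 25. The following added example, not ISMS Lite's code or the article's own tool, puts the ten risks with the likelihood and impact values the article states into a small register, computes the risk values, and orders them for prioritization. The priority bands (15 and above high, 10 to 14 medium, below 10 low) and the implementation-effort ratings used as a tie-breaker between equal risk values are assumptions added here, not the article's figures.

```python
"""Risk register for the article's ten risks on the 5-level scale.

Added example, not ISMS Lite's code or the article's own tool. Likelihood
and impact values are those the article states; the priority bands
(>= 15 high, 10-14 medium, below 10 low) and the implementation-effort
ratings used as a tie-breaker are assumptions added here.
"""

# (risk, likelihood, impact, effort of the first countermeasure: 1 = low ... 5 = high)
# Likelihood and impact from the article; effort values are constructed.
RISKS = [
    ("Ransomware", 4, 5, 3),
    ("Phishing and spear phishing", 5, 3, 2),
    ("Insider threats", 3, 4, 3),
    ("Misconfigurations", 4, 3, 3),
    ("Outdated software and missing patch management", 4, 4, 2),
    ("Supply chain risks", 3, 4, 4),
    ("Social engineering", 4, 3, 2),
    ("Data loss and insufficient backups", 3, 4, 2),
    ("Cloud misuse and shadow IT", 4, 3, 3),
    ("Lacking security awareness", 5, 3, 1),
]


def risk_value(likelihood, impact):
    """ISMS-style product on the 1-5 scale; result lies between 1 and 25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def band(value):
    """Priority band; the thresholds are an assumption, not the article's."""
    if value >= 15:
        return "high"
    if value >= 10:
        return "medium"
    return "low"


def prioritize(risks):
    """Order by risk value (descending), then lower effort first, then by name."""
    rows = []
    for name, likelihood, impact, effort in risks:
        value = risk_value(likelihood, impact)
        rows.append((name, value, band(value), effort))
    return sorted(rows, key=lambda r: (-r[1], r[3], r[0]))


if __name__ == "__main__":
    for name, value, priority, effort in prioritize(RISKS):
        print(f"{value:3} {priority:7} effort {effort}  {name}")
```

With the article's values, ransomware (20) and outdated software (16) lead, the two 15-point risks follow, and the six risks at 12 are separated only by the assumed effort of their first countermeasure; in a real ISMS the effort column would come from your own estimate, and the matrix thresholds from your risk acceptance criteria.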

Immediate measures (first 4 weeks)

Start with the measures that offer the highest security gain at the lowest effort:

  • Activate MFA for all external access, cloud services, and admin accounts. This can be implemented in a few days and reduces the risk of compromised credentials by over 90 percent.
  • Check and test the backup concept: Does a current, offsite-stored backup exist? Does the restore work? If not, this is the highest priority.
  • Check the patch status: Are critical systems (VPN, email server, firewall) up to date? Apply open critical patches immediately.
  • Document emergency contacts: Who gets called during a security incident? Internal contacts, external IT service provider, attorney, insurance company.

Short-term measures (3 months)

In the first three months, build the baseline protection: Implementation of a patch management process, introduction of an email filter with sandbox analysis, start of a security awareness program with phishing simulations, conducting a configuration audit for critical systems, and creating a supplier overview with risk assessment.

Medium-term measures (6-12 months)

In the further course, work on structural improvements: Implement network segmentation, introduce an EDR solution, establish a cloud governance policy, implement the least-privilege principle for access rights, create an incident response plan and test it in a tabletop exercise, evaluate and conclude cyber insurance.

From risk list to ISMS

This top-10 list is a good starting point but does not replace systematic risk management. Your company's risks are individual and depend on your industry, IT landscape, organizational structure, and business activities.

A structured ISMS gives you the framework to systematically identify, assess, and treat your specific risks. ISMS Lite provides configurable risk matrices with automatic risk calculation, 11 frameworks with 583 controls including practical implementation recommendations, and end-to-end measures tracking. This way, you address not only the obvious risks but also recognize industry-specific and company-specific threats. The integrated cycle of assessment, treatment, review, and improvement continuously raises your security level.

Further reading

The ten risks in this article are a good compass for starting. Use them as the basis for your first risk assessment, adapt the ratings to your specific situation, and supplement them with risks that are particularly relevant to your company. The most important step is not the perfect analysis but getting started.

Risk assessment instead of guesswork

ISMS Lite provides configurable risk matrices, automatic risk calculation, and 583 controls with practical implementation recommendations. Assess your company's top risks systematically and track measures through to completion.
