Cybersecurity in small and medium-sized enterprises (SMEs) - make or buy

When it comes to information security risks and remedies, large and small/medium enterprises have different options.

SMEs as an economic power

The German Mittelstand is a force to be reckoned with: when we talk about SMEs in Germany, we are not talking about a trifle. Accordingly, their needs remain essential to the German economy today. In its definition, the IfM Bonn distinguishes small and medium-sized enterprises (SMEs) from large companies using quantitative criteria such as annual turnover (≤ €50 million) and number of employees (< 500). This covers about 3.5 million companies, which in 2018 generated around 34% of all taxable sales from deliveries and services and employed around 18 million people subject to social security contributions.

Economically, SMEs are giants, but on the IT side they are dwarfs, because they employ comparatively few ICT specialists. While most large companies (77%) employ specialists in information and communication technology (ICT), such specialists are far less common in SMEs: only 17% of all SMEs state that they employ staff in this area of competence. The IT departments of SMEs are therefore rather lean and, out of operational necessity, geared primarily towards value creation.

Security situation and digitalization

Innovation in information technology is changing many areas of life. Where innovation cycles (cf. Kondratjew) once lasted about 40-60 years, today IT systems are not only established everywhere but are conquering new areas of life continuously and ever faster. The expansion of digital value creation in particular, with the (internet-based) networking of all companies involved in the value creation process and its development, production and marketing stages, is very challenging. What makes the topic even more explosive is the speed: futurologists in IT no longer speak of years, but of weeks.

In this context, it is remarkable how fast new technologies are currently spreading in the cloud environment and how rapidly the corona pandemic has affected the digitization activities of SMEs.

Criminal activities and attacks are on the rise. According to the BSI, the IT security situation in Germany is tense; attacks affect private individuals and public authorities alike, and SMEs in particular are increasingly exposed to them. Often, criminals do not go in search of the biggest target but of the easiest way in. And large companies with good IT security structures are harder to "crack" than medium-sized companies with limited resources.


In this field of tension, medium-sized companies cannot sit back; they must increasingly ask themselves whether they are investing enough and in the right places, and whether they are adequately positioned. All organizations are thus forced to improve in information technology and hence in information security, while at the same time IT professionals are in short supply. Moreover, these experts find very different opportunities on the labor market depending on the region: according to Staufenbiel, "computer scientists" are often drawn to the metropolises for reasons of earnings, which leaves SMEs outside the metropolises short of skilled workers.

In SMEs, the value of information security standards, norms, frameworks and best practices (e.g. TISAX, ISO 27001, BSI IT-Grundschutz) is often misunderstood: medium-sized companies frequently perceive them as a hurdle when they are not demanded by regulation or customer requirements. Yet they provide invaluable service, especially for the goals of raising the internal information security maturity level, improving the organization ("security-by-design"), cooperating with other companies, or promoting the company's reputation on the market. Accordingly, the untapped potential of information security management systems (ISMS) at SME level remains high.

What does this mean for SMEs? Can they take the necessary measures on their own? What are the current, market-driven options in the field of information security?

Completely outsourcing services or information security issues is often ruled out by costs, by the differing orders of magnitude of supplier and customer, and by security considerations. In addition, enough knowledge must always remain in-house to assess and control external services and to cope with risk situations. A complete exit from internal services in favor of external service partners or the cloud, and thus the complete reduction of internal capacities and competencies, is welcome for cost reasons. But switching providers, controlling them, or finding the way back is then difficult or possible only with great effort.

One possible solution is to build up in-house IT staff, which, however, promises only limited success given the market situation and the size and financial strength of SMEs, and has other pitfalls as well. A full-time "CISO / Information Security Officer" position is often oversized for an SME with, e.g., 50 employees. Furthermore, combining several roles in one person (for example, the IT manager) runs counter to the standards and to the company's business goals, since it creates conflicting objectives in the field of tension between costs and security.

While large companies usually have the means and structures (or create them), SMEs have to consider alternatives.

Often the best possible path for SMEs is "security-as-a-service": they bring the necessary competencies and capacities into the company temporarily (or permanently) through adapted service models. With existing capacities and external support, the internal implementation can then often be tackled.

This trend is also increasingly changing the way companies work in the field of IT and Internet security. According to Bitkom, in the medium term every fourth company will use security-as-a-service models. The performance achieved by combining technology and standards with the SaaS model is impressive, e.g. in the role of a "CISOaaS" (CISO as a service).


From our experience, even with limited resources, an intelligent combination of knowledge, concepts (security-by-design), remote solutions, standards (ISO/IEC 27001) and service models can offer better and more cost-effective options, and services within the framework of "Security-as-a-Service" are on the rise. The trend among SMEs is in this direction: security-as-a-service models offer an ideal compromise between performance, costs, flexibility and stability, creating security and relieving management and budgets.

Beyond technical, organizational and commercial issues, a change of culture in SMEs is still needed in order to accept and adopt security-as-a-service models. The commitment of SME management – often still owner-managed – in the field of information security is also important: management must stand behind the concept, but also adapt it and actively lead by example. "Cyber security is a matter for the boss!"

Security-as-a-Service is an interesting option and will lead to more information security, ultimately supporting management efficiently and effectively.

Author: Klaus Kilvinger
