IT security in the Mittelstand is rarely a lack of tools — usually it’s a lack of order. Defender is licensed, a firewall runs somewhere, MFA is “set up, I think”, and the backup script hasn’t sent an error message in months. Still, the uneasy feeling remains: if an incident comes in tomorrow — would we even notice, and would we have an answer that a cyber insurer or a supplier accepts? For mid-market companies (German Mittelstand) we build a security baseline that is documented, tested regularly, and doesn’t disturb daily work — instead of yet another console nobody operates.
Does this sound familiar?
- The cyber insurer has sent a questionnaire for the renewal with a hundred questions — and for half of them you have been looking for an honest answer for days.
- Your NIS-2 exposure is unclear. But the most important customer has already asked whether you are “NIS-2 compliant”, and sales leadership reflexively answered “of course”.
- Backups have run for years, the job reports are green — but a full restore has never been seriously tested. When the last attempt happened, nobody knows.
- You have three different security tools — antivirus from five years ago, Defender, plus “something with XDR” from the last workshop. Nobody knows what is really monitored and where gaps remain.
- An employee left at the beginning of the year. Does she still have access to the mailbox, the SharePoint site for sales, the VPN? Strictly speaking that should be clarified. Strictly speaking.
- A guest account from a project in 2022 was never deactivated. The auditor noticed it just now.
Why this happens
Security in the Mittelstand rarely emerges as a planned programme, but as sediment of individual decisions. Seven years ago an antivirus was introduced, four years ago Microsoft 365 was added — so Defender too. After an incident among acquaintances, someone “thought about XDR for a moment”. A compliance question from the insurer got MFA moving. Each individual decision made sense at the time. The only problem is that they were never thought through as a whole — and nobody can reconstruct the original reasons anymore.
On top of that comes external pressure, which has noticeably grown in the last two years. Cyber insurers ask things nobody used to ask — Conditional Access, privileged-account protection, log retention. NIS-2 imposes obligations on companies that previously never had to deal with the topic — and via the supply chain even smaller businesses are drawn into the documentation logic. What was “best practice” three years ago is today a precondition for insurance cover or the major-customer contract.
And then the tool sprawl: vendors push ever new modules — Defender for Identity, Defender for Cloud Apps, Sentinel, Purview. Every component can be useful. But if nobody at the company has the time to read three consoles daily, the additional license quickly becomes expensive reassurance instead of real improvement. Security theatre instead of security.
What this is concretely about
Zero-Trust baseline
Conditional Access, MFA, device compliance — as a shared baseline you can orient yourself by, not as a never-ending project. Concretely that means: which identity may access which application from which device, under which conditions. MFA for everyone, with clear exceptions for service accounts that are secured differently. Devices that aren’t compliant don’t get to the company data. That’s no magic, and it isn’t “done in two weeks” either — but it is a reachable target state, not a buzzword. How you notice the baseline is missing: when the question “Does everyone have MFA?” can’t be answered in ten seconds with proof.
Endpoint protection & patch management
Defender for Endpoint cleanly configured, Intune compliance policies that really bite, and a patch rhythm that is documented. Vulnerability management means: which critical gaps are currently on which devices, and when will they be closed — not “we patch somehow”. In many M365 licenses most of this is already included, just not activated or not thought through to the end. We make the existing tool actually usable before talking about additional tools.
Backup drill & disaster recovery
A backup that has never been restored is hope, not a backup. We test restores seriously — per quarter at least one file recovery, once a year a full system recovery, cleanly documented. RTO (how long may the outage last at most) and RPO (how much data loss is bearable) are defined with management, not guessed by IT. And we check whether the backups are actually protected against ransomware — that is, stored immutably or at least segmented. How you notice it: when no one can name a date for “When was the last full restore test?”.
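The restore drill described above, as an added example (not code from the original page or from the consultancy). It assumes a deliberately simple backup layout: a backup directory holding file copies plus a `.sha256` sidecar written at backup time. The drill restores one file into a scratch directory, verifies the checksum, compares the restore time with the agreed RTO and the backup's age with the agreed RPO, and returns a record that can be filed as the documentation the text asks for. All paths, data and RTO/RPO values are constructed for the demonstration.

```python
"""File-level restore drill with a documented record (added example, hypothetical setup)."""
import hashlib
import os
import shutil
import tempfile
import time
from datetime import datetime, timedelta, timezone


def sha256_of(path):
    """Stream the file so large backups don't have to fit into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_path, backup_dir):
    """The 'backup job': copy the file and write its checksum sidecar (assumed layout)."""
    os.makedirs(backup_dir, exist_ok=True)
    dest = os.path.join(backup_dir, os.path.basename(source_path))
    shutil.copy2(source_path, dest)  # copy2 keeps the modification time
    with open(dest + ".sha256", "w") as f:
        f.write(sha256_of(dest))
    return dest


def restore_drill(backup_path, restore_dir, rto, rpo, now=None):
    """Restore one file, verify it, and return the drill record to file away."""
    now = now or datetime.now(timezone.utc)
    start = time.monotonic()
    os.makedirs(restore_dir, exist_ok=True)
    restored = os.path.join(restore_dir, os.path.basename(backup_path))
    shutil.copy2(backup_path, restored)
    duration = timedelta(seconds=time.monotonic() - start)

    with open(backup_path + ".sha256") as f:
        expected = f.read().strip()
    integrity_ok = sha256_of(restored) == expected  # green job report is not enough

    backup_time = datetime.fromtimestamp(os.path.getmtime(backup_path), timezone.utc)
    backup_age = now - backup_time  # how much work would be lost: compare with RPO
    return {
        "drill_date": now.isoformat(),
        "backup_file": backup_path,
        "integrity_ok": integrity_ok,
        "restore_seconds": round(duration.total_seconds(), 3),
        "rto_met": duration <= rto,
        "backup_age_hours": round(backup_age.total_seconds() / 3600, 1),
        "rpo_met": backup_age <= rpo,
        "passed": integrity_ok and duration <= rto and backup_age <= rpo,
    }


def run_demo():
    """Constructed scenario: a fresh backup, a silently corrupted copy, and a stale backup."""
    rto, rpo = timedelta(hours=4), timedelta(hours=24)  # assumed values agreed with management
    work = tempfile.mkdtemp()
    src = os.path.join(work, "invoices.db")
    with open(src, "wb") as f:
        f.write(b"constructed sample data " * 1000)
    bkp = make_backup(src, os.path.join(work, "backup"))

    fresh = restore_drill(bkp, os.path.join(work, "r1"), rto, rpo)
    # Same backup judged two days later: RPO of 24h is no longer met.
    stale = restore_drill(bkp, os.path.join(work, "r2"), rto, rpo,
                          now=datetime.now(timezone.utc) + timedelta(days=2))
    # Simulate silent corruption of the backup copy: the sidecar checksum no longer matches.
    with open(bkp, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    corrupt = restore_drill(bkp, os.path.join(work, "r3"), rto, rpo)

    shutil.rmtree(work)
    return {"fresh": fresh, "stale": stale, "corrupt": corrupt}


if __name__ == "__main__":
    for name, record in run_demo().items():
        print(name, record)
```

The point of the record is that "passed" is false for a backup that restores without error but is corrupt or too old; a job report alone would show green in both cases.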
Identity governance
Who has which access, who actually no longer has it after a role change or departure, and who controls that and when. Guest accounts from old projects, service accounts with passwords nobody has rotated in five years, shared admin accounts without a clear owner — those are the spots where audits regularly get stuck. We build access reviews as a rhythm, not as a one-time cleanup that has grown over again in two years.
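The access review just described, together with the "Does everyone have MFA?" check from the Zero-Trust baseline section, as one added example (not code from the original page or from the consultancy). It runs over a constructed account inventory rather than a real directory export; the account fields, thresholds (180 days for stale guests, 365 days for service-account password rotation) and the idea of a documented MFA exception for service accounts are assumptions made for the demonstration.

```python
"""Access review over a constructed account inventory (added example, hypothetical data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2025, 6, 1)  # fixed reference date so the results are reproducible

GUEST_STALE_DAYS = 180       # assumed threshold: guest with no sign-in for half a year
SERVICE_PW_MAX_DAYS = 365    # assumed threshold: service-account password older than a year


@dataclass
class Account:
    upn: str
    kind: str                              # "member", "guest", "service" or "admin"
    enabled: bool = True
    mfa_registered: bool = False
    last_sign_in: Optional[date] = None
    password_last_set: Optional[date] = None
    owner: Optional[str] = None            # who is accountable for the account
    left_company: Optional[date] = None    # set by HR when the person leaves
    mfa_exception_documented: bool = False  # service account secured in another way


# Constructed inventory mirroring the situations described on the page.
INVENTORY = [
    Account("anna.m@example.com", "member", mfa_registered=True,
            last_sign_in=TODAY - timedelta(days=1), owner="anna.m"),
    Account("sales-leaver@example.com", "member", mfa_registered=True,
            last_sign_in=TODAY - timedelta(days=140), left_company=date(2025, 1, 15)),
    Account("guest-2022-project@partner.example", "guest", last_sign_in=date(2022, 11, 3)),
    Account("svc-backup@example.com", "service", password_last_set=date(2019, 5, 2),
            owner="it-ops", mfa_exception_documented=True),
    Account("svc-scanner@example.com", "service",
            password_last_set=TODAY - timedelta(days=30), owner="it-ops"),
    Account("admin-shared@example.com", "admin", last_sign_in=TODAY - timedelta(days=2)),
    Account("admin-jan@example.com", "admin", mfa_registered=True, owner="jan.k",
            last_sign_in=TODAY - timedelta(days=3)),
]


def age_days(d: Optional[date]) -> Optional[int]:
    return None if d is None else (TODAY - d).days


def review(accounts):
    """Return finding category -> list of UPNs, for enabled accounts only."""
    findings = {
        "mfa_missing": [],
        "leaver_still_enabled": [],
        "stale_guest": [],
        "service_password_unrotated": [],
        "admin_without_owner": [],
    }
    for a in accounts:
        if not a.enabled:
            continue
        if a.left_company is not None:
            findings["leaver_still_enabled"].append(a.upn)
        if a.kind == "service":
            # MFA for everyone, with clear, documented exceptions for service accounts.
            if not a.mfa_exception_documented:
                findings["mfa_missing"].append(a.upn)
            pw_age = age_days(a.password_last_set)
            if pw_age is None or pw_age > SERVICE_PW_MAX_DAYS:
                findings["service_password_unrotated"].append(a.upn)
        elif not a.mfa_registered:
            findings["mfa_missing"].append(a.upn)
        if a.kind == "guest":
            last = age_days(a.last_sign_in)
            if last is None or last > GUEST_STALE_DAYS:
                findings["stale_guest"].append(a.upn)
        if a.kind == "admin" and not a.owner:
            findings["admin_without_owner"].append(a.upn)
    return findings


def mfa_coverage(accounts):
    """The ten-second answer with proof: (registered, in scope) for enabled human accounts."""
    in_scope = [a for a in accounts if a.enabled and a.kind != "service"]
    return sum(a.mfa_registered for a in in_scope), len(in_scope)


if __name__ == "__main__":
    registered, total = mfa_coverage(INVENTORY)
    print(f"MFA registered: {registered}/{total}")
    for category, upns in review(INVENTORY).items():
        print(category, upns)
```

Run as a quarterly rhythm, the same function over a fresh export gives the auditor a dated list of findings instead of a one-time cleanup; the categories map directly to the questions a cyber-insurer questionnaire tends to ask.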
NIS-2 & supplier cyber requirements
Pragmatically implement what is actually required — not stage compliance theatre that produces more paper than effect. First clarify whether you are directly or indirectly affected (often that’s the decisive point, more than the pure sector). Then go through the required areas: risk management, incident handling, supplier security, business continuity. We build the records so that they are enough for an audit and at the same time make sense in daily work — not two separate worlds of “real IT” and “compliance folder”.
When “fewer tools” brings more security — the honest answer
Sometimes the security problem isn’t “we need a new SIEM”, but “we have three tools nobody understands anymore”. We often reduce before we add. Example: if nobody at the company reads the Defender console daily, an additional SIEM on top brings nothing — we first make the existing tool usable. Only when the Defender setup runs cleanly, the alerts are prioritized, and someone evaluates them, does an extension make sense. Before that, every additional tool is just more noise covering up real signals.
What you should look out for — even if you don’t go with us
- Ask before every security project how the handover documentation will look at the end. Whoever doesn’t have a template has never handed over cleanly — and you end up with a setup only the service provider understands. That’s the exact opposite of security.
- Ask about the rollback plan before Conditional Access or Intune policies are enforced. A wrongly configured policy can lock out half the workforce on Monday morning. Whoever hesitates when asked “What happens if it goes wrong?” doesn’t have a plan.
- Mistrust flat-rate offers that promise “NIS-2 compliance in 30 days”. NIS-2 is not a checkbox but a continuous practice. Whoever shortens that sells you certificate theatre that holds up about as well as paper in an emergency.
- If someone immediately proposes a new SIEM/XDR without first looking at the current tool state and the operating capacity in-house — caution. That’s sales, not consulting.
- Clarify who signs the cyber insurer questionnaire — and on what data basis. A wrong self-declaration can cost the insurance cover in case of damage. Better to answer a few questions honestly with “in implementation” than with a blanket “yes”.
- Ask whether the service provider also advises against something. Whoever always says “yes, you need that too” optimizes their own revenue, not your security.
When this becomes due
- Cyber-insurer renewal with an extensive questionnaire — especially if the premium increase has already been announced and you have to negotiate.
- The NIS-2 deadline is in sight, or you are already directly affected and have left the topic lying.
- A supplier or major customer has sent a cyber self-assessment and demanded evidence (TISAX, VDA-ISA, own questionnaire).
- An audit note has documented gaps in permissions, logging, patch management or backup practice.
- A security incident in your own company — or, almost as often, an incident at a supplier, competitor or industry peer that wakes up management.
- A compliance project from management (approach to ISO 27001, BSI Grundschutz, sector-specific requirements).
- A generational change in the IT department — the person who held everything in their head is leaving. With them the unwritten security knowledge leaves.
How we work
Phase 1 — Initial conversation & assessment
We start with a 30-minute initial call, then with a structured look into the current state: existing licenses and security modules, Conditional Access policies, Defender configuration, backup setup, identity landscape, documented processes. Deliverable: an honest assessment — what really protects today, what is theatre, what is completely missing, what is redundant. In language that management can also read.
Phase 2 — Risk and architecture plan
Based on the assessment, we prioritize with you. Which gaps are urgent in relation to your risk profile, which can wait, which are actually no risk you want to carry. From this emerges a plan that is readable for an auditor and at the same time gives a clear implementation order for the next 6–12 months.
Phase 3 — Implementation in controlled steps
We roll out measures step by step, always with pilot groups and a rollback path. Conditional Access isn’t enforced overnight for everyone, Intune policies are first tested against IT devices, backup drills are scheduled, not spontaneous. No big-bang action where something gets “rolled out” on a Friday evening.
Phase 4 — Handover, drill rhythm & ongoing operations
At the end there is documentation with which, theoretically, someone else could replace us. Optionally we accompany ongoing operations: quarterly check of access reviews, scheduled restore drill, response to new Microsoft Defender features, annual update of the risk picture. Security as rhythm — not as constant escalation.
What you can expect from us — and what not
What you get:
- Direct contact to the founder as your fixed point of contact, without ticket carousel.
- Remote response immediately during service hours, with honest communication when something takes longer.
- On-site appointments planned by distance: in Viersen within 24 hours, in neighbouring cities 1–2 working days, further away 3–5 working days.
- Documentation that a cyber insurer or external auditor can also read.
- Recommendations that may also work against our own revenue, when it fits for you.
What we deliberately don’t do:
- 24/7 standby with a guaranteed 15-minute response. Whoever promises that won’t keep it — or has a team behind it that we are not.
- Forensic engagements after an acute security incident with complex evidence preservation. That’s done by specialized incident-response firms — we help set up the clean connection to them.
- Self-certifications for standards that an accredited auditor must issue (ISO 27001, TISAX). We prepare — the certification itself comes from an accredited body.
Where we also say no:
- If you want to buy an additional SIEM even though nobody at the company operates the Defender console — then first make the basis usable, then we talk again.
- If the honest answer is: “Your risk situation does not justify this effort.” A joinery business with 35 employees and three sites needs a different protection level than a medical-tech supplier with NIS-2 obligations. We don’t sell what is standard at the major-account customer, but what carries at your company.
- If the need is actually a pure training of the workforce and not a tooling project. Solving phishing awareness with 30 minutes of configuration would be nonsense.
How it starts
- 30 minutes initial conversation, free of charge, non-binding, by video or phone.
- What we clarify: current state of the security building blocks, most urgent triggers (insurer, audit, supplier, your own gut feeling), what’s coming up in the next 6–12 months.
- Optionally useful in advance, but not required: currently used M365 licenses, whether there is already a cyber-insurer questionnaire that is being answered, whether an audit appointment is in the calendar.
- Engagement models are possible as a one-time baseline project (e.g. introducing Zero Trust, setting up a backup drill), as ongoing security support in a quarterly rhythm, or as a hybrid — which one suits you, we clarify in conversation.
Frequently asked questions
Are we affected by NIS-2? That depends not only on the sector, but on size, critical activities and on whether you sit in a relevant supply chain. We check this with you in a structured way: first the direct exposure (sector, size), then the indirect via major customers who pass on the NIS-2 obligation through the chain. Often the answer is: “Directly no — but two major customers will demand evidence, so it amounts to the same thing.”
Do we have to certify ISO 27001? Rarely as an obligation, often as the wish of a major customer. A real certification is considerable effort and only sensible when either a customer concretely demands it or a sector has established it as a de-facto standard. In many cases an ISO-oriented practice without a formal certificate is enough — the same substance gain, considerably less paper. We help do the honest evaluation, instead of reflexively recommending “yes, we certify”.
Is MFA enough for our insurance? Three years ago often yes, today usually no. Cyber insurers now typically ask about Conditional Access, privileged-account protection, endpoint detection, backup separation and an incident-response plan. MFA is the entry ticket, not the whole concert. We go through the questionnaire with you and show what insurers actually expect.
What does a backup drill cost us? That depends strongly on scope. An initial restore test of a critical application with documented procedure is a manageable project — a full disaster-recovery test with failover to a fallback infrastructure is considerably more involved. We first sort with you which drill is necessary for your risk situation before we talk about scope. A concrete figure comes after the initial conversation, in the offer.
What if we have already had a security incident? Then the first question is whether the acute situation is contained — during a live incident you need an incident-response firm with forensic capacity, not us. If the acute phase is over and it’s about “this must not happen again”, we are exactly right: we analyze in a structured way what happened, which measure prevents a recurrence, and which traces have to be documented (for insurers, supervisors, possibly authorities).
Can we introduce Zero Trust step by step? Yes, and that’s also the only path that realistically works in the Mittelstand. There is no big-bang Zero Trust — it’s a series of steps over 6–18 months. First enforce MFA broadly, then Conditional Access on the most critical applications, then device compliance, then fine-grained. Every step has a rollback path and a measurable security gain. Whoever promises “Zero Trust in four weeks” hasn’t understood the term.
Related topics
- Use Case: Introducing a Zero-Trust baseline — without paralyzing operations on Monday morning
- Use Case: Backup drill & restore exercise — from green job report to resilient recovery
- Knowledge (German): GDPR-compliant cloud migration in 6 steps
Looking more for a clean workplace operation? Services overview