Home / Services / Security & Governance

Security & Governance — pragmatic IT security for the Mittelstand

Zero-Trust baseline, endpoint protection, NIS-2 preparation and backup drills for mid-market companies — substantial, documented, without compliance theatre.

IT security in the Mittelstand is rarely a lack of tools — it’s usually a lack of order. Defender is licensed, a firewall is running somewhere, MFA is “set up, I think”, and the backup script hasn’t sent an error message in months. Yet the uneasy feeling remains: if an incident hit tomorrow — would we even notice, and would we have an answer that a cyber insurer or a supplier would accept? We build a security baseline for mid-market companies that is documented, tested regularly, and doesn’t get in the way of daily work — instead of yet another console nobody operates.

Does this sound familiar?

Why this happens

Security in the Mittelstand rarely comes about as a planned programme — it accumulates as sediment from individual decisions. Seven years ago an antivirus was introduced; four years ago Microsoft 365 arrived, and with it Defender. After an incident at a company they knew, someone “briefly looked into XDR”. A compliance question from the insurer got MFA moving. Each individual decision made sense at the time. The problem is that they were never thought through as a whole — and nobody can reconstruct the original reasoning anymore.

On top of that comes external pressure, which has grown noticeably over the last two years. Cyber insurers ask about things nobody used to ask about — Conditional Access, privileged-account protection, log retention. NIS-2 pulls in companies that previously never had to deal with the topic — and via the supply chain even smaller businesses get drawn into the documentation logic. What counted as “best practice” three years ago is now a precondition for insurance cover or the next major-customer contract.

And then there’s the tool sprawl: vendors keep pushing new modules — Defender for Identity, Defender for Cloud Apps, Sentinel, Purview. Every component can be useful. But if nobody in-house has the time to read three consoles every day, the extra license quickly becomes expensive reassurance rather than a real improvement. Security theatre instead of security.

What this covers in practice

Zero-Trust baseline

Conditional Access, MFA, device compliance — as a shared baseline everyone can align to, not a never-ending project. Concretely, that means: which identity may access which application, from which device, under which conditions. MFA for everyone, with clear exceptions for service accounts that are secured a different way. Devices that aren’t compliant don’t get to company data. That’s not magic, and it isn’t “done in two weeks” either — but it is a reachable target state, not a buzzword. How you can tell the baseline is missing: when the question “Does everyone have MFA?” can’t be answered within ten seconds — with evidence.

Endpoint protection & patch management

Defender for Endpoint configured properly, Intune compliance policies that actually take effect, and a patch rhythm that is documented. Vulnerability management means: which critical vulnerabilities currently exist on which devices, and when will they be closed — not “we patch things somehow”. In many M365 licenses most of this is already included — just not activated, or not thought through to the end. We make the tools you already own workable before we talk about additional ones.

Backup drill & disaster recovery

A backup that has never been restored is a hope, not a backup. We test restores seriously — at least one file-level recovery per quarter, a full system recovery once a year, cleanly documented. RTO (how long an outage may last at most) and RPO (how much data loss is bearable) are defined with management, not guessed by IT. And we check whether the backups are actually protected against ransomware — stored immutably, or at least segmented. How you can tell there’s a gap: when nobody can name a date in answer to “When did the last full restore test run?”

Identity governance

Who has which access, who should no longer have it after a role change or departure, and who reviews all of that — and when. Guest access from old projects, service accounts with passwords nobody has rotated in five years, shared admin accounts without a clear owner — these are the spots where audits regularly get stuck. We build access reviews as a rhythm, not as a one-off cleanup that’s overgrown again two years later.

NIS-2 & supplier cyber requirements

Pragmatically implement what is actually required — instead of staging compliance theatre that produces more paper than protection. First clarify whether you are directly or indirectly affected (more often than not, that’s the decisive question — not the sector alone). Then work through the required areas: risk management, incident handling, supplier security, business continuity. We build the evidence so it holds up in an audit and makes sense in daily operations at the same time — not two separate worlds of “real IT” and “the compliance binder”.

When “fewer tools” means more security — the honest answer

Sometimes the security problem isn’t “we need a new SIEM” but “we have three tools nobody understands anymore”. We often reduce before we add. Example: if nobody in-house reads the Defender console daily, an additional SIEM on top achieves nothing — we make the existing tool workable first. Only once the Defender setup runs cleanly, alerts are prioritized and someone actually evaluates them does an extension make sense. Until then, every additional tool is just more noise drowning out real signals.

What you should look out for — even if you don’t hire us

When this becomes urgent

How we work

Phase 1 — Initial conversation & assessment

We start with a 30-minute initial call, followed by a structured look at the current state: existing licenses and security modules, Conditional Access policies, Defender configuration, backup setup, identity landscape, documented processes. The deliverable: an honest assessment — what genuinely protects you today, what is theatre, what is missing entirely, what is redundant. In language the management team understands, too.

Phase 2 — Risk and architecture plan

Based on the assessment, we prioritize together with you: which gaps are urgent relative to your risk profile, which can wait — and which are risks you don’t actually want to carry at all. The result is a plan an auditor can read that also gives you a clear implementation sequence for the next 6–12 months.

Phase 3 — Implementation in controlled steps

We implement measures step by step, always with test groups and a rollback path. Conditional Access isn’t enforced for everyone overnight, Intune policies are tested against IT devices first, backup drills are planned, not spontaneous. No big-bang move where something gets “rolled out” on a Friday evening.

Phase 4 — Handover, drill rhythm & ongoing operations

At the end there is documentation that would let another service provider take over from us at any time. Optionally, we stay on for ongoing operations: quarterly access-review checks, scheduled restore drills, responses to new Microsoft Defender features, an annual update of the risk picture. Security as a rhythm — not constant escalation.

What you can expect from us — and what you can’t

What you get:

What we deliberately don’t do:

Where we also say no:

Getting started

Book an initial conversation

Frequently asked questions

Are we affected by NIS-2? That depends not only on your sector, but on size, critical activities and whether you’re part of a relevant supply chain. We check it with you in a structured way: first direct exposure (sector, size), then indirect exposure via major customers who pass the NIS-2 obligation down the chain. The answer is often: “Directly, no — but two major customers will demand evidence, so it comes down to the same thing.”

Do we have to certify against ISO 27001? Rarely as a legal obligation, often as a major customer’s wish. A real certification is a significant undertaking and only makes sense if a customer concretely demands it or your industry has established it as a de-facto standard. In many cases an ISO-oriented practice without the formal certificate is enough — the same gain in substance, considerably less paper. We help you make that honest assessment instead of reflexively recommending certification.

Is MFA enough for our insurance? Three years ago, often yes; today, usually no. Cyber insurers now typically ask about Conditional Access, privileged-account protection, endpoint detection, backup separation and an incident-response plan. MFA is the ticket in, not the whole concert. We go through the questionnaire with you and show you what insurers actually expect.

What does a backup drill cost us? That depends heavily on scope. A first restore test of one critical application with a documented procedure is a manageable project — a full disaster-recovery test with failover to standby infrastructure is considerably more involved. We first sort out with you which drill your risk situation actually requires before we talk about scope. You’ll get a concrete figure in the proposal after the initial call.

What if we have already had a security incident? Then the first question is whether the acute situation is under control — during a live incident you need an incident-response firm with forensic capacity, not us. Once the acute phase is over and the question becomes “this must never happen again”, that’s exactly where we come in: we analyze in a structured way what happened, which measures prevent a recurrence, and which traces need to be documented (for insurers, supervisory bodies, possibly the authorities).

Can we introduce Zero Trust step by step? Yes — and that’s the only path that realistically works in the Mittelstand. There is no big-bang Zero Trust; it’s a series of steps over 6–18 months. First enforce MFA across the board, then Conditional Access for the most critical applications, then device compliance, then refine from there. Every step has a rollback path and a measurable security gain. Anyone promising “Zero Trust in four weeks” hasn’t understood the term.

Looking more for clean workplace operations? Services overview