IT security in the Mittelstand is rarely a lack of tools — it’s usually a lack of order. Defender is licensed, a firewall is running somewhere, MFA is “set up, I think”, and the backup script hasn’t sent an error message in months. Yet the uneasy feeling remains: if an incident hit tomorrow — would we even notice, and would we have an answer that a cyber insurer or a supplier would accept? We build a security baseline for mid-market companies that is documented, tested regularly, and doesn’t get in the way of daily work — instead of yet another console nobody operates.
Does this sound familiar?
- The cyber insurer has sent a hundred-question renewal questionnaire — and for half of the questions you’ve been hunting for an honest answer for days.
- Your NIS-2 exposure is unclear. But your most important customer has already asked whether you’re “NIS-2 compliant”, and the head of sales reflexively wrote back “of course”.
- Backups have been running for years and the job reports are green — but a full restore has never been seriously tested. Nobody knows when the last attempt ran.
- You have three different security tools — a five-year-old antivirus, Defender, plus “something with XDR” from the last workshop. Nobody knows what’s actually monitored and where the gaps are.
- An employee left at the beginning of the year. Does she still have access to the mailbox, the sales SharePoint site, the VPN? That should have been sorted by now. Should have.
- A guest account from a 2022 project was never deactivated. It took the financial auditor to notice.
Why this happens
Security in the Mittelstand rarely comes about as a planned programme — it accumulates as sediment from individual decisions. Seven years ago an antivirus was introduced; four years ago Microsoft 365 arrived, and with it Defender. After an incident at a company they knew, someone “briefly looked into XDR”. A compliance question from the insurer got MFA moving. Each individual decision made sense at the time. The problem is that they were never thought through as a whole — and nobody can reconstruct the original reasoning anymore.
On top of that comes external pressure, which has grown noticeably over the last two years. Cyber insurers ask about things nobody used to ask about — Conditional Access, privileged-account protection, log retention. NIS-2 pulls in companies that previously never had to deal with the topic — and via the supply chain even smaller businesses get drawn into the documentation logic. What counted as “best practice” three years ago is now a precondition for insurance cover or the next major-customer contract.
And then there’s the tool sprawl: vendors keep pushing new modules — Defender for Identity, Defender for Cloud Apps, Sentinel, Purview. Every component can be useful. But if nobody in-house has the time to read three consoles every day, the extra license quickly becomes expensive reassurance rather than a real improvement. Security theatre instead of security.
What this covers in practice
Zero-Trust baseline
Conditional Access, MFA, device compliance — as a shared baseline everyone can align to, not a never-ending project. Concretely, that means: which identity may access which application, from which device, under which conditions. MFA for everyone, with clear exceptions for service accounts that are secured a different way. Devices that aren’t compliant don’t get to company data. That’s not magic, and it isn’t “done in two weeks” either — but it is a reachable target state, not a buzzword. How you can tell the baseline is missing: when the question “Does everyone have MFA?” can’t be answered within ten seconds — with evidence.
Endpoint protection & patch management
Defender for Endpoint configured properly, Intune compliance policies that actually take effect, and a patch rhythm that is documented. Vulnerability management means: which critical vulnerabilities currently exist on which devices, and when will they be closed — not “we patch things somehow”. In many M365 licenses most of this is already included — just not activated, or not thought through to the end. We make the tools you already own workable before we talk about additional ones.
Backup drill & disaster recovery
A backup that has never been restored is a hope, not a backup. We test restores seriously — at least one file-level recovery per quarter, a full system recovery once a year, cleanly documented. RTO (how long an outage may last at most) and RPO (how much data loss is bearable) are defined with management, not guessed by IT. And we check whether the backups are actually protected against ransomware — stored immutably, or at least segmented. How you can tell there’s a gap: when nobody can name a date in answer to “When did the last full restore test run?”
Identity governance
Who has which access, who should no longer have it after a role change or departure, and who reviews all of that — and when. Guest access from old projects, service accounts with passwords nobody has rotated in five years, shared admin accounts without a clear owner — these are the spots where audits regularly get stuck. We build access reviews as a rhythm, not as a one-off cleanup that’s overgrown again two years later.
NIS-2 & supplier cyber requirements
Pragmatically implement what is actually required — instead of staging compliance theatre that produces more paper than protection. First clarify whether you are directly or indirectly affected (more often than not, that’s the decisive question — not the sector alone). Then work through the required areas: risk management, incident handling, supplier security, business continuity. We build the evidence so it holds up in an audit and makes sense in daily operations at the same time — not two separate worlds of “real IT” and “the compliance binder”.
When “fewer tools” means more security — the honest answer
Sometimes the security problem isn’t “we need a new SIEM” but “we have three tools nobody understands anymore”. We often reduce before we add. Example: if nobody in-house reads the Defender console daily, an additional SIEM on top achieves nothing — we make the existing tool workable first. Only once the Defender setup runs cleanly, alerts are prioritized and someone actually evaluates them does an extension make sense. Until then, every additional tool is just more noise drowning out real signals.
What you should look out for — even if you don’t hire us
- Before any security project, ask to see what the handover documentation will look like at the end. A provider without a template has never handed over cleanly — and you’ll end up with a setup only that provider understands. Which is the exact opposite of security.
- Ask for the rollback plan before Conditional Access or Intune policies go live. One misconfigured policy can lock out half the workforce on a Monday morning. Anyone who stumbles over the question “What happens if this goes wrong?” doesn’t have a plan.
- Be sceptical of package deals promising “NIS-2 compliance in 30 days”. NIS-2 isn’t a checkbox, it’s a continuous practice. Anyone who compresses it into a package is selling you certificate theatre that will hold up like paper when it matters.
- If someone immediately proposes a new SIEM/XDR without first looking at your current tool landscape and in-house operating capacity — be careful. That’s sales, not consulting.
- Clarify who signs the cyber-insurance questionnaire — and on what factual basis. An inaccurate self-declaration can cost you your cover when a claim comes. Better to answer a few questions honestly with “in progress” than everything with a blanket “yes”.
- Ask whether the provider ever advises against something. Anyone who always says “yes, you’ll need that too” is optimizing their own revenue, not your security.
When this becomes urgent
- A cyber-insurance renewal with an extensive questionnaire — especially if a premium increase has already been announced and you need to negotiate.
- The NIS-2 deadline is in sight, or you’re already directly in scope and have been putting the topic off.
- A supplier or major customer has sent a cyber self-assessment and is demanding evidence (TISAX, VDA-ISA, their own questionnaire).
- An audit finding has documented gaps in permissions, logging, patch management or backup practice.
- A security incident in your own company — or, almost as often, an incident at a supplier, competitor or industry peer that gets management’s attention.
- A compliance initiative from management (moving towards ISO 27001, BSI Grundschutz, sector-specific requirements).
- A generational change in the IT department — the person who kept everything in their head is leaving, and the unwritten security knowledge leaves with them.
How we work
Phase 1 — Initial conversation & assessment
We start with a 30-minute initial call, followed by a structured look at the current state: existing licenses and security modules, Conditional Access policies, Defender configuration, backup setup, identity landscape, documented processes. The deliverable: an honest assessment — what genuinely protects you today, what is theatre, what is missing entirely, what is redundant. In language the management team understands, too.
Phase 2 — Risk and architecture plan
Based on the assessment, we prioritize together with you: which gaps are urgent relative to your risk profile, which can wait — and which are risks you don’t actually want to carry at all. The result is a plan an auditor can read that also gives you a clear implementation sequence for the next 6–12 months.
Phase 3 — Implementation in controlled steps
We implement measures step by step, always with test groups and a rollback path. Conditional Access isn’t enforced for everyone overnight, Intune policies are tested against IT devices first, backup drills are planned, not spontaneous. No big-bang move where something gets “rolled out” on a Friday evening.
Phase 4 — Handover, drill rhythm & ongoing operations
At the end there is documentation that would let another service provider take over from us at any time. Optionally, we stay on for ongoing operations: quarterly access-review checks, scheduled restore drills, responses to new Microsoft Defender features, an annual update of the risk picture. Security as a rhythm — not constant escalation.
What you can expect from us — and what you can’t
What you get:
- Direct access to the founder as your permanent point of contact — no ticket carousel.
- Immediate remote response during service hours, with honest communication when something takes longer.
- On-site visits by appointment — with our base in Viersen and short distances across the Lower Rhine region, usually possible at short notice.
- Documentation that a cyber insurer or an external auditor can actually follow.
- Recommendations that can go against our own revenue when that’s what’s right for you.
What we deliberately don’t do:
- 24/7 standby with a guaranteed 15-minute response. Anyone promising that either won’t keep it — or has a team behind them that we don’t.
- Forensic engagements after an acute security incident with complex evidence preservation. That’s for specialized incident-response firms — we help set up a clean handover to them.
- Self-issued certifications for standards that require an accredited auditor (ISO 27001, TISAX). We prepare you — the certification itself comes from an accredited body.
Where we also say no:
- If you want to buy an additional SIEM even though nobody in-house operates the Defender console — make the basics workable first, then let’s talk again.
- If the honest answer is: “Your risk situation doesn’t justify this effort.” A 35-person carpentry business with three sites needs a different level of protection than a medical-device supplier subject to NIS-2. We don’t sell what’s standard for enterprise accounts — we sell what actually works at your company.
- If what’s actually needed is staff training, not a tooling project. Trying to solve phishing awareness with 30 minutes of configuration would be nonsense.
Getting started
- A 30-minute initial call — free, no obligation, by video or phone.
- What we clarify: the current state of your security building blocks, the most urgent triggers (insurer, audit, supplier, your own gut feeling), and what’s coming up in the next 6–12 months.
- Useful to have beforehand, but not required: your current M365 licenses, whether a cyber-insurance questionnaire is on your desk right now, whether an audit date is in the calendar.
- Engagement models: a one-off baseline project (e.g. introducing Zero Trust, setting up a backup drill), ongoing security support in a quarterly rhythm, or a hybrid — we’ll work out what fits you in the call.
Frequently asked questions
Are we affected by NIS-2? That depends not only on your sector, but on size, critical activities and whether you’re part of a relevant supply chain. We check it with you in a structured way: first direct exposure (sector, size), then indirect exposure via major customers who pass the NIS-2 obligation down the chain. The answer is often: “Directly, no — but two major customers will demand evidence, so it comes down to the same thing.”
Do we have to certify against ISO 27001? Rarely as a legal obligation, often as a major customer’s wish. A real certification is a significant undertaking and only makes sense if a customer concretely demands it or your industry has established it as a de-facto standard. In many cases an ISO-oriented practice without the formal certificate is enough — the same gain in substance, considerably less paper. We help you make that honest assessment instead of reflexively recommending certification.
Is MFA enough for our insurance? Three years ago, often yes; today, usually no. Cyber insurers now typically ask about Conditional Access, privileged-account protection, endpoint detection, backup separation and an incident-response plan. MFA is the ticket in, not the whole concert. We go through the questionnaire with you and show you what insurers actually expect.
What does a backup drill cost us? That depends heavily on scope. A first restore test of one critical application with a documented procedure is a manageable project — a full disaster-recovery test with failover to standby infrastructure is considerably more involved. We first sort out with you which drill your risk situation actually requires before we talk about scope. You’ll get a concrete figure in the proposal after the initial call.
What if we have already had a security incident? Then the first question is whether the acute situation is under control — during a live incident you need an incident-response firm with forensic capacity, not us. Once the acute phase is over and the question becomes “this must never happen again”, that’s exactly where we come in: we analyze in a structured way what happened, which measures prevent a recurrence, and which traces need to be documented (for insurers, supervisory bodies, possibly the authorities).
Can we introduce Zero Trust step by step? Yes — and that’s the only path that realistically works in the Mittelstand. There is no big-bang Zero Trust; it’s a series of steps over 6–18 months. First enforce MFA across the board, then Conditional Access for the most critical applications, then device compliance, then refine from there. Every step has a rollback path and a measurable security gain. Anyone promising “Zero Trust in four weeks” hasn’t understood the term.
Related topics
- Use Case: Introducing a Zero-Trust baseline — without paralyzing operations on Monday morning
- Use Case: Backup drill & restore exercise — from green job report to resilient recovery
- Knowledge (German): GDPR-compliant cloud migration in 6 steps
Looking more for clean workplace operations? Services overview