Cybersecurity 2025 – New threats, new solutions

The digital threat landscape is no longer a marginal issue – it is part of our everyday reality. This is particularly evident in small and medium-sized enterprises: while IT structures are becoming more complex and interconnected, security concepts often lag behind technological progress.

2025 is just around the corner – and with it come new challenges: technical, organisational and legal.

The CosH special feature provides an overview of the most important developments, explains why traditional security concepts are often no longer sufficient, and presents practical approaches for making your company more resilient.

🚨 1. The threat continues to evolve – faster than many companies can keep up with

Cybercrime has long since become professionalised. Particularly on the rise:

Ransomware-as-a-Service (RaaS): Criminal groups offer ready-made attack packages, including support and payment systems – a ‘business model’ that was already responsible for over 60% of all ransomware attacks in 2024.

Deepfakes and AI-generated phishing emails: Attacks are becoming more credible because artificial intelligence is capable of imitating communication styles – even internally. This dramatically increases the success rate of social engineering.

Supply chain attacks: Attackers target not only the company itself, but also its IT service providers, software suppliers or hosting partners – often the weakest link in the chain.

So the big question is no longer: Is my company a target? But rather: Am I prepared when the attack comes?

🔐 3. Zero Trust, XDR, MFA & Co. – How does modern security work?

Modern security architectures no longer rely on perimeter defence alone. Instead, these approaches dominate:

Extended Detection & Response (XDR): Traditional AV solutions are no longer sufficient. XDR combines telemetry data from various IT areas (network, endpoints, cloud) to detect even complex attack patterns in real time.

MFA, PAM & BYOD rules: Multi-factor authentication, privileged access management and a clear policy for private devices (Bring Your Own Device) will become the minimum standard in 2025.

What is often overlooked is that the most effective measures are not necessarily the most expensive ones, but rather those that are best integrated into processes.

⚖️ 4. Regulation on the rise: NIS2, DORA and Co.

In 2025, several regulatory requirements will come into force that may also affect small and medium-sized enterprises – either directly or indirectly through their role as service providers or suppliers:

NIS2 Directive (EU): Far-reaching requirements for cybersecurity, risk analysis, business continuity and reporting obligations. It affects not only critical infrastructures, but also many medium-sized companies – often without their knowledge. What NIS2 requires:

  • Clear responsibilities for IT security
  • Risk management & business continuity
  • Incident response processes
  • Documentation and reporting requirements
  • Regular review and improvement of protective measures

And what happens if you don’t comply: hefty fines of up to €10 million or 2% of annual turnover – and potentially massive damage to your reputation.

Digital Operational Resilience Act (DORA): IT risk management is becoming a legally binding discipline for all companies in the financial and insurance sectors, including IT service providers in these industries.

Cyber Resilience Act: Emphasises the responsibility of manufacturers and software providers to deliver secure products. This affects entire ecosystems and supply chains.

Actively addressing these requirements is important not only for compliance reasons, but also because they provide a useful framework for IT security strategy.

📉 5. The human factor: Lack of expertise becomes a risk

Despite technical advances, one thing remains constant:

The biggest weak spot is sitting in front of the screen. This applies to social engineering as well as to faulty configurations.

But who should take responsibility when:

  • IT managers are repairing printers, patching servers and maintaining ERP systems all at the same time?
  • there is no time for further training?
  • there is a lack of awareness on the part of management?

According to a Bitkom study from 2024, 68% of SMEs say that they cannot build up enough security expertise internally. And yet many companies shy away from seeking external support – for fear of costs, loss of control or complexity.

🛠️ 6. Pragmatic solutions – what really works

We see in practice that the decisive difference is not the budget, but the courage to implement a structured approach. What works is not a huge project, but a clear, realistic roadmap.

1. Security assessment as a starting point

Where do you really stand? Which systems are exposed? What are your crown jewels? A technical and organisational check provides the answers.

2. Prioritise protective measures

Not all at once. Instead:

  • MFA (multi-factor authentication)
  • Patch management
  • Network segmentation
  • Logging & monitoring
  • Basic protection for end devices

3. Raising awareness – internally and externally

Training courses are not a chore, but a survival strategy. A well-informed employee is more valuable than any firewall.

4. Clarify responsibilities

Who makes decisions in an emergency? Who reports incidents? IT security requires defined roles – not gut feelings.

5. Understand external support not as a weakness, but as a strategy

An external IT security partner can provide specialised expertise – scalable, controllable, efficient. From 24/7 monitoring and vulnerability scans to support with NIS2 audits.

🧩 7. Case study (November 2023/2024)

  • Company: Nordwest Handel AG, Dortmund
  • Industry: Wholesale & logistics
  • Size: approx. 1,200 employees, over 1,000 specialist retail partners
  • Date of incident: November 2023
  • Type of attack: Ransomware attack with partial data encryption

Causes & weak points

Specific technical details have not been made public for understandable reasons. However, it is known that the attack was not carried out via social engineering or phishing, but presumably via a technical vulnerability in the system – an indication of exploitable attack paths in third-party software or insufficiently secured services.

Consequences of the attack:

  • Temporary shutdown of essential IT services
  • Slowed down or halted ordering and logistics processes
  • Emergency operation with manual support
  • High organisational effort required for recovery
  • Internal resource allocation and external costs
  • The financial damage has not been publicly quantified, but is likely to have been significant given the company’s role in the supply chain.

Lessons learned from the incident:

This incident illustrates the following:

  • Even established B2B companies with their own IT teams are vulnerable.
  • Small and medium-sized enterprises are increasingly becoming the focus of professional cybercriminals.
  • Protection provided by traditional antivirus solutions is no longer sufficient.
  • Without contingency plans, backup strategies and external support, companies can quickly become overwhelmed.

📌 Conclusion: IT security in 2025 is a management decision

Cybersecurity is not purely a technical task. It is part of modern corporate management – just like finance or legal affairs.

Those who act in a structured manner now can build an effective defence with limited resources.

And those who wait will eventually no longer be able to act – they will have to react.

✅ Put your IT security to the test now

Whether it’s NIS2, new threats from AI or simply the desire for greater stability – we help you to develop your IT security in a realistic and practical way.

Let us work together to identify your greatest risks – but also your best opportunities.

📧 Write to us: vertrieb@cosh.de

📞 Or speak to us directly: +49 911 477 595 00

CosH Consulting GmbH – Your partner for IT infrastructure, security and compliance in medium-sized businesses.