Knowledge Area 5 · When the software is live

Security beyond data protection.

Data protection is not security, and security is not scaremongering. Six level-headed points on backups, two-factor, phishing and the new NIS-2 regulation - for mid-sized businesses.

What this is about

A business that gets hacked rarely has a technical problem. It has a human one.

Among mid-sized businesses, security is the topic everyone takes seriously and no one tackles systematically - until the day it happens to them. This page is an attempt to say the most important things in six points, without stoking fear and without glossing over anything.

One

Data protection does not protect against hackers.

Anyone working in compliance with the GDPR has taken care of one thing: they have regulated how they handle personal data. That is important - but it does not protect against someone who wants to force their way into your systems.

An example: you can have a perfect privacy policy and at the same time run your accounting on an unattended computer with a default password. Data protection and security overlap, but they are not the same thing. Security begins where data protection ends: at the concrete question of who gets in, who can delete or change data, what happens in an emergency.

Two

The most common weak point is a person.

In the public imagination, hacks are always highly technical - sinister programmers, black screens, flashing code. In reality it is almost always simpler: someone clicks a link in an email.

The most common attacks today are called phishing (fake emails that lure people into entering passwords), CEO fraud (fake emails from the boss ordering transfers), and ransomware (an encryption program gets into your system via an opened attachment and locks your data). All three exploit people, not technology. The most effective security measure for a mid-sized business is therefore not an expensive firewall, but regular, simple education of your team.

Three

Backups are the most important precaution - and the most often forgotten.

If your system is encrypted tomorrow, the damage to the system is not the problem. The problem is your data. And data is only safe if it also exists somewhere else.

The rule of thumb is called 3-2-1: three copies of your important data, on two different media, one of them in a different location. In practice that often means: the data is on your server, one copy in a cloud backup, one copy on an external hard drive that is not permanently connected - because an encryption attack reaches everything that is connected at the time. Anyone set up that way can survive an encryption attack. Anyone with only the live copy loses everything - or pays a ransom. And anyone without a tested restore does not know, in an emergency, whether the backup actually works. Test restores are as important as the backup itself.
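What a "tested restore" looks like in its smallest form, as an added example that is not part of the original page: the routine archives a folder, records a checksum for every file at backup time, restores the archive into a scratch directory and compares every file against that record. It assumes a POSIX shell with tar and sha256sum; the folder, file names and paths are constructed for the demo.

```sh
#!/bin/sh
# Added example: back up a directory, then prove the backup restores intact.

# make_manifest SRC_DIR OUT: record a sha256 checksum for every file under SRC_DIR
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# make_backup SRC_DIR ARCHIVE: archive SRC_DIR and write ARCHIVE.sha256 beside it
make_backup() {
    make_manifest "$1" "$2.sha256"
    tar -C "$1" -cf "$2" .
}

# verify_restore ARCHIVE MANIFEST: restore into a scratch directory and check
# every recorded checksum. Returns 0 only when the restore succeeds and every
# file matches; a stale or damaged archive therefore fails the check.
verify_restore() {
    scratch=$(mktemp -d) || return 1
    rc=1
    if tar -C "$scratch" -xf "$1" 2>/dev/null; then
        cp "$2" "$scratch/.manifest"
        ( cd "$scratch" && sha256sum -c .manifest >/dev/null 2>&1 ) && rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# Stand-alone demo on a constructed folder (the files below are made up).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/invoices"
    printf 'customer,amount\nA,100\n' > "$work/src/accounts.csv"
    printf 'INV-0001\n' > "$work/src/invoices/0001.txt"
    make_backup "$work/src" "$work/backup.tar"
    if verify_restore "$work/backup.tar" "$work/backup.tar.sha256"; then
        echo "restore check: OK"
    else
        echo "restore check: FAILED"
    fi
    rm -rf "$work"
}
demo
```

The second half of the check matters most: compare the restored files against a manifest taken from today's live data, and a backup that silently stopped running shows up as a failure instead of a false sense of safety.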

Four

Two-factor authentication is not a burden, but an insurance.

Two-factor means: not just the password decides, but in addition something you hold in your hand - usually your phone with a confirmation app or a code sent to you. That may seem annoying. But it is the single most effective measure you can introduce in your business.

Concretely: even if an employee gives away their password - whether through phishing or through carelessness - no one gets into your system without also holding their phone. That rules out 99 percent of automated attacks. For all important access points - email, accounting, cloud storage, software login - two-factor should be standard today. It is not extra security for the paranoid, but basic equipment, like a security lock on the front door.

Five

NIS-2 - the new regulation that many overlook.

Since 2024 the European NIS-2 directive has been in force - it obliges many mid-sized businesses for the first time to take concrete security measures. Anyone operating in a sector classified as important - which includes, for example, food production, machinery, IT service providers, logistics and much more - must comply with certain standards.

Concretely that means: risks must be documented, security incidents reported, an emergency plan in place. Management is personally liable for failures. Anyone who falls into this category and has not yet dealt with it should not put it off. A first conversation with a specialised consultant or with the BSI (the German Federal Office for Information Security) quickly clarifies whether you are affected - and if so, with what urgency.

What distinguishes NIS-2 from the GDPR

The GDPR regulates how you handle data. NIS-2 regulates how you secure your system, so that no one can steal data or disrupt processes. The two complement each other, but they have different supervisory authorities and different fine systems.

One important difference: the GDPR is about personal data. NIS-2 concerns all data and processes essential to your business operations - including production control, warehousing, communication. Anyone who is GDPR-compliant is not automatically NIS-2-compliant.

Six

How we build in security from the start.

Security cannot be bolted on afterwards without it becoming expensive and brittle. It is part of the construction. We build our software with five things taken for granted:

Encrypted connections for every data flow.
Separation between user roles - no one sees or changes what is none of their business.
Logging - every important action is traceable, without anyone spying.
Two-factor from the start, not as a retrofit.
Automatic backups with regular restore checks.

That does not make our software high-security in the sense a federal authority would demand - but as secure as a sound mid-sized business needs. And above all: we talk with you about what is possible, what is sensible and what would be excessive. Security is always a trade-off. No one needs everything.

What unites these six points

Security is not a product you buy. It is a behaviour you maintain.

The most expensive firewall is no help if your employees click phishing links. The best training is no help if your backups do not work. And the best backup is no help if you never tested it. Cyber security is an ongoing process - not a one-off purchase. We help you make that process as simple as it can responsibly be.

If you are unsure where you stand on security

An email with three sentences about your current setup is enough. We will say honestly where we see gaps - and where not.

How we fundamentally handle your data is under How we handle data protection. What comes after the build and how security updates fit into maintenance is under Maintenance and further development. What the EU regulates with the AI Act for mid-sized businesses is under EU AI Act for SMEs.
