
Security in business: when people become the biggest risk


1. Recognise the real risk: protect what matters, not what is obvious

Imagine a stainless steel trader storing 120 tonnes of material behind a simple 2-metre fence. Reckless? No. Because whilst the visible inventory is barely threatened, the real risk lies in an unremarkable room: specialist tools with a three-week lead time.

Here lies the central dilemma of modern security: we often protect the wrong things.

The solution is zonal security. Divide your company by criticality, not by value. The server room with a master key in the kitchen? High risk. Expensive raw materials in the yard? Low risk. The tool that cannot be sourced? Absolutely critical.

Modern digital locking systems help: remote management, access control, complete documentation. The investment pays for itself quickly through eliminated key management and greater legal certainty.

2. IT security: three underestimated threats

The backup dilemma: classic daily backups are often worthless – time zone errors, timestamp discrepancies and data conflicts make recovery impossible. A better approach: RAID-5 systems combined with the 3-2-1 rule – 3 copies of your data on 2 different media, 1 of them offline and unreachable by ransomware. Immutable storage (data that can no longer be deleted or changed) is the game-changer here.
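The 3-2-1 rule is easy to state and easy to drift away from, so it is worth checking an actual backup inventory against it rather than trusting a diagram. The script below is an added example, not a tool from the article or the podcast: the inventory fields, the 90-day restore-test window and the two sample inventories are constructed assumptions. It treats "unreachable by ransomware" as either an offline copy or an immutable one, and it also flags copies that have never been restored in a test, since an untested backup is not yet a backup.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example, not from the original article: the inventory fields, the
thresholds and the sample copies below are constructed for this demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                        # "local-disk", "tape", "object-storage", ...
    offline: bool                      # not reachable from the production network
    immutable: bool                    # object lock / WORM: cannot be deleted or altered
    last_restore_test: Optional[date]  # last successful test restore, None if never


def check_321(copies: List[BackupCopy], today: date, max_test_age_days: int = 90) -> List[str]:
    """Return findings; an empty list means the inventory satisfies the rule
    and every copy has a recent, successful restore test."""
    findings: List[str] = []

    # 3 copies (only backups are counted here, not the live data itself)
    if len(copies) < 3:
        findings.append(f"only {len(copies)} backup copies, the rule wants at least 3")

    # 2 different media, so one failure mode (a bad disk firmware, a
    # compromised NAS) cannot take out everything at once
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append("all copies sit on one medium: " + (", ".join(sorted(media)) or "none"))

    # 1 copy that ransomware with stolen admin credentials cannot reach or alter
    if not any(c.offline or c.immutable for c in copies):
        findings.append("no copy is offline or immutable; an attacker with admin rights could wipe them all")

    # A backup is only real once it has been restored: flag stale or missing tests
    limit = today - timedelta(days=max_test_age_days)
    untested = [c.name for c in copies if c.last_restore_test is None or c.last_restore_test < limit]
    if untested:
        findings.append("no restore test in the last %d days: %s" % (max_test_age_days, ", ".join(untested)))
    return findings


# Constructed sample inventories (assumed data, not from the article)
TODAY = date(2025, 3, 1)

GOOD_INVENTORY = [
    BackupCopy("nightly-nas", "local-disk", False, False, date(2025, 2, 20)),
    BackupCopy("weekly-tape", "tape", True, False, date(2025, 1, 15)),
    BackupCopy("cloud-objectlock", "object-storage", False, True, date(2025, 2, 25)),
]

WEAK_INVENTORY = [
    BackupCopy("nightly-nas", "local-disk", False, False, None),
    BackupCopy("nas-snapshot", "local-disk", False, False, None),
]

if __name__ == "__main__":
    for label, inventory in (("good", GOOD_INVENTORY), ("weak", WEAK_INVENTORY)):
        print(label, check_321(inventory, TODAY) or ["ok"])
```

Run as-is it reports the weak inventory's four gaps (too few copies, one medium, nothing offline or immutable, no restore tests) and passes the good one; in practice the inventory would be generated from the backup software rather than typed in.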

QR code phishing (quishing): a new phishing variant uses QR codes in emails or on parking machines. Conventional anti-virus programmes only recognise QR codes as images – the harmful link remains invisible. When your employee scans the code, they bypass all company firewalls. Half a million such attacks have already been documented. Employee awareness is essential here.

Ransomware reality: 82% of all ransomware attacks hit small businesses. Defence only works if you have tested backups, raise employee awareness, limit access and implement zero-trust architecture – every access is verified, including from the internal network.

3. AI: the double-edged sword of efficiency

AI brings real opportunities: 34% of SMEs already use AI for 30–40% efficiency gains. Transcribing interviews, analysing data, generating reports – formerly days of work, now a matter of hours.

But: in 2026 AI has jumped from tenth to second place among the biggest business risks. Why? Faulty decisions, liability issues, faster cyber attacks, deepfakes and manipulation are real dangers.

The EU AI Act brings hard compliance requirements from August 2026. Penalties: up to €35 million or 7% of global annual turnover. Good news for SMEs: there are reliefs, simplified documentation and dedicated advisory channels.

Pragmatic approach: create an AI inventory, classify systems by risk, define governance, train employees and monitor continuously.

4. Occupational safety: when negligence becomes personal

Occupational safety is the area where personal liability applies – even as a GmbH managing director. One example: tradespeople renovate an old building without respiratory protection. Behind the dry lining: asbestos. Years later: lung cancer, and liability pierces the corporate veil and lands on you personally.

The hierarchy is clear: technical measures > organisational measures > personal protective equipment. Safe machines are most effective because they eliminate risks before people intervene.

The problem: employees bypass safety systems. The punching machine has multiple sensors – but a colleague disables them briefly because it is faster. The ladder should be operated by two people – one does it alone.

The real solution: not more control, but better communication. Explain the "why", involve employees, lead by example, create an open error culture. Safety measures that are understood are accepted.

5. People: biggest risk and greatest opportunity

All the security systems in the world are useless if people bypass them. A high-bay warehouse with automated conveyor systems: 10 car bodies scrapped during testing because the technology failed or employees operated it incorrectly.

The reality: 40–50% of all cyber attacks stem from human error – the click on the phishing email, the weak password, the USB stick.

Solution: build a security culture. That does not mean control but integration. Form working groups, let employees help shape safety standards. Training must be practical, interactive and experiential. Collect feedback, identify gaps, adjust continuously. And most importantly: start at the top – when leadership demonstrates security, it spreads to everyone.

6. Iterative risk management: the risk ball never reaches zero

Many seek the one perfect solution. It does not exist. Risk management is a continuous process. You identify risks, assess them, implement measures – and then the next round begins. Because conditions change, measures create new risks of their own, and effectiveness must be reviewed.

A vivid image: "we make the risk ball smaller and smoother" – not zero, but continuously more manageable.

Practical example: a hotel installs a digital locking system. What happens during an internet outage? Power cut? The guest's smartphone with a dead battery? Suddenly the hotel has a reputation problem.

The cycle: identification → assessment (risk matrix) → measure definition → implementation with clear responsibility → monitoring and adjustment. Focus on the top 10 risks, not 100 minor issues.
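To make the cycle concrete, here is a small risk register that runs two rounds of it on the hotel example: assess with a 5x5 likelihood-by-impact matrix, pick the top risks, treat one with a measure that has a named owner, and record the new risks the measure introduces before the next round. This is an added illustration, not the article's or the podcast's own method; the 1-to-5 scales, the rating thresholds (15 and above high, 8 to 14 medium) and every sample risk and score are constructed assumptions.

```python
"""Two rounds of the risk-management cycle on a constructed hotel register.

Added example, not from the original article: scales, thresholds and
sample risks are assumptions made for this demo.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class Risk:
    name: str
    owner: str                     # implementation needs one clear responsibility
    likelihood: int                # 1 (rare) ... 5 (almost certain)
    impact: int                    # 1 (negligible) ... 5 (existential)
    measure: Optional[str] = None  # the treatment decided for this risk, if any

    def score(self) -> int:
        assert 1 <= self.likelihood <= 5 and 1 <= self.impact <= 5
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Assumed matrix bands: >= 15 high, >= 8 medium, otherwise low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def top_risks(register: List[Risk], n: int = 10) -> List[Risk]:
    """Assessment step: rank by score and keep the top n (the article says 10)."""
    return sorted(register, key=lambda r: r.score(), reverse=True)[:n]


def treat(register: List[Risk], name: str, measure: str, owner: str,
          new_likelihood: int, new_impact: int,
          introduced: Iterable[Risk] = ()) -> Tuple[int, int]:
    """Measure definition + implementation: assign the measure and its owner,
    re-assess the risk, and add the follow-on risks the measure creates.
    Returns (score before, score after) for the monitoring step."""
    risk = next(r for r in register if r.name == name)
    before = risk.score()
    risk.measure, risk.owner = measure, owner
    risk.likelihood, risk.impact = new_likelihood, new_impact
    register.extend(introduced)
    return before, risk.score()


def exposure(register: List[Risk]) -> int:
    """The 'risk ball': total score. Each round shrinks it; it never reaches zero."""
    return sum(r.score() for r in register)


def demo() -> Tuple[int, int, int]:
    """Run two rounds on a constructed hotel register; return exposure per round."""
    register = [
        Risk("rooms opened with lost or copied physical keys", "reception", 4, 4),
        Risk("guest data breach via booking system", "IT", 3, 5),
        Risk("kitchen contamination forcing closure", "kitchen", 2, 4),
    ]
    e0 = exposure(register)

    # Round 1: the top risk gets a digital locking system. Lower likelihood and
    # impact, but the locks now depend on internet and power (new risks).
    treat(register, "rooms opened with lost or copied physical keys",
          "digital locking system, remotely managed", "IT", 2, 3,
          introduced=[
              Risk("locks unreachable during internet outage", "IT", 2, 3),
              Risk("locks dead during power cut", "facilities", 1, 3),
          ])
    e1 = exposure(register)

    # Round 2: one of the risks the measure created is treated in turn.
    treat(register, "locks unreachable during internet outage",
          "locks keep an offline credential cache; staff master cards", "IT", 1, 2)
    e2 = exposure(register)
    return e0, e1, e2


if __name__ == "__main__":
    for round_no, e in enumerate(demo()):
        print(f"round {round_no}: exposure {e}")
```

The round-1 drop is small (39 to 38) precisely because the locking system added risks of its own; round 2 treats one of those and brings it to 34. That is the "smaller and smoother" ball in numbers: progress comes from repeating the loop, not from any single measure.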

7. Contingency planning: the underestimated Achilles heel

One defective specialist tool with a three-week lead time can bring your company to a standstill. Contamination in your restaurant leads to 14 days of forced closure even though everything is ready for production.

Spare parts strategy: create a list of critical components. For each: at least two sources, documented lead times, emergency contacts on file.

Supply chain resilience: just-in-time has become fragile. Diversify suppliers, use different transport routes, stock critical materials, plan scenarios: what happens if supplier X fails?

Conclusion: pragmatic action instead of perfection

Security is not a state – it is a continuous process. The central principles:

Prioritise radically: protect what is critical, even if it seems unremarkable.

Integrate people: security without acceptance is worthless. Explain the "why", involve employees.

Iterate continuously: the risk ball never reaches zero, but each round makes it more manageable.

Balance technology and people: automate sensibly, retain human control at critical points.

Prepare: contingency plans, alternative suppliers – survival strategies, not luxuries.

Use AI wisely: 30–40% efficiency gains are real if you manage the risks.

Accept imperfection: good enough, implemented quickly and continuously improved beats perfectly planned and never realised.

The central insight: people are your biggest risk – and your greatest opportunity. Invest in awareness, communication and culture. Because the best firewall, the most modern locking system, the most sophisticated backup – they are only as good as the people who use them.

Risk Radar Podcast

