IT Brief UK - Technology news for CIOs & IT decision-makers
United Kingdom
German SMEs face lower cyber losses, but risks stay high

German SMEs face lower cyber losses, but risks stay high

Wed, 8th Jul 2026 (Today)
Joseph Gabriel Lagonsin
JOSEPH GABRIEL LAGONSIN News Editor

HDI has published its Cyber Study 2026 on cyber risks facing small and medium-sized businesses in Germany. The survey points to lower average losses from successful attacks.

Some 60% of respondents viewed cyber damage as a relevant risk, while 31% rated the chance of their business being targeted within the next two years as high or rather high. The research was based on responses from about 1,100 decision-makers responsible for IT and insurance matters at SMEs, as well as self-employed people and freelancers in Germany.

Although many attacks are now stopped before they cause major harm, successful incidents still occur. The study put the average loss from a successful cyber attack at about €25,000, down sharply from at least €68,000 in each edition of the survey since 2022.

Peter Bertram, Head of Product Management and Underwriting Cyber at HDI, linked that decline to a more established response among companies.

"Die deutlich gesunkene Schadenhöhe kann bedeuten, dass viele Unternehmen inzwischen routinierter mit der Bedrohung umgehen, präventive Maßnahmen greifen und Angriffe schneller eingegrenzt werden", Bertram said.

He also warned against complacency.

"Neue Gefahr droht allerdings, wenn aus Routine Nachlässigkeit wird und der Fokus auf die Cybersicherheit nachlässt", Bertram said.

Existential threat

The findings suggest cyber risk remains serious for a large share of smaller businesses. One in three companies said a severe cyber incident could threaten its existence, underlining the financial strain such events can place on firms with fewer resources.

About 35% of respondents said their business had been targeted by a cyber attack at least once over the past five years. The study indicated that smaller companies with annual revenue between €2.5 million and €10 million were particularly exposed to existential pressure after an incident, echoing earlier findings that they often struggle more than larger peers to absorb losses.

Most companies reported some level of preparation. Technical safeguards such as firewalls and automated backups had been introduced by 87% of those surveyed, while 71% carried out staff training and 69% had organisational measures such as IT policies or security strategies in place.

Those measures were linked to both the likelihood and cost of attacks. Businesses that had introduced preventive steps recorded average losses 33% lower than companies that had not.

Cloud balance

The study also examined the role of cloud computing in cyber risk management. More than half of the businesses surveyed, 54%, said they use cloud services for at least part of their IT infrastructure.

For many respondents, cloud adoption was tied directly to security considerations. Around 49% cited improved IT security as a reason for using cloud services, ahead of flexibility and mobility at 44% and cost factors, such as lower spending on hardware and maintenance, at 38%.

At the same time, the results suggest cloud use can create a false sense of security if it is not matched by proper controls. Among companies using cloud services, 31% said they had experienced an operational interruption after a cyber incident, compared with 14% of businesses that do not use cloud solutions.

The contrast points to a more complex picture than a simple shift of systems off-site. Cloud services may improve resilience when they are professionally secured, but they can also widen the number of possible entry points if basic safeguards are not maintained.

Human factor

The survey found that staff remain the main route into corporate systems. Phishing emails were the most common attack method, cited by 64% of companies that had been attacked in the 12 months before the survey.

Emails carrying malware were the second most common route at 47%, followed by the accidental downloading of malicious software from the internet at 30%. The findings reinforce the view in the cyber insurance and security sectors that awareness and training remain as important as technical controls.

The study also highlighted the emergence of threats linked to artificial intelligence, especially those aimed at manipulating people rather than systems.

"CEO-Fraud oder Deepfake-basierte Täuschungen werden im Jahr 2026 von einem relevanten Anteil der Unternehmen als ernsthafte Risiken wahrgenommen", Bertram said.

According to the survey, 7% of respondents had already encountered CEO fraud or payment fraud, while 27% saw it as a relevant risk. Deepfake attacks had affected 4% of companies, and 24% regarded them as a relevant threat.

Despite those concerns, attitudes towards artificial intelligence were more positive than negative. A majority of 55% saw AI as an opportunity, while 21% considered it more of a risk to their business.

Some respondents also linked AI to stronger internal defences. The study found that 26% believed AI strengthens their company's cyber resilience, compared with 11% who said it weakens it. Views became more favourable as company size increased, while smaller businesses were generally more sceptical.

Overall, the survey shows a mid-market that has become more accustomed to cyber risk, but not immune to it. Even with lower average losses, a severe incident remains a potential existential shock for many smaller firms, especially when human error, weak processes or overconfidence in outsourced systems create openings that attackers can exploit.