Small companies are particularly at risk when it comes to cyber attacks - and at the same time are often undersupplied with resources, expertise and guidance. With DIN SPEC 27076, also known as the Cyber Risk Check, a practical standard is now available that addresses precisely this issue: realistic, efficient and eligible for funding.
- 06/02/2025
- Technical contribution
- Management, Awareness and Compliance
Cyber risk check
How a new standard helps small companies to realistically implement cyber security.
The challenge: cyber security in SMEs
Ransomware, phishing, data theft - the threat situation is alarming. According to Bitkom, the annual damage caused by cyber attacks in Germany amounts to over 178 billion euros. Small and micro businesses are particularly affected. 88% were attacked last year, 74% reported digital data theft.
However, many of these companies have no IT department of their own, hardly any time and limited budgets. Traditional standards such as ISO 27001 or BSI IT-Grundschutz are often too complex and costly for them.
The solution: the cyber risk check
The ‘mIT Standard sicher’ project has developed a new consulting standard - especially for small businesses. DIN SPEC 27076 offers:
- 27 requirements in 6 subject areas
- Guided implementation by IT service providers
- Results report with risk score and recommendations for action
- Funding opportunities of up to 80
The focus is not on completeness, but on relevance and feasibility. The aim is to close the biggest gateways - especially against ransomware and phishing.
The top 5 measures for more security
- Make cyber security a top priority: take responsibility, clarify responsibilities, provide resources.
- Sensitise employees: regular training, simulated phishing attacks, clear communication.
- Establish a backup concept: regular backups and restore tests to remain capable of acting in an emergency.
- Carry out updates consistently: outdated software is a gateway, so activate automatic updates.
- Deactivate macros: switch them off by default and clearly regulate exceptions.
How the cyber risk check works
The process is simple and efficient:
- Initial meeting for preparation
- Status discussion with semi-structured interview
- Evaluation by the IT service provider
- Results report with score, recommendations and funding advice
The process can be carried out online, takes just a few hours and is eligible for funding - e.g. via the BAFA programme ‘Promotion of business consultancies for SMEs’.
For IT service providers: How to become part of the network
Anyone wishing to offer the Cyber Risk Check needs:
- At least 1 year of experience in IT security audits
- 3 reference projects with small companies
- Participation in a training course on DIN SPEC 27076 (e.g. via the BSI)
After successful training, a listing in the BSI service provider directory is possible - over 700 providers are currently registered there.
In an emergency: CYBERsicher emergency assistance
The cyber security transfer centre for SMEs offers another powerful tool in the form of CYBERsicher emergency assistance: companies can request help quickly and anonymously in the event of a suspected attack and receive feedback from qualified service providers in the shortest possible time.
Conclusion: Realistic security for SMEs
The cyber risk check is not a gold standard, but rather the ‘Seepferdchen’ (the German beginner's swimming badge) of cyber security: a well-founded, practical introduction for small companies. It provides orientation, lowers barriers to entry and makes progress measurable. For many companies, it is the first step towards a more secure digital future.

And save the date:
IT Security Talk: Regulation and Standards
26.06.2025 | live, digital and free of charge
This time our guests are:
- noris network AG
- Ali Tschakari from Bitkom provides insights on the topic of ‘AI regulation - a brake on innovation or a signpost for secure applications?’
- Karsten U. Bartels LL.M., Attorney AG IT-Recht will present: ‘IT service providers and increasing customer requirements according to NIS2, DORA, CRA, etc.’
This article is based on the corresponding presentation during the IT Security Talk on the topic of regulation on 27 May 2025 and was created with the support of AI.