Go to search
Digitalisation

Michael Wiesner on cyber risks for SMEs: “Those who stand still today will fall behind tomorrow”

In this GDV interview, cybersecurity expert Michael Wiesner discusses the biggest weaknesses in IT security and explains where companies need to take action now.

Reading time
© Michael Wiesner

Michael Wiesner is a cybersecurity expert who helps companies implement information security in a pragmatic, effective, and responsible manner.

Since 2018, experienced IT security consultant Michael Wiesner has repeatedly assessed the cybersecurity of small and medium-sized enterprises (SMEs) on behalf of the German Insurance Association (GDV), with unfortunately similar results each time. Well-known attack tools remain unpatched in production environments. Access credentials are shared carelessly. Many companies fail even a basic phishing test.

In this in-depth interview, Wiesner explains why outdated software is not merely a technical issue, how a single stolen password can trigger a major security incident, where the limits of insurability lie, and how artificial intelligence is reshaping the cyber threat landscape for the years ahead.

GDV: Mr. Wiesner, after conducting security assessments for GDV in 2018, 2020, and 2023, you recently carried out another review of SME cybersecurity. You identified vulnerabilities in 11 out of 12 companies that could allow attackers to gain undetected access. In three-quarters of the businesses, the weaknesses were so severe that a successful attack would have been considered trivially easy. What goes through your mind when you see results like these?

Wiesner: Unfortunately, these findings no longer surprise me, but they remain deeply concerning. For years, we have been seeing the same fundamental security weaknesses, even though the threat landscape continues to evolve and intensify. What is particularly troubling is that many of the vulnerabilities we identify could have been eliminated with relatively straightforward measures.

Too often, cybersecurity only receives the attention it deserves after an incident has already occurred. By then, companies do take action – but it is often too late, and the cost is significantly higher. For some businesses, a successful cyberattack can quickly become an existential threat.

GDV: You have been describing the same underlying problems for years, while the attackers themselves are becoming increasingly sophisticated. In your view, what has been the most significant change over the past three to four years?

Wiesner: The most significant change has been the professionalization of the cybercrime ecosystem. With Ransomware-as-a-Service, highly sophisticated attack tools are now available almost as commercial services. This has dramatically lowered the entry barrier for criminals and increased the number of attacks.

At the same time, cyberattacks are increasingly being used as instruments of hybrid warfare. Developments surrounding the war in Ukraine and other geopolitical conflicts demonstrate that state and state-sponsored actors are deliberately using cyberspace for espionage, sabotage, and influence operations.

The combination of professionally organized cybercrime, geopolitical tensions, and AI-enabled attack techniques has elevated the cyber threat landscape to an entirely new level.

GDV: External threats are clearly increasing. Yet within companies, you continue to encounter the same almost mundane issue: outdated software that is no longer supported by the manufacturer. Windows XP on production systems, obsolete server operating systems, outdated web applications. Nine out of twelve companies are still running such systems in day-to-day operations. Why is replacing outdated software apparently so difficult, and who is responsible?

Wiesner: In manufacturing and production environments, replacing legacy systems is often much more complex than it appears. In many cases, the software is tightly integrated with machinery or entire production lines. Updating it may require not just replacing a computer, but investing in new equipment or making extensive changes to production processes. That involves significant costs and can lead to production downtime. As a result, these decisions are often postponed.

Ultimately, responsibility lies with senior management because cybersecurity is now a business risk, not merely a technical issue. Operational responsibility may involve IT management, production management, or external service providers. However, in practice, we often find that executive leadership is not fully aware of the actual risks and vulnerabilities within the organization.

It is important to note that operating legacy systems is not automatically irresponsible. There are effective ways to reduce the associated risks, including strict network segmentation, isolating critical systems, implementing robust access controls, and continuously monitoring those systems. The real problem arises when outdated systems are connected directly to the corporate network, or even to the internet, without appropriate protective measures. At that point, a technical legacy issue quickly becomes a serious business risk.

GDV: That sounds like a technical problem. However, your report also shows that the human factor is at least as critical. You sent simulated phishing emails to employees, messages designed to look like legitimate communications from trusted services but intended to steal credentials. Five of the eleven companies failed the test, with employees entering their real passwords on fake websites. In one company, ten employees did so. What happens during a real attack once an attacker gains access to those credentials?

Wiesner: Stolen credentials are often the easiest way for attackers to gain access to a corporate network. Compromised VPN accounts, cloud services, or email accounts allow attackers to log in as legitimate users without immediately raising suspicion.

From there, the real attack typically begins. Attackers escalate their privileges, move laterally through the network, and systematically search for valuable systems and sensitive data. This so-called lateral movement can continue for days or even weeks without being detected.

The final stage often involves exfiltrating sensitive data, encrypting systems with ransomware, or both. Companies are then extorted with threats to publish stolen information or keep their IT systems offline.

It is also important to remember that stolen credentials have become a commodity in their own right. The individuals who steal them are often not the ones who ultimately use them. Instead, compromised access credentials are sold within criminal marketplaces and later used by other groups for espionage, fraud, or ransomware attacks. A single compromised password can therefore escalate into a major security incident.

GDV: That sounds like a patient, carefully planned attack. But your report also highlights a much more direct attack vector that has become infamous in cybersecurity: BlueKeep, EternalBlue, and MS08-067. These vulnerabilities have been known for nearly two decades and played a major role in the ransomware outbreaks of recent years. Yet you continue to find these vulnerabilities unpatched in corporate networks. In your report, you describe this as “unacceptable.” How do you explain the fact that such well-known risks still exist in 2026?

Wiesner: From a technical perspective, it is difficult to understand why vulnerabilities such as EternalBlue, BlueKeep, or MS08-067 are still present in 2026. These flaws have been known for many years, patches have long been available, and there are countless examples of the damage they can cause.

The underlying issue is often a lack of visibility. Many organizations simply do not have a complete inventory of the systems operating within their networks or an accurate understanding of their security status. Regular vulnerability assessments and systematic asset management would expose these issues very quickly in most cases. However, many SMEs lack the necessary processes, resources, or risk awareness.

In addition, these risks are frequently underestimated. From the perspective of an attacker or penetration tester, these vulnerabilities are among the easiest attack vectors available. Once we identify such a vulnerability, it often takes less than a minute to fully compromise the affected system.

We are therefore not talking about theoretical risks or highly sophisticated attack techniques. These are well-documented vulnerabilities that have been known for years. Vulnerabilities such as EternalBlue are not hidden security flaws, they are open doors whose keys have been publicly available for years. Leaving them unpatched today is simply not acceptable from an information security perspective.

GDV: So far, we have discussed risks that companies can, at least in theory, control themselves: patches, updates, and access rights. However, there is another category that is much harder to manage: the digital supply chain. In one of your blog posts, you describe it as the “blind spot of cybersecurity.” What do you mean by that, and what does it imply for insurers that need to underwrite these risks?

Wiesner: Supply chain risks are among the greatest cybersecurity challenges today because companies have only limited control over them. An organization may secure its own systems extremely well and still become a victim if a software vendor, cloud provider, or external IT service provider is compromised.

For insurers, evaluating only the individual company is therefore no longer sufficient. Increasingly, the key questions are which critical service providers, platforms, and software components a company depends on, and what concentration risks arise from those dependencies. If thousands of companies rely on the same software platform or cloud provider, a single incident can quickly develop into a large-scale loss event.

Today, many organizations face their greatest cyber risks not within their own walls, but throughout their digital supply chains. The critical question is therefore no longer just, How well have I secured my own company? It is also, How well do I understand the risks within my digital supply chain?

GDV: And your report suggests that the answer to that question is rather sobering for many companies. External IT service providers often have extensive access to internal systems without being subject to meaningful security requirements or oversight. Only one in four companies appears to have this under control. How can this problem be addressed?

Wiesner: The solution begins with structured, risk-based third-party management. This includes clearly defined security requirements, contractual obligations, audits, and regular reviews. The broader a service provider's access rights, the more rigorous the oversight must be.

Many organizations rely heavily on questionnaires. The problem is that self-assessments alone often provide limited assurance. Their quality depends largely on who completes them. For that reason, such information should always be critically evaluated and independently verified where necessary.

Ultimately, organizations need to select service providers not only based on cost and performance, but also on their level of security. Trust is important, but in cybersecurity, the old saying holds true: Trust, but verify.

GDV: That level of oversight is likely to become even more challenging in the coming years, as the threat landscape is changing fundamentally. Generative AI is making phishing emails virtually flawless, highly personalized, and infinitely scalable. At the same time, AI can also support attack detection and response. How is AI changing the balance between attackers and defenders, and what does that mean for insurers' risk models?

Wiesner: Artificial intelligence is not shifting the balance exclusively in favour of either attackers or defenders. What we are witnessing is effectively AI versus AI. Attackers are using AI to automate phishing campaigns, personalize content, and take social engineering to an entirely new level. Defenders, meanwhile, are deploying AI to detect, analyse, and respond to attacks more effectively.

The real transformation lies in speed. Attacks can now be prepared and executed much faster, which means organizations must also react much faster. Those unable to keep pace will inevitably fall behind.

For insurers, this means that the central question will increasingly shift from whether an attack will occur to how resilient an organization is when responding to one. AI expands both the attack surface and the defensive toolkit. The real question is therefore not whether AI will change cybersecurity, but which side will learn to use it more quickly and more effectively.

GDV: Finally, after more than thirty years in the field, what is your single most important message, both to SME owners reading this interview and to insurers underwriting cyber risks?

Wiesner: My most important message to SMEs is simple: do not wait for a security incident to happen. Most of the vulnerabilities we identify are neither new nor particularly sophisticated. They are well-known problems that could often have been addressed with a reasonable amount of effort. Cybersecurity begins with visibility: knowing what systems you operate, what risks exist, and where your greatest vulnerabilities lie. If you do not know that, you cannot manage your risks effectively.

To insurers, I would say this: cyber risks cannot be assessed solely through questionnaires and compliance documentation. What matters is how an organization actually implements and lives its security practices. The greatest challenge in the years ahead will not be individual vulnerabilities, but systemic risks arising from supply chains, service providers, cloud platforms, and geopolitical developments.

Cyber insurance is important, but it is not a substitute for cybersecurity. It can mitigate the financial consequences of an incident, but it cannot prevent one.

Perhaps the same principle applies to both audiences: cybersecurity is not a destination that you reach once and for all – it is an ongoing process. Those who stand still today will fall behind tomorrow.

Back to top