In September 2025, an external IT service provider for Berlin Brandenburg Airport became the target of a cyber attack. The system for passenger and baggage handling was affected, with limited functionality for check-in, boarding, and baggage processes. Anyone flying at the time could see that boarding wasn't running through the usual scanners instead, check-ins were done on iPads and baggage tags were written by hand. Naturally, normal flight schedules were barely sustainable.

American defence company in cybercriminals' crosshairs

What's particularly interesting is that the airport itself wasn't directly attacked, but still suffered the consequences through its tight integration with the IT service provider. The Collins Aerospace system is used at many airports and is a tightly woven part of critical infrastructure (KRITIS) in Europe. As a subsidiary of US defence company RTX, the team was technically prepared for attacks, yet still fell victim despite appropriate precautions. Through existing emergency plans, the team intervened quickly and the connection was severed for security reasons. While technically the right approach, this had negative operational impacts and airports had to improvise with alternative solutions until normal operations were restored. In the wake of the incident, the World Economic Forum reassessed the importance of cybersecurity and emphasised its relevance for companies in infrastructure and healthcare [WEF & WEF2].

Rising cyber attacks also affecting mid-sized businesses

It's not just international corporations suffering from cyber attacks. The BSI identifies small and medium-sized enterprises in its 2025 situation report as one of the three main target groups for cybercriminals. SMEs often have lower IT security budgets than large companies and haven't given the topic sufficient priority [BSI].

The Collins Aerospace incident and the cybersecurity team's interventions show that IT security must be viewed from two perspectives: prevention and response in an emergency.

Prevention: Protection from attacks often seems overwhelming, but with the right expertise it can be implemented quickly and strengthened further through intelligent network design. The basics are well-known and almost clichéd: firewalls, multi-factor authentication, regular security updates, and segmented networks. Yet the BSI emphasises in its current situation report that "fundamental, often free-to-implement prevention measures" are still not being taken by many German companies. As an implementation challenge, our partner Sophos reports in its State of Ransomware 2025 that around 42% of affected companies didn't have the appropriate expertise in-house [SOPHOS].

Response in an emergency: If an incident occurs, you need to react as quickly as possible. With the right procedures, response time can be improved. In this context, people often talk about incident response planning and recovery readiness. Critical here is Mean Time to Recovery (MTTR) which is the average time from detecting an incident to full restoration. Leading service providers achieve an MTTR of under two hours through automated response systems and unified monitoring. By comparison, companies with relatively low capability levels or high complexity often require over 72 hours [Palo Alto Networks].

DaPhi as IT security partner for mid-sized businesses

DaPhi helps mid-sized businesses of all types build IT security. Companies in critical infrastructure, such as healthcare and energy infrastructure, trust us with their processes and measures: from analysing critical third-party dependencies through implementing effective protective measures to tested emergency concepts with clear recovery procedures.

The BSI explicitly recommends in its 2024 situation report that mid-sized companies rely on specialised service providers for IT security, for both technical and economic reasons [BSI2]. The costs of building internal security teams significantly exceed budget frameworks for most SMEs.

Photo by Tanathip Rattanatum