
Cyber Security for Companies: A Guide for Small and Medium Businesses in Bosnia and Herzegovina

NeoBit team, Jun 15, 2026, 9 min read

Cyber security for companies in Bosnia and Herzegovina does not mean expensive equipment and a ten-person department. For a small or medium-sized business, basic protection comes down to a few measures that cover the bulk of the risk: two-factor authentication, regular offline backups, keeping systems updated, employee training and an incident response plan for when something goes wrong. Most successful attacks on smaller companies do not rely on advanced techniques; they exploit basic gaps that can be closed on a limited budget.

Our solution

Cyber protection for companies - complete protection for your business. You do not have to do it alone; we handle it for your company. Request a free assessment.

Owners of small and medium-sized enterprises (SMEs) in Bosnia and Herzegovina often believe they are too small to be a target. That is a mistaken assumption. Automated attacks do not choose victims by size, but by vulnerability. An accounting firm in Mostar, a manufacturing company in Zenica or a web shop in Banja Luka are just as exposed as a large corporation, and they usually have weaker protection and fewer resources to recover.

Why small and medium businesses in Bosnia and Herzegovina are especially exposed

Smaller companies are an attractive target because they hold valuable data but have limited protection. They have access to bank accounts, client records and business partners, yet rarely have a dedicated security team. An attacker with an automated tool does not stop to consider whether a company is from Sarajevo or Tuzla; the tool scans the internet and attacks anything with an open vulnerability.

Several factors make the situation in the region even worse:

  • Reliance on a single "IT person" who maintains everything but is not a security specialist.
  • Outdated systems that are never updated because they "work fine" and nobody wants to touch them.
  • A weak security culture where passwords are shared via messages and suspicious emails are opened without a second thought.
  • The lack of an incident plan, so when an attack happens the company improvises instead of responding according to a defined procedure.

The impact of a single successful attack can be greater for a small company than for a corporation: days of downtime, loss of client trust and recovery costs that sometimes exceed the annual profit.

The most common threats companies actually face

Phishing and business email compromise

The most common entry point is an ordinary email. The attacker poses as a supplier, a bank or a director and requests a payment, a login on a fake page or the opening of an attachment. Business email compromise (BEC) is especially dangerous because it requires no malware at all; it only takes someone trusting the sender and making a payment to the wrong account.

Ransomware

Ransomware encrypts all files on the network and demands a ransom. For a company without proper backups, this means a complete standstill. Paying the ransom does not guarantee the return of the data and only funds further attacks, which is why offline backups are a key line of defence.

Weak and reused passwords

When the same password is used across multiple services, a single data breach at a third party opens the door to all of the company's accounts. Without two-factor authentication, a stolen password is enough for full access.

Vulnerabilities in publicly exposed systems

Websites, online stores, VPN access points and internet-facing servers are scanned constantly. An unpatched component with a known vulnerability can be exploited automatically, without any interaction from employees. This is precisely where penetration testing helps, by uncovering gaps before an attacker does.

Practical steps: what to do first

The good news is that the bulk of the risk is covered by measures that are within reach of smaller companies too. Here is a sensible order to start in, moving from the highest impact toward more sophisticated measures.

  1. Enable two-factor authentication (2FA) on email, banking apps and all critical services. This is the cheapest measure with the greatest impact.
  2. Set up backups following the 3-2-1 rule: three copies of the data, on two different media, with one of them off-site and isolated from the network. Test regularly that the data can actually be restored.
  3. Update everything: operating systems, applications, websites and network equipment. Most attacks exploit vulnerabilities for which a patch already exists.
  4. Train your employees to recognise phishing and suspicious requests. People are the most common and cheapest target, but also the best first line of defence when they are well informed.
  5. Limit privileges: nobody needs administrator rights unless they are required for their day-to-day work. Fewer privileges mean less damage when an account is compromised.
  6. Create an incident response plan: who to call, which systems to shut down first, how to notify clients. A plan written in advance saves hours of panic.

What it costs and how to allocate the budget

Security is not a single expense but a series of decisions that scale with the size of the company. The table below shows approximate levels of investment based on a company's size and exposure. The figures are indicative and meant for planning, not as a fixed quote.

Company profile | Priority measures | Relative investment
Micro company (up to 10 employees) | 2FA, backups, updates, basic training | Low, mostly time and inexpensive tools
Small business (10-50 employees) | All of the above + centralised device management, annual security review | Moderate, with an external partner as needed
Medium business (50-250 employees) | All of the above + 24/7 monitoring (SOC/MDR), penetration testing, response plan | Higher, justified by the value of the data and downtime

The key is to tie investment to actual risk. A company that takes online payments and stores card data has a different risk profile than a carpentry workshop. A vulnerability assessment helps direct money where it matters most, instead of buying expensive equipment that solves a problem the company does not have.

A plan for the first 30 days

If you are starting from scratch, there is no need to do everything at once. A concrete plan for the first month delivers visible results and builds the right foundation for everything else. A suggested week-by-week schedule:

  • Week 1 - inventory and access: list which systems, applications and online accounts the company uses and who has access to them. Disable the accounts of former employees and remove access that is no longer needed. You cannot protect what you do not know you have.
  • Week 2 - 2FA and passwords: enable two-factor authentication on email, banking and critical business services. Introduce a password manager so that every account has a unique password.
  • Week 3 - backups and updates: set up automated backups following the 3-2-1 rule and perform a test restore to confirm the backup actually works. Update operating systems and applications.
  • Week 4 - people and plan: hold a short employee training session on phishing and write a simple incident response plan with contacts and first steps.

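The Week 1 access inventory combined with the least-privilege rule from step 5, as an added example that is not the article's own material: a Python cross-check of a constructed HR roster against constructed per-system account exports, flagging accounts whose owner is no longer employed and administrator rights that are not on an agreed list. The CSV layouts, the example.ba addresses and the approved-admin list are assumptions.

```python
import csv
import io

# Constructed exports standing in for an HR roster and per-system user lists.
# The CSV layouts and the example.ba addresses are assumed, not a real tool's format.
HR_ROSTER_CSV = """email,status
amina@example.ba,active
marko@example.ba,left
ivana@example.ba,active
"""

ACCOUNTS_CSV = """system,email,role
email,amina@example.ba,user
email,marko@example.ba,user
accounting,ivana@example.ba,admin
accounting,amina@example.ba,admin
webshop,shared-office@example.ba,admin
"""

# Who genuinely needs administrator rights on each system (assumed, agreed with management).
APPROVED_ADMINS = {"accounting": {"ivana@example.ba"}}

def review_access(roster_csv, accounts_csv, approved_admins):
    """Cross-check every account against the roster and the admin allow-list.
    Returns (system, email, reason) findings; each one is an account to disable
    or a privilege to remove."""
    active = {row["email"] for row in csv.DictReader(io.StringIO(roster_csv))
              if row["status"] == "active"}
    findings = []
    for acc in csv.DictReader(io.StringIO(accounts_csv)):
        system, email, role = acc["system"], acc["email"], acc["role"]
        if email not in active:
            findings.append((system, email, "owner is not an active employee"))
        if role == "admin" and email not in approved_admins.get(system, set()):
            findings.append((system, email, "admin rights not on the approved list"))
    return findings
```

Shared mailboxes such as the webshop login above show up twice: nobody in the roster owns them and nobody approved them as admin, which is exactly the kind of account to replace with named, individually authenticated users.
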
After this first month, a company already covers most of the basic risks. All more advanced measures, such as continuous monitoring or penetration testing, are built on this foundation, not instead of it.

When to bring in an external partner

A company can introduce many of these measures on its own. There are, however, areas where it pays to engage specialists, because they require knowledge and tools that make no sense to build in-house:

  • Penetration testing that simulates a real attack and uncovers vulnerabilities before an attacker does. Useful before launching a new application or as an annual check.
  • Monitoring and response (MDR/SOC) that watches systems 24/7 and reacts to suspicious activity, because attacks do not happen only during business hours.
  • Incident response when an attack has already occurred and you need to quickly contain the damage, preserve evidence and get the business back up and running.
  • ISO 27001 preparation if the company works with clients who require formal security standards.

For companies in Mostar and the wider Herzegovina region, a local partner has the advantage of understanding the regulatory and business context of Bosnia and Herzegovina. If you are not sure where your current exposure lies, a short penetration testing questionnaire helps assess the scope and priorities before any investment.

Data protection and obligations toward clients

Beyond defending against attacks, companies in Bosnia and Herzegovina also have obligations regarding the data they process. If you store personal data of clients, employees or suppliers, it is your responsibility to keep it safe in an appropriate way. This is not just a legal matter but a matter of trust: a client who finds out their data has leaked rarely comes back.

In practice, this means a few things worth putting in order before something happens:

  • Know what data you have and where it is stored. Without that record, it is impossible to assess what would be lost in the event of a breach.
  • Restrict access only to those who genuinely need it. The fewer people and systems that touch sensitive data, the smaller the attack surface.
  • Have a procedure for reporting an incident in case of a breach, including notifying affected parties when necessary.

Companies that work with larger clients or in regulated sectors are increasingly asked to prove the maturity of their security, most often through a standard such as ISO 27001. Preparing for such a standard is not just paperwork, but an opportunity to bring order to processes and turn security from improvisation into a system.

The most common mistakes to avoid

When introducing cyber security measures for companies, smaller businesses regularly repeat the same mistakes:

  • Buying tools without a strategy: antivirus and firewalls are useful, but they do not cover the human factor or poor configurations.
  • Backups that are never tested: a backup that cannot be restored is worthless, and that is usually discovered at the worst possible moment.
  • Neglecting training: the most advanced technology is undone by a single employee who clicks on a fake email.
  • Delaying until an incident happens: reactive security is always more expensive than preventive security.

Security is a process, not a project with an end date. Threats evolve, the company grows and systems change, so periodic review remains necessary even after the basics are in place. If you want a concrete assessment for your company, contact the NeoBit team for a no-obligation conversation.

Frequently asked questions

Is my small company really a target for cyber attacks?

Yes. Most attacks on smaller companies are automated and do not choose victims by size, but by vulnerability. Smaller companies are often a more attractive target because they hold valuable data and have access to money, but weaker protection than large companies. Size offers no protection.

What is the first and most important security measure for a company?

Two-factor authentication (2FA) on email and critical services provides the greatest protection at the lowest cost. Right alongside it come regular offline backups and keeping systems updated. These three measures close off a large share of the most common attacks.

How much does cyber security cost for a small business in Bosnia and Herzegovina?

Basic measures such as 2FA, backups and updates are mostly a matter of time and inexpensive tools, not a large investment. Costs only rise with more advanced services such as continuous monitoring or penetration testing, which pay off for companies with greater exposure. Investment should be tied to actual risk.

When does a company need penetration testing?

Penetration testing is useful before launching a new web application or service, as an annual exposure check, and when a company handles sensitive data or payments. It uncovers vulnerabilities before an attacker can exploit them. A short questionnaire helps assess the scope before starting.
