
🔥 A single terraform destroy - and suddenly, 15 customer systems go offline 🔥
The "Friday afternoon destroyer" has struck again.
In this two-part article, we examine one of the most significant structural infrastructure problems, as well as one of the most underestimated risks of Infrastructure-as-Code, from a management perspective. We help companies systematically minimize blast radius risks.
Because the best explosion is the one that never happens.
Read more: Terraform @ Scale - Part 3a: Blast-Radius Management

Secrets Engines are the core of Vault – they enable us to think of security not just as a matter of storage, but as a process. Whether it's a database password, SSH access, or JWT signature, everything can be managed dynamically, securely, and traceably – if the right engines are known and used correctly. The key lies less in diversity and more in understanding and design. Anyone who wants to use Vault productively cannot avoid a deep understanding of the Secrets Engines.
This article offers a well-founded overview of the function, use cases, and lifecycle of Secrets Engines – from generic engines like KV, Transit, or PKI to specialized modules for Cloud and database platforms.
Read more: HashiCorp Vault Deep Dive - Part 1: Fundamentals of Secret Engines

Infrastructure-as-Code is no longer optional. Companies that aim to run and scale their cloud infrastructure seriously rely on Terraform. But with growing success and increasing complexity, a critical question arises: how large or small should a Terraform state actually be?
A state that is too large blocks teams, slows down processes, and creates unnecessary risk. A state that is too small, on the other hand, leads to unnecessary overhead and fragile consistency. The goal is to find the right balance - not too much, not too little, but just right. Welcome to the Goldilocks principle for Terraform.
Read more: Terraform @ Scale - Part 2: The Art of Optimal State Sizing

Managing Terraform infrastructure becomes particularly challenging when it spans multiple business units or even different customer organizations.
In such scenarios, it is no longer sufficient to simply set up individual workspaces or pipelines in a technically clean manner. Instead, decision-makers, CTOs, architects, and senior engineers require clearly structured responsibilities, strict governance, and fully automated processes to ensure consistency, security, and efficiency. We have already discussed the separation of states in detail, but let us briefly summarize the key points once again.
Read more: Terraform @ Scale - Part 1e: Scaling Across Organizational Boundaries

A Case from Switzerland: Data Deleted, Company Bankrupt
A respected SME, a printing company from the canton of Obwalden with 30 employees, loses all data – including backups – due to the mistake of an external service provider. The damage: over 750,000 CHF. The company is now history, and in March, bankruptcy was filed citing this incident.
The case made headlines in the press because, according to reports, the devastating damage was caused by an IT issue that should never have occurred in the first place. The causes were too fundamental and too obvious to be regarded as an acceptable risk.
This demonstrates how severe the consequences of inadequately secured IT processes can be. Especially in industries where IT infrastructures and IT workflows are not considered core competencies essential for production, such risks are not easy to recognize and avoid.
Such risks and incidents are not just IT problems. In today's world, they affect the fundamental substance of every company.
Why Many SMEs Are More Vulnerable Than They Think
The belief that one's protection is sufficient is widespread. However, the reality in many companies looks different:
- Unclear access rights concepts: Access permissions are often granted too broadly and without control, and they are not regularly reviewed and updated
- Lack of process reliability: Critical changes are made without dual control or documented approvals
- Emergency measures without stress testing: Backups are created, but their recoverability is rarely tested
- Inadequate resilience of IT systems: The failure of individual sites or data stores impacts the entire company
- Insufficient role and responsibility assignments: In an emergency, it is unclear who must act – and who is allowed to
- Historically grown processes: Processes from the early days of the company have not adapted to today's complexity
In the age of digital business models, this represents a risk comparable to a lack of fire protection or inadequate access control: potentially existential, avoidable – and yet often overlooked.
A Critical Question of Resilience
Those who take the risk of total failure seriously should be able to answer the following questions:
- How would your company respond to a complete loss of data?
- For how long could you operate without functioning IT systems?
- What damage would occur due to production downtime, loss of reputation, and breaches of contract?
- What role does your insurance play – and where are its limits?
- How long would a complete recovery take – if it is even possible?
For many SMEs, these questions are uncomfortable – but necessary. Because they are not about technical details, but about the viability of the entire business model in a crisis.
ICT.technology: Identify, Assess and Target IT Risks
As a service provider specialized in infrastructure, cloud, and transition, ICT.technology supports Swiss SMEs in sustainably securing their IT-based business processes. Our approach is pragmatic and results-oriented – far removed from empty certification rhetoric.
Our offer for companies that want to act proactively:
- Free initial consultation (30 minutes)
  In a confidential conversation, we analyze your situation – clearly, concisely, and without requiring any technical background knowledge.
- Systematic risk analysis
  We assess your existing IT infrastructure, workflows, and access rights concepts with a focus on operational safety and restart capability.
- Concrete recommendations for action
  You receive a structured report outlining identified weaknesses along with practical proposals for risk mitigation – comprehensible and in plain language.
- Flexible implementation
  Depending on your needs, we provide selective support or take over full implementation – up to and including operation within a managed service model.
- Note: If a managed service contract with a minimum term of 12 months is concluded, the fee for the initial risk assessment will be waived.
Prevention Instead of Crisis Management
The incident described at the beginning is not an isolated case – and that is precisely why it is a clear warning signal. A well-thought-out IT risk strategy is no longer just a technical matter, but a business imperative.
We help you ensure that protecting your company is not left to chance.
Contact us for a non-binding initial consultation:
E-mail:
Phone: +41 79 173 36 84
Web: https://ict.technology
ICT.technology KLG is an independent Swiss service provider for infrastructure, cloud, and transition. Our focus is on robust, comprehensible security concepts that are aligned with the actual needs and resources of SMEs. We combine technical expertise with strategic consulting – and focus on sustainable solutions rather than mere formal compliance.