IAPMESuisse
By Laurent Duplat, AI & SME Consultant

Security for Swiss SMEs: AI and Identity Management

Discover how Swiss SMEs can secure their IT infrastructure amidst the challenges posed by AI and identity management.


Understanding IT Security Challenges for Swiss SMEs

In an increasingly digital world, Swiss small and medium-sized enterprises (SMEs) face growing challenges in IT security. With the rise of artificial intelligence (AI) and the increasing importance of identity management, it is crucial for these businesses to understand and adopt suitable security strategies. The stakes are not abstract: the Swiss National Cyber Security Centre (NCSC) reported a significant rise in cyberattacks targeting SMEs in recent years, with phishing and ransomware accounting for the majority of incidents.

For SMEs, the challenge is compounded by limited IT resources. Most cannot afford a dedicated security team, yet they handle sensitive client data, proprietary processes, and financial transactions that make them attractive targets. The good news is that the most impactful security measures are not necessarily the most expensive.

The Impact of AI on IT Security

AI has revolutionised many aspects of the technological landscape, offering unprecedented opportunities to enhance service efficiency and personalisation. However, it also introduces a new category of security risks that SMEs must take seriously.

On the defensive side, AI-powered security tools now give SMEs access to threat detection capabilities that were previously available only to large enterprises. AI can monitor network traffic for anomalous behaviour, flag unusual login patterns (a new country, an impossible travel time, a login at 03:00), and automatically quarantine suspicious messages or devices, all in near real time and at a cost that is accessible to smaller businesses.

On the offensive side, AI has also made attacks more sophisticated. AI-generated phishing emails are now virtually indistinguishable from genuine correspondence, written in fluent language and tailored to the recipient. Deepfake audio and video can be used to impersonate executives in fraudulent payment requests, a technique known as "CEO fraud" that has cost Swiss companies millions of francs. AI systems are themselves a target: a model can be made to misbehave if its training data is compromised or if its inputs are deliberately crafted to manipulate it. Swiss SMEs must ensure that any AI solution they deploy is covered by the same security controls as the rest of their infrastructure, including access control and logging.

Practical Security Tips for AI Threats

  • Train Staff on AI-Enhanced Threats: Ensure your employees understand the new generation of AI-powered social engineering attacks, in which the usual tell-tale signs (spelling errors, odd phrasing) are absent. A single training session per year is no longer sufficient; short monthly micro-training sessions are more effective.
  • Regularly Update Systems: Software updates fix known vulnerabilities in both AI systems and the broader IT infrastructure. Establish an automated patch management process.
  • Verify Unusual Requests: Implement a call-back verification protocol for any request involving financial transfers or sensitive data access, regardless of how legitimate the communication appears. Call back on a number already on file, never one supplied in the request itself, and use a different channel from the one the request arrived on.

Identity Management: A Security Pillar

Identity management is another crucial aspect of SME security. Protecting customer and employee data is essential to avoid data breaches, which can be costly both financially and reputationally. SMEs must implement strong systems to manage digital identities and control access to sensitive information.

The principle of least privilege — giving users access only to the data and systems they need for their specific role — is one of the most effective and underutilised security measures available to SMEs. When a staff member leaves the company, their access should be revoked immediately across all systems. Orphaned accounts are a common vector for breaches.

Identity management is also where compliance with the nFADP (Switzerland's new Federal Act on Data Protection) intersects most directly with security practice. The nFADP requires that personal data be protected against unauthorised access. A well-designed identity management system is both a legal requirement and a practical security control.

Practical Tips for Identity Management

  • Use Multi-Factor Authentication (MFA): This adds an essential layer of security by requiring a second form of verification beyond the password. MFA on its own stops the vast majority of attacks that rely on stolen or guessed credentials. It should be mandatory for all staff, not optional, and where possible use an authenticator app or a hardware key (FIDO2/passkeys) rather than SMS codes, which can be intercepted or phished.
  • Implement a Strong Password Policy: Require long, unique passwords for each system, ideally generated and stored in a business-grade password manager. Reusing one password across several systems is a critical weakness: a single leaked password then opens every account that shares it.
  • Conduct Access Reviews Quarterly: Review who has access to what systems every three months. Revoke access that is no longer needed, and ensure former employees have zero remaining access within 24 hours of departure, including shared mailboxes, cloud consoles and any SaaS tools signed up for outside IT.
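The offboarding check and the quarterly access review described above can be partly automated by cross-referencing an HR leaver list against an export of accounts from your identity provider. The script below is an added example written for this article, not a tool from IAPMESuisse or from any identity provider; the field names (email, enabled, last_login, roles, left_on) and the records are constructed for illustration, and a real run would read the two exports from your HR and identity systems instead.

```python
"""Offboarding and access-review check: find orphaned and stale accounts.

Added example for this article, not a tool from the original page.
The two exports below are constructed sample data; the field names are
assumptions about what an HR export and an identity-provider (IdP)
account export might contain.
"""
from datetime import date, datetime, timedelta

# Constructed HR export: people who have left and their last working day.
HR_LEAVERS = [
    {"email": "m.keller@example.ch", "left_on": "2024-01-15"},
    {"email": "a.rossi@example.ch", "left_on": "2024-06-01"},
]

# Constructed IdP export: every account, whether it is enabled, last login, roles.
IDP_ACCOUNTS = [
    {"email": "M.Keller@example.ch", "enabled": True, "last_login": "2024-02-03", "roles": ["erp-admin"]},
    {"email": "a.rossi@example.ch", "enabled": False, "last_login": "2024-05-30", "roles": ["sales"]},
    {"email": "j.meier@example.ch", "enabled": True, "last_login": "2023-09-12", "roles": ["finance"]},
    {"email": "s.huber@example.ch", "enabled": True, "last_login": "2024-08-20", "roles": ["sales"]},
    {"email": "svc-backup@example.ch", "enabled": True, "last_login": None, "roles": ["backup-operator"]},
]

# Date the review is run (fixed here so the example is reproducible).
REVIEW_DATE = date(2024, 9, 1)


def _parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def find_orphaned_accounts(accounts, leavers, today, grace_days=1):
    """Enabled accounts belonging to leavers, once the offboarding window has passed.

    Emails are compared case-insensitively because HR and IdP exports rarely
    agree on capitalisation. A login dated after the departure is reported
    separately: it means the leaver, or someone holding their credentials,
    got in after they had left.
    """
    left_on = {row["email"].lower(): _parse_date(row["left_on"]) for row in leavers}
    findings = []
    for acct in accounts:
        email = acct["email"].lower()
        if email not in left_on or not acct["enabled"]:
            continue
        departed = left_on[email]
        if today <= departed + timedelta(days=grace_days):
            continue  # still inside the agreed offboarding window
        last_login = _parse_date(acct["last_login"])
        reason = "used after departure" if last_login and last_login > departed else "enabled after departure"
        findings.append({"email": email, "reason": reason, "roles": list(acct["roles"])})
    return findings


def find_stale_accounts(accounts, today, max_idle_days=90, ignore=()):
    """Enabled accounts not used for max_idle_days, or never used at all.

    Unused accounts (often service or test accounts) are exactly the ones
    nobody notices when they are abused; `ignore` skips emails already reported.
    """
    skip = {e.lower() for e in ignore}
    findings = []
    for acct in accounts:
        email = acct["email"].lower()
        if not acct["enabled"] or email in skip:
            continue
        last_login = _parse_date(acct["last_login"])
        idle = None if last_login is None else (today - last_login).days
        if idle is None or idle > max_idle_days:
            findings.append({"email": email, "idle_days": idle, "roles": list(acct["roles"])})
    return findings


def run_review(accounts=IDP_ACCOUNTS, leavers=HR_LEAVERS, today=REVIEW_DATE):
    """Full review: orphaned accounts first, then stale accounts that are not also orphaned."""
    orphaned = find_orphaned_accounts(accounts, leavers, today)
    stale = find_stale_accounts(accounts, today, ignore=[f["email"] for f in orphaned])
    return {"orphaned": orphaned, "stale": stale}


if __name__ == "__main__":
    report = run_review()
    for f in report["orphaned"]:
        print(f"ORPHANED  {f['email']:<24} {f['reason']}  roles={f['roles']}")
    for f in report["stale"]:
        idle = "never used" if f["idle_days"] is None else f"idle {f['idle_days']} days"
        print(f"STALE     {f['email']:<24} {idle}  roles={f['roles']}")
```

Run it against the two exports after every departure and before each quarterly review. Anything reported as "used after departure" is an incident to investigate, not merely a ticket to close, and a stale account with an administrative role should be disabled first and discussed afterwards.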

Supply Chains and Their Vulnerability

Global supply chains are increasingly complex and interconnected, making them vulnerable to cyberattacks. Swiss SMEs need to assess their partners and suppliers to ensure they adhere to appropriate security standards. An attack on a supplier can have cascading effects on the entire chain — your supplier's compromised system can become a vector for attacking yours.

This is not a hypothetical risk. Several high-profile Swiss SME breaches in recent years originated through a compromised software supplier or IT service provider. The 2020 SolarWinds attack demonstrated globally how supply chain vulnerabilities can affect thousands of organisations through a single point of compromise.

Practical Tips for Supply Chain Security

  • Assess Supplier Risks: Conduct regular security assessments of your key suppliers. At minimum, request evidence of their security policies and incident response procedures.
  • Establish Service Level Agreements (SLAs) with Security Clauses: Include explicit security requirements in your contracts with suppliers. Define notification timelines for breach events — 24 or 48 hours is a reasonable standard.
  • Segment Network Access for Third Parties: If suppliers have access to your systems, ensure they can only reach the specific systems they need — not your entire network.

Data Protection under the nFADP

In Switzerland, the new Federal Act on Data Protection (nFADP), in force since 1 September 2023, imposes strict requirements for managing and protecting personal data. SMEs must ensure compliance with these regulations to avoid significant penalties and reputational damage.

The nFADP applies to any processing of personal data that has an effect in Switzerland, even if it is carried out by an organisation based abroad. Key obligations include implementing technical and organisational measures proportionate to the risk, conducting a data protection impact assessment for processing that is likely to pose a high risk, and keeping a register of processing activities. Note that the register obligation is waived for companies with fewer than 250 employees whose processing poses only a low risk, so most SMEs are exempt; an SME whose processing is high-risk (sensitive personal data, large-scale profiling) must still keep one.

Practical Tips for nFADP Compliance

  • Raise Awareness on the nFADP: Organise training sessions to familiarise your employees with the nFADP requirements. Staff who handle personal data should understand what that means in practice, not just in theory.
  • Consult a Compliance Expert: Work with a specialised consultant to audit your data management practices and identify gaps. Many Swiss SMEs discover that relatively simple changes — such as adding a data processing agreement with a cloud provider, or deleting data that is no longer needed — resolve the majority of compliance issues.
  • Document Your Security Measures: The nFADP requires that you can demonstrate your security measures are appropriate. Written policies, training records, and audit logs all serve as evidence of compliance if questions arise.

3 Real Swiss SME Examples

Geneva private equity firm (18 employees) — After a phishing attack compromised one employee's email account, the firm implemented MFA across all systems and adopted an AI-powered email security gateway. The gateway blocked an average of 340 suspicious emails per month in its first quarter. The firm estimated the cost of the original breach, in remediation, legal review, and client communication, at CHF 65,000. The ongoing security investment costs a fraction of that annually.

Basel chemical distributor (35 employees) — This SME discovered during an nFADP compliance audit that a former employee's account still had access to their ERP system eight months after departure. A full access review revealed 12 orphaned accounts across various systems. Following remediation and the implementation of an offboarding checklist, the firm reduced its identity-related risk exposure significantly. The audit and remediation cost CHF 12,000, a modest investment relative to the potential liability.

Zurich IT consultancy (22 employees) — A supply chain attack via a compromised project management tool used by a key client forced a two-day shutdown. The firm implemented network segmentation for all client-connected systems and introduced a supplier security questionnaire for all new vendor relationships. Post-implementation, they successfully passed a client security audit, unlocking a contract valued at CHF 180,000.


FAQ

Q: As a small SME with no IT team, where should we focus our security budget first?

If you have to prioritise, the highest-impact measures in order are: (1) MFA for all accounts, especially email and cloud services, which on its own stops the majority of credential-based attacks; (2) automated and regularly tested backups stored offline or in a separate cloud account that your day-to-day credentials cannot delete; (3) security awareness training for all staff, focusing on phishing recognition and on verifying unusual requests. These three measures, implemented well, provide a security baseline that addresses the vast majority of SME-level threats.

Q: We use cloud services for most of our business. Does that make us more or less secure?

Reputable cloud providers invest more in security infrastructure than most SMEs could afford on their own. In that sense, moving to cloud services generally improves your security baseline. However, cloud adoption introduces new risks around configuration, access control, and data sharing, and responsibility for those settings stays with you, not the provider. The most common cause of cloud-related breaches is misconfiguration: a storage bucket set to public access, or permissions far broader than the task requires. Audit your cloud configurations regularly using the built-in security assessment tools that most major providers offer.
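To make the "storage bucket set to public access" point concrete, here is an added example written for this article (not code from IAPMESuisse or from any cloud provider) that scans an S3-style bucket policy for statements granting access to everyone, and shows the corrected, scoped policy beside the exposed one. Both policy documents, the bucket name client-files, the account ID and the VPC endpoint ID are constructed for illustration.

```python
"""Heuristic check for a storage bucket exposed to the public.

Added example for this article, not a tool from the original page or from
any cloud provider. It scans an S3-style bucket policy document for Allow
statements whose principal is everyone ("*"), the classic "bucket set to
public" misconfiguration. The two policies below are constructed samples.
"""
import json

# Constructed: the misconfiguration. Anyone on the internet can read every object.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-files/*"},
    ],
})

# Constructed: the corrected policy. Access is scoped to one application role;
# the remaining wildcard statement is narrowed by a condition, so it needs a
# human look rather than an automatic verdict.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::client-files", "arn:aws:s3:::client-files/*"]},
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-files/public/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})


def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when the statement grants to everyone: "*" or {"AWS": "*"} (also "*" inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False


def find_public_statements(policy_json):
    """Classify Allow-to-everyone statements.

    'public' : anonymous Allow with no Condition at all, definitely exposed.
    'review' : anonymous Allow with a Condition; it may or may not be exposed
               (aws:SourceVpce narrows it, aws:SecureTransport alone does not),
               so it is reported for manual review rather than judged here.
    """
    policy = json.loads(policy_json)
    result = {"public": [], "review": []}
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not is_anonymous_principal(stmt.get("Principal")):
            continue
        finding = {
            "sid": stmt.get("Sid", f"statement-{index}"),
            "actions": as_list(stmt.get("Action", [])),
            "resources": as_list(stmt.get("Resource", [])),
        }
        category = "review" if stmt.get("Condition") else "public"
        result[category].append(finding)
    return result


if __name__ == "__main__":
    for name, doc in (("PUBLIC_READ_POLICY", PUBLIC_READ_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        verdict = find_public_statements(doc)
        print(name, "public:", [f["sid"] for f in verdict["public"]],
              "review:", [f["sid"] for f in verdict["review"]])
```

A policy scan covers only one of several paths to public exposure: object ACLs, the account-level and bucket-level "block public access" settings and pre-signed URLs also matter, which is why the advice above to use the provider's own assessment tools stands. A check like this is still useful as a quick pre-deployment guard, because it catches the most common mistake before the object store ever goes live.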

Q: What should we do immediately if we suspect a cyberattack?

Disconnect affected systems from the network immediately (unplug the cable or disable Wi-Fi) to stop the attack spreading, but do not turn the device off, as shutting down destroys forensic evidence held in memory. Contact your IT provider or a cybersecurity incident response firm. Notify your insurer if you have cyber insurance. Document everything you observe and every action you take, with timestamps. If personal data may have been compromised and the breach is likely to pose a high risk to the people concerned, the nFADP requires you to notify the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible; unlike the GDPR, it sets no fixed 72-hour deadline, so do not treat that figure as a grace period.


See also: Swiss SMEs — Embracing AI with Discernment
