Cybersecurity Myths That Harm SMEs
“We’re too small to be a target.” The IT manager of a 30-person engineering firm in Aarau said exactly this in a workshop in early 2025. Four months later, a ransomware attack encrypted their project files and client data. Recovery took three weeks and cost CHF 140,000. According to the KMU Cybersicherheit 2025 study (digitalswitzerland/Mobiliar/FHNW), only 30% of Swiss SMEs have IT security concepts, training, or emergency plans — and the consequences of this gap range from expensive to existential.
This guide takes apart the ten most dangerous myths and shows how to build your cybersecurity strategy on realistic risk assessments.
“Cybersecurity is a management responsibility.” — Florian Schütz, Director of the Federal Office for Cybersecurity (BACS) (Source)
Myth 1: “We’re Too Small for Cyberattacks”
This is the most widespread and dangerous misconception. In reality, SMEs are proportionally more often victims of cyberattacks than large corporations. According to the Verizon Data Breach Investigations Report, approximately 43% of all data breaches target small businesses.
The reason is simple: SMEs often hold data that is just as valuable as a large corporation's (customer data, financial data, intellectual property) but have weaker defence mechanisms. Modern cyberattacks are also largely automated. Bots continuously scan the internet for vulnerabilities, regardless of company size.
Another aspect: SMEs are often part of the supply chain of larger companies and serve attackers as gateways to more attractive targets. In 2022, a Swiss supplier with 25 employees became the victim of a targeted attack because cybercriminals sought access to a multinational corporation through its system.
Reality: Any company with digital assets and internet connection is a potential target. The question is not whether you are interesting to attackers, but how well you are protected.
Myth 2: “Antivirus Software Is Enough”
Conventional antivirus solutions are based on signature recognition, so they only detect known threats. Modern malware and especially zero-day exploits bypass these protection mechanisms easily. A study by AV-Test Institute shows that signature-based solutions only detect about 50-70% of new threats.
Ransomware groups continuously develop their malware, test it against common antivirus products, and adapt it until it remains undetected. The Swiss ransomware incident at a Basel SME in 2023 occurred despite current antivirus software, as the ransomware variant used was only added to virus databases after the attack.
Reality: Modern Endpoint Detection and Response (EDR) solutions work behaviorally and detect suspicious activities even without known signatures. A multi-layered approach (Defence in Depth) with various security mechanisms is essential. Learn more about appropriate budget planning for such solutions.
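The behavioural approach described above, illustrated with an added example that is not part of the original article: instead of matching a file hash, the rule watches what a process does and alerts when one process renames many distinct files to a new extension within a short window, a pattern typical of encryption and untypical of normal editing. The log format, process ids and paths are constructed for this example and do not correspond to any product's telemetry.

```python
"""Behaviour-based detection of mass file rewriting, the kind of rule an EDR
applies without needing a signature for the malware involved.

Constructed example: the events below are made up, and the line format
"<seconds> <pid> <action> <old_path> <new_path>" is an assumption.
"""
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # look-back window per process
MIN_FILES = 5         # distinct files renamed to a new extension before alerting

# Constructed sample telemetry: a user editing one document (pid 4120),
# a backup job copying files (pid 3002), and one process renaming
# project files to a new extension in quick succession (pid 7731).
SAMPLE_EVENTS = [
    "100 4120 rename C:/Users/anna/report.docx C:/Users/anna/report_v2.docx",
    "101 7731 rename S:/projects/bridge.dwg S:/projects/bridge.dwg.locked",
    "101 7731 rename S:/projects/tunnel.dwg S:/projects/tunnel.dwg.locked",
    "102 3002 write D:/backup/daily/bridge.dwg -",
    "102 7731 rename S:/projects/offer.xlsx S:/projects/offer.xlsx.locked",
    "103 7731 rename S:/projects/invoice.pdf S:/projects/invoice.pdf.locked",
    "103 3002 write D:/backup/daily/tunnel.dwg -",
    "104 7731 rename S:/clients/contract.pdf S:/clients/contract.pdf.locked",
]


def parse(line):
    ts, pid, action, old, new = line.split(maxsplit=4)
    return int(ts), pid, action, old, new


def detect_mass_rewrite(lines, window=WINDOW_SECONDS, min_files=MIN_FILES):
    """Return (pid, timestamp, distinct_files) for each process that renames
    at least `min_files` distinct files to a different extension within `window`.
    Renames that keep the extension (normal save-as) and plain writes are ignored."""
    recent = defaultdict(deque)   # pid -> deque of (ts, path) for extension-changing renames
    alerts, alerted = [], set()
    for line in lines:
        ts, pid, action, old, new = parse(line)
        if action != "rename" or os.path.splitext(old)[1] == os.path.splitext(new)[1]:
            continue
        q = recent[pid]
        q.append((ts, old))
        while q and ts - q[0][0] > window:      # drop events outside the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= min_files and pid not in alerted:
            alerted.add(pid)
            alerts.append((pid, ts, len(distinct)))
    return alerts
```

Running `detect_mass_rewrite(SAMPLE_EVENTS)` flags only pid 7731; the editing user and the backup job stay silent, which is the point of behavioural rather than signature-based detection.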
Myth 3: “Cybersecurity Is Too Expensive”
This statement ignores the costs of a security incident. The average financial damage from a cyberattack on a Swiss SME amounts to CHF 80,000 to CHF 250,000, with indirect costs often even higher. A survey by Mobiliar Insurance shows that 15% of affected SMEs had to file for insolvency within a year after a serious attack.
Direct costs include: ransom (if paid), IT forensics and recovery, business interruption, legal advice, and possible fines for data protection violations. Add to this reputation damage, customer attrition, and increased insurance premiums.
Set against this are the investments in cybersecurity: for an SME with 20-50 employees, appropriate spending typically ranges between CHF 15,000 and CHF 40,000 per year. This corresponds to about 5-7% of the IT budget and is thus significantly cheaper than the average damage costs.
Reality: Cybersecurity is not a cost centre but an investment in business continuity and competitiveness. The question is not whether you can afford cybersecurity, but whether you can afford its absence.
Myth 4: “Our Firewall Protects Us”
Firewalls are important, but they primarily protect against threats from outside. However, most modern attacks use legitimate channels such as email or compromised web applications that are allowed through firewalls. Additionally, insider threats, whether malicious or negligent, cannot be prevented through perimeter security.
An example from practice: A Lucerne SME with a professional firewall solution became a victim of a phishing attack. An employee opened a compromised email attachment disguised as an invoice. The malware established an encrypted connection to the outside, which looked like legitimate HTTPS traffic to the firewall. Within 48 hours, all internal systems were compromised.
Reality: Firewalls are an important building block but only one element of a full security architecture. Intrusion Detection/Prevention Systems, email security, endpoint protection, and above all employee awareness are equally critical.
Myth 5: “Cloud Services Are Insecure”
This assessment often stems from the early days of cloud computing and is mostly wrong today. Professional cloud providers like Microsoft Azure, AWS, or Swiss providers like Swisscom or Infomaniak invest massively in security and achieve a level that most SMEs could not achieve internally.
Cloud providers employ specialised security teams, implement the latest security technologies, conduct regular audits, and are certified to international standards. Additionally, customers benefit from automatic security updates and redundant data centers.
The greater risk often lies in the incorrect configuration of cloud services (misconfiguration), not in the platform’s insecurity itself. Publicly accessible S3 buckets or unprotected databases are usually the result of human error, not technical deficiencies of the cloud provider.
Reality: Professionally used cloud services are more secure for most SMEs than self-operated infrastructure. What matters is correct configuration, appropriate access controls, and understanding the Shared Responsibility Model, where both provider and customer bear security responsibility.
Myth 6: “IT Security Is a Purely Technical Topic”
This myth leads to cybersecurity being delegated to the IT department and treated in isolation there. In fact, cybersecurity is a business risk that must be understood and managed at the executive level.
Most successful attacks exploit human weaknesses. Social engineering, phishing, and credential theft work because employees are deceived, not because technology fails. A Verizon analysis shows that 82% of all data breaches involve a human factor.
Furthermore, many important security decisions are of a strategic nature: Which risks are acceptable? How much should be invested? How do we deal with third parties? These questions cannot be answered by IT alone.
Reality: Effective cybersecurity requires an all-round approach involving executive management, all departments, and external partners. A living security culture where all employees take responsibility is crucial for success.
Myth 7: “Compliance Means Security”
Many companies believe that complying with regulatory requirements or ISO 27001 certification automatically ensures sufficient security. However, compliance standards usually only define minimum requirements and are often not up to date with the current threat landscape.
A Swiss financial service provider was FINMA-compliant and still became a victim of a ransomware attack because the regulatory requirements provided for backups but did not specify their offline storage. The ransomware also encrypted the backups, which significantly delayed recovery.
Additionally, compliance requirements often focus on documented processes, not their actual effectiveness. A security manual on the shelf is of little use if the measures described are not lived.
Reality: Compliance is important and forms a good basis but does not replace a risk-based security strategy. Companies should go beyond minimum requirements and continuously adapt their measures to the current threat landscape. Learn more about ISO 27001 and its actual benefits.
Myth 8: “We Can Build Cybersecurity Internally”
For most SMEs, it is unrealistic to build all required cybersecurity competencies internally. The field is too broad and develops too quickly. From network security to threat intelligence to incident response, very different specializations are required.
The skills shortage in the cybersecurity field is considerable. According to ICT-Berufsbildung Schweiz, over 3,000 cybersecurity specialists are missing throughout Switzerland. Even if an SME could recruit a specialist, they would often be overloaded, have no deputy, and might switch to a large company after a short time.
In addition: Cybersecurity is not a 9-to-5 job. Attacks occur around the clock, often deliberately outside business hours. A single person or small team cannot ensure 24/7 monitoring.
Reality: Most SMEs fare best with a hybrid model: basic competencies internally, specialised expertise and 24/7 monitoring externally via Managed Security Service Providers. Compare the approaches in detail.
Myth 9: “After Training We’re Secure”
Awareness training is important, but a single training session is not enough. Experience shows that employees become significantly more susceptible to phishing attacks again just 3-6 months after training. Cybercriminals continuously develop their tactics, and new employees join.
Additionally, many trainings convey theoretical knowledge without building practical competencies. Employees then may know that phishing exists but don’t recognise a sophisticated phishing email in everyday work under time pressure.
Reality: Effective awareness is a continuous process with regular, short training units, simulated phishing tests, and a security culture that promotes open communication. Employees should be encouraged to report suspicious activities without fearing sanctions.
Myth 10: “Backups Are Our Insurance”
Backups are essential, but modern ransomware is designed to also compromise backups. Attackers often remain undetected in the system for weeks or months and identify all backup locations before they strike. Sophisticated ransomware groups encrypt backups first, then production data.
Additionally, backups only protect against data loss, not data theft. Modern attacks often combine both (Double Extortion): data is encrypted and exfiltrated. Even if you can restore from backups, attackers threaten to publish sensitive data.
Another problem: Many companies don’t regularly test their backups. In an emergency, it then turns out that backups are incomplete, damaged, or not current.
Reality: Backups must be organised according to the 3-2-1 rule: Three copies, two different media, one copy offline or offsite. Regular restoration tests are essential. Backups alone are not a sufficient security strategy but part of a complete concept.
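The two checks above, the 3-2-1 rule and a regular restore test, as an added example that is not part of the original article: the inventory is modelled as a list of copies with their medium and location, the rule is evaluated mechanically, and a "restore" reads each copy back and compares it to the known-good hash of the production file. The inventory, file contents and the silently corrupted NAS copy are constructed for this example.

```python
"""3-2-1 compliance check plus a restore-integrity test for a backup set.

Constructed example: temporary directories stand in for disk, tape and
offsite storage, and the inventory below is made up.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    label: str
    medium: str      # e.g. "disk", "tape", "cloud"
    offsite: bool    # stored away from the primary site
    offline: bool    # not reachable from the production network
    path: str        # where this copy of the file lives


def check_321(copies):
    """Return the 3-2-1 rules a set of copies violates (empty list = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("fewer than 2 different media")
    if not any(c.offline or c.offsite for c in copies):
        problems.append("no offline or offsite copy")
    return problems


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def restore_test(copies, expected_sha256):
    """Simulate a restore: read each copy back and compare it to the known-good hash."""
    return {c.label: os.path.exists(c.path) and sha256_of(c.path) == expected_sha256
            for c in copies}


def demo():
    """Build a throwaway environment with one corrupted copy and run both checks."""
    root = tempfile.mkdtemp()
    source = os.path.join(root, "projects.db")
    with open(source, "wb") as f:
        f.write(b"client data and project files (constructed sample)")
    good_hash = sha256_of(source)
    copies = []
    for label, medium, offsite, offline in [("nas", "disk", False, False),
                                            ("tape", "tape", False, True),
                                            ("cloud", "cloud", True, False)]:
        path = os.path.join(root, f"{label}.bak")
        with open(source, "rb") as src, open(path, "wb") as dst:
            dst.write(src.read())
        copies.append(BackupCopy(label, medium, offsite, offline, path))
    with open(copies[0].path, "ab") as f:
        f.write(b"\x00")   # silent corruption on the online NAS copy, found only by a restore test
    online_only = [c for c in copies if not c.offline and not c.offsite]
    return check_321(online_only), check_321(copies), restore_test(copies, good_hash)
```

The single online NAS copy fails all three rules, the full set passes, and the restore test reveals that the NAS copy would not restore even though it exists, which is exactly the failure the article warns about.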
From Myths to Fact-Based Strategy
Overcoming these myths is the first step to an effective cybersecurity strategy. The following principles should guide your decisions:
Risk-Based Approach: Identify your most valuable assets and greatest risks. Invest where potential damage is highest.
Defence in Depth: Rely on multiple security layers. If one measure fails, others should kick in.
Continuous Improvement: Cybersecurity is not a project with an end date but an ongoing process. Stay informed about current threats and adapt your measures.
Seek Expert Advice: Use external expertise for areas you cannot cover internally. Our checklist helps with partner selection.
Prepare for Emergency: Despite all prevention, an incident can occur. A well-thought-out Incident Response Plan minimises damage. Develop your plan here.
Self-Test: How Many Myths Do You Still Believe?
Honestly reflect on which of these myths may have also influenced your decisions. The good news: Recognizing misconceptions is the first step to improvement.
Conduct a cybersecurity risk analysis, ideally with external support. A fresh external perspective can uncover blind spots not recognised internally. Many Swiss cybersecurity providers offer free or discounted initial assessments. For example, RedTeam Partners offers red team assessments scaled for SMEs, countering the common myth that such services are reserved for large enterprises.
What Actually Keeps Your SME Safe
Myths in cybersecurity are not just harmless misunderstandings, they create a false sense of security that can have catastrophic consequences in emergencies. Swiss SMEs that build their security strategy on realistic risk assessments and facts are not only better protected but also more competitive.
The threat landscape will continue to intensify, and new myths will emerge. Critical thinking, continuous learning, and willingness to question outdated assumptions are therefore decisive success factors for long-term cyber resilience.