Cybersecurity for Swiss SMEs: The Complete Guide

Digital transformation brings not only opportunities but also significant risks. Swiss SMEs are increasingly targeted by cyberattacks, and the threat landscape continues to intensify. According to the National Cyber Security Centre (NCSC), over 34,000 cyber incidents were reported in Switzerland in 2023, a 15% increase compared to the previous year. This guide provides a complete overview of all relevant aspects of cybersecurity for Swiss SMEs.

Why Cybersecurity Is Existential for SMEs

Many SMEs believe they are too small to be targeted by cyberattacks. This dangerous misconception can have existential consequences. In reality, SMEs are attractive targets for cybercriminals precisely because of their often weaker security measures and limited resources.

The average cost of a cyberattack on a Swiss SME ranges from CHF 80,000 to CHF 250,000, with indirect costs such as reputation loss and business interruption often even higher. A study by Lucerne University of Applied Sciences shows that 43% of Swiss SMEs have already been victims of a cyberattack, with the actual number likely much higher.

The Threat Landscape in Switzerland

Swiss businesses face specific cybersecurity challenges. As a financial hub and a centre for pharmaceutical and technology companies, Switzerland is a particular focus of international cybercriminals. Ransomware attacks have increased massively in recent years, with ransom demands averaging CHF 45,000.

Particularly concerning is the rise of targeted attacks (Advanced Persistent Threats) on medium-sized companies that possess valuable data but often lack the security infrastructure of large corporations. Supply chain attacks, where cybercriminals penetrate through compromised suppliers, represent a growing threat.

Regulatory Requirements in Switzerland

The regulatory environment for cybersecurity in Switzerland is developing rapidly. The new Data Protection Act (revDSG), which came into force in September 2023, places increased requirements on data security and obliges companies to report serious data protection violations to the Federal Data Protection and Information Commissioner (FDPIC).

For companies in regulated industries such as financial services, healthcare, or critical infrastructure, additional regulations apply. The Financial Market Supervisory Authority (FINMA) has formulated clear expectations for the cybersecurity of financial institutions, and even smaller financial service providers must increasingly meet these standards.

The planned implementation of the EU NIS-2 Directive is expected to also have implications for Swiss companies that work with EU partners or operate in the EU. Preparation for these developments is therefore essential.

The Six Pillars of an Effective Cybersecurity Strategy

A complete cybersecurity strategy for Swiss SMEs rests on six pillars, which are covered in detail in this guide:

1. Realistic Risk Assessment Beyond Myths

Many decisions in SMEs are based on myths and misconceptions. “We’re too small for attacks,” “Antivirus software is enough,” or “Cybersecurity is too expensive” are widespread errors that make companies vulnerable. A realistic risk assessment begins with debunking these myths and an honest analysis of the actual threat situation.

Learn more about the most common cybersecurity myths and how to overcome them.

2. Strategic Budget Planning

The question “What should cybersecurity cost?” is central for many SMEs. The answer is not simple, as it depends on numerous factors: company size, industry, risk situation, and regulatory requirements. As a guideline, experts recommend 3-7% of the IT budget for cybersecurity, although this proportion can vary by industry.

More important than a blanket percentage is a risk-based approach: What would a security incident cost, and how much should we invest to minimise this risk? Structured budget planning considers not only tools and technology but also training, external expertise, and incident response capacities.

Find detailed guidance on cybersecurity budget planning here.

3. The Right Resource Strategy: Internal vs. External

One of the most important strategic decisions for SMEs is whether to build cybersecurity internally or source it externally as a managed service. Both approaches have advantages and disadvantages, and often a hybrid solution is the optimal path.

Internal IT teams know the company environment precisely but are often overwhelmed with day-to-day business and lack specialised cybersecurity know-how. Managed Security Service Providers (MSSPs) offer expertise and 24/7 monitoring but require trust and careful selection.

Compare the approaches in our detailed guide.

4. Certifications and Standards

ISO 27001, the international standard for information security management systems, is increasingly becoming the market standard. Many large companies require ISO 27001 certification from their suppliers, and public tenders also often require this.

But is the effort worthwhile for an SME? Certification typically requires 6-18 months of preparation and costs between CHF 30,000 and CHF 100,000, depending on company size and starting situation. However, the benefits go beyond pure market access: implementing a systematic security management system significantly reduces risks and creates internal clarity.

All details on effort, costs, and benefits of ISO 27001 certification.

5. Preparing for the Worst Case: Incident Response

Despite all preventive measures, no company can guarantee one hundred percent security. The question is not if, but when a security incident occurs. Response speed and quality are then decisive.

An Incident Response Plan defines clear responsibilities, communication channels, and action steps for various scenarios. Regular exercises, known as tabletop exercises, ensure that the team can act in an emergency. The first 24 hours after an attack are often decisive for the extent of the damage.

Develop your Incident Response Plan with our practical guide.

6. The Right Partner Selection

For most SMEs, external expertise is essential. However, selecting the right cybersecurity partner is complex. The market is opaque, services vary greatly, and quality differences are difficult for laypersons to recognise. CREST-certified providers like RedTeam Partners offer an independently verified standard of quality for penetration testing and red teaming, which can serve as a useful benchmark during evaluation.

Important criteria are not only technical competence but also industry experience, references, certifications, transparency, and cultural fit. A good partner acts not as a pure service provider but as a strategic advisor who understands the business and develops customised solutions.

Use our thorough checklist for partner selection.

Industry-Specific Characteristics

Cybersecurity requirements vary considerably between industries. Healthcare providers must protect particularly sensitive patient data and are subject to strict regulatory requirements. Manufacturing companies are increasingly threatened by attacks on production facilities (Operational Technology). Financial service providers are under particular scrutiny from regulators.

Swiss SMEs should know and implement industry-specific best practices and standards. Industry associations such as SwissBanking, H+ (Swiss Hospitals), or Swissmem often offer valuable resources and exchange platforms.

Cantonal Differences and Support

Some cantons offer support for SMEs in the area of cybersecurity. For example, the Canton of Zurich has established a cybersecurity contact point that provides free advice to SMEs. Various economic development agencies also offer workshops and consultations.

The State Secretariat for Economic Affairs (SECO), in cooperation with the NCSC, has developed information materials specifically for SMEs. These free resources provide a good starting point for companies looking to improve their cybersecurity.

The Human Factor: Awareness and Training

Technology alone is not enough. Most successful cyberattacks exploit human weaknesses. Phishing emails, social engineering, and careless behaviour by employees are still the most common entry points.

Regular awareness training and simulated phishing tests increase vigilance and significantly reduce risk. Employees should not be understood as a weak point but as the most important line of defence. An open security culture where mistakes can be reported without fear of sanctions is crucial.

Technological Fundamentals

Certain basic technical measures should be implemented by every SME:

  • Multi-Factor Authentication (MFA) for all critical systems
  • Regular backups with offline or cloud storage
  • Patch management for timely closure of security gaps
  • Endpoint protection beyond conventional antivirus software
  • Network segmentation to limit attack surfaces
  • Security Information and Event Management (SIEM) for detecting anomalies
  • Encryption of sensitive data at rest and in transit

These measures form the foundation on which further security strategies are built.

Cyber Insurance: Sensible Addition?

Cyber insurance is becoming increasingly popular but does not replace solid security measures. However, it can cushion the financial consequences of an attack. Premiums vary greatly depending on industry, company size, and existing security measures.

Before taking out cyber insurance, companies should carefully examine which damages are covered, which exclusions apply, and which security measures the insurance requires. Insurers often require a certain security level as a basic prerequisite.

The Path to Cyber Resilience

Cyber resilience goes beyond pure cybersecurity. It means not only preventing attacks but also the ability to quickly regain operational capability after an incident. This includes solid business continuity plans, regular tests of recovery capability, and an organisational learning culture.

Swiss SMEs that approach cybersecurity strategically not only protect their company but also create competitive advantages. Customers and partners increasingly value secure business relationships, and a solid cybersecurity posture can become a differentiating feature.

Next Steps

Developing a thorough cybersecurity strategy may initially seem overwhelming. It’s important to proceed systematically and start with the basic measures. The six cluster guides that make up this guide offer practical instructions for each aspect:

  1. Debunk cybersecurity myths
  2. Plan budget strategically
  3. Develop resource strategy
  4. Evaluate ISO 27001 certification
  5. Prepare incident response
  6. Find the right partner

Your company’s digital security is not a one-time task but a continuous process. With the right strategy, appropriate investments, and competent support, even smaller SMEs can achieve a high level of security and successfully prepare for growing cyber threats.