What Good Security Hygiene Means: Fundamentals for Swiss SMEs

You need to understand this clearly. Security hygiene is to cybersecurity what handwashing is to health: a fundamental, often underestimated practice that makes the difference between protection and vulnerability. For Swiss SMEs, good security hygiene is not a technical luxury topic but business-critical. This article explains which basic security practices every company should implement and how they become feasible in daily operations.

What Is Security Hygiene?

Definition and Context

Security hygiene refers to the sum of fundamental, regularly performed security practices that minimise the risk of cyberattacks. Similar to how personal hygiene prevents diseases, security hygiene prevents most common attacks before they can cause damage.

Core principles:

• Consistency: Security practices must be applied regularly and consistently
• Prevention: Fend off threats before they become incidents
• Simplicity: Measures must be practical and implementable in daily operations
• Responsibility: Security is a shared responsibility of all employees

Why Security Hygiene Is Crucial

Statistics show:

• 80% of all successful cyberattacks exploit basic vulnerabilities (unpatched software, weak passwords, missing MFA)
• Average costs of a cyberattack for Swiss SMEs range from CHF 50,000 to 100,000
• Over 60% of SMEs that suffer a severe cyberattack close within 6 months

Good security hygiene would have prevented most of these attacks.

The Difference from Advanced Security

Security Hygiene (Basics):

• Password management, MFA, software updates, backups
• Cost-efficient, quickly implementable
• Protects against 80% of common attacks

Advanced Security:

• Penetration testing, SIEM, EDR, Zero Trust Architecture
• Higher costs, longer implementation
• Protects against targeted, sophisticated attacks

Important: Advanced measures are worthless without solid hygiene fundamentals. No SIEM in the world protects against weak passwords.

1. Password Management: The First Line of Defence

The Problem with Passwords

Typical mistakes in Swiss SMEs:

• “Summer2024!”: Predictable passwords with simple patterns
• Reuse: Same password for email, banking, admin accounts
• Sticky notes: Passwords on post-its on the monitor or in Excel lists
• Sharing: Passwords shared via email or chat
• Never changed: Admin passwords unchanged for years

Why this is dangerous:

Compromised passwords are the entry point for 81% of all data breaches. A single weak password can give an attacker access to critical systems.

Requirements for Secure Passwords

Modern best practices (diverging from old “rules”):

Length over complexity:

• At least 12 characters (better 16+)
• “correct-horse-battery-staple” is more secure than “P@ssw0rd!”
• Long, memorable phrases beat short, complex character combinations

Uniqueness:

• Each system gets its own, unique password
• No reuse, not even with slight variations

No regular forced changes:

• Modern recommendation: Change passwords only when compromised
• Forced changes lead to predictable patterns (Summer2024, Autumn2024…)

No unnecessary complexity rules:

• “Must contain special characters” often leads to “Password1!”
• Length and uniqueness are more important than character variety

Password Managers: The Practical Solution

Why a password manager is indispensable:

No human can remember 50+ unique, strong passwords. Password managers solve this problem by:

• Generating: Strong, random passwords for each system
• Storing: Encrypted storage of all credentials
• Autofill: Automatic filling during login processes
• Synchronizing: Availability on all devices
• Warning: Notification for compromised or reused passwords

Recommended solutions for SMEs:

1Password for Business

• Swiss data storage possible
• Team management and audit logs
• Integration into common tools
• Approx. CHF 8-12 per user/month

Bitwarden

• Open source, self-hostable
• Swiss server hosting available
• Approx. CHF 3-5 per user/month
• Good for budget-conscious SMEs

Keeper Security

• Strong zero-knowledge architecture
• Compliance certifications (ISO 27001)
• Approx. CHF 10-15 per user/month

LastPass Business (with caution)

• Widespread, but security incidents in the past
• Only recommended with additional security measures

Implementation in the Company

Phase 1: Selection and Setup (Week 1-2)

1. Select password manager based on budget, requirements, data storage
2. Start pilot group: IT team and management first
3. Define master password policy: at least 16 characters, memorable
4. Activate MFA for password manager (see Section 2)

Phase 2: Rollout (Week 3-6)

1. Train all employees (30-45 min. per group)
2. Supported migration: IT helps with transfer of existing passwords
3. Critical systems first: Admin accounts, financial tools, email
4. Browser integration: Install plugins for easy autofill

Phase 3: Enforcement (from Week 7)

1. Enforce password policy: Weak passwords must be changed
2. Regular audits: Identification of reused or weak passwords
3. Helpdesk support: Contact point for problems

Realistic effort:

• Setup: 4-8 hours (IT)
• Training: 30-45 min. per employee
• Ongoing support: 1-2 hours/month

2. Multi-Factor Authentication (MFA): The Second Barrier

Why Passwords Alone Are Not Enough

Even the strongest password can be compromised through:

• Phishing: Employees enter password on fake login page
• Keylogger: Malware records keystrokes
• Data breaches: Passwords from hacked services are sold on the darknet
• Brute-force: Automated attacks guess weak passwords

MFA protects even when the password is compromised by requiring a second factor.

Types of MFA, Differences in Security

1. SMS-based codes (weakest form)

How it works: Code via SMS to registered phone number

Advantages:

• Easy to implement
• No additional app needed
• Wide user acceptance

Disadvantages:

• SIM-swapping attacks (attacker takes over phone number)
• SMS can be intercepted (SS7 vulnerabilities)
• Dependency on mobile network

Assessment: Better than no MFA, but only acceptable as a minimum.

2. Authenticator apps (recommended standard solution)

How it works: App generates time-based codes (TOTP)

Recommended apps:

• Microsoft Authenticator: Integration into Microsoft 365, backup possible
• Google Authenticator: Simple, widespread (but no cloud backup)
• Authy: Multi-device support, encrypted cloud backup
• 2FAS: Open source, no accounts needed

Advantages:

• Works offline
• Not vulnerable to SIM-swapping
• Free

Disadvantages:

• Device loss can lead to lockout (backup codes important!)
• Onboarding somewhat more complex than SMS

Assessment: Optimal balance between security and user-friendliness for most SMEs.

3. Hardware tokens (highest security)

How it works: Physical key (USB, NFC) must be inserted/tapped

Products:

• YubiKey (5 series): CHF 50-100, NFC + USB-C/USB-A
• Feitian (cheaper alternative): CHF 20-40
• Nitrokey (open source): CHF 40-80, manufactured in Germany

Advantages:

• Phishing-resistant (key verifies domain)
• No codes to type
• Very secure against remote access

Disadvantages:

• Cost per employee
• Loss risk (backup key required)
• Not all systems supported

Assessment: Ideal for admin accounts and highly sensitive systems. Not necessary for all employees.

4. Biometric MFA (context-dependent)

How it works: Fingerprint, facial recognition (Touch ID, Face ID, Windows Hello)

Advantages:

• Very user-friendly
• Fast
• Hard to steal

Disadvantages:

• Dependent on device hardware
• Privacy concerns (biometric data)
• Not suitable for all scenarios

Assessment: Good addition, but not as sole MFA method.

Implementation Strategy for SMEs

Phased rollout:

Phase 1: Critical Systems (Week 1-2)

• Email accounts (Microsoft 365, Google Workspace)
• Admin access (servers, network, cloud admin)
• Financial tools (e-banking, accounting)

Method: Hardware token (YubiKey) for IT admins, authenticator app for others

Phase 2: Cloud Services (Week 3-4)

• Collaboration tools (Teams, Slack, Asana)
• CRM and ERP (Salesforce, Abacus)
• Data storage (Dropbox, OneDrive, SharePoint)

Method: Authenticator app

Phase 3: All Other Accounts (Week 5-6)

• Social media business accounts
• Domain registrar, hosting
• Software subscriptions

Method: Authenticator app or SMS (if nothing else available)

Training and support:

1. Onboarding session (45-60 min.):

   • Why MFA is important (with examples)
   • Install and set up authenticator app
   • Store backup codes securely (in password manager!)
   • Troubleshooting for loss

2. Provide documentation:

   • Step-by-step guide with screenshots
   • FAQ for common problems
   • Emergency contact for lockout

3. Helpdesk process:

   • Clear procedure for MFA reset (with identity verification!)
   • Escalation path for emergencies

Common Challenges and Solutions

“Employees find MFA cumbersome”

Solution:

• Explain necessity with concrete examples (phishing attacks)
• Choose user-friendly methods (push notifications instead of typing codes)
• Show that it only takes seconds

“What happens with phone loss?”

Solution:

• Backup codes generated during MFA activation and stored in password manager
• Backup device registered (second phone, tablet)
• IT helpdesk can reset MFA after identity verification

“Not all systems support MFA”

Solution:

• Prioritise systems that offer MFA
• Consider migrating systems without MFA support (long-term)
• For legacy systems: VPN with MFA as access control

“Too expensive for our budget”

Solution:

• Authenticator apps are free
• SMS-MFA is better than no MFA
• Hardware tokens only for critical accounts (IT admins)

3. Software Updates: The Underestimated Security Foundation

Why Outdated Software Is Dangerous

Known vulnerabilities are actively exploited:

• Every year, thousands of security vulnerabilities in software are discovered and reported (CVEs)
• Once a vulnerability becomes public, exploit tools often exist within hours
• Attackers automatically scan the internet for vulnerable systems

Real examples:

WannaCry (2017): Ransomware exploited Windows vulnerability for which a patch had existed for months. Worldwide damage: over $4 billion.

Log4Shell (2021): Critical vulnerability in widely used Java library. Hundreds of thousands of systems worldwide vulnerable because not patched.

MOVEit (2023): Vulnerability in file transfer software. Over 2000 organisations affected, including Swiss companies.

Common pattern: Patch was available but not installed.

Which Software Must Be Kept Current

1. Operating systems (highest priority)

• Windows: Monthly “Patch Tuesday” updates
• macOS: Regular system updates
• Linux: Distribution-dependent (Ubuntu, Debian, RHEL)
• Mobile OS: iOS, Android on all company devices

2. Browsers (very high priority)

• Chrome, Firefox, Safari, Edge
• Browsers are common attack vectors (drive-by downloads, phishing)
• Usually auto-update, but check!

3. Business applications

• Microsoft 365: Automatic updates (Office apps)
• Adobe: Acrobat, Creative Suite
• Collaboration: Teams, Zoom, Slack
• Industry software: ERP, CRM, accounting

4. Servers and infrastructure

• Web servers: Apache, nginx, IIS
• Databases: MySQL, PostgreSQL, MSSQL
• Frameworks: PHP, Node.js, .NET
• CMS: WordPress, Drupal (critical!)

5. Network hardware

• Routers and firewalls
• Access points (WLAN)
• NAS (Network Attached Storage)

6. Plugins and extensions

• Browser plugins
• WordPress plugins (common entry point!)
• CMS extensions

Update Strategy: Automation and Processes

Basic principle: As much automation as possible

Level 1: Fully automatic updates (standard for most systems)

Activate for:

• Windows workstations (automatic updates)
• macOS (automatic updates)
• Browsers (usually standard)
• Microsoft 365 apps
• Mobile devices (MDM-controlled)

Advantage: No manual intervention, rapid closure of vulnerabilities

Disadvantage: Rare incompatibilities, necessity of rollback

Best practice: Enable automatic updates, set up monitoring for failed updates.

Level 2: Semi-automatic updates (test before rollout)

Suitable for:

• Servers (production environments)
• Business-critical applications
• ERP/CRM systems

Process:

1. Notification of available update
2. Test in staging environment (if available)
3. Planned maintenance window (e.g., Sunday evening)
4. Installation with rollback plan
5. Verification of functionality

Advantage: Controlled, incompatibilities detected before production

Disadvantage: Time effort, delayed patching

Best practice: Prioritise critical security updates (e.g., actively exploited vulnerabilities), even if testing is shorter.

Level 3: Manual updates (exceptions only)

Only for:

• Legacy systems without update mechanism
• Systems with complicated dependencies
• Special hardware with vendor support

Process:

1. Regular check for available updates (monthly)
2. Planned maintenance
3. Documentation of changes

Best practice: Maintain list of all manually maintained systems, set reminders.

Patch Management Tools for SMEs

For Windows environments:

Windows Update for Business (free)

• Integrated in Windows 10/11
• Group policies for update control
• Sufficient for smaller environments (up to 50 devices)

WSUS (Windows Server Update Services, free)

• Centralised update management
• Own update server in company
• Good for 50-500 devices

Microsoft Intune (paid)

• Cloud-based management
• Updates for Windows, macOS, iOS, Android
• Approx. CHF 5-10 per device/month
• Ideal for hybrid/distributed teams

For mixed environments (Windows, Mac, Linux):

Automox

• Cloud-based, all operating systems
• Automatic patching + reporting
• Approx. CHF 3-5 per endpoint/month

ManageEngine Patch Manager Plus

• On-premise or cloud
• Windows, macOS, Linux, third-party apps
• Approx. CHF 1000-3000/year (depending on device count)

For WordPress websites:

ManageWP, MainWP

• Central management of multiple WordPress installations
• Automatic updates for core, plugins, themes
• Approx. CHF 10-50/month (depending on number of sites)

Handling End-of-Life Software

What is End-of-Life (EOL)?

Software that is no longer provided with security updates by the manufacturer.

Examples:

• Windows 7 (EOL since January 2020)
• Windows Server 2008/2012 (EOL)
• Office 2013 and older
• PHP 7.x (EOL since November 2022)
• Internet Explorer 11 (EOL)

Why this is critical:

Newly discovered security vulnerabilities are no longer patched, the system remains permanently vulnerable.

Action options:

1. Migration (recommended)

• Upgrade to current version (Windows 11, Office 365)
• New hardware procurement if necessary

2. Isolation (transitional solution)

• Take system off the internet
• Only access to specific, trusted systems
• Additional network segmentation

3. Extended support (expensive)

• Some manufacturers offer paid Extended Security Updates
• Only emergency solution, no permanent solution

Best practice: Conduct an inventory of all used software and plan EOL migrations 12-18 months in advance.

4. Backup Strategy: Insurance Against the Worst

Why Backups Are Existential

Backups are the last line of defence against:

• Ransomware: Encrypted data can be restored from backup without paying ransom
• Data loss: Hardware failures, accidental deletion, natural disasters
• Sabotage: Malicious deletion by insiders or attackers
• System failures: Rapid recovery after compromise

Without backups:

• Ransomware attack = total loss or ransom payment (average CHF 20,000 - 200,000 for SMEs)
• Recovery from backups: Costs for downtime and restoration (CHF 5,000 - 20,000)

Backups are not a “nice-to-have” but survival insurance.

The 3-2-1 Rule (and Its Modern Extension)

Classic 3-2-1 rule:

• 3 copies of data: Original + 2 backups
• 2 different media: E.g., local hard drive + cloud
• 1 offsite copy: Physically separated from original (different location)

Modern extension: 3-2-1-1-0

• 3 copies
• 2 different media
• 1 offsite
• 1 immutable copy (cannot be encrypted by ransomware)
• 0 errors in recovery tests (test regularly!)

Why the extension is important:

Modern ransomware specifically seeks backups and encrypts or deletes them. Immutable backups protect against this.

Backup Types and Their Application

1. Full backup

How it works: Complete copy of all data

Advantages:

• Simplest recovery (only one backup version needed)
• Complete redundancy

Disadvantages:

• High storage requirement
• Long backup duration

Application: Weekly or monthly as baseline

2. Incremental backup

How it works: Backs up only changes since last backup (whether full or incremental)

Advantages:

• Fast and storage-efficient
• Frequent backups possible (e.g., hourly)

Disadvantages:

• Recovery requires full backup + all incremental backups

Application: Daily or hourly between full backups

3. Differential backup

How it works: Backs up all changes since last full backup

Advantages:

• Faster recovery than incremental (only full backup + last differential needed)
• Compromise between speed and storage

Disadvantages:

• Grows steadily between full backups

Application: Daily, with weekly full backup

Recommended scheme for SMEs:

• Sunday: Full backup
• Monday-Saturday: Incremental backups
• Retention: 4 weeks daily backups, 12 months monthly full backups

What Must Be Backed Up

Critical (daily):

• Databases: CRM, ERP, customer databases
• File servers: Documents, projects, contracts
• Emails: Mailbox contents (if on-premise)
• Configurations: Server configs, network device settings

Important (weekly):

• System images: Complete system images of servers
• Virtual machines: VM snapshots
• Websites: CMS files and databases

Good to have (monthly):

• Archive data: Old projects, completed accounting years
• Software licenses and installers: For quick reinstallation

Don’t forget:

• Office 365/Google Workspace: Even cloud services should be backed up (protection against accidental deletion, ransomware)
• Password manager: Export of encrypted vault

Backup Solutions for SMEs

Local backup solutions:

Synology/QNAP NAS with backup software

• Hardware: CHF 500-2000 (depending on capacity)
• Integrated backup software (Hyper Backup, etc.)
• Snapshots and replication possible
• Good for local, fast recovery

Veeam Backup & Replication

• Standard in many SMEs (especially with VMware/Hyper-V)
• Free edition for up to 10 VMs
• Professional edition: approx. CHF 500-1000/year
• Excellent recovery options

Cloud backup solutions:

Backblaze for Business

• Unlimited cloud backups for workstations
• Approx. CHF 8-10 per device/month
• Good for decentralised teams

Acronis Cyber Backup

• Hybrid (local + cloud)
• Ransomware protection integrated
• Approx. CHF 50-100 per workload/year
• Swiss data centre available

Microsoft 365 Backup (for M365 data)

• Veeam Backup for Microsoft 365: approx. CHF 10-15/user/year
• Protects Exchange, OneDrive, SharePoint, Teams

Hybrid approach (recommended):

1. Local backup (NAS): Fast recovery, daily backups
2. Cloud backup: Offsite protection, immutable copies
3. Cost example for 20-person SME: CHF 200-400/month

Backup Testing: The Often Forgotten Step

The problem:

Many companies only discover in an emergency that their backups don’t work (corrupt files, missing data, wrong configuration).

Best practices for backup testing:

1. Regular restore tests (at least quarterly)

• Select random files/folders and restore them
• Check integrity and completeness
• Document duration and success

2. Complete disaster recovery test (annually)

• Simulate total failure of a system
• Restore complete server/service from backup
• Test on separate hardware or in test environment
• Measure recovery time (how long does restoration take?)

3. Documented restore procedures

• Step-by-step guide for restoration
• Who is responsible?
• Which credentials are needed?
• In what order are systems restored?

4. Monitoring and alerting

• Automatic notification for failed backups
• Regular reports on backup status
• Dashboard for overview

Realistic testing effort:

• Quarterly restore test: 2-4 hours
• Annual DR test: 1-2 days (can be conducted with IT partner)

5. Access Controls: Who Can Do What

The Principle of Least Privilege

Definition:

Every user and system receives only the minimally necessary rights to fulfil their tasks, nothing more.

Why this is important:

• Damage limitation: Compromised account causes less damage
• Insider risk: Even trustworthy employees should not have unlimited access
• Compliance: Data protection laws (DSG, GDPR) demand access restrictions

Example:

Accounting employee needs access to financial tools and relevant folders, but not to development code or HR data.

Role-Based Access Control (RBAC)

How it works:

Instead of individual rights for each user, roles are defined that contain bundles of rights.

Example roles:

“Marketing Team”

• Access: Shared marketing folder, social media accounts, website CMS
• No access: Finance, IT systems, customer database

“Management”

• Access: All folders (read), finance (read/write), strategy documents
• No access: Production systems (no admin rights, except with IT background)

“IT Administrator”

• Access: All systems with admin rights
• Separate account for non-administrative activities

Advantages:

• Easier management (new employees receive appropriate role)
• Consistency (all in marketing team have same rights)
• Clarity in audits

Implementation:

• Microsoft 365: Azure AD groups and roles
• Google Workspace: Organisational units and groups
• File servers: Active Directory groups
• CRM/ERP: Built-in role management systems

Privileged Accounts and Their Protection

What are privileged accounts?

Accounts with extended rights (admin, root, superuser) that control critical systems.

Best practices:

1. Separation of admin and daily accounts

IT staff should have two accounts:

• Standard account: For email, documents, normal activities (no admin rights)
• Admin account: Only for administrative tasks, separate, stronger password

Why: Compromise of daily account (e.g., through phishing) grants no admin access.

2. Hardware MFA for admin accounts

Admin accounts should be protected with YubiKey or similar hardware tokens, not just app-based MFA.

3. Privileged Access Workstations (PAW)

Dedicated, hardened devices only for administrative activities (only practical for larger organisations).

4. Logging and monitoring

All actions with privileged accounts should be logged and monitored (who did what when?).

5. Just-in-Time (JIT) admin access

Admin rights are granted only when needed and time-limited (advanced, but possible in Azure AD).

Offboarding: Revoking Access

The problem:

Departed employees with active accounts are a massive security risk.

Offboarding checklist:

On last working day:

1. Disable account (don’t delete immediately, for data handover)
2. Change passwords for shared accounts (if any, should be avoided though)
3. Remove MFA from all systems
4. Retrieve hardware: Laptop, phone, YubiKeys, access cards
5. Disable VPN access

Within 1 week:

6. Set up email forwarding (to successor or team mailbox)
7. Data handover from personal folders
8. Check cloud storage (OneDrive, Dropbox personal accounts)

After 30 days:

9. Delete account (after archiving data)
10. Release licenses (Microsoft 365, Adobe, etc.)

Critical for senior employees or IT personnel:

• Disable admin accounts first (even before notification of termination, if conflicted)
• Audit all activities of recent weeks (data downloads, changes)
• Check external accounts: GitHub, AWS, domain registrar

6. Employee Awareness: The Human Factor

Why People Are the Biggest Risk

Statistics:

Over 90% of all successful cyberattacks begin with human error:

• Phishing email opened
• Malware downloaded
• Credentials entered on fake page
• USB stick of unknown origin plugged in
• Insecure remote access

Technology alone is not enough: Even the best firewall and antivirus don’t protect against an employee who gives their password to a supposed “IT support.”

Common Attack Vectors and How They Work

1. Phishing emails

How it works: Fraudulent emails pretending to be from trusted senders (bank, CEO, IT support, supplier).

Goals:

• Steal credentials (fake login page)
• Spread malware (malicious attachments or links)
• Transfer money (CEO fraud, fake invoices)

Recognition features:

• Urgency (“Your account will be locked, act now!”)
• Unusual sender addresses (instead of @swisscom.ch → @swisscom-support.com)
• Spelling and grammar errors (but not always!)
• Suspicious links (hovering reveals different URL)

Example spear phishing (targeted):

Email supposedly from CEO: “I’m in a meeting, urgently need 20 iTunes cards for client gifts. Can you organise this?” to assistant.

2. CEO fraud / Business Email Compromise (BEC)

How it works: Attacker poses as CEO or management and demands urgent transfer.

Real example (Switzerland):

SME in Zurich receives email from “CEO” (actually fake sender address), urgent transfer of CHF 150,000 to “new supplier” needed for important deal. Accounting executes transfer, money is gone.

Protective measures:

• Four-eyes principle for transfers over CHF 5000
• Telephone confirmation for unusual requests (don’t call number in email)
• Awareness training for such scenarios

3. Malware downloads

Vectors:

• Email attachments (e.g., “Invoice.pdf.exe”)
• Fake software downloads (supposed updates, cracks)
• Compromised websites (drive-by downloads)
• Infected USB sticks

Protective measures:

• Never open attachments from unknown senders
• Download software only from official sources
• Don’t plug in USB sticks from unknown sources
• Keep antivirus activated

Building an Awareness Program

Phase 1: Initial training (2-3 hours)

Content:

• Why cybersecurity is important (with concrete, real examples)
• Typical attack methods (phishing, CEO fraud, ransomware)
• Company policies (passwords, MFA, data handling)
• Behaviour during security incidents (who to contact?)

Format:

• Presentation with examples
• Interactive elements (phishing quiz)
• Q&A session

Target audience: All employees, mandatory

Phase 2: Regular refreshers (quarterly, 30 min.)

Content:

• New threats (current attack waves)
• Lessons learned (internal incidents, anonymized)
• Reminder of best practices

Format:

• Short webinar or video
• Newsletter with tips
• Posters/infographics in office

Phase 3: Simulated phishing tests (monthly or quarterly)

How it works:

IT sends simulated phishing emails to employees to measure awareness.

Goal: Not punishment, but training

Example:

Email: “Your mailbox is full, click here to free up space.”

• Employees who click: Receive immediate notice that this was a test + short explanatory video
• Employees who react correctly (report or ignore): Positive feedback

Tools for simulated phishing:

• KnowBe4: In-depth platform, approx. CHF 20-30 per user/year
• Cofense (PhishMe): Specialised in phishing simulations
• Microsoft Defender for Office 365: Attack simulation training (included in E5)
• GoPhish: Open source, self-hosted (technical know-how needed)

Phase 4: Establish reporting culture

Goal: Employees should report suspicious emails, not hide them out of fear of mistakes.

Measures:

• Simple reporting process: Email to security@company.ch or phishing button in email client
• Positive feedback: Employees who report phishing are praised, not criticized
• Transparency: “This month we identified and blocked 5 phishing emails, thanks to everyone who reported”

Reward: Gamification (e.g., “Security Champion of the Month”) can help, but don’t overdo it.

Handling Security Incidents

Incident reporting:

Every employee should know:

• What to report? Suspicious emails, unknown logins, lost devices, accidentally opened attachments
• Where to report? security@company.ch, IT hotline, directly to IT manager
• When to report? Immediately, not only “when it’s certain”

No punishment culture:

Employees who report mistakes (e.g., “I clicked on a phishing link”) should not be punished. Only then will reporting be open.

Incident response plan (simplified):

1. Report received
2. Initial assessment: How critical is the incident?
3. Containment: Lock affected accounts, isolate systems
4. Analysis: What happened? How far is the compromise?
5. Recovery: Clean systems, change passwords, restore backups
6. Lessons learned: What went well, what needs improvement?

7. Practical Implementation: The Roadmap for SMEs

Prioritisation: Where to Start?

Quick wins (Week 1-2, immediately implementable):

1. Activate MFA for email accounts (Microsoft 365, Google Workspace)
2. Introduce password manager (at least for IT team and management)
3. Activate automatic updates for all workstations
4. Check backup status (do existing backups work? → Restore test!)

Costs: CHF 0-500 (password manager licenses) Time effort: 4-8 hours (IT) Impact: Eliminates 50-60% of common attack risks

Medium priority (Month 1-2):

5. Roll out password manager for all employees
6. MFA for all critical systems (cloud services, CRM, ERP)
7. Revise backup strategy (3-2-1 rule, add cloud backup)
8. Initial awareness training for all employees
9. Review access rights (least privilege, RBAC)

Costs: CHF 1000-3000 (licenses, cloud backup, training) Time effort: 20-40 hours (IT + employees) Impact: Eliminates 70-80% of risks

Long-term (Month 3-6):

10. Hardware tokens for admin accounts (YubiKeys)
11. Implement patch management tool (centralised update management)
12. Start simulated phishing tests (quarterly)
13. Document incident response plan
14. Standardise offboarding process

Costs: CHF 1000-2000 (hardware tokens, tools) Time effort: 10-20 hours (documentation, processes) Impact: Professional security hygiene level achieved

Budget Realism: What Does Good Security Hygiene Cost?

Example calculation for 20-person SME:

One-time costs (Year 1):

• Password manager (1Password Business): 20 x CHF 96/year = CHF 1920
• Hardware tokens for 3 admin accounts (YubiKeys): 6 x CHF 60 = CHF 360
• Initial awareness training (external trainer): CHF 1500
• Backup hardware (NAS): CHF 1000
• Total Year 1: approx. CHF 4800

Ongoing costs (from Year 2, annually):

• Password manager: CHF 1920/year
• Cloud backup (Acronis, 20 workloads): CHF 1500/year
• Phishing simulation (KnowBe4, 20 users): CHF 600/year
• Refresher training (internal): CHF 0 (IT time effort)
• Total from Year 2: approx. CHF 4000/year

IT time effort:

• Initial setup: 40-60 hours
• Ongoing support: 4-6 hours/month

Relativization:

CHF 4000/year = CHF 16 per employee/month for full security hygiene.

Cost of a ransomware attack: CHF 50,000 - 150,000 (downtime, recovery, data loss, possibly ransom).

ROI: Security hygiene pays for itself if it prevents even a single attack.

When to Involve an External Partner

Own resources are sufficient when:

• Internal IT team with security basic knowledge is available
• Time for implementation and support is available
• Standard solutions (Microsoft 365, standard tools) are in use

External partner makes sense when:

• No internal IT team: Outsourcing complete IT security to Managed Service Provider (MSP)
• Specialised knowledge missing: Complex infrastructure, specific compliance requirements
• Time pressure: Quick implementation desired
• Audit and consulting: Independent review of security status

Services of a security partner:

• Security assessment: Current state analysis, vulnerability identification
• Implementation: Rollout of MFA, password managers, backup solutions
• Managed security: Ongoing monitoring, patch management, incident response
• Training: Awareness training, phishing simulations

Once your security hygiene fundamentals are in place, a professional penetration test is the logical next step to validate their effectiveness. RedTeam Partners offers testing engagements that build on your existing baseline and identify the gaps that hygiene alone cannot close.

Costs: CHF 3000-10,000 for initial assessment, CHF 500-2000/month for ongoing management (depending on company size).

Important: Even with partner, security hygiene remains company responsibility. Partner supports but doesn’t replace own commitment.

Common Mistakes and How to Avoid Them

Mistake 1: “We implement everything at once”

Problem:

Overwhelming employees when suddenly MFA, new password manager, new policies, and training come all at once.

Solution:

Phased rollout with clear communication why each measure is important. Prioritise quick wins.

Mistake 2: “Once set up, never checked again”

Problem:

Security hygiene is not a project but an ongoing process. Systems change, new threats emerge, employees change.

Solution:

Regular reviews (quarterly):

• Do backups work? (Restore test!)
• Are all systems current? (Patch status)
• Do all active employees have correct access rights?
• Measure awareness level (phishing test)

Mistake 3: “Complexity before practicability”

Problem:

Too restrictive policies lead to circumvention (shadow IT, insecure workarounds).

Example: Password must be changed every 30 days → Employees write passwords on notes.

Solution:

Balance between security and usability. Modern approaches (long passwords without forced changes, MFA) are more secure and practical than old rules.

Mistake 4: “Technology replaces responsibility”

Problem:

Assumption that security software alone is sufficient (“We have antivirus and firewall, so we’re secure”).

Solution:

Technology + processes + people = security. All three components are necessary.

Mistake 5: “No testing of emergency plans”

Problem:

Backup and incident response plans that don’t work in emergencies because they were never tested.

Solution:

Regular drills (annual DR test, quarterly restore tests). Keep documentation current.

Good security hygiene is not a one-time project but a permanent commitment. The measures described here, password management, MFA, software updates, backups, access controls, and employee awareness, form the foundation of every cybersecurity strategy.

The most important insights:

1. 80% of attacks can be prevented with basic measures (MFA, passwords, updates)
2. Consistency beats perfection: Better simple measures consistently implemented than complex solutions half-heartedly
3. People are the key: Technology alone is not enough, awareness is crucial
4. Backups are survival insurance: Without functioning backups, a ransomware attack can be existential
5. Regularity is decisive: Security hygiene must become routine, not exception

For Swiss SMEs this means:

With manageable budget (CHF 4000-6000/year for 20 employees) and realistic time effort (4-8 hours IT support/month), a professional security hygiene level can be achieved that protects against the vast majority of cyber threats.

The first step is the most important: MFA for email accounts, a password manager, and functioning backups can be implemented within two weeks and already eliminate half of all risks.

Security hygiene is not glamorous, no groundbreaking innovation, but it’s what makes the difference in emergencies between a minor incident and an existential crisis.

---

Transparency Note: This article was created with the support of AI tools and editorially revised to provide Swiss SMEs with practical, implementable guidance for cybersecurity fundamentals. The mentioned tools and providers serve as examples, Alpine Excellence receives no commissions for their mention.