More than 30,000 cyber incidents were reported in Switzerland in 2025 alone, according to the National Cyber Security Centre (NCSC). SMEs bear the brunt: they typically invest less in IT security than large corporations, yet remain highly attractive targets for attackers.

The Most Common Threats for Swiss SMEs

Ransomware

Ransomware encrypts company data and demands a ransom for decryption. For SMEs, such an attack can threaten their very existence, as even payment provides no guarantee of data recovery.

Phishing and Social Engineering

The majority of all cyberattacks begin with a phishing email. Employees are tricked into revealing credentials or installing malware. Social engineering exploits human trust, not technical vulnerabilities.

Business Email Compromise

In this method, attackers impersonate business partners or superiors to initiate fraudulent transfers. Swiss SMEs lose millions annually this way.

Supply Chain Attacks

Attackers do not compromise the company directly but rather a supplier or software provider. Access to the actual target then comes through the existing trust relationship.

Basic Security Measures

Before investing in expensive security solutions, these fundamentals should be in place:

1. Apply Updates and Patches Promptly

Most successful attacks exploit known vulnerabilities for which patches are already available. Systematic patch management is the single most effective measure.

2. Multi-Factor Authentication (MFA)

MFA for all company access points, especially email, VPN, and cloud services, massively reduces the risk from compromised credentials.

3. Regular Backups Following the 3-2-1 Rule

  • 3 copies of your data
  • on 2 different media types
  • with 1 copy at an offsite location

Test your recovery process regularly. A backup that does not work is worthless.

4. Employee Training

Technical measures alone are not enough. Train your employees regularly on phishing recognition, secure password handling, and reporting suspicious activities.

5. Network Segmentation

Separate critical systems from each other. If an attacker penetrates one system, they should not automatically gain access to the entire network.

When Does Your Company Need a Penetration Test?

A penetration test (pentest) simulates a real cyberattack on your IT infrastructure. It makes sense when:

  • You must meet regulatory requirements (financial sector, healthcare)
  • You process sensitive customer data
  • You are launching a new application or infrastructure
  • You want to objectively assess your current security posture
  • Your last pentest was more than 12 months ago

Penetration Test vs. Vulnerability Scan

A common misconception: an automated vulnerability scan is not a penetration test. The scan identifies known vulnerabilities. A pentest goes further, simulating an attacker’s approach and testing whether vulnerabilities are actually exploitable.

What Does a Penetration Test Cost?

Costs depend on scope. For a detailed cost overview, see our guide “What Does a Penetration Test Cost in Switzerland?”

Revised Data Protection Act (revDSG)

Since 1 September 2023, Switzerland’s revised Data Protection Act has been in force. It requires, among other things:

  • Appropriate technical and organisational measures to protect personal data
  • Notification of data breaches to the FDPIC within 72 hours
  • Documentation of data processing activities

Industry-Specific Requirements

Additional regulations apply depending on the industry:

  • Financial sector: FINMA Circular 2023/1 “Operational Risks and Resilience”
  • Healthcare: Special protection measures for patient data
  • Critical infrastructure: Information Security Act (ISG)

Create an Incident Response Plan

Every SME should have an incident response plan:

  1. Detection: How do you identify a security incident?
  2. Containment: How do you isolate affected systems?
  3. Communication: Who is informed (internal, customers, authorities)?
  4. Recovery: How do you restore operations?
  5. Post-incident review: What do you learn from the incident?

Document the plan and practise it at least once a year.

  1. Conduct a review of your current IT security measures
  2. Prioritise basic measures (updates, MFA, backups)
  3. Assess whether a penetration test makes sense for your company
  4. Create an incident response plan for cyber incidents
  5. Schedule regular employee training

Transparency Note

RedTeam Partners holds the Alpine Excellence seal in the Tech Excellence category. This article was written independently and is based on publicly available information and NCSC recommendations.