In 2026, cybercrime no longer primarily targets large corporations — it has shifted towards Swiss SMEs: less protected, just as profitable. This article explains why your business has become a priority target for organised cybercriminal groups, what Swiss law now requires of you in terms of data protection, and which five concrete vulnerabilities leave the door open to a cyberattack. You’ll also find a five-step action plan — realistic and actionable without a dedicated IT team — a cyber risk self-assessment checklist, an FAQ, and a glossary of essential terms. The goal: move from a reactive posture to a deliberate strategy — before the next cyber incident becomes yours.
Table of contents
Cybercrime has shifted towards Swiss SMEs
What the revDPA requires of your business — and what’s at stake
The 5 vulnerabilities exposing SMEs to cyberattacks
Reducing your cyber risk: 5 actionable steps without a dedicated IT team
Checklist: assess your cyber risk exposure in 5 minutes
Cybersecurity FAQ for Swiss SMEs
Glossary
Cybercrime has shifted towards Swiss SMEs
In 2024, more than 60% of documented cyberattacks in Switzerland targeted companies with fewer than 250 employees. This is no coincidence — it reflects a structural shift in organised cybercrime, with direct consequences for SMEs.
For years, hacking groups primarily targeted large corporations: quick results, substantial payoffs. But big players fought back — in-house SOCs, dedicated security officers, segmented network architectures. By 2026, launching a cyberattack against a systemic bank requires resources that most criminal groups simply can’t mobilise.
SMEs now offer the best effort-to-gain ratio on the market. The Federal Office for Cybersecurity (FOCS) recorded over 30,000 cyber incident reports in 2023, rising steadily for three consecutive years. Among documented cases: law firms paralysed for weeks by an attack, fiduciaries held to ransom, industrial SMEs whose manufacturing plans were encrypted and sold to foreign competitors.
Cyber threats targeting Swiss businesses have grown more sophisticated and more discreet. Attackers are no longer seeking visibility — they’re after quick, traceless payouts. And they’ve worked out that your systems are accessible, your teams rarely trained, and your backups rarely tested.
You don't need to be a strategic target to fall victim to a cyberattack. You simply need to hold data that has value — customer data, banking access, intellectual property, or access to third-party systems — and be less well protected than your digital neighbours. That's the calculation criminal groups make, in seconds, scanning the internet continuously.
What the revDPA requires of your business — and what's at stake
The revised Federal Act on Data Protection (revDPA), in force since 1 September 2023, has fundamentally changed the obligations of Swiss SMEs when it comes to cyber risk. It no longer recommends caution — it mandates it, with penalties for non-compliance.
Article 8 of the revDPA requires any business processing personal data to implement appropriate technical and organisational measures to ensure its security. In the event of a cyber incident that could pose a risk to the individuals concerned, notification to the Federal Data Protection and Information Commissioner (FDPIC) must be made without delay — emerging case law is converging on a 72-hour window.
For an SME that falls victim to a cyberattack, this creates a dual exposure:
- Direct operational damage: business interruption, data loss or theft, system reconstruction costs
- Risk of administrative sanction: if security measures were insufficient or if FDPIC notification was omitted
For businesses active on the European market, the GDPR adds another layer, with penalties of up to 4% of global annual turnover — a ceiling that applies regardless of company size.
In the event of an attack, your SME is simultaneously exposed on two fronts: the immediate operational impact, and legal liability if your security measures prove inadequate. revDPA compliance isn't a bureaucratic formality — it's legal protection against the consequences of a cyber incident.
The 5 vulnerabilities exposing SMEs to cyberattacks
The majority of cyberattacks on Swiss businesses don’t exploit unknown vulnerabilities. They rely on well-documented weaknesses — systematically overlooked for lack of time or awareness. Here are the five most common, ranked by severity.
1. Shared, never-rotated passwords
One set of credentials used by multiple employees for years: this scenario applies to the majority of Swiss SMEs. For a hacking group, a single compromised account is enough to gain full access to sensitive data — and the intrusion can go undetected for weeks.
2. No two-factor authentication (2FA)
Without 2FA, a password alone is enough to take control of an email account, VPN, or cloud tool. Setup takes less than a day and reduces the risk of compromise via credential stuffing by 99% — one of the most widespread hacking techniques, which involves automatically testing millions of combinations from stolen databases.
3. Untested backups — or none that actually work
Many SMEs believe they have backups. In reality, they have copied files that have never been tested in a real restoration scenario. When ransomware encrypts an entire system on a Friday evening, that’s the worst time to find out — and paying the ransom becomes the only apparent option.
4. Employees with no phishing training
Phishing remains the number one entry vector for cyberattacks on Swiss SMEs. The sophistication of lures has exploded with generative AI: emails impersonating known suppliers, fake PDF invoices, text messages posing as a colleague travelling abroad. Your teams are your first line of defence — and, without regular training, your most vulnerable link.
5. Unpatched software and websites
Every unapplied security update is an open window. Automated tools continuously scan the internet to identify vulnerable software versions — including poorly maintained CMSs like WordPress, or outdated business applications. Your systems advertise themselves, even when you are not specifically targeted.
These five vulnerabilities share one thing in common: none of them requires a complex technical solution to fix. They require a decision, a process, and — for vulnerability #4 — ongoing training. Most cyber incidents affecting Swiss SMEs could have been prevented by these fundamental measures.
Reducing your cyber risk: 5 actionable steps without a dedicated IT team
Managing cyber risk as an SME isn’t about securing everything at once — it’s about prioritising actions by their effort-to-protection ratio, and progressing step by step. These five actions are ordered for an SME without internal IT resources, starting with the most critical measures.
Step 1 — Map your critical assets
(1 day, no tools required)
Before any investment, identify what a cyberattack on your business could compromise most damagingly: customer data, contracts, banking access, intellectual property. This mapping exercise — achievable on a spreadsheet — underpins every decision that follows.
Step 2 — Enable 2FA on all remote access
(1 to 2 weeks)
Business email, VPN, cloud tools, business applications: no remote access should operate without two-factor authentication. At the same time, deploy a professional password manager and audit active accounts — delete those belonging to employees who have left the company, an entry point exploited in many cyberattacks.
Step 3 — Apply the 3-2-1 rule for your backups
Three copies of your data, on two different media, with one offsite (secure cloud or physical storage disconnected from the network). Test a full restoration at least once a year, under real conditions. This simple rule is the most effective response to ransomware — it makes paying the ransom unnecessary.
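A restoration test is only meaningful if the restored files are checked against a reference taken at backup time. The script below is an added example, not part of the original article: it creates constructed sample data, backs it up with a SHA-256 manifest, restores into a scratch directory and verifies every file (all paths are assumptions for the demo; point BACKUP_SRC at a real data directory to use it for real).

```shell
#!/bin/sh
# Added example (not from the original article): a repeatable restore test
# for a compressed tar backup with an independent checksum manifest.
# All paths are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
BACKUP_SRC="$WORK/data"            # constructed sample data lives here
BACKUP_FILE="$WORK/backup.tar.gz"  # the backup artefact under test
MANIFEST="$WORK/manifest.sha256"   # checksums recorded at backup time
RESTORE_DIR="$WORK/restore"        # fresh directory for the restore drill

# Constructed sample data standing in for customer files and contracts.
make_sample_data() {
    mkdir -p "$BACKUP_SRC/contracts"
    printf 'id,name\n1,Example AG\n' > "$BACKUP_SRC/customers.csv"
    printf 'contract A\n' > "$BACKUP_SRC/contracts/a.txt"
}

# Take the backup and record a checksum of every file at the same moment,
# so the restore test compares against a reference made before any damage.
take_backup() {
    ( cd "$BACKUP_SRC" && find . -type f -exec sha256sum {} + | sort ) > "$MANIFEST"
    tar -czf "$BACKUP_FILE" -C "$BACKUP_SRC" .
}

# Restore into an empty directory, never over the live data.
restore_backup() {
    rm -rf "$RESTORE_DIR"
    mkdir -p "$RESTORE_DIR"
    tar -xzf "$BACKUP_FILE" -C "$RESTORE_DIR"
}

# Verify the restored copy: returns 0 only when every file in the manifest
# is present and byte-identical; a missing or altered file makes it fail.
verify_restore() {
    ( cd "$RESTORE_DIR" && sha256sum -c --quiet "$MANIFEST" )
}
```

Running this after every backup cycle catches silently broken archives early; the annual full-scale drill on real data, as the step above describes, still has to be done separately.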
Step 4 — Train your teams continuously, not just once
An annual training session isn’t enough against constantly evolving cyber threats. Short e-learning modules (15 to 30 minutes), regularly deployed on phishing recognition, risky behaviours, and internal alert procedures, deliver measurable results — without blocking out half a day of meetings, and with no technical prerequisites for participants.
Step 5 — Write a one-page cyber incident response plan
What do you do if you detect a cyberattack targeting your infrastructure on a Monday morning? Who do you call first? How do you isolate compromised systems? When do you notify the FDPIC? A one-page document answering these questions can make the difference between a managed crisis and a chaotic one — it requires no technical expertise, just one hour of preparation.
For an SME with fewer than 100 employees, working with a Managed Security Service Provider (MSSP) is often more effective and less costly than hiring internally. It provides access to specialist cybersecurity expertise, continuous monitoring, and rapid incident response — at a predictable cost.
Checklist: assess your cyber risk exposure in 5 minutes
Six questions are enough to identify your priority risk areas. Answer honestly.
- All my remote access is protected by 2FA
- My backups have been tested with a real restoration in the past 12 months
- My employees have completed cybersecurity training this year
- I know who to contact in the event of a cyber incident within the first hour
- My software, website, and operating systems are up to date
- I have a list of the personal data processed and the associated protective measures (revDPA requirement)
Result: 2 or more “no” or “I don’t know” answers indicate a level of cyber risk exposure that warrants immediate action. Every week without corrective measures is a week in which your protection against a cyberattack relies on luck rather than strategy.
Explore our e-learning courses on cybersecurity and data protection (revDPA), designed for Swiss SME teams. Compliant with revDPA requirements, accessible with no technical prerequisites.
FAQ — Cybersecurity for Swiss SMEs
What is ransomware, and why are Swiss SMEs particularly exposed?
Ransomware is malicious software that encrypts a company’s data and demands a ransom to restore access. Swiss SMEs are particularly exposed because they combine three factors that make them attractive to cybercriminal groups: systems that are often less protected than those of large corporations, genuinely valuable data, and teams rarely trained to detect the early signs of an attack in progress.
Does the revDPA apply to small businesses, even without an IT department?
Yes. The revDPA applies to any business processing the personal data of natural persons, regardless of size or sector. A ten-person SME managing a customer database is subject to the same security and incident notification obligations as a large corporation.
What does a cyberattack actually cost a Swiss SME on average?
According to data from the FOCS and cyber insurers active in the Swiss market, the average cost of a ransomware incident for an SME falls between CHF 50,000 and CHF 200,000 — factoring in business interruption, system reconstruction, legal fees, and crisis communications, independent of any ransom payment.
Is website hacking a real threat for an SME without an e-commerce site?
Yes. Website hacking doesn’t only target online shops. A compromised business website can serve as an entry point to the hosting environment, a distribution tool for malware targeting your visitors, or a vector for reputational damage. Unpatched CMSs — WordPress above all — are among the targets most exploited by hacking groups across Europe.
What should you do in the first minutes of a cyberattack on your systems?
Immediately isolate any device suspected of compromise from the network (unplug the network cable or disable Wi-Fi) — without switching off the machines, to preserve forensic evidence. Then contact a specialist incident response provider. If personal data is involved, prepare notification to the FDPIC without delay — ideally within 72 hours.
Glossary
Cyberattack
A malicious act aimed at compromising, stealing, altering, or destroying data or computer systems. In Switzerland, the FOCS centralises cyberattack reports and publishes annual statistics.
Cyber incident
Any IT security event with a real or potential impact on the confidentiality, integrity, or availability of an organisation’s data or systems. A cyber incident may result from an external attack, human error, or technical failure.
Cybercrime
The full range of criminal activities conducted via or targeting computer systems: fraud, ransomware, industrial espionage, hacking for financial gain.
Ransomware
Malicious software that encrypts a company’s data and conditions its recovery on payment of a ransom in cryptocurrency. The primary cyber risk vector for SMEs in 2026.
Hacking / Cyber hacking
Unauthorised intrusion into a computer system, for purposes of espionage, data theft, sabotage, or extortion. Organised hacking groups are increasingly targeting SMEs, seen as less well defended than large corporations.
Phishing
A cyberattack technique that deceives a user via a fraudulent message (email, SMS) into disclosing sensitive information or triggering the installation of malicious software.
Cyber risk
An organisation’s exposure to the potential consequences of a cyber incident: data loss, business interruption, reputational damage, regulatory sanctions. Cyber risk assessment is the prerequisite for any security strategy.
Website hacking
The compromise of a website for malicious purposes: code injection, redirection to fraudulent sites, theft of visitor data, or use of the server as a base for further attacks.
2FA (Two-Factor Authentication)
A security mechanism requiring two distinct proofs of identity to access an account: typically a password and a temporary code sent to a mobile device. A fundamental measure against credential stuffing attacks.
MSSP (Managed Security Service Provider)
An external provider delivering managed cybersecurity services: continuous monitoring, incident detection, attack response — without requiring an in-house security team.
3-2-1 Rule
The benchmark backup strategy: 3 copies of data, on 2 different media, with 1 stored offsite or disconnected from the main network. Essential protection against ransomware.