See what attackers see — Carletto checks its digital exposure

Karin, can you tell us a bit about Carletto?

Carletto is a family-owned B2B toy distributor with offices in Switzerland and Germany. We supply retailers across the DACH region with around 80 brands and more than 13,000 products — including Steiff, HABA, and Sigikid, as well as Pokémon and our own Game Factory label, which offers around 120 board games. Our products are sold through retailers like Migros, Manor, Digitec, and Amazon. Carletto has been in business for over 35 years, and employs around 100 people.

Do you have your own IT department?

We have a small in-house IT team that handles ERP processes. Our overall infrastructure and IT security — firewalls, servers, hosting — is managed by our long-standing external IT partner.

Why did you decide to run an Attack Surface Analysis (ASA)?

Cybersecurity has been on our radar for quite some time. As they say: it's not a matter of if, but when you'll be attacked.

We operate two webshops and have numerous interfaces, VPN connections, and systems that are accessible via the internet. We wanted to understand: what’s actually visible from the outside? Are there outdated test systems, misconfigured domains, or other vulnerabilities we may not even be aware of?

The ASA seemed like an efficient starting point — an automated scan, followed by expert validation by GObugfree’s security specialists. Our goal was to get an independent assessment of whether the externally managed parts of our infrastructure were properly secured.

Why was getting an independent review important to you?

We knew we needed an external perspective on our systems. As an SME, we can’t cover every area of IT security ourselves, so having a neutral assessment is helpful. We trust our IT partner — they manage our firewalls, maintain our systems, and apply patches. But there’s always a level of uncertainty: has everything really been implemented the way it should be? The ASA gave us the chance to carry out an independent reality check.

What did you think of the results?

We were very happy with the results. The report was clearly structured, and we quickly saw where there was a need for action — and what was already well implemented. What stood out to us was that the report didn't just list of technical issues, it also included clear and practical recommendations.

It was also a great awareness tool — both internally and in disciussions with our IT partner. Have an external partner verify whether everything is truly up to date creates transparency and builds confidence.

Were there any surprises?

Yes — a few things came to light that we hadn’t been aware of. Nothing critical, but that’s exactly what the test was for. For example, a DNS record still pointed to an outdated IP address, which we corrected. A legacy FTP server was also decommissioned. It wasn’t about major vulnerabilities, but rather about getting a clear picture of what can others see about us online.

How else are you using the results?

We submitted the report to our cyber insurance provider as evidence that we’re actively addressing security. Internally, we prioritized and implemented the recommendations. It was a pragmatic and resource-efficient way for us to get a better understanding of our digital risk exposure.

Would you recommend the ASA to others?

Definitely. Especially for companies without their own security specialists, it’s an efficient entry point. You quickly get a clear picture of your attack surface and actionable suggestions for improvement — without having to launch a major project. You can never do enough when it comes to security, but it has to be cost-effective. For us, it was the right step.