Cybersecurity for SMEs: Think holistically, start pragmatically
Strategies for greater cyber resilience were at the heart of CyberTalks Zurich on 28 May. In discussions with participants, one thing quickly became clear: many companies want to strengthen their cybersecurity in a targeted way, but need orientation, priorities and clear next steps.

The cybersecurity chain
Rolf Wagner from FortIT summed it up with a powerful image: security breaks at its weakest point. A cybersecurity chain consists of several links, including organisational, technical, human and physical measures. If only one area is considered, the overall picture remains incomplete. This perspective is particularly relevant for SMEs. An effective security programme does not emerge overnight. What matters is understanding your current situation, prioritising risks and starting where the greatest need for action lies.
Cybersecurity is not a static state. It must be reviewed, adapted and developed over time. What is sufficient today may no longer be enough tomorrow. New systems, new suppliers, new regulatory requirements and new attack methods all change the risk landscape.

Cybersecurity needs structure
A structured information security management system (ISMS) can help. It provides a framework for addressing risks deliberately, clarifying responsibilities, implementing measures in a traceable way and making progress visible over time.
An ISMS is, in some ways, comparable to managing your own health. Both IT systems and people require conscious risk management, preventive measures and long-term discipline. Those who only react when something hurts are often too late. Those who take care of things continuously remain more resilient.
Cybersecurity is teamwork
Cybersecurity is a shared responsibility. Management defines security objectives, risk appetite and the resources required. Procurement and supplier management include security requirements when working with partners and service providers. Project teams need to consider protection needs and security measures throughout the entire lifecycle. Common sense remains important, but it does not replace structure. Clear roles, processes and controls create accountability and make progress measurable. Cyber insurance does not change this. It can help absorb financial consequences, but it does not replace a company’s own security measures. Organisations need to understand their risks, address them appropriately and be able to show, in the event of an incident, that they have taken due care seriously.
People remain a decisive factor
Pascal Zaugg, CEO of IT-SAFETY, opened his talk by showing why phishing is more than an abstract risk for him. He spoke about a cyberattack on a company where he was working as IT manager at the time. The malicious file was most likely introduced through a phishing email and remained undetected in the system for an extended period. The consequences were serious: the company, with more than 100 employees and several locations in Switzerland, was affected across the board and unable to work for around 24 hours.
The example shows how quickly a single email can turn into a company-wide incident. Many cyberattacks do not begin with highly complex technology, but with a decision under pressure: a click, an approval, a login or a seemingly trustworthy email.
Cybercrime remains a real risk
The figures presented during the talk underline the relevance of the topic. In Switzerland, a voluntary report of a cyber incident is submitted to the National Cyber Security Centre every 8.5 minutes. The number of unreported cases is likely much higher. Digital crime has increased by 35 percent, phishing attacks by 56 percent, and more than 90 percent of cyberattacks begin with phishing.

Phishing is becoming harder to spot
Phishing emails are no longer as easy to recognise as they once were. One particularly striking example was a modern SharePoint phishing attack. At first glance, everything appears trustworthy: a genuine Microsoft sender, a genuine SharePoint link and a genuine one-time code. The actual deception begins only afterwards. MFA is not simply bypassed; it is used live as part of the attack.
That is why sending employees through a mandatory training session once a year is not enough. Security awareness needs regular practice. Employees need to recognise suspicious patterns, make better decisions in day-to-day situations and know what to do when something feels wrong.
Awareness works through repetition
Pascal showed, using a customer example, that regular awareness training can have a measurable impact. Over the course of one year, the risk was reduced by 75 percent. For SMEs, this is an important message: the human factor is not an uncontrollable risk. It can be strengthened in a targeted way.
He closed his talk with the statement: “The question is no longer whether an attack is technically possible. The question is whether a company remains able to act under pressure.” This ability to act was also at the centre of the next talk: backup resilience.

Backups under attack
Florin Gruber, CISO at Backup ONE, opened with a striking statistic: 96 percent of ransomware attacks now also target backups (source: Sophos “State of Ransomware 2025”). It is logical, but still sobering. Attackers know that if a company can reliably restore its data, extortion loses much of its power. That is why backups themselves are increasingly becoming a target.
For SMEs, this means that having a backup is important. But the decisive question is whether recovery actually works when it matters.
Backup is not the same as recovery
Many companies back up their data. Fewer regularly test whether they would actually be able to operate again after an attack, system failure or human error. This is where a dangerous gap can emerge between perceived security and actual resilience.
Backup resilience therefore means more than storing data. It involves clear recovery objectives, protected backup environments, regular testing and clarity on which data and systems must be available first in an emergency.
SMEs do not need to solve everything perfectly at once. But they should know which data is business-critical and whether they can reliably restore it in the event of an incident.
Five practical questions for backup resilience
Florin highlighted five points that SMEs can review in concrete terms:
- Is there at least one immutable backup copy?
- Is recovery tested regularly, at least once a year?
- Is cloud data backed up independently of the respective vendor?
- Are backup administrator accounts separated from daily user accounts and protected with MFA?
- Is there a documented emergency plan that has been tested under normal operating conditions?

What does an attacker see from the outside?
After risk management, awareness and backup, Nadine Anderson from GObugfree spoke about the external technical perspective: which weaknesses would be visible and exploitable from an attacker’s point of view?
Often, the issue is not highly complex attack methods, but practical weaknesses: permissions that are not implemented cleanly, system settings that allow too much access, outdated software or functions that can be used differently than originally intended.
This is where ethical hackers can help. They use the mindset of attackers, but work legally, transparently and with the company’s clear permission. For SMEs, this external perspective is particularly valuable: it brings in specialist knowledge, reveals risks that are difficult to see from the inside and helps distinguish concrete vulnerabilities from theoretical concerns.
A focused security check as a pragmatic starting point
For many SMEs, a focused security check is a pragmatic way to start with external security testing. The GObugtest is a compact security check carried out by a selected ethical hacker. Together, a clear scope is defined, such as an online shop, customer portal or specific application. This keeps the test manageable and resource-efficient.
Depending on the scope, the testing phase lasts two to four days. Afterwards, companies receive concrete results, prioritised findings and recommended actions. The goal is clarity: what is relevant, what is critical and which measures should be addressed first?
One practical example is Maestrani. The Swiss chocolate manufacturer had its online shop tested by ethical hackers. Like many SMEs, Maestrani works with several web domains, outsourced IT systems and external partners. The report helped classify security risks in a traceable way and served as a basis for discussions with the board of directors.
Traceability is becoming more important
Regulatory expectations around structured vulnerability management are also increasing. Not every regulation applies directly to every SME. Still, the direction is clear: companies are increasingly expected to show that they actively assess risks, document them and implement measures in a traceable way.
For financial institutions, this is particularly pronounced under DORA. For manufacturers of digital products, the Cyber Resilience Act is becoming relevant. Customers, partners, insurers and boards are also asking similar questions more frequently. Companies that understand their risks, prioritise measures and document progress are better prepared.
Think holistically, start pragmatically
The key message from CyberTalks Zurich was clear: SMEs should look at cybersecurity holistically and start pragmatically.
That means asking several questions:
- Where are our greatest risks?
- How well prepared are our employees?
- Can we restore our data in an emergency?
- What does an attacker see from the outside?
- Which measures will bring the greatest value for our company right now?
Cybersecurity is not a one-time task. It is an ongoing process. But this process does not have to be overwhelming. What matters is regularly reassessing your current situation, setting priorities and becoming more resilient step by step.
360° Cyber Resilience Check for SMEs
Where does your company stand today, and which measures will have the greatest impact?
The 360° Cyber Resilience Check combines organisational risk analysis, an external technical perspective and security awareness training into a compact assessment for SMEs. You gain clarity on your current security posture and concrete starting points for the next steps.
- Information Security Risk Assessment with FortIT AG
- Attack Surface Analysis with GObugfree
- Security Awareness Training with IT-SAFETY AG