More than half of all Swiss SMEs consider themselves well prepared for a cyberattack. But contingency plans and responsibilities for cybersecurity are rare. That is the sobering conclusion of a study. SMEs are certainly worthwhile targets for cybercriminal attacks.
It’s a paradox: a slim majority of SMEs say they are well equipped to deal with a cyberattack. At the same time, however, the 2024 cyber study (in German) shows that there is a lack of organisational measures in particular. These include contingency plans, security concepts and security awareness training for employees. And in 44% of the SMEs surveyed, no one is responsible for IT security – even though operational risks are legally a top priority.
At the same time, the number of cyberattacks is increasing. For example, the National Cyber Security Centre (NCSC) reports that the number of identified phishing sites doubled to around 20,000 in 2024 compared to the previous year. According to the cyber study, 4% of the SMEs surveyed fell victim to a serious cyberattack last year, which equates to around 24,000 companies when extrapolated to Switzerland – not including the unreported cases. Three quarters of the victims suffered substantial financial damage.
Think SMEs aren’t targets? Wrong!
Small and medium-sized enterprises often incorrectly assume that they are not worthwhile targets for cybercriminals. A look at the attackers’ approach shows that this is not the case. Many cyberattacks are aimed at a broad range of targets. Systems on the Internet are scanned on a large scale for security loopholes. Phishing e-mails are also sent to all available addresses without knowing the identity of the recipients. Cybercriminals take an unscrupulous approach: they often attack where an opportunity presents itself.
And sometimes the attackers’ objective is simply to misuse a company’s website for their own purposes. This is demonstrated by phishing e-mails that attempt to steal web hosting access data. Unsuspicious but poorly protected company websites are ideal for hosting phishing sites – the target pages of phishing links – and for improving the credibility of phishing e-mails. The NCSC also refers to this misuse. The risk of being targeted by cybercriminals does not depend directly on the size of the company.
In addition, attacks on many small, often poorly protected companies are just as worthwhile overall as an attack on a large corporation. Credit card information or patient data can easily be turned into money on the darknet.
Or cybercriminals use ransomware to encrypt SME data before releasing it again in exchange for a ransom. Criminals often keep it too – after all, a company’s own data is sometimes the most important thing for that company, even if objectively it has no resale value. In addition, cybercriminals also use SMEs and their data as a gateway to attack the IT systems of large corporations.
Security loopholes and vulnerabilities in SMEs
SMEs are easy prey for cybercriminals because they often do not adequately secure their business-critical data or have not tested restoring it. For example, around 90 percent of SMEs have established basic security measures such as backups and regular updates. But only two-thirds have tested whether the restore works – a key step in a backup concept.
This test matters, because otherwise many SMEs only discover in a crisis, when the data has to be restored, that parts of the backup are missing. In general, prevention of successful cyberattacks – or other scenarios that could lead to business interruption – seems to be established in just a few SMEs. Only a third have a contingency plan in place, and only a quarter have a security concept that (also) includes cybersecurity measures.
Organisational measures as vulnerabilities
As a result, very few SMEs are aware of their security vulnerabilities. According to the study, only a fifth of the SMEs surveyed have carried out an IT security audit, i.e. an audit of their own infrastructure. Such audits uncover security loopholes and identify risks. They should therefore be carried out regularly.
Changes in the IT landscape in particular, such as the switch to cloud environments, create new general conditions or ways of working, such as more people working from home. This can lead to new vulnerabilities in IT. A prime example: someone uses a business laptop to access private e-mails at home in their free time – which may well constitute legitimate use. However, if the person clicks on a link in a phishing e-mail, the security of the business computer can be compromised. This makes it all the more important to raise employee awareness through security awareness training. Nevertheless, according to the study, only a third of SMEs provide regular training – about the same number as those using a password manager.
Comprehensive protection for your company
Simply secure, for everyone and everything, everywhere and always, with beem: secure surfing in beemNet, secure access to company data, defence against complex cyber attacks and comprehensive protection against data loss.