Cyber-resilience: Swiss SMEs put to the test of business continuity

Cyberattacks are no longer just a matter for IT specialists. For a Swiss SME, the real question becomes a very practical one: how long can the business continue to invoice, produce, deliver, pay salaries or respond to its customers if its systems go down? Cyber-resilience measures precisely this ability to absorb a digital shock, maintain essential functions and get back up and running without losing control.

Recent developments suggest we need to take a more systematic approach to this risk. The Federal Office for Cyber Security recorded 65,000 cyber incidents in 2025, compared with 63,000 in 2024, according to data cited by the Salon de l’entreprise. At the same time, only 42 per cent of Swiss SMEs say they feel sufficiently protected against cyberattacks in 2025 – 13 percentage points lower than in 2024 – according to the Confederation’s SME portal. This decline in the sense of security is a significant indicator: businesses know that technical tools are no longer enough, but many have not yet translated this realisation into business continuity measures.

Resilience is not limited to blocking attacks

In many businesses, cybersecurity is still associated with visible measures: antivirus software, firewalls, strong passwords, updates and backups. These elements remain essential. But cyber-resilience goes further. It is based on a less comfortable assumption: despite these safeguards, an incident may still occur. We must therefore ask ourselves which activities absolutely must continue, which systems support them, what data is required, and who makes which decisions in the first few hours.

This is the value of the cyber-resilience assessment developed by BACS, as presented by news.save.ch. According to this source, the tool is based on the CSRM cybersecurity and resilience methodology and enables organisations to carry out a self-assessment against six resilience objectives. What sets it apart is that it does not focus solely on IT in the strict sense, but on the organisation’s critical processes and their dependencies on IT and operational systems.

For an SME, this shift in perspective is crucial. An inaccessible server does not have the same impact depending on whether it halts production, the till, order-taking, payroll or simply a secondary application. A cyberattack becomes a management issue as soon as it prevents the company from honouring its commitments, meeting its deadlines or maintaining the trust of its customers and partners.

Measures do exist, but all too often they are piecemeal

One of the findings highlighted by news.save.ch is that, in many organisations, cyber resilience still relies on isolated measures rather than a comprehensive, process-oriented approach. In other words, a company may have purchased security solutions without having properly tested its ability to operate in degraded mode.

This fragmentation is reflected in the available figures. According to the study cited by La Mobilière, only 32 per cent of SMEs regularly organise cybersecurity training and 30 per cent have a contingency plan. Yet these two elements are at the heart of resilience. Properly configured technology reduces risk; trained staff reduce avoidable errors; and a contingency plan reduces the need for improvisation when time is of the essence.

Training should not be viewed as a one-off theoretical session. In the day-to-day reality of an SME, risk often arises from routine actions: opening an attachment, confirming a change to bank details, sharing access credentials, clicking on a link, using a personal device, or responding too quickly to a request that appears to come from a line manager or a supplier. Awareness-raising must therefore be tailored to the teams’ specific tasks: administration, accounts, sales, human resources, logistics and management.

The contingency plan, for its part, must clarify responsibilities. Who contacts the IT service provider? Who decides to isolate a system? Who informs staff? Who speaks to customers if a delivery is delayed? Who checks whether personal data is affected? Without prepared answers, an SME risks wasting precious hours, or even making contradictory decisions under pressure.

The cost of a system outage goes beyond the IT bill

The cost of a cyberattack is not limited to cleaning up systems or replacing hardware. According to figures cited by the Salon de l’entreprise, a single day of complete downtime costs an SME with thirty employees between 5,000 and 50,000 francs. This range highlights a point that is often underestimated: the impact depends on the business model, the level of digital dependency, profit margins, contractual deadlines and the seasonality of the business.

In a service-based business, an outage can prevent staff from recording their hours, accessing client files or issuing invoices. In an industrial or craft-based business, it can disrupt planning, connected machinery, supplier orders or traceability. In the retail sector, it can affect payments, stock management or the online shop. Even once operations resume, there is often a backlog of work to catch up on: re-entering data, checks, follow-ups, explanations to customers, and coordination with banks, insurers or the relevant authorities.

Accounting and payroll deserve particular attention. They involve sensitive data, deadlines and financial flows. A breach of access, payment fraud or the unavailability of the accounting system can quickly disrupt cash flow and relations with staff. Without turning the finance manager into a cyber security expert, it is prudent to involve them in the analysis of critical processes.

The legal framework adds a time constraint

Operational resilience must also be considered in the light of reporting obligations. According to the research report, the Information Security Act has been in force since 1 January 2024 and requires operators of critical infrastructure to report cyber-attacks within 24 hours of becoming aware of them. The sectors mentioned include, in particular, energy, water, food, health, finance, transport, telecommunications and public administration.

Not all SMEs fall directly within the scope of this obligation. However, many may be suppliers, subcontractors or partners of organisations subject to stricter requirements. Within a supply chain, regulatory pressure is often passed down through contracts, security questionnaires, audits or business continuity requirements. A small business may therefore be asked to demonstrate how it protects its data, access controls and essential services.

The new Data Protection Act adds another dimension. The report notes that Article 24 requires personal data breaches to be reported to the Federal Data Protection and Transparency Commissioner as soon as possible after they are discovered. In practice, this means being able to quickly identify whether personal data has been affected, understand the scale of the incident and document the decisions taken. This is not just an IT issue, but also a matter of data governance.

Swiss companies operating within the European Union must also keep an eye on the NIS2 Directive. The report emphasises that, although it falls under EU law, it may affect Swiss groups with subsidiaries in the EU or providing services to the EU, particularly via contractual chains. Here again, the aim is not to draw general conclusions, but to assess the company’s specific situation with the relevant specialists.

Moving from a technical inventory to a crisis scenario

A useful assessment rarely begins with a list of tools. It begins with the activities that the company cannot afford to halt for any length of time. Which services must be maintained as a priority? Which data is essential? Which staff members have critical access rights? Which service providers step in in the event of a breakdown? Where are the backups located and how are they restored? These simple questions often reveal previously unrecognised dependencies.

The approach can remain proportionate. A small organisation does not need a system designed for a multinational. What it does need, however, is a minimum level of clarity: an inventory of key systems, controlled access rights, tested backups, a response procedure, an up-to-date contact list, a plan for internal communication and regular staff awareness-raising. Cyber insurance can also be considered, not as a miracle solution, but as a potential means of transferring financial risk, with terms and exclusions that should be read carefully.

The benefit of the resilience-based approach is that it makes the subject more accessible to senior management. Rather than focusing solely on software, it links cyber risk to business continuity, cash flow, reputation, contractual obligations and data protection. It also helps to prioritise investments: an SME with limited resources must first address the vulnerabilities that directly threaten its critical processes.

Cyber resilience is therefore not a state that is achieved once and for all. It is built up, tested and updated as the business changes its software, service providers, markets or organisational structure. The available figures point to a persistent threat and declining confidence; the legal framework is driving the need to respond more quickly. For Swiss SMEs, the correct approach is now to treat a cyberattack not as an unlikely incident, but as a business management scenario to be prepared for with the same seriousness as a financial or operational risk.