The threat from cybercrime remains consistently high, but response remains sluggish
As in the previous year, one in twenty-five companies (4%) reported having been affected by a cyberattack in the past three years. 5% had been blackmailed, and 4% lost money due to fraudulent emails. In total, 88% of SMEs regard cybercrime as a serious problem. Nevertheless, only 24% of executives perceive incentives or expectations from their professional environment to invest more in IT security – many decision-makers simply do not realize the urgency.

Weak resilience, yet still low priority
Confidence in their own defenses has fallen significantly: only 42% of companies consider their protection sufficient in the event of an attack – a clear drop from 55% in the previous year. Overall IT-security confidence has also declined slightly: 52% of companies feel secure (2024: 57%), while 9% feel insecure. Despite this, cybersecurity continues to lose importance: in 28% of SMEs, the topic is no longer a business priority – a sharp increase compared with 18% in the previous year.

«Either companies underestimate the consequences of cyberattacks, or they lack the know-how or resources to prioritize this issue. Politics, business, and academia must work together to raise awareness,» says Franziska Barmettler, CEO of digitalswitzerland.

Organizational measures lag behind
While more than two-thirds of companies implement technical measures such as firewalls or software updates, organizational measures remain underdeveloped: only 30% of SMEs have an IT security concept, conduct training, or maintain an emergency plan. Regular IT security audits are carried out by only one in five companies.

IT service providers see room for improvement – but willingness to invest continues to decline
IT service providers also assess the situation as critical: only 39% consider their SME customers secure, while 14% regard their protection as insufficient. Accordingly, 84% expect rising demand for security solutions, while SMEs’ investment readiness continues to decline. Only 40% now plan to increase their cybersecurity measures over the next one to three years (2024: 48%).

Resilience as the key to digital security
«The results of the study make it clear: resilience is the key to protecting Swiss SMEs against the growing threats of cybercrime. It’s not enough just to feel secure – companies must be actively prepared. As an insurance partner, we see it as our responsibility not only to provide financial protection but also to strengthen our customers’ digital resilience – ideally through a combination of technology, organization and awareness,» says Simon Seebeck, Head of the Cyber Risk Competence Center at the Mobiliar.

Plea from the study partners
«The study partners call on SMEs to treat cybersecurity as a strategic issue. Greater awareness, targeted investment, and collaboration with certified IT service providers are required. The Alliance Digital Security Switzerland ADSS particularly recommends working with CyberSeal-certified partners,» says Andreas W. Kaelin, Co-Founder and Managing Director of ADSS.

Marc K. Peter from the FHNW School of Business and HES-SO Valais-Wallis School of Management recommends treating cybersecurity as a success factor in digital transformation: «Comparable to other digital topics such as AI and new work, cybersecurity belongs on the agenda of every board member and business executive.»

More information at cyberstudie.ch