
«Cybersecurity isn’t a state, it’s an ongoing process»

Cybersecurity expert Nadine George-Fischli has more than 25 years of experience in the ICT industry. She is currently focusing her attention on developing innovative B2B security solutions. Her mission is to help companies prepare themselves to tackle increasing cyber threats. In this interview, she talks about her experiences and the biggest challenges for companies – and how they can approach security holistically. 

Julia Trunkwalter

April 7, 2025 · 7-minute read

Sunrise: According to the 2024 Cyber Study, 24,000 SMEs in Switzerland have fallen victim to cyber attacks in the past three years alone. Nevertheless, SMEs in particular classify the risk as low. What’s your assessment of the situation? 


Nadine George-Fischli: This is a common misconception. Cyber criminals don’t differentiate between large corporations and SMEs. On the contrary – SMEs are often easier targets because they don’t have the same resources and security measures as large companies. A successful attack can threaten any company’s existence. PwC Switzerland estimates the average loss for a medium-sized Swiss company to be around CHF 6 million per cyber attack.

 

Often, the vulnerabilities in companies are human in nature. Many attacks start with a simple phishing email... 

... That’s precisely why it’s essential to familiarise your employees with the potential dangers by offering training and courses. AI-based detection systems also help recognise phishing emails fast. Cyber criminals are becoming increasingly adept at making their emails look credible and authentic. In the past, one could recognise phishing emails from their incorrect spelling or grammar, or because they contained suspicious links and strange email addresses, but today they’re often deceptively realistic. What’s more, attackers are increasingly relying on artificial intelligence (AI) to optimise their attacks.  

 

Can you give us an example? 

Let’s take CEO fraud. In the past, attackers pretending to be CEOs sent emails requesting an urgent funds transfer. Today, AI can be used to imitate their voice and send a request like this via phone or voice message. The victims hear their supposed bosses and act accordingly – with potentially catastrophic consequences. 

 

So, does AI pose a serious threat to businesses? 

AI is both an opportunity and a risk. While AI-supported security solutions detect threats early on, companies are also exposed to new dangers when they use a variety of tools. Without appropriate protective measures, there’s a risk of data leaks, manipulation and attacks on the confidentiality and integrity of AI systems – for example through faked inputs or corrupted training data. 

Nadine collaborating with her colleagues on current cybersecurity topics

How can companies protect their AI systems? 

Visibility plays a huge role. A strong AI defence helps companies gain an overview of which freely accessible AI tools are being used by employees. So dangerous or ethically problematic tools can be identified, tested and blocked before they cause any harm. At the same time, AI defence contributes to data-loss prevention (DLP) and ensures that sensitive data doesn’t accidentally leave the company network via AI applications. DLP is an integral part of the Secure Service Edge (SSE) solution; it ensures regulatory compliance and that reputational damage is avoided. 

 

What other dangers do companies face today? 

In today’s digital world, the number of applications in use is growing – and so is the need for continuous updates and security versions. This requires more and more resources to close security gaps and prevent loopholes for attacks.  

 

However, the resources available for IT protection are sometimes very limited. 

Organisations should adopt a risk-based approach that prioritises the most critical vulnerabilities. Automation and a robust vulnerability-management programme will help close security gaps proactively without putting too much strain on IT teams. It’s also important to enforce strong endpoint security and implement centralised identity and access management (IAM) solutions to ensure consistent user authentication across all platforms.  

 

And that means outside the on-premises architecture as well? 

Employees work from all sorts of places these days: in their home office, in co-working spaces or on the go. As a result, company data is accessed via private Wi-Fi networks or personal devices that may not have adequate security. Cloud services and connected Internet of Things (IoT) devices are now also an integral part of many business processes – and each of these systems comes with its own security risks that need to be addressed. Organisations need to secure on-premises systems as well as cloud applications and SaaS platforms, making it difficult to control access and enforce consistent security policies. And the dangers don’t just extend to the company’s own infrastructure.  

 

What else is affected? 

Attackers also exploit third-party and partner vulnerabilities to penetrate corporate networks. The fact that a company’s own supply chain is also exposed to cyber risks is often still overlooked.  

How are companies countering these threats? 

As a general rule, companies should adopt a zero-trust model: no device, no user and no application is trustworthy per se; every access is checked continually and every communication is secured. This prevents attackers from moving through the network unnoticed. A central management platform is also essential to identify potential security vulnerabilities and to manage users, devices and applications efficiently. This allows security policies to be defined and rolled out automatically to all devices, instead of having to configure them manually on each individual device. A rigorous security check of all external partners is also essential. Companies need to ensure that their service providers meet the same high standards as they do – this includes regular audits, contractual security requirements and clearly defined risk management. 

 

Which technologies can support this? 

An example would be Cloud Access Security Brokers (CASB) that protect against unauthorised access and data loss by monitoring cloud traffic, enforcing security policies and detecting risks in real time. As a new technology, Secure Access Service Edge (SASE) combines network features (SD-WAN) with cloud-native security features (SSE) to create a secure, location-independent connection. A multi-layered approach is crucial – a single solution is no longer enough today. Combining SASE with Managed Extended Detection and Response (MxDR) is a sensible idea. MxDR secures corporate networks, the cloud, IoT and operational technology (OT) systems through continuous monitoring and early detection of suspicious activity. Many OT systems were originally developed without any modern cybersecurity mechanisms, making them particularly vulnerable to cyber attacks. The tricky thing is that an attack on OT systems puts physical processes in industrial plants – as well as their employees – at risk.  

 

With all these challenges, how can a company approach cybersecurity strategically without getting bogged down in individual measures? 

The Cybersecurity Framework from the National Institute of Standards and Technology (NIST) is a tried and tested concept. It offers policies to help companies of all sizes in all industries to take a holistic approach to improving risk management within the company. In the face of growing regulatory requirements and a shortage of skilled workers, this Framework helps companies structure their security measures efficiently and adjust them to meet legal requirements.  

 

What action areas does the Framework identify? 

It classifies cybersecurity into five key areas: Identify, Protect, Detect, Respond and Recover. These help companies adopt a systematic approach to security, instead of just reacting to acute threats as they arise. Identify means first capturing all critical systems, data and potential vulnerabilities. Protect addresses preventive measures such as access controls, coding and firewalls. Detect ensures that threats are spotted at an early stage through continuous monitoring. Respond defines clear processes to enable a quick and effective reaction to security incidents. Recover helps organisations recover quickly from an attack and restore operations. This all results in end-to-end protection that combines prevention, detection and response. Govern describes the organisational context across all phases, which includes the overarching risk-management strategy, clearly defined roles and responsibilities, internal policies and control over all measures and their implementation. 

NIST (National Institute of Standards and Technology) Cybersecurity Framework

So the Framework is a kind of guideline for long-term security? 

Exactly. Many companies only start to address cybersecurity after they’ve experienced an attack. The NIST Framework helps companies act proactively, identify risks at an early stage and minimise damage if there’s an emergency. 

 

What other tips do you have for companies that want to optimise their security strategy? 

I'd advise them to invest in security before it’s too late. The cost of an attack is many times higher than the investment in prevention. However, they should remember that cybersecurity isn’t a state, it’s an ongoing process. It begins with a detailed understanding of all the IT components, data and applications used in the company – from the internal network, cloud applications and employees’ private devices right through to the entire supply chain. A systematic approach to improving one’s own IT security can only be developed and implemented once the potential sources of danger are fully known – with the target being complete all-round protection in line with the NIST Framework. In the face of a shortage of skilled workers, automated solutions and collaboration with experienced experts can help a company to manage cyber risks efficiently and optimise its security strategies continuously. 
