Cyberattacks: effective protection for companies

The ransomware attack on the Bern-based IT company Xplain in May 2023 is regarded as one of the most consequential cyberattacks in Switzerland. Around 1.3 million data objects were stolen, including over 9,000 objects from the Federal Administration. More than half of them contained sensitive information. The victims included the Federal Office of Police (fedpol), the Federal Office for Customs and Border Security (FOCBS), various cantonal police forces, the Swiss Federal Railways (SBB) and the canton of Aargau.

Even large Swiss companies and federal agencies are not immune to professional cyberattacks.

A cyberattack can take different forms, depending on the criminals’ target. In ransomware attacks, the attackers first encrypt important company data and systems and then demand a ransom for decryption. The criminals also often steal data and threaten to publish it.

In phishing attacks, criminals obtain access data via fake emails or websites and can then gain access to the entire company network. CEO fraud and invoice fraud directly target payments by inducing employees to transfer money to false accounts. Vishing attacks use phone calls to persuade victims to install remote software, which gives the criminals full system access.

The consequences range from data loss and business interruptions to massive financial damage and reputational damage. What makes these attacks particularly critical is that many of them initially go unnoticed, while the perpetrators are systematically searching the network.

The duration of a cyberattack varies a great deal. It can take just minutes or hours for a system to be compromised, for example when an employee clicks on a phishing link or discloses access data. However, professional attackers often linger undetected in the network for weeks before they strike. They use this phase to gain administrator rights, infiltrate other systems and identify valuable data. When criminals carry out ransomware attacks, the encryption takes place suddenly, often at night or at the weekend, when nobody can react.

Recovery after an attack typically takes days to weeks. The detection time is crucial. The faster an attack is identified, the less damage it causes. The NCSC therefore recommends continuous monitoring and rapid response mechanisms.

In Switzerland, it is not the company that is liable for data breaches, but the natural person responsible – this is an important difference in relation to the EU’s GDPR. According to the revised Data Protection Act (FADP) fines of up to CHF 250,000 can be enforced against the person responsible for the organization, typically the management or the Board of Directors. The act must be intentional, although contingent intent (awareness and acceptance of a possible violation) is sufficient.

A common misunderstanding is that cyberattacks do not automatically count as “force majeure”. If basic protective measures such as two-factor authentication or firewalls have not been put in place, the attack is often classified as preventable. Since April 2025, operators of critical infrastructure must report cyberattacks to the NCSC within 24 hours. Fines of up to CHF 100,000 may be imposed in the event of an infringement. In addition to being held criminally liable, civil claims for damages can be received from affected customers or business partners. Companies should therefore implement and document appropriate technical and organizational measures.

Cyberattacks have two main objectives. Firstly, financial gain through extortion (ransomware), fraud (CEO fraud, invoice fraud) or theft of payment information. Secondly, data theft and espionage, for example of business secrets, customer data or strategic information. Sometimes, both goals are combined: data is stolen and the company is then blackmailed with it.

Responsibility for cybersecurity is shared: the management bears strategic responsibility and must take appropriate steps and provide the necessary budget. The IT department can implement technical security measures such as firewalls, anti-virus software and access controls. But the most important line of defense is the employees themselves: as over 90% of successful attacks are the result of human error (clicking on phishing links, disclosing passwords), continuous awareness-raising and training are essential. Cybersecurity is not just a job for the IT department, but an overall corporate responsibility that can only be successful if all the parties involved work together.