Yes. Based in Ins (Canton of Bern), our team supports SMEs across French-speaking Switzerland and beyond. Our audits can be conducted remotely or on-site, in French, German and English.

Yes, our CVE Find service integrates the KEV (Known Exploited Vulnerabilities) status maintained by CISA. If a vulnerability is confirmed to be actively exploited in the wild, it is marked as such on the corresponding CVE record, with a link to the official source.

This allows users to immediately identify urgent threats without having to manually cross-reference data with other databases. The KEV status is updated regularly and can also be used as a filtering criterion in the interface.

Yes, in the vast majority of cases. Even if an attacker obtains your password via a phishing page, they cannot log in without the second factor (SMS code, authenticator app, physical key). MFA blocks 99.9% of automated account attacks (Microsoft 2024). The only exception is real-time phishing (MITM / Adversary-in-the-Middle attack) which intercepts the MFA code in the same instant — this vector remains marginal for SMEs. The recommendation: enable MFA on all professional accounts without exception.

Yes. WordPress powers 43% of websites worldwide and is by far the most targeted CMS by attackers. Vulnerabilities often come from third-party plugins, outdated themes and misconfigurations. A Bexxo audit checks all of these points, not just the WordPress core.

Yes, if your website collects personal data, processes payments or is accessible from the internet. 73% of websites have at least one critical vulnerability (source: Bexxo, internal data). The nFADP (Swiss Data Protection Act) requires companies to document their security measures — an audit provides this proof. In the event of a data breach, the absence of diligence can result in fines of up to CHF 250,000.

No — the audit covers identification, classification and the action plan. Fixing the vulnerabilities is a separate service, which can be carried out by your internal teams based on the report, or by Bexxo on a quoted basis. This separation guarantees the objectivity of the audit: the auditor cannot have an interest in finding more vulnerabilities than actually exist. All our packages include assistance in understanding the report and taking the first corrective measures.

No, the nFADP (new Swiss Data Protection Act) does not impose any specific standard. It requires 'appropriate technical and organisational measures'. ISO 27001, NIST CSF or the Swiss ICT Standard are the most recognised frameworks for demonstrating this compliance in the event of an FDPIC inspection.

Three essential measures: regularly tested offline backups, multi-factor authentication (MFA) on all critical access points, and anti-phishing training for your employees. Bexxo offers all three services in its audit packages.

91% of cyberattacks start with a phishing email (Deloitte). Our white paper on phishing provides concrete cases and practical recommendations. For ongoing training, our PhishTrainer platform simulates realistic attacks and reduces the click rate by an average of 75%.

The effectiveness of cybersecurity training can be measured concretely using behavioural indicators:

• Click rate on simulated phishing — before/after training. A good programme reduces this rate by more than 70% within 6 months.
• Reporting rate — the number of employees who actively report a suspicious phishing attempt.
• Academy completion score — percentage of completed modules and quiz results.
• Trend over time — PhishTrainer dashboard with 12-month history.

These metrics are available in the Bexxo dashboard and can be exported for nDSG compliance reports.

Two options: direct access to the online platform (academy.bexxo.ch) with account creation for your employees and a tracking dashboard; or tailored in-person training at our premises in Ins (BE) or directly at your company. Contact us via the form on this page for a free, no-commitment consultation — we will define the programme best suited to your size and objectives together.

Theoretical training alone is not enough: studies show that employees forget 70% of training content within the week following the session (Ebbinghaus, replicated in numerous e-learning studies). The most effective approach combines simulation and corrective training: send real simulated phishing campaigns (via PhishTrainer), identify employees who click, then automatically redirect them to targeted training (Bexxo Academy). This method reduces the click rate by 60 to 70% in six months (Proofpoint 2024). Regular simulations (4 to 6 per year) maintain the level of vigilance over time.

The main warning signs are: a sender address slightly different from the original (e.g. support@rnazonl.com instead of @amazon.com), a sense of urgency or threat pushing you to act quickly, a request for your password or banking information, a link URL that does not match the expected site (hover before clicking), spelling or formatting errors. Warning: AI-generated emails are now perfectly written — grammar alone is no longer enough to detect them.

We identify the stakes and room for maneuver, assess the risks, and prioritize dialogue to achieve the best possible outcome, while limiting costs and legal risks.

We conduct a comprehensive assessment of your situation, identify any discrepancies, and propose a concrete action plan to align your practices with the required standards.