Frequently Asked Questions

Quickly find answers to your cybersecurity questions.

The nFADP (new Federal Act on Data Protection, in force since September 2023) requires organisational data protection measures, including raising employee awareness of risks. If a data breach occurs and the company cannot demonstrate that it has trained its teams, it faces fines of up to CHF 250,000. Training reports generated by Bexxo Academy serve as evidence of due diligence in the event of an FDPIC inspection.

The nFADP (in force since September 2023) requires organisational data protection measures, including staff awareness. Beyond the legal obligation, training is the most cost-effective prevention lever: 91% of cyberattacks start with a phishing email (KnowBe4), a threat entirely preventable through training.

The nDSG (Swiss Federal Act on Data Protection, in force since September 2023) requires companies to implement organisational measures to protect personal data. Staff training is explicitly recommended by the Federal Data Protection and Information Commissioner (FDPIC) as an essential organisational measure. In the event of a data breach, the absence of documented training may increase the company's liability. Bexxo provides a monitoring report that serves as proof of due diligence in the event of an FDPIC audit. Data controllers face fines of up to CHF 250,000 in the event of a breach.

In the majority of cases, no. Paying the ransom does not guarantee recovery: 56% of organisations that paid only partially recovered their data (Sophos 2024), and 80% are re-attacked within the year. Bexxo first evaluates all technical options — decryption, backups, forensic extraction — before considering any negotiation, which always remains a last resort.

Yes. The nFADP (new Federal Act on Data Protection, in force since September 2023) requires appropriate technical security measures for all personal data processed. A network intrusion causing a data leak can result in fines of up to CHF 250,000 and an obligation to notify the FDPIC.

Yes. The nFADP (new Federal Act on Data Protection, in force since September 2023) requires organizational security measures, including raising employee awareness of risks. In the event of a data breach, a company that cannot demonstrate it has trained its teams faces fines of up to CHF 250,000. PhishTrainer campaign reports serve as proof of due diligence: they document the simulations carried out, click rates over time, and the corrective actions implemented.

Yes. Although ANSSI is the French authority, its 42 IT hygiene measures are universal and particularly relevant for French-speaking Swiss SMEs. The guide is free, pragmatic and compatible with NIST CSF and ISO 27001. It is an excellent starting point for companies in French-speaking Switzerland.

Yes, unconditionally. The initial analysis is offered by Bexxo as part of our cybersecurity awareness initiative for Swiss SMEs. No credit card is required, no contract is signed. At the end of the analysis, if you are interested in additional services (in-depth audit, package, training), you will receive a detailed quote — which you are free to accept or decline. 68% of Swiss SMEs have never had a cybersecurity review (NCSC): this analysis is designed to remove that barrier.

Yes. Our audits follow the controls of ISO 27001:2022 (Annex A — technological controls) and the NIST CSF as reference frameworks. The audit report can serve as proof of due diligence in the event of an FDPIC inspection under the nFADP.

Our approach is based on reliability, excellence, and innovation. We strive to maintain a robust cybersecurity posture for our clients, while staying at the forefront of the latest technological developments.

The 5 functions of the NIST Cybersecurity Framework are: Identify (understand assets and risks), Protect (access controls, encryption), Detect (monitoring, alerts), Respond (intervention plan, communication) and Recover (restoration, lessons learned). Each function is assessed on a score from 0 to 4.

There are 6 main forms of phishing:
  • Classic phishing — mass emails imitating a bank, a delivery service, or a government agency. More than 3.4 billion fraudulent emails are sent every day (Forbes 2024). Often recognizable by spelling errors and artificial urgency.
  • Spear phishing — targeted attack on a specific person, with real information (manager's name, ongoing project). Accounts for 66% of confirmed breaches (Verizon DBIR 2024).
  • Whaling — variant of spear phishing specifically targeting executives and managers, to access finances or strategic decisions.
  • Smishing — phishing via SMS. Typically imitates a banking alert, a parcel delivery, or a public service. SMS open rates exceed 90% — this vector is growing rapidly.
  • Vishing — voice phishing by phone. The fraudster impersonates IT support, a bank, or a government agency to extract information or trigger immediate action.
  • BEC (Business Email Compromise / CEO fraud) — impersonation of a manager or business partner to order a bank transfer or obtain sensitive data. The primary source of financial losses related to cybercrime: 2.9 billion USD in 2023 (FBI IC3 2024).

Key standards include ISO 27001, NIST, the nFADP, GDPR, and PCI-DSS. They provide robust frameworks for securing your systems and ensuring data protection.

Beyond the immediate cost (an average of CHF 100,000 for a Swiss SME), a cyberattack leads to four lasting consequences: (1) loss of customer trust — 87% refuse to work with a compromised company (McKinsey); (2) reputational damage that is difficult to reverse; (3) legal risks under the nFADP (fines up to CHF 250,000); (4) loss of competitive advantage if strategic data has been exfiltrated.

The main challenges include the protection of sensitive data, regulatory compliance (GDPR, ISO 27001, etc.), attack prevention, and crisis management. Bexxo helps you prioritize these issues and address them effectively.