In 2023, Swiss businesses faced a 61% increase in cyberattacks. How can one guard against such a threat? We discuss this with Sandro Nafzger, an "ethical hacker" and co-founder of Bug Bounty Switzerland.
The trend is sure to fuel discussions at the Swiss Cyber Security Days, which will take place from February 20th to 21st in Bern: from 2019 to 2023, Switzerland dropped from 14th to 27th place in the National Cybersecurity Index. This international indicator measures the resilience of different countries to cyber threats. This particularly pronounced decline notably affects businesses: in 2023, cybersecurity provider Check Point reported a 61% increase in cyberattacks. Additionally, one in three SMEs reports having experienced an attack, with serious damage occurring in 11% of cases. How can one raise awareness among employees and mitigate the risks of such a threat? Expert Sandro Nafzger provides advice.
Why is Switzerland falling in cybersecurity rankings?
Sandro Nafzger: The challenges associated with the digital world are progressing rapidly. Technologies like AI tend to increase the frequency and severity of attacks. However, Switzerland is not adapting its responses quickly enough, or at least not as agilely and swiftly as in other countries. This is likely explained in large part by cultural aspects, particularly related to high-quality standards. Our fear of making mistakes tends to deprive us of many innovations or slow down their adoption.
Successful attacks are often a result of human error. How does this factor stand as the primary weakness for businesses?
Nafzger: It's too easy to blame the users. If employees, for example, regularly click on malicious links but the company fails to react, it means the issue is also of a technical nature. It's important for an organization to achieve a high level of resilience. Prevention measures must go beyond simple training or awareness operations.
Whether they are human or technical, vulnerabilities are the breeding ground for cyberattacks. It's about constantly anticipating to identify and fix them. Recommended as part of our national cybersecurity strategy, ethical hacking in the form of "Bug Bounty Programs" - in other words, "bug rewards" - involves offering rewards to developers and experts who spot vulnerabilities before hackers do.
Why are Swiss SMEs preferred targets?
Nafzger: Large enterprises are often more lucrative targets, but they typically have the skills and resources needed to protect themselves well. Therefore, cybercriminals often find it worthwhile to target smaller businesses. Their ideal targets are companies that have enough funds to entertain extortion but are not yet adequately protected. Many Swiss SMEs fall into this category and consequently find themselves increasingly exposed each day.
Are certain economic sectors more affected than others?
Nafzger: The threat is increasing in all areas. Therefore, it would be a serious mistake for a company to believe that its size or sector protects it from a cyber-attack. However, certain sectors must protect themselves particularly well. These include healthcare, which deals with sensitive data, the public sector, and critical infrastructure essential to the country's survival. Another essential aspect concerns third parties and supply chains. Companies must secure their entire ecosystem, which also includes their external partners and suppliers. This involves imagining new forms of collaboration that go beyond the internal organization of the company.
Several recent crises have left a lasting impression. Are companies truly aware of the extent of the threat?
Nafzger: Unfortunately, most companies have not yet realized that they are becoming increasingly vulnerable. They often learn this the hard way, after a cyberattack. Bug Bounty Switzerland was created to prevent such situations. Through the legal cyberattacks we conduct with our ethical hackers, we promote this awareness, of course without causing any damage.
Is it possible for an SME to ensure a high level of protection?
Nafzger: Absolutely. It's often the companies with limited resources that make the smartest decisions. With good organization and a minimum of technical protection, SMEs can already accomplish a lot. Working closely with their teams and developing collective intelligence also allows them to improve a little more each day.
The new generative AI tools are becoming more widespread. Do they create new specific risks?
Nafzger: AI is a fantastic accelerator of speed and efficiency. These new tools are obviously used on both sides, both for attacking and protecting computer systems. We also use AI for our collaborative platform on vulnerabilities. This allows us to make our solution even more effective.