swissVR Monitor: How has the importance to businesses of cyber resilience changed over recent years? And how do you rate the general level of cyber threat in 2023?
Florian Schütz: Over recent years, we have seen an increase in awareness of cyber security, and many companies are now aware of cyber risks. However, their response varies: some are taking cyber security very seriously and putting the necessary measures in place, while others are doing little, if anything, to protect themselves in this area.
Reports to the NCSC of cyber-related incidents are currently running at a high level – around 700 per week, on average. One reason for this is greater public awareness, but we are also seeing a slight increase in the number of cyber attacks. Attacks involving fraud are particularly frequent at the moment: fake extortion emails threatening recipients with legal action if they do not comply currently account for about one-third of all reports to the NCSC.
We’ve also been seeing a slight uptick in the number of ransomware attacks over recent weeks, and it is likely that the numbers will continue to rise. One reason for this is that the war in Ukraine initially slowed down ransomware attacks as some groups of hackers turned their attention away from extortion to engage with the war. However, it’s highly likely they now need to get back to raising money, so we expect ransomware attacks to pick up again.
swissVR Monitor: We hear less in the media about cyber resilience in small and medium-sized enterprises (SMEs). Are SMEs less vulnerable to cyber attacks than larger companies?
Florian Schütz: All companies are at risk, regardless of size and sector. However, many SMEs lack the financial and human resources to take effective cyber security measures, so their expertise and infrastructure are limited or even non-existent.
It’s also the case that cyber criminals make a cost-benefit analysis, aiming to cause as much damage as possible with the least possible effort. From that perspective, SMEs are an obvious target, because it is easier to attack their IT systems than the more complex IT infrastructure maintained by large companies. Many SMEs are also reluctant to go public about a cyber attack, often because they are concerned about reputational damage. Large companies, though, are increasingly taking a different view, and a number have recently gone public, attracting media coverage.
swissVR Monitor: What steps do you advise companies to take to improve or increase their cyber resilience?
Florian Schütz: Cyber security needs to be taken seriously at the most senior level in the company! It is vital that senior management discusses the issue and that every company has a risk management strategy for cyber-related incidents in place. Management must also be aware of and document any residual risk and ensure that the finance is available to devise and implement crucial measures. Companies may feel that this involves substantial investment, but the changes don’t have to be implemented in one go. It’s important, though, that companies prioritise, with an absolute focus on keeping systems up to date: most successful ransomware attacks target known weaknesses for which patches are available but have not been applied.
As well as basic protection, creation of back-ups and regular updating, it is also important that companies raise their employees’ awareness of cyber security. Cyber attacks often start not with the company IT infrastructure but with a single individual who works for the company. Such social engineering, as it’s known, is designed to persuade staff to open an unsafe email attachment, for example, or divulge their password.
swissVR Monitor: What are the government and the NCSC doing to support companies with their cyber resilience?
Florian Schütz: The NCSC website offers lots of guidance and checklists to help companies protect themselves against cyber attacks and sets out what to do if an attack does take place. The NCSC also provides regular updates via its website and social media channels, such as LinkedIn, on new types of attack, security vulnerabilities and so on.
For its part, the Swiss government has worked with a number of partners to launch a nationwide awareness-raising campaign, known by its German acronym as S-U-P-E-R. The campaign focuses on five specific aspects of cyber security: backing up data, updating programs and apps regularly, keeping antivirus and malware systems up to date, using strong passwords for log-ins and reducing vulnerability. The site provides a host of tips for companies wanting to protect themselves against cyber threats.
swissVR Monitor: Switzerland’s new data protection legislation comes into force on 1 September and will take effect immediately, without a transitional period. How will the new legislation change the position for companies in relation to cyber resilience?
Florian Schütz: The new Federal Act on Data Protection will ensure that Swiss legislation is compatible with European law. This is important because it will ensure that the EU can continue to recognise Switzerland as a third country with an appropriate level of data protection; without this, additional measures would be needed to continue to transfer data across borders. The new legislation is therefore important for Switzerland as a business hub and for its competitiveness.
The measures the new legislation sets out, such as the requirement to notify data security breaches promptly to the Swiss Federal Data Protection and Information Commissioner (FDPIC), will make a major contribution to increasing cyber resilience.
Florian Schütz
Federal Cyber Security Delegate, head of the Swiss National Cyber Security Centre (NCSC) and, from 1 January 2024, Director of Switzerland’s new Federal Office for Cybersecurity
Florian Schütz, the Federal Cyber Security Delegate, is responsible for implementing the national strategy for protecting Switzerland against cyber risks and coordinating all cyber activities of the federal administration. He serves as the point of contact for the cantons, business and academia on cyber issues and heads the Confederation’s centre of excellence, the National Cyber Security Centre (NCSC). Florian Schütz holds a Master’s degree in Computer Science and a Master of Advanced Studies in Security Policy and Crisis Management from ETH Zurich and has more than ten years of management experience in IT security in the private sector.