Answers to your questions

Quickly find answers to your questions about cybersecurity, CVE Find, standards, vulnerabilities and Bexxo services in our comprehensive FAQ.

FAQ

Are Swiss SMEs more exposed than large companies?
Yes. SMEs are prime targets precisely because they have fewer security resources than large organisations, while still handling sensitive data. In Switzerland, 40% of cyberattacks directly target SMEs (NCSC). Unlike large companies, they often have neither a dedicated IT team, nor a tested continuity plan, nor a sufficient remediation budget — which explains why 60% of them cease operations within 6 months of a serious incident.
Are smishing (SMS) and vishing (phone) as dangerous as email phishing?
Yes, and they can be more effective, precisely because people expect them less.

Smishing (SMS): SMS messages have an open rate above 90%, compared with 20 to 30% for email. Messages typically imitate a delivery alert (postal service, DHL), a banking warning, or a government message. The link redirects to a fake login page. On mobile, the URL is often truncated and difficult to verify.

Vishing (voice): the attacker calls their victim directly, posing as IT support, a bank, or Microsoft. Real-time pressure and the human voice bypass the usual defenses. AI-generated voice deepfakes can now imitate the voice of a known colleague or manager.

The golden rule in both cases: never provide sensitive information following an unsolicited message or call — call the organization back directly via a known official number.
Are technical prerequisites required to follow a training course on Bexxo Academy?
No. Bexxo Academy's learning paths are designed to be accessible to all levels, from employees with no IT background to IT managers. Each path adapts to the participant's profile. Short modules (10 to 20 minutes) integrate easily into a working day without disruption.
Are there any famous examples of zero-day exploits?

Yes, several famous zero-day exploits have marked the history of cybersecurity. One of the best-known is Stuxnet, malware discovered in 2010 and designed to sabotage nuclear centrifuges in Iran. It exploited several zero-day vulnerabilities in Windows, revealing the level of sophistication of certain offensive cyber operations.

Another example: WannaCry, ransomware that struck hundreds of thousands of computers in 2017, exploited a Windows vulnerability revealed by the Shadow Brokers group. Although a patch had been released just before the attack, many systems were not up to date, showing that patch management remains a weak link. These examples are a reminder of the devastating impact that unpatched vulnerabilities can have.

Are these resources really free?
Yes. All our white papers, templates and guides are 100% free. Some exclusive content simply requires following our LinkedIn page and subscribing to our newsletter (max. 2 mailings/month, unsubscribe in one click). No credit card is required.
Are you subject to the nFADP after a ransomware attack?
Yes. The nFADP (new Federal Act on Data Protection, in force since September 2023) requires notification to the FDPIC as quickly as possible if a personal data breach presents a high risk to the individuals concerned. A ransomware attack that has accessed or exfiltrated personal data triggers this obligation. Bexxo supports companies through this regulatory process as part of its intervention.
Can I adapt your templates to my organisation?
Yes, each template is designed to be personalised. The documents are in PDF format with clearly identified sections to adapt (company name, scope, responsible parties). Bexxo can also support you with personalisation as part of a compliance audit.
Can a pentest disrupt production?

Yes, a penetration test can potentially disrupt production, but this depends heavily on the methodology used, the level of aggressiveness authorized, and the maturity of the infrastructure being tested. For example, exploiting certain vulnerabilities can cause service restarts, access blockages, or performance degradation.

That's why it's essential to define a clear framework before any test, including authorized time slots, systems to exclude (or duplicate in a test environment), and backup measures. Professional pentesters apply non-destructive techniques, but close communication with the IT team remains essential to anticipate and manage potential impacts.

Can a pentest identify a zero-day vulnerability?

A pentest can sometimes reveal a zero-day vulnerability, but it is not guaranteed. Pentests primarily rely on known vulnerabilities (CVEs, misconfigurations, risky practices), but it is possible that a manual test, a particular attack logic, or intuition may lead to the discovery of a previously unknown vulnerability.

However, the discovery of zero-days during a pentest remains rare and depends on the depth of the analysis, the experience of the testers, and the complexity of the system being tested. For this reason, some very advanced pentests include fuzzing or code audit phases specifically aimed at finding zero-days, particularly in high-stakes contexts (defense sector, finance, critical infrastructures).

Can several frameworks be combined (ISO, NIST, ANSSI, ICT)?
Yes, these frameworks are complementary. At Bexxo, we recommend a progressive approach: start with the Swiss ICT Standard or the ANSSI guide, structure with the NIST CSF, then aim for ISO 27001 certification. Each step reinforces the previous one without starting from scratch.
Can the network audit report be used for ISO 27001 certification?
Yes. Our audits follow the controls of ISO 27001:2022 (Annex A — technological and physical controls) and the NIST CSF as reference frameworks. The audit report constitutes documentary evidence of due diligence for ISO auditors, the FDPIC and your business partners.
Can you recover data if we have no backup?
Yes, in many cases. Our data recovery experts — the same teams as SOS Data Recovery, active since 2006 — can extract data directly from physical media (hard drives, SSDs, servers, NAS) using advanced forensic techniques. Ransomware encrypts files; it does not necessarily destroy them at the physical level. The recovery rate depends on the type of ransomware and the condition of the media.
Do you need an internal CISO or can you outsource?
For a Swiss SME, outsourcing the CISO function (vCISO — Virtual CISO) is often more cost-effective than a full-time hire. Bexxo can fulfil this role: defining the security policy, attending management meetings, handling incident management and reporting — at a cost suited to your size.
Does Bexxo consulting cover nFADP compliance?
Yes. nFADP compliance (new Federal Act on Data Protection, Switzerland) is integrated into all our consulting engagements. We analyse your data processing activities, identify gaps, implement the required technical and organisational measures and provide you with the documentation needed in the event of an FDPIC inspection.
Does Bexxo operate throughout Switzerland?
Yes. Based in Ins (Canton of Bern), our team supports SMEs across French-speaking Switzerland and beyond. Our audits can be conducted remotely or on-site, in French, German and English.