FAQ
How long does it take to train an SME with 20 to 50 employees?
For an SME with 20 to 50 employees, the typical programme runs over 3 to 6 months:
- Week 1: set up PhishTrainer, send the first baseline phishing campaign.
- Months 1-2: Bexxo Academy access for all employees, introductory modules (30 to 45 min per module).
- Months 3-6: monthly phishing campaigns, targeted reminders for at-risk employees, progress report.
The setup is handled by Bexxo — no internal technical skills required. Monthly administration time is less than 2 hours for the HR or IT manager.
How many CVEs are published each year?
The volume of published CVEs increases every year: 25,227 in 2022, 29,065 in 2023, 40,009 in 2024, and 48,185 in 2025. In 2026, the trend continues to accelerate with more than 130 CVEs published per day. CVE Find indexes all these vulnerabilities in real time.
How much does ISO 27001 certification cost for an SME?
Between CHF 10,000 and 50,000 for a Swiss SME, depending on size and complexity. This cost includes preparation (gap analysis, ISMS implementation) and the certification audit by an accredited body. Renewal every 3 years generally costs 30 to 50% of the initial cost.
How much does a cyberattack cost a Swiss SME?
On average CHF 100,000 per incident for a Swiss SME, including business interruption, technical remediation and reputational damage. Ransomware cases can exceed CHF 500,000 if backups are compromised.
How much does a cybersecurity consulting service cost?
Our consulting engagements start from CHF 2,500 for an initial diagnosis. A full engagement (strategy + nFADP compliance + training) ranges from CHF 8,000 to CHF 35,000 depending on the size of the company and the scope. A personalised quote is provided after a free initial consultation.
How much does a network security audit cost?
Our network packages range from CHF 2,000 (Essential — vulnerability scan, simplified report) to CHF 18,000 (Premium — in-depth penetration tests, full assessment, management presentation). The Standard package (CHF 4,500) is the most requested by Swiss SMEs.
How much does a web security audit cost?
Our packages range from CHF 1,500 (Essential — 10 control points, automated scan, simplified report) to CHF 15,000 (Premium — 20 control points, in-depth penetration tests, API assessment, management presentation). The Standard package (CHF 3,000) is the most requested by Swiss SMEs.
How much does an IT security audit cost?
Our packages start at CHF 1,500 (Essential) and go up to CHF 15,000 (Premium) depending on the depth of analysis. Every audit complies with ISO 27002 and NIST CSF frameworks. Request a free quote tailored to your situation.
How do I use CVE Find to track critical vulnerabilities?
Our CVE Find service lets you filter and sort vulnerabilities by several key criteria: CVSS score, EPSS score, membership in the KEV list, severity level, publication date, etc. Combined, these indicators let you quickly identify the vulnerabilities that are the most serious and the most likely to be exploited.
Once the filters are applied, the user can subscribe to alerts or export the data for integration into internal tools. This makes it possible to maintain active monitoring, focused on genuinely dangerous vulnerabilities, while avoiding the noise of irrelevant information.
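The following is an added example, not code from Bexxo or CVE Find: it shows one way to combine the KEV, EPSS and CVSS indicators described above into a triage order for exported records. The field names, thresholds and sample records are assumptions made for illustration and do not reflect CVE Find's export format.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Vuln:
    cve_id: str
    cvss: float      # CVSS base score, 0.0 to 10.0
    epss: float      # EPSS probability of exploitation, 0.0 to 1.0
    in_kev: bool     # present in the KEV (known exploited) list
    published: date

# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.02, False, date(2025, 3, 1)),
    Vuln("CVE-0000-0002", 7.5, 0.91, True, date(2025, 2, 10)),
    Vuln("CVE-0000-0003", 5.3, 0.64, False, date(2025, 3, 5)),
    Vuln("CVE-0000-0004", 8.1, 0.40, False, date(2025, 1, 20)),
    Vuln("CVE-0000-0005", 4.0, 0.01, False, date(2025, 3, 7)),
    Vuln("CVE-0000-0006", 6.1, 0.05, True, date(2024, 11, 2)),
]

def tier(v, epss_min=0.30, cvss_min=7.0):
    """Return 1 (act now) to 4 (noise); thresholds are example values."""
    if v.in_kev:
        return 1                      # exploitation already observed
    likely, severe = v.epss >= epss_min, v.cvss >= cvss_min
    if likely and severe:
        return 2                      # severe and likely to be exploited
    if likely or severe:
        return 3                      # only one of the two signals
    return 4

def triage(vulns, max_tier=3):
    """Drop noise, then sort by tier, EPSS, CVSS and recency."""
    kept = [v for v in vulns if tier(v) <= max_tier]
    return sorted(kept, key=lambda v: (tier(v), -v.epss, -v.cvss,
                                       -v.published.toordinal()))

if __name__ == "__main__":
    for v in triage(SAMPLE):
        print(tier(v), v.cve_id, v.cvss, v.epss, "KEV" if v.in_kev else "")
```

Note that the record with CVSS 9.8 but a low EPSS score ranks below the CVSS 6.1 record that is in the KEV list: severity alone does not set the order.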
In what situations should I request a negotiation service?
When you are facing a conflict (for example, with a supplier) or ransomware demanding a ransom payment. The negotiation service allows you to explore legal and operational options.
Is CVE Find free?
Consulting the CVE Find database on www.cvefind.com is free and accessible to all. Advanced features (personalised alerts, monitoring of specific products, SMS notifications) are available to Bexxo clients as part of our audit and monitoring packages.
Is CVE Find free?
Yes, our CVE Find service is accessible free of charge online. All users can consult CVE records, apply filters, and access enriched information (scores, exploitation status, KEV/EPSS data). The objective of the site is to democratize access to vulnerability information, without financial barriers.
Advanced functionalities (e.g., API integration, automatic export, personalized alerts) are offered as options or premium services, but the basic functionality remains open to all.
Is ISO 27001 mandatory in Switzerland?
No, ISO 27001 is not legally mandatory in Switzerland. However, the nFADP requires appropriate technical and organisational measures to protect data. ISO 27001 provides the most recognised framework for demonstrating this compliance. Some sectors (finance, healthcare) require it contractually.
Is PhishTrainer hosted in Switzerland?
Yes. PhishTrainer is 100% Swiss: developed by Bexxo (Ins, canton of Bern) and hosted on servers in Switzerland. No data transfer abroad. Your employees' data and campaign results remain on Swiss territory, in compliance with nFADP requirements. PhishTrainer optionally offers client-side encryption: data is encrypted in the user's browser before being transmitted to our servers. In practice, even our infrastructure cannot access the data in plain text — this is a maximum confidentiality guarantee that few simulation tools can offer.
Is a network audit mandatory under the Swiss nFADP?
The nFADP (Swiss Federal Act on Data Protection, in force since September 2023) requires companies to implement proportionate technical and organisational measures to protect personal data. Although it does not explicitly require an annual network audit, documentation of security measures is mandatory. In the event of a data breach, the absence of demonstrated diligence can result in fines of up to CHF 250,000 for data controllers. An audit report provides this proof of diligence to the Federal Data Protection and Information Commissioner (FDPIC).