FAQ
Is cybersecurity training mandatory for SMEs under the nFADP?
The nFADP (new Federal Act on Data Protection, in force since September 2023) requires organisational data protection measures, including raising employee awareness of risks. If a data breach occurs and the company cannot demonstrate that it has trained its teams, it faces fines of up to CHF 250,000. Training reports generated by Bexxo Academy serve as evidence of due diligence in the event of an FDPIC inspection.
Is cybersecurity training mandatory for SMEs?
The nFADP (in force since September 2023) requires organisational data protection measures, including staff awareness. Beyond the legal obligation, training is the most cost-effective prevention lever: 91% of cyberattacks start with a phishing email (KnowBe4), a threat entirely preventable through training.
Is cybersecurity training mandatory under Swiss nDSG?
The nDSG (Swiss Federal Act on Data Protection, in force since September 2023) requires companies to implement organisational measures to protect personal data. Staff training is explicitly recommended by the Federal Data Protection and Information Commissioner (FDPIC) as an essential organisational measure. In the event of a data breach, the absence of documented training may increase the company's liability. Bexxo provides a monitoring report that serves as proof of due diligence in the event of an FDPIC audit. Data controllers face fines of up to CHF 250,000 in the event of a breach.
Is it necessary to pay the ransom to recover data?
In the majority of cases, no. Paying the ransom does not guarantee recovery: 56% of organisations that paid only partially recovered their data (Sophos 2024), and 80% are re-attacked within the year. Bexxo first evaluates all technical options — decryption, backups, forensic extraction — before considering any negotiation, which always remains a last resort.
Is my network subject to the nFADP?
Yes. The nFADP (new Federal Act on Data Protection, in force since September 2023) requires appropriate technical security measures for all personal data processed. A network intrusion causing a data leak can result in fines of up to CHF 250,000 and an obligation to notify the FDPIC.
Is phishing simulation useful for nFADP compliance?
Yes. The nFADP (new Federal Act on Data Protection, in force since September 2023) requires organisational security measures, including raising employee awareness of risks. In the event of a data breach, a company that cannot demonstrate it has trained its teams faces fines of up to CHF 250,000. PhishTrainer campaign reports serve as proof of due diligence: they document the simulations carried out, click rates over time, and the corrective actions implemented.
Is the ANSSI guide applicable in Switzerland?
Yes. Although ANSSI is the French authority, its 42 IT hygiene measures are universal and particularly relevant for French-speaking Swiss SMEs. The guide is free, pragmatic and compatible with NIST CSF and ISO 27001. It is an excellent starting point for companies in French-speaking Switzerland.
Is the analysis really free and without commitment?
Yes, unconditionally. The initial analysis is offered by Bexxo as part of our cybersecurity awareness initiative for Swiss SMEs. No credit card is required, no contract is signed. At the end of the analysis, if you are interested in additional services (in-depth audit, package, training), you will receive a detailed quote — which you are free to accept or decline. 68% of Swiss SMEs have never had a cybersecurity review (NCSC): this analysis is designed to remove that barrier.
Is the audit compliant with ISO 27001 and nFADP standards?
Yes. Our audits follow the controls of ISO 27001:2022 (Annex A — technological controls) and the NIST CSF as reference frameworks. The audit report can serve as proof of due diligence in the event of an FDPIC inspection under the nFADP.
What are Bexxo's core values?
Our approach is based on reliability, excellence, and innovation. We strive to maintain a robust cybersecurity posture for our clients, while staying at the forefront of the latest technological developments.
What are the 5 functions of the NIST CSF?
The 5 functions of the NIST Cybersecurity Framework are: Identify (understand assets and risks), Protect (access controls, encryption), Detect (monitoring, alerts), Respond (intervention plan, communication) and Recover (restoration, lessons learned). Each function is assessed on a score from 0 to 4.
What are the different forms of phishing to know about?
There are 6 main forms of phishing:
- Classic phishing — mass emails imitating a bank, a delivery service, or a government agency. More than 3.4 billion fraudulent emails are sent every day (Forbes 2024). Often recognisable by spelling errors and artificial urgency.
- Spear phishing — targeted attack on a specific person, with real information (manager's name, ongoing project). Accounts for 66% of confirmed breaches (Verizon DBIR 2024).
- Whaling — variant of spear phishing specifically targeting executives and managers, to access finances or strategic decisions.
- Smishing — phishing via SMS. Typically imitates a banking alert, a parcel delivery, or a public service. SMS open rates exceed 90% — this vector is growing rapidly.
- Vishing — voice phishing by phone. The fraudster impersonates IT support, a bank, or a government agency to extract information or trigger immediate action.
- BEC (Business Email Compromise / CEO fraud) — impersonation of a manager or partner to order a bank transfer or obtain sensitive data. The primary source of financial losses related to cybercrime: 2.9 billion USD in 2023 (FBI IC3 2024).
What are the essential cybersecurity standards?
Key standards and regulations include ISO 27001, the NIST CSF, the nFADP (Swiss Federal Act on Data Protection), the GDPR, and PCI DSS. They provide robust frameworks for securing your systems and ensuring data protection.
What are the lasting consequences of a cyberattack for a business?
Beyond the immediate cost (an average of CHF 100,000 for a Swiss SME), a cyberattack leads to four lasting consequences: (1) loss of customer trust — 87% refuse to work with a compromised company (McKinsey); (2) reputational damage that is difficult to reverse; (3) legal risks under the nFADP (fines up to CHF 250,000); (4) loss of competitive advantage if strategic data has been exfiltrated.
What are the major cybersecurity challenges for businesses?
The main challenges include the protection of sensitive data, regulatory compliance (GDPR, ISO 27001, etc.), attack prevention, and crisis management. Bexxo helps you prioritise these issues and address them effectively.