Swiss SMEs losing faith in their cyber defences

Written by Hossein Fezzazi | Nov 10, 2025 1:10:32 PM

Cyber threats have not eased, yet Switzerland’s small and medium-sized firms are showing signs of fatigue. The new Swiss SME Cybersecurity 2025 report finds that awareness remains high while confidence has fallen sharply. 

It is one of the most comprehensive national surveys to date, conducted with Die Mobiliar, digitalswitzerland, ASDS, the Swiss Internet Security Alliance (SISA), the Information Security Society Switzerland (ISSS), the Swiss Academy of Engineering Sciences (SATW), the University of Applied Sciences Northwestern Switzerland (FHNW), HES-SO Valais-Wallis and YouGov Schweiz. Their combined reach gives a clear picture of how Swiss SMEs view cyber risk and resilience. 

Only 42 percent of respondents now feel adequately protected against attack, down from 55 percent a year earlier. Nearly a third say cybersecurity is no longer a business priority. Cost pressures and daily operational demands often take precedence. 

A steady threat, a weaker response 

Roughly one in 25 firms has faced a cyber incident in the past three years. One in 20 has been blackmailed; four percent lost money through fraudulent emails. Yet few feel external pressure to improve security. Only 24 percent sense clear expectations from clients or peers to invest more.

Many companies either underestimate the consequences or lack the skills and capacity to act. The result is a resilience gap — a widening space between awareness and preparation. 

Where structure falls short 

Most SMEs have their technical basics in place: firewalls, software updates, data backups. Organisational practice tells another story. Only 30 percent maintain an IT security plan, staff training or an incident procedure. Around 20 percent carry out regular audits. 

Two-thirds rely on external IT providers, but more than half do not know whether those suppliers hold any recognised security certification such as ISO 27001. Tools without governance are a fragile shield. 

What IT providers see 

Among service providers, just 39 percent believe their SME clients are well protected; 14 percent say the opposite. Most providers attribute this not to a lack of available solutions, but to underinvestment and insufficient follow-through. 

They report that many SMEs delay implementing recommendations or scale back security plans once immediate risks appear contained. In effect, the protection gap is often self-inflicted. 

Despite this, 84 percent of IT firms expect demand for security services to grow, though only 40 percent of SMEs plan to raise spending. The imbalance suggests that awareness campaigns alone are not enough. Without consistent funding and executive attention, progress will remain slow.

Building digital resilience 

The study’s authors converge on a single point: resilience is the decisive measure of safety. Financial protection alone is not enough. True protection comes from combining technology, organisation and awareness.

For SMEs, that means treating cybersecurity as part of business continuity. Define roles and responsibilities. Train staff. Test providers. Audit systems regularly. These are simple disciplines, yet together they form the architecture of resilience. 

Highlights from the SME Cybersecurity Report 2025

  • 42 % of SMEs feel adequately protected (down 13 points from 2024) 
  • 28 % no longer treat cybersecurity as a priority 
  • 4 % lost money through fraudulent emails 
  • 30 % have a security concept or incident plan 
  • 84 % of IT providers expect rising demand 
  • 40 % of SMEs plan to increase security spending

Source materials

Cyber Security in Switzerland, Alliance Digital Security Switzerland: https://www.digitalsecurityswitzerland.ch/en/studies-cybersecurity