In January 2025, the CNIL issued an unprecedented call to European businesses: urgently secure large databases. This directive follows a massive wave of breaches affecting several million people in 2024, with a doubling of incidents affecting over one million records (CNIL, January 2025).
In Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) received 293 data breach notifications between September 2023 and November 2024 (FDPIC, November 2024). Today, databases represent far more than just a technical tool. They concentrate the bulk of a company’s value.
Yet nearly 80% of large-scale breaches are enabled by compromised employee accounts protected only by passwords (CNIL, January 2025). Between the proliferation of cloud environments, technical debt, and human error, these critical systems are becoming genuine points of weakness. Understanding why and how to act has become a strategic priority.

Table of Contents:
- What is a database and why is it so critical?
- The dangerous paradox of centralisation
- Real threats facing data
- Financial and regulatory impact of breaches
- How to effectively strengthen database security
- Towards a data security-focused company culture
What is a database and why is it so critical?
Before exploring vulnerabilities, it’s worth understanding what makes databases so central to today’s digital ecosystem.
Definition of a database in computing
A database is an organised system that stores, manages, and provides access to information in a structured way. Put simply, it’s a company’s digital vault. Unlike a basic Excel file, a database offers sophisticated mechanisms to guarantee data integrity, consistency, and availability.
In practical terms, think of a database management system (DBMS) like Oracle, MySQL, or PostgreSQL. These software packages organise information into tables, made up of rows and columns. Each table represents an entity (customers, products, transactions), and relationships allow this information to be cross-referenced meaningfully.
Different types of databases
The database landscape has diversified considerably. On one hand, SQL databases (relational) like SQL Server, MySQL, and PostgreSQL still dominate the global rankings. On the other, NoSQL databases are gaining ground for their flexibility in tackling Big Data and real-time challenges.
NoSQL databases come in four main categories:
- Document-oriented (MongoDB, CouchDB): ideal for semi-structured data
- Key-value (Redis, DynamoDB): lightning-fast for simple access
- Column-based (Cassandra, HBase): optimised for analytics
- Graph (Neo4j): perfect for modelling complex relationships
This diversification meets modern needs but multiplies attack surfaces and complicates security governance.
Architecture and critical functions
How is a database built? Beyond tables, a database relies on a layered architecture: hardware (servers, storage), software (DBMS), and application layers (access interfaces). Essential functions include storage, retrieval via SQL queries, updates, access control, and backups.
Each of these functions potentially represents a weak point. A poorly secured query opens the door to SQL injections. A faulty backup system exposes the business to catastrophic loss.

The dangerous paradox of centralisation
The first source of weakness lies in a paradox: businesses are centralising ever more critical data, creating increasingly attractive targets for cybercriminals.
Exponential growth in data volume
The volume of data managed by businesses doubles every two years. This explosion turns databases into genuine digital treasure troves. For a hacker, compromising a single large database can provide access to millions of customer profiles, years of transactions, or industrial secrets worth fortunes.
In Switzerland, financial services and healthcare firms are particularly affected. A regional bank might manage several hundred thousand customer files. A university hospital stores medical data spanning decades. Concentration is at its maximum, and so is the risk.
Dispersed and multicloud infrastructure
Paradoxically, while data is concentrating, infrastructure is dispersing. Databases no longer reside in a single secure datacentre. They’re spread across on-premise servers, public clouds (AWS, Azure, Google Cloud), hybrid environments, and edge devices.
This geographical and technological dispersion multiplies vulnerabilities. According to IBM, 40% of breaches in 2024 involved data spread across multiple environments (IBM Cost of Data Breach Report, July 2024). Every new access point, every API, every network connection becomes a potential entry point.

Real threats facing data
Beyond architecture, what are the real threats turning databases into critical weak points?
Credential compromise attacks
Compromised credentials now represent the most common attack vector in 2024, accounting for 16% of all breaches according to IBM. These attacks cost an average of $4.81 million and require the longest time to identify and contain (IBM, July 2024).
In France, nearly 80% of large-scale breaches recorded by the CNIL in 2024 were enabled by hijacking an employee or contractor account protected only by a password (CNIL, January 2025). The absence of multi-factor authentication (MFA) represents the most exploited flaw by cybercriminals.
SQL injections and application flaws
SQL injection remains a formidable attack technique. The principle? Injecting malicious code into an SQL query via a web form or API. If the application doesn’t properly validate user input, the attacker can execute arbitrary SQL commands: data extraction, modification, even complete deletion of tables.
According to OWASP, security misconfigurations represent 30% of web application vulnerabilities identified through penetration testing (IBM X-Force, 2024). Yet prepared statements alone would be enough to block the majority of SQL injection attacks.
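The contrast between a query built by string concatenation and a prepared statement, as an added example that is not part of the original article. The table, rows and the `customers` schema are constructed sample data; SQLite stands in for any DBMS since the binding mechanism is the same.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny customers table.
SAMPLE_ROWS = [
    ("alice", "alice@example.ch", "Geneva"),
    ("bob", "bob@example.ch", "Zurich"),
    ("carol", "carol@example.ch", "Basel"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, city TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Query built by concatenation: user input is parsed as SQL syntax."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the driver binds the value, so it cannot alter the query."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on a tampered value and on a legitimate one; return row counts."""
    conn = make_db()
    tampered = "x' OR '1'='1"  # the input shape the article describes: it closes the quote
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tampered)),  # whole table leaks
        "prepared_rows": len(lookup_prepared(conn, tampered)),      # no such username
        "legit_rows": len(lookup_prepared(conn, "alice")),          # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version returns every customer for the tampered input; the prepared version treats the same string as a literal username and returns nothing.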
Missing patches and technical debt
Managing security patches remains a major challenge. Businesses need to apply patches quickly, but this requires compatibility testing, involves downtime, and can cause regressions. In a context where 24/7 availability is demanded, IT teams continually postpone these critical maintenance tasks.
Meanwhile, known vulnerabilities (CVEs) are being massively exploited. In 2024, approximately 29,000 new CVEs were published, thousands of which were classified as critical or highly severe (NinjaOne, November 2025).
Backups: the forgotten weak link
Security efforts focus on the production database, but what about backups? Too often, backups are stored without encryption, on poorly protected media, or even accessible from the same network as the main database.
Result: hackers who compromise a backup obtain exactly the same data as if they’d attacked the database itself. Worse still, some organisations neglect restoration testing and only discover their backups are corrupted during a critical incident.

Financial and regulatory impact of breaches
The consequences of a compromised database go well beyond technical aspects. They strike at the very heart of business sustainability.
What is the true cost of a breach for businesses?
According to the IBM Cost of Data Breach 2024 report, the average global cost of a data breach reached $4.88 million, a 10% increase from 2023 (IBM, July 2024). This figure mainly concerns the large international companies studied by IBM.
But be careful: this amount varies considerably depending on organisation size. For Swiss SMEs, costs typically range between 100,000 and 500,000 Swiss francs, including forensic investigation, notification to affected individuals, legal fees, and customer loss. Even at this scale, the impact can be devastating: many SMEs never financially recover from a major breach.
The most exposed sectors remain healthcare ($9.77 million on average) and finance. For an SME with fewer than 50 employees, a breach affecting a few thousand customers can already represent several months’ turnover and threaten the company’s survival…
Swiss DPA compliance and sanctions
In Switzerland, the revised Federal Act on Data Protection (FADP), which came into force in September 2023, significantly strengthens obligations. Between September 2023 and November 2024, the FDPIC received no fewer than 1,183 complaints for FADP violations and 293 data breach notifications (FDPIC, November 2024).
Reputational impact impossible to quantify
Beyond the figures, the reputational impact of a massive breach remains difficult to quantify. How do you measure the loss of customer trust? The difficulty in recruiting new talent? The effect on share price for listed companies?
In 2024, 63% of organisations stated they would increase the cost of their goods or services following a breach, up from 57% in 2023 (IBM, July 2024). Costs are thus transferred to consumers, fuelling an inflationary spiral.

How to effectively strengthen database security
Facing these systemic risks, what concrete actions should be implemented to protect company databases?
Strengthened authentication: the absolute priority
The CNIL was clear in its January 2025 communication: multi-factor authentication (MFA) becomes essential for all employees accessing large databases containing several million records (CNIL, January 2025).
This measure is all the more essential where the information system can be reached from outside the organisation. The principle of least privilege must also apply: each account holds only the rights strictly necessary for its function.
Systematic encryption and key management
Data encryption must apply at three levels: at rest (stored data), in transit (network exchanges), and ideally in use. HSM (Hardware Security Module) technologies secure encryption keys, while KMS (Key Management System) solutions centralise their management.
For databases hosted in the cloud, the BYOK (Bring Your Own Key) approach guarantees that only the business controls its encryption keys. Even the cloud provider cannot access decrypted data.

Continuous monitoring and anomaly detection
Appropriate logging enables early incident detection and provides usable evidence for post-incident analysis. Where bulk extraction features are offered, the volume of data an attacker could extract through them must be limited.
DAM (Database Activity Monitoring) solutions analyse database activity in real time. Combined with a SIEM (Security Information and Event Management), they enable event correlation and instant alerts in case of anomalies.
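A minimal version of the bulk-extraction detection the two paragraphs above call for, as an added example that is not from the article or any DAM product. The audit log format (`timestamp user=… rows=… stmt=…`) and the log lines are constructed; the 10-minute window and 100,000-row threshold are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log (not from the article): one line per executed statement.
SAMPLE_LOG = """\
2025-01-15T09:00:05Z user=app_web rows=1 stmt=SELECT
2025-01-15T09:00:06Z user=app_web rows=1 stmt=SELECT
2025-01-15T09:01:10Z user=j.doe rows=25000 stmt=SELECT
2025-01-15T09:03:42Z user=j.doe rows=40000 stmt=SELECT
2025-01-15T09:05:01Z user=j.doe rows=45000 stmt=SELECT
2025-01-15T09:06:30Z user=app_web rows=3 stmt=UPDATE
2025-01-15T10:30:00Z user=etl_batch rows=60000 stmt=SELECT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>\S+)$")


def parse_line(line: str) -> dict:
    """Parse one audit line of the assumed format into a dict; reject anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "rows": int(m["rows"]), "stmt": m["stmt"]}


def detect_bulk_extraction(log_text: str, window_minutes: int = 10,
                           row_threshold: int = 100_000) -> list:
    """Alert once per account whose SELECT rows in a sliding window exceed the threshold.

    Returns (user, timestamp of the crossing query, rows in window) tuples.
    """
    windows = defaultdict(deque)  # user -> (ts, rows) events still inside the window
    totals = defaultdict(int)     # user -> rows currently inside the window
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["stmt"] != "SELECT":   # only reads count as extraction
            continue
        u, q = ev["user"], windows[ev["user"]]
        q.append((ev["ts"], ev["rows"]))
        totals[u] += ev["rows"]
        while q and ev["ts"] - q[0][0] > timedelta(minutes=window_minutes):
            totals[u] -= q.popleft()[1]   # expire events older than the window
        if totals[u] > row_threshold and u not in alerted:
            alerted.add(u)
            alerts.append((u, ev["ts"].isoformat(), totals[u]))
    return alerts


if __name__ == "__main__":
    print(detect_bulk_extraction(SAMPLE_LOG))
```

In a real deployment the alert would be forwarded to the SIEM for correlation with authentication events, and the per-window thresholds tuned per account role (an ETL service account legitimately reads far more than an analyst).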
Artificial intelligence and automation
Organisations that deploy AI and automation extensively in their prevention operations save more than those that do not use them.
AI notably helps reduce by an average of 100 days the time needed to identify and contain a breach. Two out of three organisations in the IBM study now deploy AI and automation in their security operations centres (SOCs).
Awareness and ongoing training
Since 90% of cyber incidents result from human errors or behaviours, training remains crucial. Human errors include using weak passwords, falling victim to phishing attacks, or inappropriately sharing credentials.
Many situations can be avoided through increased user awareness: shared login accounts, staff clicking on phishing links, malware installed on workstations.

Towards a data security-focused company culture
Technology alone isn’t enough. Database security requires a cultural transformation where every employee understands their responsibility.
Governance and clear responsibilities
Who’s responsible for database security? The CISO? The DBA? The business manager? Too often, this ambiguity leads to diluted responsibilities where no one truly takes ownership of the subject.
Clear governance defines everyone’s roles: data classification according to sensitivity, access policies, approval processes for new uses, regular audits. In Switzerland, the DPO (Data Protection Officer) plays a central role in this orchestration.
Integrating security from design
The Security by Design principle involves integrating security from the design phase of a project. Rather than “adding” security afterwards, system architects model threats (threat modelling), define necessary controls, and test security throughout the development cycle.
In a DevSecOps approach, security testing is automated and integrated into the deployment pipeline. Each new application version undergoes vulnerability scans before going into production.

Conclusion
Databases have become critical strategic assets, but also prime targets. Massive breaches are multiplying, fuelled by simple flaws: absence of strengthened authentication, dispersed infrastructures, unapplied patches. Costs are exploding.
For Swiss businesses, the challenge is twofold: dealing with complex infrastructures whilst complying with the revised FADP which imposes strict obligations. The FDPIC is intensifying its controls.
Solutions exist: multi-factor authentication, encryption, continuous monitoring, AI for detection. But technology alone isn’t enough. A security-focused culture and ongoing training remain essential. Now is the time for action: a security audit is the starting point for building robust protection.
FAQ
What is an SQL database and how does it differ from NoSQL?
An SQL database organises data into structured tables with defined relationships, ideal for consistency and transactions. NoSQL uses flexible models (documents, key-value, graphs) suited to Big Data and horizontal scalability.
What are the main threats facing databases in 2025?
Compromised credentials (16% of breaches), absence of MFA (80% of large-scale breaches), SQL injections, misconfigurations (30% of vulnerabilities), unsecured backups, and targeted ransomware.
How can a Swiss SME effectively secure its databases on a limited budget?
Enable multi-factor authentication (MFA), apply patches regularly, encrypt sensitive data and backups, restrict access to what’s strictly necessary, and train staff. Open-source solutions like PostgreSQL offer native security without licensing costs.
What do Swiss and European regulations say about database protection?
GDPR requires appropriate security measures with fines up to 4% of global turnover. The CNIL has required multi-factor authentication for large databases since 2025. The revised Swiss FADP strengthens security obligations and breach notification within 72 hours.
How much does a database breach actually cost a business?
The average cost reaches $4.88 million (IBM, 2024), including investigation, notification, legal fees, fines, and customer loss. The healthcare sector records the highest costs averaging $9.77 million.
