One morning, your files are encrypted and a ransom note appears. Ransomware no longer spares Swiss SMEs. On the contrary, they have become prime targets, because they are less well defended than large corporations. A ransomware attack can paralyse your business within hours. The good news: a handful of concrete measures dramatically reduce the risk.
Table of Contents
- How a ransomware attack works
- Why Swiss SMEs are targets
- Measure 1: 3-2-1 offline backups
- Measure 2: MFA everywhere
- Measure 3: patch management
- Measure 4: EDR and network segmentation
- Measure 5: employee awareness
- What to do during an attack
- Conclusion
- FAQ

How a ransomware attack works
Ransomware is malicious software that encrypts your data. Then criminals demand a ransom to restore access. Moreover, most current groups also steal your data before encrypting it. As a result, they threaten to publish it if you refuse to pay. This tactic is known as double extortion.
A ransomware attack never happens by chance. Indeed, it almost always follows the same script. First, the attacker finds a way in. Then they move quietly across the network. Finally, they trigger the encryption at the worst possible moment, often at night or over the weekend.
Three entry vectors dominate today:
- Phishing. A booby-trapped email pushes an employee to click or open an attachment. This is the most common vector.
- Exposed RDP access. A remote desktop service open to the internet, without MFA, becomes an easy brute-force target.
- Unpatched flaws. An outdated VPN, firewall or server offers a known, exploitable gap.
Consequently, understanding these vectors directly shapes your defence. Each measure below closes one of these doors. The following table summarises the link between entry vector and concrete countermeasure.
| Entry vector | How it is exploited | Main countermeasure |
|---|---|---|
| Phishing | Booby-trapped email, attachment or malicious link | Awareness and message filtering |
| Exposed RDP access | Brute force on an open remote desktop | MFA and closing unused services |
| Unpatched flaws | Exploitation of a known vulnerability | Rigorous patch management |
| Stolen account | Reused or leaked credentials | MFA and password rotation |
In short, no door closes on its own. Each row of this table matches a specific action you can start this very week.
Why Swiss SMEs are targets
Many business owners believe they are too small to interest cybercriminals. This is a dangerous mistake. In reality, SMEs concentrate several attractive weaknesses. They hold sensitive data, yet rarely have a dedicated security team.
According to the Swiss Federal Office for Cybersecurity (NCSC), ransomware remains a serious threat in Switzerland. During the second half of 2025, 57 ransomware cases were reported to the NCSC. This figure only reflects the incidents that were reported. The reality is therefore probably broader, since many companies never disclose their attacks.
Furthermore, attackers automate their campaigns. They continuously scan the internet for vulnerable systems. A Swiss SME is therefore just as valuable as any other target in their eyes. However, a well-prepared SME becomes far less profitable to attack. That is exactly why prevention changes everything.
Another factor makes the situation worse. Indeed, many Swiss SMEs outsource their IT to an external provider. This dependency creates a blind spot. You assume everything is handled, while backups or MFA may not be in place. Therefore, ask your provider precise questions. Ask where your backups are, whether they are tested, and who responds during an incident on a Sunday night. These answers are worth their weight in gold the day an attack strikes.

Measure 1: 3-2-1 offline backups
Backups are your last line of defence. Indeed, if your data stays recoverable, the ransom loses all its power. However, a backup permanently connected to the network will be encrypted too. It therefore offers no protection.
The 3-2-1 rule is the global reference, recommended notably by the US agency CISA. It rests on three simple principles:
- 3 copies of your data in total.
- 2 different media, for instance a disk and the cloud.
- 1 offsite copy, ideally offline or immutable.
The key word here is offline. A copy disconnected from the network, or an immutable backup that cannot be altered or deleted, resists ransomware. Moreover, test your restores regularly. A backup you never test is a false sense of security. Therefore, schedule a restore test at least every quarter.
Also think about how long a full recovery would take. Restoring several terabytes of data can take days, not minutes. Consequently, define a realistic recovery time and communicate it to management. This planning turns a chaotic crisis into a controlled procedure. In addition, document the steps so any team member can follow them under pressure.
Measure 2: MFA everywhere
Multi-factor authentication, or MFA, adds proof of identity on top of the password. As a result, even if a password is stolen, the attacker stays locked out. It is one of the most effective measures against intrusions.
CISA recommends phishing-resistant MFA for as many services as possible. In practice, enable it first on:
- Business email and Microsoft 365.
- VPN and remote desktop access.
- Administrator accounts and backup consoles.
However, not all MFA methods are equal. An SMS code is better than nothing, but an authenticator app or a physical key offers far stronger protection. Furthermore, never leave a privileged account without MFA. That is precisely what attackers look for first.
Beware of one modern trap as well: MFA fatigue. Attackers spam a user with repeated approval requests until someone taps accept out of frustration. Therefore, train your teams to reject any unexpected prompt. Moreover, prefer methods with number matching, which require the user to confirm a specific code. This small friction stops a whole category of attacks.
Recommended training
CISSP – Certified Information Systems Security Professional
Ref. ISC-CISSP
Master information security end to end and build a solid defence against ransomware. The benchmark certification for cybersecurity professionals.
Level: Advanced
Location: Geneva / Lausanne / Remote
Measure 3: patch management
Every piece of software contains flaws. Regularly, vendors release patches to fix them. However, an outdated system stays wide open. And attackers exploit known flaws within days, sometimes within hours.
Patch management means applying these updates quickly and systematically. For an SME, the approach comes down to a few reflexes:
- Inventory your exposed systems: VPN, firewall, servers, workstations.
- Prioritise critical patches, especially those exposed to the internet.
- Automate updates wherever possible.
- Set a maximum deadline for applying critical patches.
Moreover, beware of forgotten equipment. An old server or an end-of-life firewall quickly becomes a weak link. Therefore, replace or isolate any hardware that no longer receives security updates.
Finally, do not forget third-party software. Browsers, PDF readers and business plugins are all potential doorways. As a result, apply the same update discipline across your entire estate. A single neglected application can undo all your other efforts.

Measure 4: EDR and network segmentation
A traditional antivirus is no longer enough. Modern ransomware easily evades classic signatures. It uses legitimate system tools to blend in. That is why defences must evolve.
EDR to detect and respond
An EDR (Endpoint Detection and Response) monitors the behaviour of workstations and servers. As a result, it spots suspicious actions, such as mass file encryption. Then it can automatically isolate a compromised machine. This responsiveness often makes the difference between a contained incident and a full-blown disaster.
Segmentation to limit spread
Network segmentation divides your infrastructure into isolated zones. Consequently, an infected machine does not contaminate the entire network. In particular, separate critical servers, office workstations and backup systems. Moreover, restrict access rights to the strict minimum. In short, an attacker who gets in somewhere must not be able to reach everywhere.
For a small structure, this does not require a costly overhaul. Indeed, a few well-placed rules on your existing firewall already help. For instance, block direct access from ordinary workstations to your backup server. As a result, even a compromised laptop cannot reach your most valuable copies. This layered approach buys you precious time to react.
Measure 5: employee awareness
Technology cannot do everything. Indeed, phishing remains the number one attack vector, and it targets your employees. A well-crafted email can fool anyone on a tired day. Therefore, human vigilance is a defence layer in its own right.
Effective awareness rests on concrete habits, repeated over time:
- Check the sender before clicking a link or opening an attachment.
- Be wary of urgent messages that demand immediate action.
- Never share credentials by email or phone.
- Report any suspicious message to the IT team, without fear.
Furthermore, run simulated phishing campaigns. They measure the real level of vigilance and build lasting reflexes. However, focus on education, never on punishment. An employee who reports a mistake is worth more than one who hides it.
Consistency matters more than intensity here. A single yearly training session fades quickly from memory. Therefore, favour short and regular reminders throughout the year. In addition, involve management visibly, because example drives culture. When leaders take security seriously, teams follow. As a result, vigilance becomes a shared habit rather than an imposed constraint.

What to do during an attack
Despite every precaution, zero risk does not exist. If the attack strikes, every minute counts. However, panic is your worst enemy. Follow a clear plan and keep a cool head.
Here are the priorities recommended by the Swiss Federal Office for Cybersecurity:
- Isolate immediately. Disconnect infected systems from the network. The NCSC advises physically pulling out the network cable to stop the spread.
- Do not pay the ransom. The NCSC formally advises against payment. Indeed, nothing guarantees data recovery, and paying funds future attacks.
- Notify the NCSC. Report the incident to the Federal Office for Cybersecurity and file a complaint with the cantonal police.
Concretely, you can report an attack through the NCSC reporting portal. You will find the detailed steps on the official page Ransomware, what to do. Moreover, restore your systems from clean backups, never from a system that may still be infected. Finally, preserve the evidence, as it will help the investigation and your insurer.
Recommended training
CISSP – Certified Information Systems Security Professional
Ref. ISC-CISSP
Move from theory to a complete cyber-defence strategy. A benchmark course to anticipate ransomware and protect your business for the long term.
Level: Advanced
Location: Geneva / Lausanne / Remote
Conclusion
Ransomware is no longer a threat reserved for large corporations. Swiss SMEs are now on the front line, precisely because they are seen as more vulnerable. However, this vulnerability is anything but inevitable. The five measures presented here close the doors that attackers exploit.
Let us recap the essentials. 3-2-1 offline backups guarantee your survival. MFA and patching block the majority of intrusions. EDR and segmentation limit the damage. Finally, aware employees defeat phishing. Together, these layers form a solid and realistic defence, even with limited resources.
In short, ransomware protection is an ongoing project, not a box to tick. To go further and structure your strategy, a certifying course such as the CISSP gives your teams the skills they need. Because in cybersecurity, the best defence remains anticipation.
FAQ
What exactly is ransomware?
Ransomware is malicious software that encrypts your files. Criminals then demand a ransom to restore access. Most also steal your data and threaten to publish it.
Should you pay the ransom during an attack?
No. The Swiss Federal Office for Cybersecurity formally advises against paying. Nothing guarantees data recovery, and payment funds new attacks. Isolate, report and restore from your backups.
How do you protect effectively against a ransomware attack?
Combine five measures: 3-2-1 offline backups, MFA everywhere, patches applied quickly, EDR with network segmentation, and employee awareness. No single measure is enough, but together they are highly effective.
Why are Swiss SMEs targeted?
SMEs hold sensitive data but rarely have a dedicated security team. Moreover, attackers automate their campaigns and continuously scan the internet. A poorly protected SME therefore becomes an easy and profitable target.
Who should you report a ransomware attack to in Switzerland?
Report the incident to the Federal Office for Cybersecurity through its online portal. Also file a complaint with your cantonal police. Reporting supports the investigation and helps protect other companies.
