SME cybersecurity: Let’s take action!

9 Mar 2018

Event report

The conference on cybersecurity and small and medium enterprises (SMEs) was opened by a panel discussion with Mr Pierre Maudet, state councillor for security and economy, and Ms Cécile Rivière, project manager at economiesuisse.

One of the recurrent statements made about cybersecurity and the necessity for SMEs to take action in this field was that money spent on the enhancement of cybersecurity should be regarded as an investment, not as an expense. In the near future, investment in cybersecurity will likely amount to CHF 6 billion per annum in Switzerland.

Even though SMEs in Switzerland indicated that they were well, or very well, prepared in terms of security, many businesses remain unaware of instances in which they were victims of cyber-attacks. Additionally, Rivière raised the point that according to a Swiss consumer study about who should be responsible for the protection against cyber-threats, up to two thirds of the people surveyed saw the protection of their information against cyber-threats as the responsibility of the company providing the online service.

The general agreement of the panellists was that SMEs in particular have to come up with their own security solutions, and that they should not, and cannot, rely solely on state efforts to protect them. This consideration was made in light of the companies’ positions towards the customers with whom they establish a relationship based on trust. Moreover, the required improvements to cybersecurity should not be rushed, but rather introduced gradually. According to Rivière, even though the General Data Protection Regulation (GDPR) was not quite welcomed by many companies, SMEs should quickly come to see it as an opportunity and a chance to improve their capabilities.

On a political level, Maudet, in line with Microsoft CEO Mr Brad Smith’s video message, emphasised that Geneva should become the global capital for cybersecurity, due to its unique position and experience in the policy sphere. Maudet also spoke of the need to create a global agency for digitisation that could potentially operate out of Geneva. The state councillor also identified the lack of political awareness regarding issues related to the digital field as a risk in the digital age.

Another panel of SME representatives, composed of Mr Nicolas Grange, associate at Grange & Compagnie SA, Mr Olivier Croset, the general director of the Dorier group, and Mr Patrick Schefer, the director of FAE, went on to speak about their experiences with breaches caused by cyber-attacks and online fraud. The common denominator was that state officials and police were largely unable to help, and that solutions had to be found through private means (i.e. cybersecurity firms, lawyers, security departments of banks).

After the SME panel, Ms Lennig Pedron, a cybersecurity expert, demonstrated the hacking of a person’s email account through ‘phishing’ and reiterated the importance of training staff members. This point was largely echoed by the audience, especially considering that, according to Pedron, 80% of all breaches can be traced back to human error.

A third panel presented the position of law enforcement and explained the limited actions they could undertake with regard to cyber-crime. The two panellists were Ms Ioulia Fasola, a criminologist for the Geneva cantonal police, and Mr Patrick Ghion, chief of the forensic section of the Swiss federal police.

The closing statement was made by Mr Michael Kleiner, economic development officer at the Directorate General for Economic Development, Research and Innovation. He recalled the creation of the Geneva Digital Talks in order to bring the Genevan SME community closer together, to address certain topics related to cybersecurity, and to respond to Brad Smith’s proposal for Geneva to become the cybersecurity hub of the world.

Kleiner went on to introduce the upcoming cybersecurity events in 2018 in Geneva, as well as the ICON conference, which will take place from 13 to 16 September 2018.

The conference was followed by a networking event based around four main topics:

  • Exploring the legal framework

  • Protecting computer systems

  • Lowering human errors in business practices

  • How to react to a cyber-attack?