awsmtech.ch

Cybersecurity in Business: The 5 False Certainties That Expose Sensitive Sectors

Cybersecurity in Business: The 5 False Certainties That Expose Sensitive Sectors

 

Law firms, fiduciaries, private clinics, private banks, international NGOs: in the sectors we support every day in French-speaking Switzerland, data is not just a simple IT asset. It is professional secrecy, a patient file, a client mandate, sensitive financial information. Yet a recent analysis published by Swisscom on IT security among SMEs highlights a reality we also observe in the field, audit after audit: most organizations that suffer a security incident were convinced, until the day of the attack, that they were properly protected.

This gap between the feeling of security and the actual level of protection is the real blind spot in business cybersecurity. It is almost never a matter of unwillingness, but rather a lack of verification, poorly defined responsibilities between the company and its IT provider, and assumptions that are never challenged.

Here are the five most common false certainties, and how we address them at AWSMTECH for clients who, by the very nature of their activity, cannot afford mistakes.

1. “Our data is backed up”

This is the most widespread certainty, and also the most dangerous. A backup exists in almost every organization we encounter. But a backup only has value if it has been tested under real restoration conditions, if it is isolated from the main network to withstand ransomware that could also encrypt the backups, and if the restoration time is compatible with the reality of the business.

For a law firm or a notary office, losing access to files for three days is not merely inconvenient: it can engage professional liability toward clients and legal deadlines. For a private clinic, it can directly affect continuity of care.

What we systematically verify: backup frequency, isolation, actual restoration time tested under real conditions, as well as coverage of all critical systems — not only files, but also email systems, business databases and server configurations.

2. “Our passwords are strong”

A complex password is still useless if it is stolen through phishing, reused on a compromised third-party service, or intercepted on an infected workstation. Password strength does not protect against credential theft. Only multi-factor authentication can effectively strengthen this protection.

In highly confidential sectors — wealth management, private banking, fiduciary services — access to email or document management tools is often the most direct entry point into the entire information system.

What we deploy: mandatory multi-factor authentication across all critical access points, a strict privileged access management policy, and real-time detection of suspicious logins.

3. “Access rights protect our data”

Many organizations apply generic access rights inherited from the company’s history rather than from a genuine security logic. As a result, an employee may have access to client files, HR data or financial information that is unrelated to their role.

If a single workstation is compromised, the entire scope of data accessible to that employee may potentially be exposed. For an NGO or an international organization operating in several countries, with remote teams and sometimes high staff turnover, this issue becomes central.

Our approach: applying the principle of least privilege, periodically reviewing access rights, and strictly separating sensitive environments — finance, HR, client files — through an architecture designed from the initial IT assessment.

4. “We update regularly”

The word “regularly” often hides a very uneven reality: some workstations are up to date, others are forgotten, business software is never patched for fear of incompatibility, and network equipment sometimes runs for years without firmware updates.

Known vulnerabilities are exploited by automated attackers only a few days after publication. The issue is therefore not only to perform updates, but to know exactly what needs to be corrected, within what timeframe, and with what level of priority.

What we implement: a complete inventory of the IT environment, automated and supervised patch management, as well as monitoring of critical vulnerabilities with contractually defined correction deadlines — not left to individual goodwill.

5. “We have a firewall”

A firewall effectively protects a clearly defined network perimeter, typically an office. But hybrid work, business travel and the use of mobile devices have largely dissolved this perimeter.

A notary accessing files from home, a wealth manager travelling, or an NGO team spread across several continents: in all these cases, the office firewall alone no longer protects very much.

Our response: security designed around identity and devices, not only the local network, through our secure workstation and managed mobility solutions.

The real problem is almost never technical

What these five points have in common is that they are almost never caused by a lack of tools, but by a lack of clarity about who is responsible for what. Many companies mistakenly believe that signing a contract with an IT provider automatically transfers responsibility for compliance.

This is not the case. Under the nLPD, as well as under the GDPR for organizations processing data from European residents, responsibility for data protection remains with the company’s management, regardless of the level of operational delegation to an IT partner.

A provider can execute, secure and document. But governance remains with the client.

This is precisely why we built our approach around three pillars: cybersecurity and compliance, IT assessment and audit, and outsourced CTO / CISO services.

These three dimensions make it possible to technically secure the infrastructure, objectively measure the real level of protection, and steer security with a clear strategic vision.

Five questions to ask your IT partner today

You do not need to be a technical expert to assess your real exposure. A few simple questions are often enough to open the discussion and identify areas of uncertainty.

When was our backup last tested — not simply saved, but actually restored?

Is multi-factor authentication enabled on 100% of our critical access points?

Who exactly has access to what within our organization — and has this list been reviewed in the past 12 months?

Is there a complete inventory of our equipment and software, with formal update monitoring?

Does our security protect the user and the device wherever they are — or only the office?

If any of these questions does not receive a clear and immediate answer, it is a sign that an audit is needed.

Our conviction at AWSMTECH

The organizations we support — law firms, notary offices, fiduciaries, private clinics and healthcare providers, private banks and wealth management firms, NGOs and international organizations — all share one thing in common: they cannot afford mistakes.

A data breach, service interruption or compliance failure is not just a technical incident. It is a reputational, legal and sometimes human risk.

This is why our role is not limited to installing tools. We clarify responsibilities, document what is in place, test what is supposed to work, and give our clients real — not assumed — visibility over their level of protection.

Want to know where your blind spots really are? Our experts can carry out an audit of your infrastructure and nLPD/GDPR compliance, then provide you with a clear action plan, prioritized according to the real risks of your activity.

Scroll to Top