Economic Impact of Cybersecurity Regulations and Breaches on Small to Medium-Sized Businesses

This thesis explores the economic impacts of cybersecurity threats on small and medium-sized enterprises (SMEs) in Switzerland, providing practical recommendations for enhancing cybersecurity management in these organizations. The study highlights a pressing issue: while awareness of cybersecurity risks is growing among Swiss SMEs, their capability to respond strategically and sustainably is still inadequate.
Through a combination of literature analysis, expert interviews, and a survey of SMEs, this study provides theoretical insight and a clear picture of the current state of cybersecurity in Swiss SMEs. While awareness of cyber threats is increasing, the study shows that implementation remains fragmented, reactive, and in many cases, insufficient. Basic technical measures, such as antivirus software and backups, are standard, but more strategic practices, such as formal incident response plans, employee training, and investment evaluation models, are often lacking.
The results reveal that the consequences of cyber incidents extend far beyond immediate financial losses. Operational downtime, reputational damage, and customer trust erosion represent indirect costs that, for many SMEs, can be more damaging than the attack itself. Alarmingly, nearly half of surveyed SMEs could not confirm whether they had been affected by a cybersecurity incident, indicating a lack of monitoring and internal reporting structures. These findings underline a critical vulnerability in detection and response readiness.
Although many SMEs recognize the importance of cybersecurity, actual investment remains low: most spend less than 5% of their IT budgets on it. Helpful models like Gordon-Loeb and ROSI are rarely utilized, often due to limited expertise or data, resulting in underfunded and misaligned security efforts. Regulations such as GDPR, the revised FADP, and NIS2 raise awareness but are often perceived as complex and costly, especially without tailored support for SMEs.
In response to these challenges, this thesis introduces a Foundational Cybersecurity Framework designed for Swiss SMEs. The framework is non-technical, adaptable, and aligned with the economic realities of small businesses. It includes six key pillars: (1) risk and asset analysis, (2) vulnerability assessment, (3) cost-benefit evaluation through Gordon-Loeb and ROSI, (4) governance and dedicated personnel, (5) employee training and cybersecurity culture, and (6) incident detection and response planning. By applying this framework, Swiss SMEs can move from reactive to proactive cybersecurity management, ensuring better protection against evolving threats and more strategic use of limited resources.
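As an added illustration of pillar (3), and not part of the thesis itself, the following Python works through the two figures that pillar relies on: the Gordon-Loeb optimal security investment for a single threat scenario, and the ROSI of that investment. It uses one of the two breach-probability function classes from Gordon and Loeb's 2002 paper, S(z, v) = v / (αz + 1)^β; the symbols v, L, z, α and β are the model's own, while every numeric value (the vulnerability, the potential loss in CHF, and the productivity parameters) is a constructed assumption chosen to make the arithmetic legible.

```python
"""Gordon-Loeb optimal investment and ROSI for one threat scenario.

Added example, not taken from the thesis. Uses the Gordon-Loeb class-I
security breach probability function S(z, v) = v / (alpha*z + 1)**beta, where
  v            vulnerability: probability of a breach with zero security spend
  L            potential loss (CHF) if the breach occurs
  z            security investment (CHF)
  alpha, beta  productivity parameters (alpha > 0, beta >= 1)
All numeric inputs below are constructed for illustration.
"""
import math


def breach_probability(z, v, alpha, beta):
    """Class-I breach probability remaining after investing z."""
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z, v, loss, alpha, beta):
    """ENBIS(z) = [v - S(z, v)] * L - z: expected loss avoided minus the spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def gordon_loeb_optimal(v, loss, alpha, beta):
    """Closed-form z* from setting the derivative of ENBIS to zero:
         v*alpha*beta*L / (alpha*z + 1)**(beta+1) = 1
       so z* = ((v*alpha*beta*L)**(1/(beta+1)) - 1) / alpha.
    A negative root means the first franc spent returns less than a franc,
    so the optimum is to invest nothing."""
    root = (v * alpha * beta * loss) ** (1.0 / (beta + 1.0))
    return max(0.0, (root - 1.0) / alpha)


def rosi(ale_before, ale_after, cost):
    """Return on Security Investment as a ratio:
       ROSI = (ALE_before - ALE_after - cost) / cost
    where ALE is the annualised loss expectancy (probability * loss)."""
    return (ale_before - ale_after - cost) / cost


def evaluate(v, loss, alpha, beta):
    """Compute z*, the ALE before and after investing z*, the ROSI of that
    spend, and whether z* respects Gordon-Loeb's 1/e rule (z* <= v*L/e)."""
    z_star = gordon_loeb_optimal(v, loss, alpha, beta)
    ale_before = v * loss
    ale_after = breach_probability(z_star, v, alpha, beta) * loss
    return {
        "z_star": z_star,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "rosi": rosi(ale_before, ale_after, z_star),
        "within_1_over_e_bound": z_star <= ale_before / math.e,
    }


def grid_check(v, loss, alpha, beta, step=500.0):
    """Brute-force sanity check: no investment on a coarse grid between 0 and
    the expected loss v*L yields a higher net benefit than z*."""
    z_star = gordon_loeb_optimal(v, loss, alpha, beta)
    best = expected_net_benefit(z_star, v, loss, alpha, beta)
    z = 0.0
    while z <= v * loss:
        if expected_net_benefit(z, v, loss, alpha, beta) > best + 1e-6:
            return False
        z += step
    return True


if __name__ == "__main__":
    # Constructed scenario: a single high-impact incident on an SME file server
    V, LOSS, ALPHA, BETA = 0.5, 400_000.0, 1e-5, 1.0
    r = evaluate(V, LOSS, ALPHA, BETA)
    print(f"expected loss before spend : CHF {r['ale_before']:,.0f}")
    print(f"optimal investment z*      : CHF {r['z_star']:,.0f}")
    print(f"expected loss after z*     : CHF {r['ale_after']:,.0f}")
    print(f"ROSI of z*                 : {r['rosi']:.1%}")
    print(f"z* <= v*L/e                : {r['within_1_over_e_bound']}")
    print(f"grid check passes          : {grid_check(V, LOSS, ALPHA, BETA)}")
```

Two points the numbers make that the prose alone does not: z* maximises the absolute net benefit, not the ROSI ratio, so a firm that only chases a high ROSI will systematically underspend (small investments always show the best ratio); and Gordon-Loeb's bound means the economically optimal spend never exceeds about 37% of the expected loss, which gives an SME without detailed data a defensible ceiling for its security budget.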

The framework offers a practical foundation that empowers SMEs to strengthen resilience, align with legal requirements, and build long-term trust with customers, partners, and regulators. Ultimately, this thesis underscores that cybersecurity is not just a technical concern but a business-critical issue. SMEs that fail to address it holistically risk significant operational and reputational harm. However, those who act strategically and early can turn cybersecurity into a competitive advantage.
In my view, the future of cybersecurity for Swiss SMEs presents significant challenges and promising opportunities. One of the biggest concerns is the growing shortage of qualified cybersecurity professionals, which will likely intensify as threats become more complex and regulatory demands evolve. Many SMEs will struggle to recruit or retain dedicated experts, especially in a competitive labor market.
However, I also see potential in non-technical improvements, particularly in cybersecurity awareness, strategic planning, and employee training. If SMEs focus on improving internal governance, fostering a security culture, and assigning roles and responsibilities, much progress can be made without significant new investments. Many of the most effective measures, like structured training, better incident response planning, or applying frameworks like the one I proposed, are relatively affordable but highly impactful.
I believe that if cybersecurity is treated as a management and leadership topic, not just an IT issue, Swiss SMEs can significantly improve their security posture. With the right mindset and a practical approach, even resource-constrained firms can build resilience, protect their operations, and turn cybersecurity into a business strength rather than a burden.