"How fit are Swiss companies in terms of ICT security - and what can they expect?"

Information and communication technologies (ICT) have long been the backbone of modern companies - especially in critical infrastructures. But how well are Swiss companies positioned in terms of cyber security? Which sectors are under particular pressure? And how can the ICT minimum standard be achieved in practice?

We spoke to Michael Gempp, ICT security expert at CTE. He helps companies set up robust OT and IT infrastructures and knows the challenges first-hand.

What exactly does the ICT minimum standard cover - and why is it so important for companies?

The ICT minimum standard defines the basic requirements for information and communication technology - i.e. IT and OT - for organizations with increased protection requirements. The aim is to achieve a uniform minimum level of cyber security. This is particularly essential for operators of critical infrastructures, as an incident can have far-reaching consequences. But other sectors will also benefit: The standard is a pragmatic guideline for systematically improving your own security situation.

How do you go about reviewing a company's ICT security situation?

We start with a structured inventory - both technically and organizationally. We look at existing systems, processes, interfaces and responsibilities. With a structural analysis, we evaluate the current status in comparison to the requirements of the ICT minimum standard. From this, we derive specific measures - prioritized, practical and tailored to the company.

You don't have to implement everything immediately - but you need to know where you stand.
Michael Gempp, IT System & Security Architect CTE AG

Which sectors are particularly affected or under particular pressure?

Especially companies with a high dependency on automated processes or networked control systems - i.e. energy suppliers, transport companies, waterworks, healthcare institutions or the manufacturing industry. In these areas, it is not only availability that is critical, but also the integrity and traceability of the systems. Regulations such as CySec-Rail or industry-specific requirements also increase the pressure to act.

Where are the most common security gaps - and why do they often go unnoticed?

Many vulnerabilities have their origins in a lack of organization: a lack of responsibilities, unclear processes, insufficiently documented systems. This has an impact on the technical conditions and allows security gaps that are then exploited. In OT, security is too often seen as a purely technical issue, but there is a lack of comprehensive security management. And because nothing "visibly" happens in everyday life, people underestimate how vulnerable they actually are.

[Figure: The ICT minimum standard with its five main areas.]
The five areas of the ICT minimum standard form independent fields of action for cyber security. We implement specific sub-areas of these for our customers as required.

How realistic is it to implement the ICT minimum standard as an SME?

Absolutely realistic. Although the standard sets out clear requirements, not everything has to be implemented immediately or in full depth. It is important that companies know where they stand - and that they know their risks. With a targeted assessment and a realistic action plan, many things can be improved step by step without overburdening the company.

Where is the journey heading? What developments do you see in the field of ICT security in the coming years?

The pressure will increase - due to new regulations, but also due to the increasing dependence on digital processes. IT and OT are growing closer together, which increases the requirements for security and governance. In future, companies will have to be increasingly prepared for audits, verification and structured processes. Those who are prepared now will have a clear advantage later.

What is your personal advice to companies that want to address this issue now?

Don't wait and see. Even if the topic seems complex - a structured start helps enormously. You don't have to solve everything immediately, but you do need to get started: For example, with a realistic overview of your own situation and a plan on how to minimize risks in a targeted manner. Investing today will save you effort tomorrow.

Would you like to know where you stand in relation to the ICT minimum standard?

Book a non-binding consultation with Michael Gempp, IT Systems Engineer.
