Digital security

How prepared are you? Are your organizational and technical measures ready for a cyberattack?

360° analysis and guidance

What does it mean for your organization ? How much would it cost you? On average, the National Cyber Security Center in Switzerland receives a cyber incident report every 10 minutes. Small and Medium-sized organizations suffer an average damage per cyber-attack from CHF 50k to 10 Mio.

Founded in 2015, Bhive.ch has been active for over 9 years in digital security. More than 50 organizations improved their resilience with us in 2023. You also want to gain confidence in your level of cyber protection to sustainably protect your business, your customers and your partners? Contact us to establish an offer. Be with us for your success.

NotYour.Business — by Bhive.ch

360° vision

Our work involves identifying the risks and priorities concerning security in the organization's activities. Our services are customized to each client's specific cybersecurity threats to reduce the impact or possibility of a breach. The diagnosis covers both organizational and technical contributions. Supporting consulting in the implementation phase enables the organization to reach the targetted protection level. The training of collaborators on the cybersecurity landscape and practical best practices rounds up our offer to support responsible security management for individuals, organizations, and authorities in Switzerland.

  • Diagnosis

    We assess organizations' cybersecurity maturity, identify vulnerabilities and provide a roadmap of all the priority measures to implement at the organizational and technical level to protect the confidentiality, integrity, and availability of information.

  • Solutions

    We provide guidance and follow-up in implementing measures when customers wish to be accompanied in their internal steps and with the solutions providers.

  • Training

    Our team, with its international expertise, provides training, sharing of best practices, and smishing campaigns when employee awareness is required.

Paving your way to resilience & success !

Path to success

Pave the way to a bullet proof working environnement as a baseline for your future successful and resilient business.

Organizational measures

Organizational measures that increase information security

1/10

Risks identified by management

The company's management has an overview of its activities and the dependencies on IT. What would be the consequences if the availability of specific information is no longer guaranteed? In case of data theft, which data are the most critical? Do we have recent backups? What financial impact could this have? What preventive measures are in place to reduce the probability or impact of such a failure?

2/10

Continuity plan

Operations must be able to continue even in the face of a significant blow. A cyber attack is a risk that must be managed, like a power outage, natural disaster, or break-in. Of course, the IT infrastructure is essential to the smooth running of the business. Therefore, it is crucial to have defined a strategy to temporarily ensure a minimum of the activity or, at worst, rebuild each system.

3/10

Definition of responsibilities

All collaborators are responsible for the smooth running of the business and are the company's first line of defense. Trained employees will behave appropriately in case of malicious attempts (e.g., in case of suspicious e-mails, who to contact). Caring exercises or tests are used to evaluate the effectiveness of the measures taken and to adapt them if necessary.

4/10

Awareness of employees

An awareness of the dangers of the digital world makes it possible to be receptive to good practices. Proper use brings benefits both in the workplace and in private life. Therefore, employees should be aware of the new threats in the information security field and encouraged to be cautious when using e-mails and surfing the Internet.

5/10

Phishing / smishing test

The theory is nice, but the practice is even better! Only facts allow us to take concrete actions. Phishing is constantly increasing in all its forms and is by far the most widespread cybercrime. Therefore, it is advisable to conduct a phishing campaign regularly and take concrete action based on link click rate.  

6/10

Suppliers

No proper suppliers' equipment quality, no chance. The responsibilities of IT service providers must be clearly defined and contractually established to leave no doubt. It is better to clarify the scope of each activity upstream than to discover afterward that no one was responsible for the backups.

7/10

Control your online information

An easy way for criminals to obtain information about potential victims is to access public information. Therefore, it is a good practice to consider the benefits of putting certain information online versus the risk it might pose to your contacts and yourself.

8/10

Online payment

To limit risk, use a computer dedicated to digital payment orders where no one is surfing the internet or receiving emails. Strictly adhere to established processes for control and authentication. Set up your accounts according to their intended use.

9/10

Regulatory framework

Be prepared. During an attack, there is enough to deal with. Every organization must comply with data protection regulations. Confidential information must be encrypted during transmission and storage. The legislative framework also imposes an obligation to communicate to the parties affected by the attack and the authorities.

10/10

Authentication

Design your password policy to meet the minimum resistance while achieving your protection goals. Passwords should be 12 characters long, including lowercase, uppercase, numbers, and special characters. If possible, use two-factor authentication.

Technical measures

Technical measures that strengthen the security of the IT infrastructure

1/10

Backups

Calling for help only works if plan B exists. A regular data backup should be in place, and the organization should keep them for several years. Backups must be stored on an external offline medium to prevent them from being encrypted in case of a ransomware infection.

2/10

Protection

Take sufficient precautions. The organization should install anti-virus and frequently analyze alerts. Each computer must have a firewall. Likewise, security updates must be automatically installed as soon as they become available to avoid malware exploit vulnerabilities. Critical data must be encrypted

3/10

Access rights

Only access what you should. Premises containing computer equipment must be secured against physical access by unauthorized persons. The segmentation of the company network into different domains prevents a gateway into a subnetwork from becoming a systemic problem. Each employee should only have access to the data they need daily.

4/10

Content management systems (CMS)

Don't be forced to be closed! Content management system updates should be done automatically as soon as they become available. Your IT manager should install a web application firewall (WAF). If your organization's website is critical to your operations, protection against attacks aimed at making a service inaccessible (distributed denial of service DDoS) is wise.

5/10

Audit trails

The IT manager must regularly check log files of critical systems, such as business software, firewalls, or mail servers, for suspicious usage. These files should be kept for at least a year and be part of the backups for traceability purposes.

6/10

IT infrastructure and lifecycle

The organization must maintain a comprehensive inventory of devices connected to the work network(s). Beyond business considerations, security must be part of the purchasing criteria throughout the lifecycle.

7/10

Emails

Emails remain the most used entry point for malware and fraud attempts. Vigilance is therefore required, and a few precautions upstream are just as valuable. Be sure to block attachments that may contain macros, as this is a widespread way to spread malware.

8/10

Remote access

When collaborators or IT providers need access to the remote work network, they should access it through a virtual private network (VPN) protected by two-factor authentication. The WiFi network must be encrypted (WPA2) and protected by a strong password. The guest WiFi network must be different from the organization's work network.

9/10

Cloud storage services

Confidential and sensitive data should not only be available in the cloud but also stored on a local drive. For example, ensure that the data hosting is in a country where the data protection legislation suits you and that the data access and backup conditions meet your IT security needs.

10/10

Computer vulnerabilities (internal, external, web scans)

Do not leave a door open without even realizing it! The scans are part of the control means and allow for highlighting the open doors, whether at the network level accessible from inside the work network, on public IP addresses of the infrastructure accessible from outside the work network, or on web pages.