Four people are seated at a table in a meeting room, while a presenter speaks in front of a screen.

Security Switzerland 2026: What the report means for SMEs

Security Switzerland 2026: What the report means for SMEs

Yannick H.,

Too Long; Didn't Read

The 2026 NDB situation report reads like a topic for intelligence services, but it affects Swiss SMEs more directly than it seems. Hybrid warfare usually does not target companies personally. It hits them because they are useful as infrastructure, a supplier, or a transit point. Anyone who understands this will ask themselves a better question than "Are we a target?" before making their next investment. Namely: What use could we be to an attacker?

ODCUS Blog-Artikel Titelbild

«Switzerland Security 2026». Even the title sounds like something that only concerns others. Like intelligence services, diplomacy, army. Like a world that has little to do with your company in Baar, Winterthur, or Lugano.

Precisely that is the way of reading it that will benefit you the least.

The NDB (Federal Intelligence Service) published its situation assessment on June 25th, and the core message is sobering: The security situation has deteriorated further, and there is no all-clear signal. This is no reason to panic, but a good opportunity to take a proper look. Most people skim through a document like this, look for the word «threat», and internally tune out after «espionage» and «terror». The more useful word is further down. It is «platform».

Why «affected» means something different than you think

Russia is at the center of the threat to Switzerland, writes the NDB, and relies primarily on hybrid warfare. These are activities in the gray zone, below the threshold of an armed attack, whose originators can rarely be clearly identified.

For a business, this gray zone is the actual sticking point. You do not get a clear moment where someone shouts «It’s cyber war now». There is no headline saying: from today on, you are in the crosshairs. The threat is permanent, silent, and without a sender. You cannot react to something like that when it happens. You can only position yourself beforehand so that it matters less.

And then there is the sentence that almost everyone overlooks: Russia is abusing IT infrastructure in Switzerland for cyber sabotage abroad and is presumably using the country to prepare sabotage actions in Europe. Translated, this means: your server, your hijacked M365 account, your poorly maintained interface are interesting, even if no one wants to harm you specifically. Interesting as a tool against someone else. This has nothing to do with you as a person.

Added to this is the interdependence. Europe's infrastructures are closely linked, and an attack on a central hub hits several countries at once. An attack can therefore hit a Swiss supplier because other companies depend on them. This has little to do with the size or prominence of the supplier. We described this pattern in our post on Supply Chain Security: the weakest point of a supply chain is rarely the one everyone is watching.

If you manufacture something: the risk lies with your customer

One section of the report should make every Swiss machine and component manufacturer sit up and take notice. Switzerland remains a target for proliferation and sanctions evasion. Russia is covertly procuring goods and technologies for its armaments production via third countries, and this is how machine tools purchased in Switzerland have found their way to Russia.

This is not an espionage issue. This is a sales issue.

The customer with the clean order, the correct billing address in an unsuspecting country, who pays generously and asks no questions, may not be the end customer. Anyone who does not know who they are actually delivering to carries a risk that has nothing to do with IT and yet can have serious legal and financial consequences. The good news: this is manageable. It does not require a new system, just a few good questions in sales before the goods go out.

The honest question for manufacturing companies is therefore less «Is our network secure?» and more «Do we know where our products ultimately end up?». The NDB and SECO (State Secretariat for Economic Affairs) are raising awareness among companies exactly for this. It is worth not dismissing this as bureaucracy, but reading it as what it is: an indication that due diligence starts with the customer, not just at customs.

If you build on knowledge: espionage targets minds

According to the report, state actors from Russia, China, Iran, and North Korea are specifically targeting authorities, research, and high technology. The espionage threat comes mainly from Russia and China, partly via disguised bases in diplomatic missions where dozens of suspected intelligence officers work.

If your company is working on something that is hard to copy – a process, material expertise, an edge in research – then that is precisely the target. The path there rarely leads through a movie-like hack. It leads through people: the intern with extensive access rights, the researcher at the conference, the laptop in the hotel in a country where you had better not leave a laptop unattended.

For such companies, information security is not a compliance checkmark, but protection for the competitive edge that sustains the business. And the biggest lever is delightfully down-to-earth: knowing who has access to the truly valuable data, and deliberately keeping this circle small.

Zugriff auf die wichtigsten Daten bewusst klein halten

What affects everyone: the gray zone and AI

Two lines in the report affect practically everyone, regardless of industry and size.

The first is disinformation. According to the NDB, the German-language branch of the Russian state medium RT spread around a quarter more reports about Switzerland in 2025 than in the previous year, with a clear underlying tone: Switzerland in decline. Anyone who weakens trust in institutions weakens a country's resilience. For a business, this is closer than it sounds. The very same tools that destabilize a country work on a small scale against your company: the fake change of supplier with a new account number, the deceptively real voice message from the CEO that no one in accounting questions.

And this is where the second line comes into play. The report notes that artificial intelligence amplifies radicalization and propaganda and is already being used by extremists themselves. The same mechanism makes fraud cheaper and more convincing. A credible phishing email in flawless German costs almost nothing today. The same goes for a cloned voice for a call to accounting. The threshold at which an attack on a medium-sized company becomes profitable is thus dropping noticeably. You haven't become more important. It has just become cheaper to deceive you.

This sounds unpleasant, but it is highly manageable. What helps against such deception is unspectacular and has been known for a long time: a second channel before money flows, and a culture in which double-checking is not seen as mistrust, but as routine. There is no need for a new tool to achieve this, just a clear agreement within the team.

What actually remains

The NDB paints a picture that is easy to push aside because it is so large. World order, superpowers, war. At this level, an SME can achieve nothing, and that is true.

On one's own level, however, things look different. In this environment, you will rarely be the primary target. But you can be the convenient detour. The supplier with access. The unsecured node through which an attack on someone else runs. This is the real message of the report for the business world: today, «affected» usually means «usable», not «targeted».

Anyone who accepts this stops waiting for the big bang and starts asking the unspectacular questions. Who has access to what, and why do they still have it? To whom are we actually delivering? What would it cost if the node everyone relies on stood still for three days? These are not intelligence service questions. These are questions for the management team.

Crucially: the right answer is not panic. A situation report describes what is possible, not what is probable for your specific business, and cyber risk is just one business risk among several (we have contextualized that here). It is about something much more sober: knowing once and for all how useful your company would be to someone who isn't even targeting you.

If you cannot answer this question clearly, that is a good reason to take a structured look at it. That is exactly what we are here for. No alarmism, no new list of tools. Just an honest assessment of where you stand.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Two men are sitting together in a cozy setting, smiling and enjoying a conversation over drinks.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Two men are sitting together in a cozy setting, smiling and enjoying a conversation over drinks.
Abstract design featuring vibrant purple and blue gradients with geometric shapes and lines.
The text reads: "Let’s begin our digital journey."
Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.

Abstract design featuring vibrant purple and blue gradients with geometric shapes and lines.
The text reads: "Let’s begin our digital journey."
Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.