Cybersecurity kickstart guide for new businesses: Where to begin
Starting a new company involves countless decisions: product development, hiring, infrastructure, financing, and customer acquisition.
Cybersecurity often sits far down that priority list until the first incident happens.
However, cyber risks affect organizations of every size. In fact, small and medium-sized businesses are increasingly targeted because attackers often assume they have weaker security controls.
The good news is that building a solid cybersecurity foundation does not require a large security team or enterprise-level budgets. What matters most is starting early and implementing the right basic principles.
This guide outlines practical steps that new businesses can take to organize cybersecurity from the beginning, including important regulatory considerations in both the European Union and Switzerland.
Start with risk awareness, not technology
Cybersecurity does not begin with buying tools. It begins with understanding what your company actually needs to protect.
Every organization processes different types of sensitive information. For most new businesses, the most critical assets include:
- Customer and user data
- Internal documents and contracts
- Intellectual property and product designs
- Financial systems and payment data
- Employee credentials and access to company systems
Mapping these assets helps determine which systems are most critical to your business operations.
At the same time, companies should be aware of the most common cyber threats affecting small businesses:
- Phishing and social engineering attacks
- Credential theft and account takeover
- Ransomware
- Data leaks and accidental exposure
- Insider risks
The key principle is simple: protect what matters most first.
Build the basic security foundations
Once the most critical assets are identified, companies should establish several core security controls. These form the foundation of a basic cybersecurity program.
Identity and access management
Controlling who can access company systems is one of the most important security measures.
Every company should ensure that:
- Each employee has a unique user account
- Multi-factor authentication (MFA) is enabled wherever possible
- Access rights are based on roles and responsibilities
- Administrative privileges are limited to necessary personnel
Centralized identity management systems can significantly simplify access control as a company grows.
Password security
Weak or reused passwords remain one of the most common causes of security breaches.
Companies should avoid insecure practices such as:
- Sharing passwords through email or chat
- Storing credentials in spreadsheets
- Reusing the same password across multiple services
A business password manager allows companies to store and share credentials securely while enforcing strong password policies.
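The two enforcement points in this section, a minimum password policy and the detection of passwords reused across services, can be checked mechanically. The script below is an added example and is not code from the original article or from any particular password manager; the breached-password list, the minimum length of 12, and the vault entries are constructed sample data, and reuse is detected by comparing keyed digests so the audit never needs to keep plaintext around.

```python
"""Password policy check and credential-reuse audit (added example, not from the article).

The breached list, the minimum length and the sample vault below are constructed
assumptions standing in for a real password manager's data.
"""
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

MIN_LENGTH = 12  # assumed policy value

# Constructed stand-in for a breached-password list. Real lists are matched by
# hash so that plaintext passwords are never compared or transmitted directly.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "Welcome1!", "letmein")
}

# Constructed sample vault: service name plus the stored password.
SAMPLE_VAULT = [
    {"service": "crm", "password": "Welcome1!"},
    {"service": "mail", "password": "correct-horse-battery-staple"},
    {"service": "wiki", "password": "correct-horse-battery-staple"},
    {"service": "bank", "password": "Tq7#vL9!pR2$wX4m"},
]


def check_policy(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    return problems


def find_reuse(vault: list[dict]) -> list[list[str]]:
    """Group services that share the same password.

    A random per-run HMAC key means the digests are only comparable within this
    audit and are useless to anyone who sees them afterwards.
    """
    key = secrets.token_bytes(32)
    by_digest: dict[str, list[str]] = defaultdict(list)
    for entry in vault:
        digest = hmac.new(key, entry["password"].encode(), "sha256").hexdigest()
        by_digest[digest].append(entry["service"])
    return sorted(services for services in by_digest.values() if len(services) > 1)


def audit_vault(vault: list[dict]) -> tuple[dict[str, list[str]], list[list[str]]]:
    """Return (policy violations per service, groups of services sharing a password)."""
    violations = {}
    for entry in vault:
        problems = check_policy(entry["password"])
        if problems:
            violations[entry["service"]] = problems
    return violations, find_reuse(vault)


if __name__ == "__main__":
    weak, reused = audit_vault(SAMPLE_VAULT)
    for service, problems in weak.items():
        print(f"{service}: {', '.join(problems)}")
    for group in reused:
        print(f"same password used for: {', '.join(group)}")
```

On the sample vault the audit flags the CRM password as both too short and breached, and reports that the mail and wiki accounts share a password; the bank entry passes. A real deployment would replace the constructed breached list with a range query against a breach-checking service and run the audit from the password manager's export rather than from an inline list.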
Device and endpoint security
Employee devices often serve as the entry point for cyber attacks.
Companies should implement basic device security measures such as:
- Automatic operating system and software updates
- Disk encryption on laptops and workstations
- Endpoint protection or antivirus solutions
- Company-managed devices whenever possible
These measures significantly reduce the risk of malware infections and unauthorized access.
Secure data handling
Organizations should define simple rules for handling different types of information.
For example:
- Classifying information as internal, confidential, or public
- Storing sensitive data in secure cloud environments
- Encrypting sensitive data where appropriate
- Maintaining reliable backup procedures
Even basic data classification policies can greatly reduce accidental data exposure.
Create basic security policies
Even small companies benefit from clearly defined cybersecurity policies.
These do not need to be complex or lengthy documents. Instead, they should provide clear guidelines for employees.
Common examples include:
- Password policy
- Access management policy
- Device usage policy
- Data handling guidelines
- Incident reporting procedures
The most important factor is that these policies are understood and consistently applied.
Train employees early
Technology alone cannot prevent security incidents. Human error remains one of the largest cybersecurity risks.
Employees should receive basic security awareness training that covers:
- Recognizing phishing emails
- Safe password practices
- Responsible use of cloud services
- Handling sensitive information
- Reporting suspicious activity
Introducing cybersecurity awareness during employee onboarding helps establish a strong security culture from the start.
Implement logging, monitoring, and backups
Organizations also need visibility into their systems and the ability to recover from incidents.
Basic security monitoring includes:
- Logging system and application activity
- Tracking user access to critical systems
- Monitoring administrative actions
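The three monitoring items above become concrete once they are expressed as rules over the logs a company already has. The script below is an added example, not code from the original article or from any specific product: it parses a constructed, simplified access-log format, and flags bursts of failed logins, administrative actions, and successful logins to systems designated as critical. The log format, the set of administrative actions, the critical-system names, and the threshold of three failures within five minutes are all assumptions.

```python
"""Basic access-log monitoring rules (added example, not from the article).

Log format, action names, critical targets and thresholds are constructed
assumptions; a real deployment would map them onto the IdP or system logs in use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) result=(?P<result>\S+)$"
)
ADMIN_ACTIONS = {"role.grant", "user.create", "user.delete", "mfa.disable"}  # assumed
CRITICAL_TARGETS = {"payroll", "prod-db"}  # assumed
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=5)

# Constructed sample log lines, including one malformed line that must be skipped.
SAMPLE_LOG = [
    "2024-05-02T08:00:00Z user=alice action=login target=crm result=ok",
    "2024-05-02T08:01:00Z user=bob action=login target=prod-db result=fail",
    "2024-05-02T08:01:30Z user=bob action=login target=prod-db result=fail",
    "2024-05-02T08:02:10Z user=bob action=login target=prod-db result=fail",
    "2024-05-02T08:05:00Z user=carol action=role.grant target=bob result=ok",
    "2024-05-02T08:06:00Z user=bob action=login target=prod-db result=ok",
    "this line does not match the expected format",
]


def parse(lines: list[str]) -> list[dict]:
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        # fromisoformat only accepts a trailing 'Z' from Python 3.11 on, so normalise it.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def analyse(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return findings as (kind, user, detail) tuples in time order."""
    findings = []
    recent_failures: dict[str, list[datetime]] = defaultdict(list)
    for e in sorted(parse(lines), key=lambda ev: ev["ts"]):
        if e["action"] in ADMIN_ACTIONS:
            findings.append(("admin_action", e["user"], f"{e['action']} on {e['target']}"))
        if e["action"] == "login" and e["result"] == "ok" and e["target"] in CRITICAL_TARGETS:
            findings.append(("critical_access", e["user"], e["target"]))
        if e["action"] == "login" and e["result"] == "fail":
            window = recent_failures[e["user"]]
            window.append(e["ts"])
            # Drop failures older than the sliding window before counting.
            while window and e["ts"] - window[0] > FAILURE_WINDOW:
                window.pop(0)
            if len(window) == FAILURE_THRESHOLD:
                findings.append(
                    ("failed_login_burst", e["user"],
                     f"{FAILURE_THRESHOLD} failures within {FAILURE_WINDOW}")
                )
    return findings


if __name__ == "__main__":
    for kind, user, detail in analyse(SAMPLE_LOG):
        print(f"{kind:20} {user:8} {detail}")
```

Run over the sample lines, the rules produce three findings in order: a burst of failed logins by bob, a role grant performed by carol, and bob's subsequent successful login to the production database. Read together they are exactly the sequence a reviewer would want to see as one story rather than three unrelated log entries, which is why the findings keep their time order.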
Equally important is a reliable backup strategy.
Companies should:
- Maintain regular data backups
- Store backups securely
- Periodically test data restoration procedures
Backups are often the most effective defense against ransomware attacks.
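"Periodically test data restoration procedures" is the step most often skipped, and it is the one a script can make routine. The example below is added here and is not code from the original article or from any backup product: it writes a backup archive together with a manifest of file checksums, restores the archive into a scratch directory, and reports every file that is missing or whose content differs from the manifest. The directory layout and file contents are constructed sample data.

```python
"""Backup creation with a checksum manifest and an automated restore test
(added example, not from the article; sample files are constructed)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive every file under source and return {relative path: sha256}.

    The manifest is also written next to the archive so a later restore test
    can run without access to the original data.
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and return a list of problems (empty = good)."""
    with tempfile.TemporaryDirectory() as tmp:
        restore_dir = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where available so a crafted archive
            # cannot write outside restore_dir (older Pythons lack the filter).
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
        problems = []
        for rel, expected in manifest.items():
            restored = restore_dir / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"checksum mismatch: {rel}")
        return problems


def run_demo() -> dict:
    """Build a constructed data set, back it up, verify it, then verify against a tampered manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "contracts").mkdir(parents=True)
        (src / "contracts" / "nda.txt").write_text("constructed sample contract\n")
        (src / "customers.csv").write_text("id,name\n1,Example AG\n")
        archive = Path(tmp) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)
        # Simulate a backup whose content no longer matches what was recorded.
        tampered = dict(manifest)
        tampered["customers.csv"] = "0" * 64
        return {
            "files": len(manifest),
            "clean": clean,
            "tampered": verify_restore(archive, tampered),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The clean run returns no problems, while the run against the altered manifest reports a checksum mismatch for customers.csv, which is the failure mode a restore test exists to catch. In practice the verification would run on a schedule against the most recent archive from the backup destination, not against the copy still sitting on the source machine, so that it also exercises the retrieval path.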
Understand regulatory requirements
Cybersecurity is increasingly influenced by regulatory frameworks. New businesses should understand the legal environment in which they operate.
Requirements differ depending on jurisdiction. Below is a brief overview of the most relevant frameworks in the European Union and Switzerland.
Cybersecurity and data protection in the European Union
Companies operating in the EU must comply with several regulations related to cybersecurity and data protection.
General Data Protection Regulation (GDPR)
The GDPR governs how organizations collect, process, and store personal data.
Key requirements include:
- Implementing appropriate technical and organizational security measures
- Protecting personal data against unauthorized access or disclosure
- Reporting certain data breaches to supervisory authorities
GDPR applies not only to EU-based companies but also to organizations outside the EU that process EU residents’ data.
NIS2 Directive
The NIS2 Directive strengthens cybersecurity requirements for organizations operating in critical or important sectors.
Companies covered by NIS2 must implement:
- Risk management measures
- Incident detection and response capabilities
- Mandatory reporting of significant cyber incidents
Even organizations not directly covered by NIS2 may be affected through supply chain relationships.
Cyber Resilience Act (CRA)
The EU Cyber Resilience Act introduces cybersecurity requirements for products with digital elements.
Manufacturers of software and connected devices must ensure that their products are:
- Secure by design and by default
- Maintained with security updates
- Transparent about vulnerabilities
- Supported with structured vulnerability handling processes
The CRA significantly increases security expectations for software vendors operating in the EU market.
Cybersecurity and data protection in Switzerland
Switzerland maintains its own legal framework for cybersecurity and data protection.
The most relevant regulation is the revised Federal Act on Data Protection (revFADP).
This law requires organizations to:
- Protect personal data against unauthorized access
- Implement appropriate technical and organizational security measures
- Notify authorities in the event of certain data breaches
Compared to EU regulations, the Swiss framework is generally principle-based and flexible, focusing on adequate protection rather than prescriptive technical requirements.
Nevertheless, companies handling personal data must still implement strong security controls and transparent data processing practices.
Choosing the right security tools
Once policies and basic processes are in place, organizations can support them with appropriate technology.
A typical security stack for small and medium-sized businesses may include:
- A business password manager
- Identity and access management systems
- Endpoint protection solutions
- Secure cloud collaboration platforms
- Backup and recovery solutions
- Logging and monitoring tools
Security tools should support well-defined processes rather than replace them.
Start small, improve continuously
Cybersecurity maturity does not happen overnight. Instead, it develops gradually as companies grow.
A practical approach includes:
- Establishing baseline security controls
- Reviewing risks periodically
- Improving policies and tools over time
- Conducting occasional security assessments
Continuous improvement is far more effective than attempting to implement complex security programs all at once.
Conclusion
Cybersecurity is no longer just an IT concern — it is a fundamental business requirement.
For new companies, building a security foundation early can prevent costly incidents, protect customer trust, and support regulatory compliance.
By focusing on identity protection, secure password management, employee awareness, and basic security policies, organizations can significantly reduce their cyber risk.
Cybersecurity does not need to start with complexity.
It starts with clear priorities, practical controls, and continuous improvement.