In Swiss SMEs, identity is no longer a background service. It is the perimeter.
The old model assumed that if you controlled the network edge, you controlled access. That assumption no longer holds true with Microsoft 365, Azure admin portals, remote work, SaaS applications, and supplier access. Today, the most important security decisions happen before a packet reaches your firewall: who can sign in, from where, on what device, with what level of assurance, and what they can do afterwards.
Microsoft’s 2024 Digital Defense Report makes this uncomfortable reality measurable: password-based attacks account for more than 99% of 600 million daily identity attacks, and Microsoft blocks roughly 7,000 password attacks per second. This is not a metaphor. Identity is the dominant attack surface.
Switzerland is not immune. The Swiss National Cyber Security Centre (NCSC) received 975,309 phishing reports in 2024, with 20,872 confirmed phishing websites – a 108% year-over-year increase in confirmed sites. Phishing is the intake mechanism. It generates the credentials that fuel password spray, token theft, and account takeover.
The pattern is clear: attackers don’t “hack” their way in. They log in.
The Verizon 2025 Data Breach Investigations Report analyzed over 22,000 incidents and 12,000 confirmed breaches. Credential abuse remains the most common initial access vector. Ransomware appeared in 44% of breaches overall. For SMBs, ransomware-related breaches reached 88%. That is not a theoretical risk category. For a Swiss SME, it is business continuity.
Even more telling: 54% of ransomware victims had their domains appear in credential dumps, and 40% had corporate emails exposed through compromised credentials. Identity compromise is often upstream of major operational impact.
If you are a CIO in a Microsoft-heavy hybrid environment, this means something practical: your most important security control is not another tool. It is how well you run identity.
This is not about incompetence. It is about drift.
We see the same patterns repeatedly:
None of this happens overnight. It accumulates. Identity becomes plumbing: installed once, adjusted occasionally, rarely reviewed strategically.
The problem is that attackers operate at industrial scale. Small configuration weaknesses are not small when automation is involved.
Microsoft reports that more than 99.9% of compromised accounts did not have MFA enabled. At the same time, Microsoft states that over 97% of credential stuffing and more than 99% of password spray attacks use legacy authentication protocols.
If legacy authentication is still allowed, you are not facing a sophisticated adversary. You are volunteering for automation.
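An added example, not part of the original article or any Microsoft tooling: a Python check over exported Entra ID sign-in records that measures how much sign-in traffic still uses legacy authentication and flags a single source failing legacy sign-ins against many accounts. The field names follow the sign-in log schema (`clientAppUsed`, `authenticationRequirement`, `status.errorCode`, `ipAddress`); the legacy client list, the threshold, the `rec` and `posture` helpers and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed subset of the "clientAppUsed" values that denote legacy authentication.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
                  "Exchange Web Services", "Other clients"}

def rec(user, app, ip, error_code, requirement):
    """Build one constructed record shaped like an exported sign-in log entry."""
    return {"userPrincipalName": user, "clientAppUsed": app, "ipAddress": ip,
            "status": {"errorCode": error_code},
            "authenticationRequirement": requirement}

SF, MF = "singleFactorAuthentication", "multiFactorAuthentication"
# Constructed sample data (documentation IP ranges, fictional accounts).
SAMPLE = [
    rec("anna@example.ch", "IMAP4", "203.0.113.7", 50126, SF),
    rec("beat@example.ch", "IMAP4", "203.0.113.7", 50126, SF),
    rec("carla@example.ch", "POP3", "203.0.113.7", 50126, SF),
    rec("scanner@example.ch", "Authenticated SMTP", "198.51.100.20", 0, SF),
    rec("anna@example.ch", "Browser", "192.0.2.10", 0, MF),
    rec("beat@example.ch", "Browser", "192.0.2.11", 0, SF),
]

def posture(records, spray_threshold=3):
    """Summarise legacy-auth exposure and flag password-spray-like sources."""
    legacy_ok, single_factor_ok = set(), set()
    failed_by_ip = defaultdict(set)   # source IP -> users with failed legacy sign-ins
    legacy_total = 0
    for r in records:
        user = r["userPrincipalName"].lower()
        ok = r["status"]["errorCode"] == 0          # 0 means the sign-in succeeded
        if r["clientAppUsed"] in LEGACY_CLIENTS:
            legacy_total += 1
            if ok:
                legacy_ok.add(user)                 # breaks once legacy auth is blocked
            else:
                failed_by_ip[r["ipAddress"]].add(user)
        if ok and r["authenticationRequirement"] == SF:
            single_factor_ok.add(user)              # signed in without MFA
    spray = {ip: sorted(users) for ip, users in failed_by_ip.items()
             if len(users) >= spray_threshold}      # one source, many accounts
    return {"legacy_share": round(legacy_total / len(records), 2) if records else 0.0,
            "legacy_success_users": sorted(legacy_ok),
            "single_factor_users": sorted(single_factor_ok),
            "spray_sources": spray}

if __name__ == "__main__":
    print(posture(SAMPLE))
```

Accounts listed under `legacy_success_users` are the ones to migrate before legacy authentication is blocked; everything else in the legacy share is unwanted traffic.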
Multi-factor authentication remains one of the highest ROI security controls available.
Microsoft research shows that more than 99.99% of MFA-enabled accounts remained secure during the study period, with overall risk reduction exceeding 99%.
But ENISA’s 2024 Threat Landscape report documents the rise of MFA fatigue attacks and adversary-in-the-middle phishing, which can steal session tokens despite MFA.
The conclusion is not “MFA doesn’t work.” The conclusion is:
For Swiss SMEs, the practical rule is simple: phishing-resistant MFA for admins first. Then expand.
In many SMEs, admin sprawl is a silent risk multiplier.
Microsoft guidance recommends requiring phishing-resistant MFA for privileged roles and creating at least 2 emergency access accounts that are cloud-only and not federated.
This is not paranoia. It is operational safety. Emergency accounts must:
If your federation breaks or Conditional Access misfires, you need a recovery path. Without it, identity hardening becomes self-inflicted outage risk. Identity governance is not about maximum restriction. It is about controlled assurance.
In Swiss SMEs, Entra ID is rarely used on its own. On-prem AD, legacy applications, federation decisions, and supplier access still shape risk. Microsoft’s identity telemetry shows that compromised or misconfigured identity infrastructure remains a material risk. The Swiss Xplain incident illustrates how supplier and identity weaknesses can cascade into national-level exposure.
Identity must be treated as Tier 0 infrastructure:
If you cannot explain your identity trust model in one whiteboard session, you do not control it.
This does not require transformation. It requires discipline.
Weeks 1–2: Measure
Weeks 2–4: Remove Cheap Risk
Weeks 4–8: Reduce Blast Radius
PwC Switzerland reports that 65% of Swiss executives prioritize cyber risk mitigation and 67% plan to increase cybersecurity budgets, yet only 20% believe they can withstand serious cyber disruption and respond quickly. That gap is not a tooling gap. It is an execution gap. Identity governance is one of the fastest ways to close it.
Not perfection.
Boring identity is a competitive advantage. If you cannot measure your identity posture monthly, it is not a perimeter. It is hope.