A recent headline touts a spectacular figure: 99.03% of 2,773 cyberattacks were allegedly neutralized in six months, with 245/253 forensic analysis requests processed. On paper, that sounds reassuring — except for one problem: the primary source for this claim needs verification. In the public sources reviewed, that exact statistic does not appear.
And even if the number were accurate, it doesn’t automatically reflect your reality: strong protection performance “at the state level” doesn’t make an SME immune. What matters to you is operational reality: your endpoints, your access controls, your backups, your vendors… and your ability to recover when an attack hits.
The SME Opportunity: good news if true — but indirect
If confirmed, the figure sends a positive signal: defenses and response capabilities for critical infrastructure appear to be maturing. For an SME, the downstream effects can be tangible:
- Stronger dependencies: your suppliers (telecom, power, public services, certain operators) may now be better protected.
- Incident-first culture: the volume of forensic requests suggests digital investigation is becoming standard practice, not a luxury.
- Market acceleration: as the ecosystem hardens, best practices (MFA, segmentation, immutable backups, EDR) become more accessible and industrialized.
But beware: those headline numbers say nothing about your actual exposure. Many leaders fall into the trap of reading national “weather” while their company lives in a different micro-climate of risk.
Stay Vigilant: three common traps behind big percentages
- Unverified source: without an official release (ANSSI, ministry, etc.), the figure remains an assertion. Before amplifying it internally, demand the original reference.
- Loose definition of “attack”: a reported or detected event isn’t necessarily a confirmed incident. Conversely, many SME incidents never get reported upward.
- Scope likely excludes SMEs: these stats may reflect reporting from critical entities. Public data for businesses shows roughly 15% have experienced incidents and 62% feel underprepared.
Business translation: your risk is measured less by the number of attacks “neutralized” and more by your downtime, your recovery capability, and your level of readiness when an incident lands at 8:42 on a Monday morning.
Compliance snapshot
NIS2 is in force and may apply if you’re a designated essential/important operator — or if you sit in the supply chain of a covered organization. Even if you fall outside the strict scope, your customers may be subject to NIS2 and will demand assurances.
On data protection, a GDPR audit is advisable whenever you collect or store incident-related information (logs, accounts, emails, digital evidence) — and to manage notification obligations. In Switzerland, the same logic applies under the nLPD. The takeaway: don’t handle incident response ad hoc; the technical response quickly becomes a compliance matter.
Conclusion & Cohesium support
Whether the “99.03%” figure is exact or not, the golden rule stands: SME cybersecurity is won through hygiene, governance, and preparedness. Big statistics soothe nerves, but ransomware doesn’t read press releases.
Instead of patchwork fixes, Cohesium AI can help with a tailored cyber strategy & security audit: evaluate your security posture (including NIS2 exposure where relevant), pinpoint governance gaps, and build a prioritized, ROI-driven roadmap. We also design your incident response process and, when needed, establish a framework for forensic audits so you can investigate fast and cleanly when the moment comes. Contact us to discuss custom integrations or a strategic audit.
