Password Security: Key Factors for Businesses

Passwords remain the Achilles' heel of many Swiss companies. In 2024–2025, incidents such as the phishing attack on the Zurich Insurance Group and the ransomware waves involving Akira and Black Basta showed clearly how compromised credentials can lead to data loss, operational disruption and reputational damage.

Why password security must be a board-level priority

Passwords remain a primary entry point for attackers. According to the 2024–2025 Trend Report, a ransomware wave hit many Swiss firms, with stolen or weak passwords and missing multi-factor authentication (MFA) repeatedly identified as the point of entry. The Zurich Insurance Group case in early 2024 makes the same point: a phishing email was enough to compromise employee accounts and expose sensitive customer data. For CISOs, CTOs and security engineers this means that password policy and authentication controls must be discussed at board level and embedded in risk management.

Technical measures are necessary but not sufficient on their own. Strong, unique passwords, password managers, MFA, privileged access management and continuous monitoring of authentication events are the central technical building blocks; they have to be backed by governance and training. Government statistics and industry analyses show that organisations that implement these measures consistently are significantly more resilient to credential-based attacks (NCSC/Statista).

Concrete risks: SSO, central administration and backup processes

Central identity and access platforms simplify operations but concentrate risk. The outage of the SSO platform Onelog in October 2024 demonstrates how a compromised or poorly managed authentication system can disrupt access for thousands of users and, in that case, lead to the complete deletion of user data. For companies this means: SSO must be paired with robust backup and recovery concepts, strict access management and regular security testing, so that the identity provider does not become a single point of failure.

Furthermore, the recorded phishing volumes and the rising use of AI to produce deceptively realistic emails show that awareness programmes and penetration tests are not optional. SPIE's reporting, as well as reports of large phishing waves, show that attackers deliberately target employee passwords to gain initial access.

Practical measures for companies: What works immediately

From the incidents of 2023–2025, clear action points can be derived that can be implemented technically and anchored organisationally:

1. Enforce strong password policies and reduce password reuse. Mandate a minimum length and character complexity, screen new passwords against lists of known-breached passwords, and prohibit reuse of previous passwords. Roll out a password manager so that employees can actually use long, unique passwords per service; this reduces human error and makes the policy enforceable across large user groups.

2. Make multi-factor authentication (MFA) mandatory for all privileged and critical access. Many ransomware and data exfiltration cases could have been prevented, or at least made considerably harder, by comprehensive MFA. Because phishing is the dominant entry vector, prefer phishing-resistant factors (FIDO2 security keys or passkeys) over SMS and one-time codes where possible, and complement the rollout with monitoring of MFA failures and contingency plans for lost or compromised factors.

3. Privileged account management (PAM). Minimise persistent administrative rights, implement just-in-time privileges and enable session logging. This reduces the attack surface even if credentials are compromised.

4. Regular penetration tests and red-team exercises. The Zurich Insurance case shows: phishing-backed account takeovers remain real. Simulated attacks help identify process gaps and sharpen awareness measures (Zerberos analysis).

5. Backup and recovery strategies for authentication data. The Onelog outage shows why authentication data and user accounts must be kept resilient. Regular backups, recovery plans that are segregated from the primary identity platform, and the ability to activate an alternative authentication path (break-glass accounts, tested and monitored) are essential.
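As an added example, not code from the article or from any organisation named in it, the following Python script shows one way to enforce the password policy described in point 1 at the moment a password is set: minimum length, character classes, screening against a breached-password corpus using the prefix/suffix split (only the first five hex characters of the SHA-1 would ever leave the host, the suffix match happens locally), and reuse detection against salted PBKDF2 hashes of the user's previous passwords. The policy values, the breached list and the password history are constructed for illustration.

```python
"""Password-policy checker: length, character classes, breached-list screening
and reuse detection. Added example; policy values and sample data are constructed."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 12        # hypothetical policy values, not taken from the article
MIN_CLASSES = 3        # out of lower / upper / digit / symbol
HISTORY_DEPTH = 5      # number of previous passwords that may not be reused
PBKDF2_ROUNDS = 200_000

# Constructed breached-password corpus, indexed the way a k-anonymity range lookup
# works: key = first 5 hex chars of the SHA-1, value = set of the remaining 35 chars.
_BREACHED_PLAINTEXT = ("Password123!", "Welcome2024!", "Summer2025!!")  # constructed sample
BREACHED_RANGES: dict[str, set[str]] = {}
for _p in _BREACHED_PLAINTEXT:
    _h = hashlib.sha1(_p.encode("utf-8")).hexdigest().upper()
    BREACHED_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str) -> bool:
    """Prefix/suffix split: only the prefix selects a range, the suffix is matched locally."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in BREACHED_RANGES.get(h[:5], set())


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes)


@dataclass
class PasswordHistory:
    """Salted PBKDF2 digests of a user's previous passwords (never plaintext)."""
    entries: list[tuple[bytes, bytes]] = field(default_factory=list)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def contains(self, password: str) -> bool:
        # Re-derive with each stored salt; constant-time compare against the stored digest.
        return any(hmac.compare_digest(self._derive(password, salt), digest)
                   for salt, digest in self.entries)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, self._derive(password, salt)))
        del self.entries[:-HISTORY_DEPTH]   # keep only the most recent HISTORY_DEPTH entries


def evaluate(password: str, history: PasswordHistory) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    if is_breached(password):
        violations.append("appears in breached-password corpus")
    if history.contains(password):
        violations.append(f"reused within last {HISTORY_DEPTH} passwords")
    return violations


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.add("Tr0ub4dor&3-old-one")   # constructed previous password
    for cand in ("Password123!", "short1!A", "Tr0ub4dor&3-old-one", "correct-Horse-battery-2025"):
        print(f"{cand!r:32} -> {evaluate(cand, hist) or 'OK'}")
```

In production the breached corpus is not embedded; the range index is fetched per prefix and cached, and the history should live with the account store, not in memory. The reuse check deliberately uses the same slow hash as the stored credentials, so it adds no cheaper oracle for an attacker who obtains the history table.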

Organisational execution: Training, governance and measurability

Technology must be accompanied by clear governance. Define responsibilities for password security, measure compliance with automated scans and report regularly to the executive board. Awareness programmes should train phishing resilience and promote the use of password managers. Combined measures reduce the risk of account compromise and associated consequential damage, as documented in several cases in 2024 (SPIE analysis).

Technology trend: Zero Trust and automated tools

Zero Trust architectures, which by default grant no trust to a network location or an identity without verification, limit the impact of a compromised password. The combination of identity federation, conditional access, MFA and PAM delivers defence in depth. Password managers for people and dedicated secrets management solutions for services and pipelines minimise manual handling of credentials and lower the risk of human error.

Practice also shows that investments in technical controls pay off, because the baseline is poor: studies and surveys, including the Cisco Cybersecurity Readiness Index, indicate that around 45 percent of Swiss companies were affected by cyber incidents in the past twelve months, many of them triggered by insecure credentials and missing MFA (Cisco reference / angestellte.ch).

Conclusion

Password security is not a pure IT matter – it is a central business risk factor. The incidents in Switzerland from 2023–2025 (Zurich Insurance, SSO outage Onelog, ransomware waves) show that compromised credentials can lead to massive operational and regulatory consequences. For CISOs, CTOs and security engineers, the task is to link technical measures (MFA, PAM, password managers, Zero Trust) with organisational anchoring (governance, reporting, training). Only then can credential-based attacks be sustainably contained.

Password and identity hardening – your next step

If your organisation does not yet have a consolidated identity strategy, start with an inventory of privileged accounts, the introduction of a password manager and the organisation-wide requirement for MFA. Complement this with regular phishing tests and a well-prepared incident response plan. External expertise can help close gaps quickly and establish governance processes (CMM360 analysis).

Contact your security team or an experienced service provider to create a pragmatic roadmap — before accounts are compromised and the damage outweighs the investment in prevention. Further insights and statistics can be found in the linked sources on the Swiss threat landscape (SPIE, Zerberos, Netzwoche).

Key takeaway – act now

Strengthen your identity and password strategy: mandatory MFA, deployment of password managers and PAM, Zero Trust principles, regular penetration tests and consistent employee training. Only then will you reduce the risk of compromised accounts and the associated consequences for your company.
