The Digital Rescue Blog

The blog that reveals the technological secrets behind data recovery.

Daily Digital Hygiene: 7 Essential Practices for Every Employee

Digital hygiene refers to the set of daily micro-habits that protect an organization against cyber threats, in the same way that washing hands protects against infections. According to the Cyber Security Report 2024 from the Federal Office for Cybersecurity (FOCS), more than 60% of cybersecurity incidents affecting Swiss SMEs are linked to avoidable human errors. The good news: the seven practices presented here only take a few seconds per day and do not require any specific technical skills.

 

Key figure: According to the FOCS, the median cost of a cybersecurity incident for a Swiss SME exceeds CHF 50,000 — a sum that these 7 simple practices can help avoid.

1. Always lock your session when you step away

An unlocked computer is the digital equivalent of an office left open with all client files visible. In an SME environment where visitors, interns, and service providers regularly circulate, a few seconds are enough for a malicious person to copy sensitive data or send a message in your name.

How to do it?

  • Windows PC: shortcut Windows + L — instant lock
  • Mac: shortcut Command + Control + Q — instant lock
  • Automatic: configure locking after 2–5 minutes of inactivity (ask your IT service provider to deploy it on all workstations)

Golden rule: You leave your workstation? You lock it. No exceptions.

2. Verify the sender before opening an email or attachment

Phishing is the most common attack technique against Swiss SMEs. Fraudulent emails perfectly imitate official communications — logos, tone, layout — and the difference lies in the details: a slightly modified sender address (e.g., accounting@your-company.ch instead of accounting@yourcompany.ch), a subtle mistake, or an unusual sense of urgency.

Checklist before opening a suspicious email

  1. Verify the complete email address of the sender (not just the displayed name)
  2. Hover over links without clicking to see the real URL
  3. If in doubt, call the sender directly by phone to confirm
  4. Never validate a change of bank details solely by email

In Switzerland, the revised DPA (Data Protection Act, in force since September 2023) requires companies to report any data breach within 72 hours. A successful phishing attack can therefore lead to serious legal consequences, in addition to direct financial losses. Tools like PhishTrainer allow you to train your teams to recognize these attempts in a controlled environment.
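
Checklist step 1 can also be automated in a mail triage script. The Python code below is an added example, not part of the original article: it reads the real address from the From header (ignoring the display name) and flags domains that are a near miss of a trusted one. The trusted domain is the article's own example; the function names, the two-edit threshold and the sample headers are assumptions.

```python
from email.utils import parseaddr

# Assumption: your organisation's real domains (value taken from the article's example).
TRUSTED_DOMAINS = {"yourcompany.ch"}

def _edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return 'trusted', 'lookalike' or 'external' for a raw From: header value."""
    _display_name, address = parseaddr(from_header)  # display name is never trusted
    if "@" not in address:
        return "external"
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    for good in trusted:
        same_without_hyphens = domain.replace("-", "") == good.replace("-", "")
        if same_without_hyphens or _edit_distance(domain, good) <= max_edits:
            return "lookalike"
    return "external"

# Constructed sample headers, for illustration only.
SAMPLES = [
    "Accounting <accounting@yourcompany.ch>",
    "Accounting <accounting@your-company.ch>",
    '"accounting@yourcompany.ch" <billing@example.org>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):10} {header}")
```

The third sample shows why the display name must be ignored: it contains a trusted-looking address, but the message actually comes from an unrelated domain.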

3. Use strong and unique passwords for each service

A strong password is a string of at least 16 characters combining upper and lower case letters, numbers, and symbols, without any dictionary words. Using the same password on multiple services is like using the same key for your house, your car, and your safe: if it is compromised once, everything is exposed.

Comparison of approaches

| Approach | Security | Ease of use | Recommended? |
| --- | --- | --- | --- |
| Same password everywhere | ❌ Very weak | ✅ Easy | No |
| Different memorized passwords | ⚠️ Medium | ⚠️ Difficult | Partial |
| Password manager | ✅ High | ✅ Easy | Yes |
| Manager + 2FA enabled | ✅✅ Very high | ✅ Easy | Strongly recommended |

Solutions like Proton Pass (Swiss hosting) automatically generate and store complex and unique passwords for each service. Also, enable two-factor authentication (2FA) on all your critical accounts: even if a password is stolen, access remains blocked without the second factor.

4. Update your tools and applications regularly

Security updates fix known vulnerabilities that cybercriminals actively exploit. According to Microsoft, 85% of successful cyberattacks exploit flaws for which a patch already existed but had not been applied. In an SME, a single unpatched workstation can be enough for ransomware to spread to the entire network.

What to update, and when?

  • Operating system (Windows, macOS): as soon as the update is available
  • Web browser: enable automatic updates
  • Office suite (Microsoft 365, LibreOffice): weekly
  • Antivirus: daily (automatic)
  • Business applications: according to the publisher's recommendations

Practical tip: schedule restarts for updates outside of working hours (e.g., Friday evening at 8 PM) to avoid interrupting your activity.

5. Regularly clean your downloads folder

Each file downloaded from the Internet represents a potential entry point for malware. A PDF received by email, an invoice downloaded from a website, an Excel file sent by a partner: all can contain malicious code. An unmanaged downloads folder accumulates files whose origin is no longer remembered — and which you risk opening inadvertently months later.

Recommended weekly routine (5 minutes)

  1. Move important files to their final location (project folder, client folder)
  2. Delete all unnecessary temporary files and archives
  3. Verify that no document containing sensitive data (HR, financial, clients) remains in an unsecured location

For Swiss SMEs processing personal data, this practice falls directly within the obligations of the revised DPA, which requires data to be kept only for the time strictly necessary and under appropriate security conditions.

6. Log out of online services after use

Staying permanently connected to all your professional tools creates an unnecessary attack surface. If someone accesses your computer during your absence — a colleague borrowing your workstation, a visitor left alone for a few moments — they immediately have complete access to your email, your CRM, your accounting tools, all under your identity.

Best practices by situation

| Situation | Recommended action |
| --- | --- |
| Shared computer or third-party workstation | Never check "Stay connected"; explicitly log out after each use |
| Your own workstation, end of day | Log out of sensitive services (banking, payment, HR) |
| Short break at the office | Locking the session (practice #1) is sufficient |
| Teleworking on an unsecured network | Use a VPN + log out after each session |

Also close unnecessary browser tabs: every service left open at the same time is an additional opportunity for compromise.

7. Regularly back up your work and verify backups

Data backup is the last line of defense against ransomware, hardware failures, and accidental deletions. According to Veeam's Data Protection Trends Report 2024, 76% of organizations that suffered a ransomware attack were able to recover their data thanks to backups — compared to only 13% for those who paid the ransom.

The 3-2-1 rule: the reference standard

  • 3 copies of your data
  • 2 different media (e.g., local disk + cloud)
  • 1 offsite copy (cloud or remote server)

Solutions like Swiss Backup from Infomaniak allow you to comply with this rule while keeping the data in Switzerland, in accordance with the requirements of the revised DPA. Also, consult our guide on the security and backup plan for SMEs.

Critical point often neglected: an untested backup is not a backup. Schedule a monthly restore test of at least one representative file to verify that your system actually works.

 

Summary: the 7 digital hygiene practices

| # | Practice | Frequency | Time required |
| --- | --- | --- | --- |
| 1 | Lock your session | Each time you leave your workstation | 2 seconds |
| 2 | Verify the sender of emails | For each suspicious email | 30 seconds |
| 3 | Use a password manager + 2FA | One-time configuration, then automatic | 1 hour (setup) |
| 4 | Install updates | As soon as available | 10 minutes |
| 5 | Clean the downloads folder | Weekly | 5 minutes |
| 6 | Log out of sensitive services | Daily (end of day) | 2 minutes |
| 7 | Verify backups | Monthly | 10 minutes |

Frequently Asked Questions

Is technical training required to apply these practices?

No. The 7 practices presented here are designed to be adopted by any employee, regardless of their technical level. No specific computer skills are required.

Are these practices sufficient to protect a Swiss SME?

These 7 practices cover the most frequent attack vectors and provide a solid foundation. For complete protection, they must be supplemented by technical measures (firewall, antivirus, network segmentation) and organizational measures (security policy, incident response plan). Bexxo supports Swiss SMEs in this comprehensive approach.

How to raise awareness of digital hygiene across an entire team?

The most effective method combines short training (30 minutes), phishing simulations with tools like PhishTrainer, and regular reminders. Studies show that repeated training reduces the click rate on phishing links by 65% on average (Proofpoint, 2024).

Does the revised DPA impose these practices on Swiss SMEs?

The revised DPA (in force since September 2023) requires companies processing personal data to implement appropriate technical and organizational measures to protect it. Practices #2 (anti-phishing), #3 (passwords), #5 (data cleaning), and #7 (backups) directly address these obligations.

If you want to go further in raising awareness among your teams, do not hesitate to contact Bexxo. We support Swiss SMEs in implementing cybersecurity practices adapted to their reality — without technical jargon and with concrete solutions.
