Article written by Marketing Team
Phishing, ransomware, artificial intelligence. Threats are evolving, human weaknesses persist, and businesses, particularly SMEs, remain on the front line. In this context, compliance and cybersecurity can no longer be treated as separate topics.
On the occasion of Cybersecurity Awareness Month, Synergix gives the floor to Nicolas Vernaz, founder of Redstone Consulting SA and expert in data protection and regulatory cybersecurity. A look back at an exemplary collaboration and a clear-eyed, no-compromise assessment of digital security in companies.
Rigorous compliance as a lever for efficiency
In 2019, Synergix commissioned Redstone to conduct a GDPR audit. The objective was to establish a comprehensive overview of compliance with European data protection regulations. The results highlighted several areas for improvement.
What truly set this collaboration apart, however, was Synergix’s approach: strong responsiveness and an ability to turn recommendations into concrete actions without delay.
This approach is rare. It reflects a genuine internal culture of compliance and a rapid understanding of the challenges involved.
This responsiveness and rigour enabled a smooth transition to the new Swiss Federal Act on Data Protection (nLPD), with only a minimal gap to address.
“The preparatory work carried out in 2019 allowed us to approach the nLPD with confidence. The adjustments required were minimal.”
Synergix relied on templates provided by Redstone to structure its documentation.
“It was targeted support, not project management. We validated their deliverables, occasionally reviewed contracts or sensitive documents. But their autonomy made all the difference.”
Key takeaway: achieving compliance is not simply about filling in a register template. It is a structured, documented, auditable and, above all, sustainable process.
Cyber threats: a changing landscape
For several years, two types of attacks have dominated the cyber threat landscape:
- Phishing, in all its forms
- Ransomware, which encrypts systems and demands a ransom
Artificial intelligence has transformed these attacks. Some companies now receive phone calls using highly convincing synthetic voices.
Nicolas Vernaz notes an increased sophistication of attacks: “Sometimes we are chatting with a bot on WhatsApp without realising it. AI has made things far more complex.”
The impact is very real: “I do not have a single client who has not suffered an attack in the past 18 months. It has become systemic.”
Ransomware remains a recurring scourge: “Everything is encrypted and a ransom is demanded in bitcoin. But today it goes further. There is often also data exfiltration.”
These intrusions have major legal consequences, particularly when personal data is involved.
The human factor: the primary risk vector
Whether it is clicking on a malicious link, using a weak password or bypassing procedures under pressure, the human factor remains the main vulnerability.
Between 95 and 99 percent of cyberattacks exploit human error. This is a constant.
Even the strictest control processes can be bypassed in emergency situations: “Some companies require dual validation for payments, but in urgent cases this rule is sometimes ignored, and that is precisely when the vulnerability appears.”
With the rise of AI, employees are even more exposed: “Attacks are more credible and more targeted. Even trained profiles can fall into the trap.”
Nicolas also stresses the role of corporate culture: “Training alone is not enough. You need living processes, regular alerts and involvement at all levels of the organisation.”
Compliance and cyber: two inseparable pillars
Compliance is not an optional extra or a strategic ‘nice to have’. It is a legal obligation. In a digital context, sanctions can be financial, legal and reputational. What distinguishes mature organisations is not that they comply, but that they do so in a structured, documented and traceable way.
A strong compliance posture makes it easier to manage a cyber crisis. Conversely, without rigour in cybersecurity, compliance remains theoretical.
He insists on the notion of foundations: “To secure systems properly, you first need to document well, structure well and classify well. These are compliance basics, but they are also cybersecurity fundamentals.”
Rigour above all: achieving compliance is not about ticking a few boxes. It is a rigorous, demanding and often lengthy process, and that is precisely what gives it value. True compliance is based on procedures, evidence, documentation and regular updates.
SMEs: the right reflexes without blowing the budget
There are simple measures, with very modest costs, that can be implemented quickly.
Here are the “quick wins” highlighted by Nicolas Vernaz:
- Next-generation antivirus solutions
- Disk encryption
- Free online training
- Ongoing staff awareness initiatives
“These actions cost almost nothing per workstation, yet their effectiveness is proven.”
He also highlights a common pitfall regarding passwords: “By imposing overly strict rules, you often achieve the opposite effect. Employees end up writing passwords on a post-it note or reusing them across multiple accounts.”
The right balance? “A strong password of 12 characters, renewed twice a year, combined with a good centralised password manager.”
At Synergix, these practices were implemented progressively, with the support of internal IT teams.
Technology: tools becoming more accessible
According to Nicolas, there has been no major technological disruption in recent years, but rather increasing accessibility to tools that were once reserved for large organisations.
What was reserved for large enterprises ten years ago is now achievable for some SMEs. This is a significant step forward.
This is particularly true for outsourced Security Operations Centres (SOCs): “These tools centralise logs, detect anomalies and trigger automatic alerts.”
These services are now available in SaaS mode, at prices affordable for mid-sized organisations. This is an opportunity that many SMEs are still unaware of.
The real change: mindset and posture
The true driver of an effective cybersecurity strategy is executive commitment. As long as these issues are seen as technical or secondary, progress remains limited. Cybersecurity has become a governance issue and a full-fledged resilience factor.
“The tipping point is top management involvement. As long as cybersecurity is seen as just another cost line, nothing moves.”
According to Nicolas Vernaz, this change in posture is essential to unlock resources, define clear governance and embed digital security into long-term priorities.
“It is no longer a question of if an attack will occur, but when. I was saying this twelve years ago. Today, it is self-evident.”
A shared vision, an operational model
At Synergix, we believe in active, useful compliance and in practical, adapted and accessible cybersecurity.
Our collaboration with Redstone is part of this approach. Together, we have shown that it is possible to combine rigour, autonomy and efficiency. Without unnecessary complexity. Without piling on layers. But by acting in a structured way.
You do not become more secure by multiplying tools. You become more secure by aligning processes, people and objectives.
Simplifying complexity also means this: enabling every organisation, at its own level, to be better prepared.