As its digital services expanded, Physiotopia Basel GmbH had a greater need for more transparency in its IT security. Thanks to Cyber-Risk Discovery from Sunrise Business, the SME managed to identify and remedy its IT vulnerabilities within just a few days. 

Customer

Physiotopia Basel GmbH* is a physiotherapy centre with around 20 employees. The practice offers traditional physiotherapy treatments and is increasingly supporting its offering with digital services. Patients can book appointments online, purchase health products in the online shop or obtain information via social-media channels. The IT landscape is manageable: a website, a CRM and billing system, and business email accounts. IT is overseen by a part-time administrator, who takes on this work on top of her admin tasks. The company doesn’t have its own IT department or specific cybersecurity expertise.

Initial situation

As the practice has grown, the number of digital touchpoints has increased continuously. More and more patients book their appointments online, search the website for information or order health products from the online shop. Social media has also developed into an important channel for customer enquiries. This development was positive from a business standpoint, but it increased the network’s attack surface. The practice has had increasing numbers of phishing emails: individual employees have received fraudulent messages, some with links to fake login websites. At the same time, domains have appeared that imitate the name of the practice, evidently designed to deceive patients. It was clear to the management that, although the practice is small and has only limited IT infrastructure, it had recently become a target for cyber criminals. 

The level of uncertainty was correspondingly high. What was missing was an overview of exactly where cyber risks existed, how big they were and what measures needed to be taken most urgently. In the past, IT issues tended to be handled reactively; for example, when a certificate expired or a system update was due. There was no structured approach to identifying and assessing vulnerabilities systematically. Management knew that cybersecurity was a key issue, but they didn’t have either the human resources or the expertise really to delve deeper into it. The danger that patient data could be compromised or that the practice’s reputation would be damaged by fraud became increasingly real. 

Why Sunrise Business Cyber-Risk Discovery?

Physiotopia Basel therefore started looking for a solution that would ensure transparency – without placing too much strain on operations or requiring high investment costs. It was crucial for an analysis to be carried out quickly, easily and in a way that was understandable for a small company. Cyber-Risk Discovery met these requirements. The AI-based solution works entirely from the outside, so from the same perspective that attackers use. It identifies domains, subdomains, cloud services, email addresses, login pages, certificates, social-media profiles and even data circulating on the dark web. In practice, this meant no complicated implementation, no internal system access, no time-consuming review. All Physiotopia needed was a website address, a business email address and an Internet connection to start the process with the AI-based analysis platform.

Solution and collaboration 

Sunrise Business worked with ImmuniWeb to create the customer profile for the platform that Physiotopia Basel GmbH used to perform the analysis. The analysis results were available in just a few days and highlighted several critical points. Two subdomains that hadn’t been used for a long time were still active and being operated with outdated software with known security vulnerabilities. An SSL certificate had expired, which meant that encrypted data transmission was no longer guaranteed. In addition, stolen access data for business email accounts was found on the dark web, and this could potentially have been used as an attack entry point. Finally, faulty configurations were discovered in the DNS that could make it easier for attackers to create deceptively real copies of the domain. 

For the company’s management, the report was impressive – not just because of the results, but also its comprehensibility. Instead of long technical lists, it contained clear prioritisation: risks to be remedied immediately; risks to be addressed in the medium term; and risks to be monitored only. This meant the part-time administrator could implement specific measures without having to fight her way through technical jargon. The 24/7 support, which she could consult and send questions, was particularly helpful. She was given practical advice, such as how to renew an SSL certificate or which password policies make sense for small businesses lacking internal cybersecurity expertise. 

The result

Based on the initial analysis, Physiotopia Basel successfully remedied a total of around 70% of all initially identified critical vulnerabilities – clear evidence of the immediate security benefit. The unused subdomains were deactivated, the SSL certificate was renewed and new, stricter password policies were introduced for all employees. The management also decided to introduce multi-factor authentication for the email accounts – a measure recommended by Cyber-Risk Discovery. 

After about four months, the reassessment was carried out via the platform. This confirmed that critical gaps had been closed successfully. In addition, the second analysis revealed new aspects, including social-media profiles that claimed to have been created in the practice’s name.  

The added value for Physiotopia Basel was huge. In a very short time, the practice had gained a complete overview of its digital attack surface and existing cyber risks. The team was able to take concrete measures to prevent a cyber attack and to protect patient data and business information better. Practice management gained confidence in the stability of its own systems and found a basis on which it could make future IT decisions effectively. 

Benefits 

• Analysis of all relevant digital attack surfaces in the shortest possible time 

• Understandable and prioritised recommendations for action that could be implemented without specialist knowledge 

• Uncovered critical vulnerabilities, such as outdated software, expired certificates or stolen access data 

• Immediate implementation of measures with minimal internal effort 

• 24/7 expert support for any queries and assistance in real time 

• Reassessment by means of a second analysis to prove that security vulnerabilities had been closed permanently 

• Improved protection of patient data and brand reputation

*This practical example of Physiotopia Basel GmbH is fictitious. However, the experiences outlined are of great relevance to many SMEs.