
Commissioner of Communications George Michaelides on why building cyber resilience now is essential

"A single cyber incident can cascade across supply chains, financial markets and essential services, causing systemic disruption. This heightened vulnerability, combined with strategic dependencies on critical technologies and supply chains, elevates cybersecurity from a technical requirement to a pillar of the EU’s political stability, economic security and strategic autonomy," George Michaelides, Commissioner of Communications, notes, continuing, "For these reasons, cybersecurity has become integral to safeguarding Europe’s resilience in an increasingly volatile geopolitical environment."

In a recent interview with GOLD magazine, Michaelides discusses what recent attacks reveal about Cyprus’ cyber exposure and what needs to change fast.

Among other things, he also underlines, "Only through common standards, timely information sharing and consistent maturity levels can we reduce systemic vulnerabilities and protect our societies from increasingly persistent threats."

 

Can you give us a brief overview of Cyprus’ cybersecurity market?

It is steadily developing, with organisations relying mainly on external providers for services such as risk assessments, penetration testing, cybersecurity training, incident response support and compliance with EU frameworks – including the provision of external CISO services.

The key offerings are on network, application, endpoint security, identity management and managed detection and response. Larger regulated sectors show higher maturity, while SMEs depend heavily on outsourced expertise. Demand is stronger in financial institutions, telecommunications and the public sector, mainly driven by digital transformation and regulatory requirements. The market remains small but expanding, as organisations place more emphasis on security.

The EU is accelerating its cyber agenda. Beyond more sophisticated attackers, what’s really driving this urgency? Is it geopolitics, economic security or something else?

The real urgency comes from the convergence of geopolitical instability, economic security risks and rapid technological transformation. Recent events have demonstrated that a member state’s strength increasingly depends on its ability to conduct and withstand cyber operations. Digital attacks can disrupt societies, economies and public trust long before any conventional military action occurs.

The Russia-Ukraine conflict is the most visible example: coordinated cyberattacks have targeted energy grids, government systems and communications networks – often in parallel with kinetic operations. This confirms that modern conflicts are inherently hybrid, merging digital disruption with physical force. On this expanded battlefield, keystrokes can now shape outcomes as powerfully as missiles.

At the same time, Europe’s highly digitalised economy leaves it uniquely exposed. A single cyber incident can cascade across supply chains, financial markets and essential services, causing systemic disruption. This heightened vulnerability, combined with strategic dependencies on critical technologies and supply chains, elevates cybersecurity from a technical requirement to a pillar of the EU’s political stability, economic security and strategic autonomy.

For these reasons, cybersecurity has become integral to safeguarding Europe’s resilience in an increasingly volatile geopolitical environment.

Cyprus has faced several cyberattacks recently, from the disruption of the Hermes Airports website to incidents targeting the Electricity Authority and Cyta. What tactics are attackers using and what gaps in how we approach cybersecurity in critical infrastructure are they exploiting? Do we know the motivation behind these campaigns?

Recent cyber incidents show that attackers continue to rely on well-known and widely used techniques. Most operations still revolve around Distributed Denial of Service (DDoS) attacks that overwhelm services, social engineering that exploits human behaviour, AI-enabled automated attacks that scale exploitation at unprecedented speed and website compromises targeting weak or outdated protection. These methods succeed because adversaries exploit common gaps – end-of-life systems, delayed patching of operating systems and applications, uneven levels of cybersecurity maturity across organisations and the absence of continuous monitoring – all of which make certain services systematically easier to penetrate.

The motivations behind these attacks differ: criminal groups seek financial gain, hacktivists pursue political or ideological agendas, while state-sponsored actors focus on strategic espionage or broader geopolitical influence. Together, these incidents underscore the need to strengthen resilience across the entire ecosystem – from public administrations to private operators – and to ensure coordinated cybersecurity efforts across all critical sectors. Only through common standards, timely information sharing and consistent maturity levels can we reduce systemic vulnerabilities and protect our societies from increasingly persistent threats.

Based on the attacks we’re seeing, what are the realistic worst-case scenarios for Cyprus if critical systems aren’t strengthened soon? How close are we to those risk thresholds?

Realistically, any country – not only Cyprus – that delays upgrading the protection of its critical systems faces serious risks, including prolonged service outages, economic disruption and threats to public safety. In severe cases, this can mean nationwide blackouts, interruptions to the water or energy supply, paralysed transport networks or temporary shutdowns of key public services. We have already seen global examples where ransomware halted hospital operations, payment system breaches froze financial transactions and telecom failures disrupted emergency services. These incidents show how quickly digital disruptions can spill over into daily life.

The danger grows even further when cyberattacks are combined with misinformation campaigns or physical sabotage, undermining public trust and amplifying societal impact. Unfortunately, we are already closer to this reality than many expected. Attack tools, now accelerated by AI, are evolving rapidly, becoming more automated, more effective and more accessible.

Reducing these risks requires coordinated action: stronger cross-sector cooperation, improved monitoring, broader cybersecurity awareness and the timely sharing of threat intelligence. Building resilience now is essential to protect critical services and maintain societal stability.

Where are both the public and private sectors most exposed today and what factors are keeping these vulnerabilities in place, particularly at the decision-making level?

Public and private organisations are rapidly embracing cloud services, automation and interconnected systems but their cybersecurity frameworks are not evolving at the same pace. This widening gap between fast digital transformation and slower security preparedness creates the most vulnerable points – areas where attackers can easily exploit weaknesses. In the public sector, achieving resilience is especially challenging. Complex procurement processes, outdated legacy systems and slow modernisation cycles make it difficult to secure critical infrastructure quickly.

Compounding this is a persistent cultural issue. In many government environments, cybersecurity is still viewed as the exclusive responsibility of the IT department rather than a shared organisational duty. The absence of clear accountability – and the lack of consequences for poor security practices – reduces the incentive to adopt stronger controls and undermines long-term resilience. In the private sector, the rapid pace of digitalisation introduces a different set of risks. Companies increasingly depend on external vendors, cloud platforms and complex supply chains, all of which expand their attack surface. When these third-party risks are not properly assessed or managed, they create additional points of exposure that can be exploited with serious consequences.

So, public and private organisations should approach their cybersecurity risk assessment differently?

Public and private organisations should base their cybersecurity risk assessments on the same core principles but their priorities inevitably differ. Public bodies must evaluate risk in terms of service continuity, legal obligations and the broader societal consequences of disruption.

Private companies, by contrast, typically focus on financial exposure, operational downtime and reputational impact. The methodologies may look similar, yet the context, risk tolerance and strategic objectives vary, shaping different decisions and levels of investment.

If every organisation in Cyprus could make only three cybersecurity investments in 2026, which would matter most?

The most impactful would be the implementation of critical controls, many of which are inexpensive or even free. These cover fundamental security needs such as robust backup and password policies, automatic operating system and application updates and strong governance, as highlighted in the Digital Security Authority’s Cyber Hygiene Framework.

A second priority should be strengthening detection and response capabilities, including centralised monitoring and well-rehearsed incident response procedures.

Finally, organisations should invest in developing a genuine cybersecurity culture across both staff and leadership. These three areas consistently deliver the highest gains in resilience, ensuring that cybersecurity becomes part of everyday operations rather than a purely technical afterthought.

How quickly are AI-enabled attacks evolving? And is Cyprus prepared for them?

AI-powered cyberattacks are now emerging at unprecedented speed, becoming cheaper to execute, more sophisticated and significantly harder to detect. Techniques such as AI-driven phishing, deepfakes, automated vulnerability exploitation and polymorphic malware have moved from experimental concepts to mainstream threats. Attackers increasingly use AI to scale their operations, personalise social-engineering campaigns, identify weaknesses autonomously and generate highly convincing deceptive content.

In this environment, traditional defence models, based on manual review or signature-based detection, are rapidly losing effectiveness as AI-enabled threats evolve in real time. Cyprus is strengthening its cybersecurity posture through modern legislation, updated national strategies and its active participation in advanced research and innovation initiatives. These steps are essential, as the growth of AI-driven cyberattacks requires more adaptive, intelligence-led defence capabilities.

Yet challenges remain. Cross-sector coordination is still limited, specialised cybersecurity skills are in short supply and many SMEs continue to operate on vulnerable digital infrastructures. Building true national resilience will require sustained long-term investment, continuous capacity-building across both the public and private sectors, and the adoption of innovative defensive technologies that can keep pace with the rapidly evolving threat landscape.

If Cyprus could accomplish only one strategic cybersecurity objective in the next five years, what should it be?

It should be the systematic strengthening of national capacity at all levels. Building a sustainable and mature national capability requires far more than technical tools: it depends on strong institutional governance, clear processes, a skilled workforce and consistent risk management across every sector.

Strengthening capacity means reinforcing the regulatory framework, improving incident management, modernising critical infrastructures and adopting advanced practices such as shared threat intelligence, AI-driven situational awareness, and enhanced detection and response mechanisms. It also requires cultivating a culture of innovation through education, public awareness programmes, hackathons and targeted initiatives for strategic industries such as maritime and energy.

A holistic approach is what enables a country to develop a resilient and self-reliant digital ecosystem. Ultimately, national capacity-building is the foundation upon which all future cybersecurity progress is built.

 

This interview first appeared in the December issue of GOLD magazine.