Before we go to bed, we ensure that our windows and doors are locked, maybe you leave a light on somewhere in the house to deter possible intruders, and activate an alarm system. We do these things because we are aware of potential threats to the safety of our home, possessions, and family. We act on our awareness to provide security to matters that are important to us. However, many people remain unaware of threats in the digital world, which harms the security of our digital identities and digital assets, as well as that of organizations. For example, in 2019, 87% of small and medium-sized enterprises (SMEs) in Cyprus lacked the appropriate cybersecurity protection measures, raising alarms for concern regarding the safety of corporate and user data.

Cybersecurity involves protecting electronic devices and networks from unauthorized access, theft, or damage. With rapid digital transformation taking place, it is vital to prioritize cybersecurity to safeguard sensitive data and infrastructure from the growing threat of cyber attacks. Just as we reinforce the security of our homes, we should also prioritize the security of not only our online presence but that of organizations as well.

The World Economic Forum (WEF) has recently published their Global Cybersecurity Outlook Report for 2023, where they discuss their key findings. This year, they highlighted that business leaders are paying greater attention to data privacy laws and cybersecurity regulations, business leaders are now meeting regularly with cybersecurity advisors, and that businesses are beginning to promote “more fluid communication and effective cyber-risk management.” This is due to the fact that “respondents now believe that cyberattackers are more likely to focus on business disruption and reputational damage”, indicating that these are the most prominent concerns.

In just the first four months of 2023, several organizations in Cyprus have fallen victim to cyber attacks. The Open University of Cyprus (OUC), and the Land Registry have suffered from cyber attacks such as ransomware. The issue of a lack of cyber awareness and resilience is evident across the island. It is critical that as digital transformation efforts scale, we should prioritize vigilance and being proactive in ensuring the security of personal and institutional data and privacy.

Based in Nicosia, the OUC is an online university offering remote learning for the past twenty years, across thirty different courses. In early March of 2023 the OUC was struck with a ransomware attack by threat actors referred to as “Medusa”. The ransomware gang seized control over and access to sensitive information of researchers, staff, and students, as well as their financial information and records. 

In order to return these faculties back to OUC, and to not leak sensitive information and data to parties with potentially malicious intent, they demanded a ransom of €100,000 to be paid within two weeks of the attack. The OUC announced access to their eLearning platform has been reactivated, however they did not meet the demands of the ransom and suffered further leaks and losses of data.

Additionally, Cyprus’ land registry, a critical part to the island’s large real estate sector, was targeted by another ransomware attack which froze registrations at a total sum of €150 million. This cyber attack forced the land registry to build a new portal, and, despite their efforts, they have not yet fully recovered after one month since succumbing to the cyber attack. Their new portal wavers between an offline and online status, oftentimes losing connection.

Senior Land Officer, Elikkos Elia, stated that “we cannot be 100% sure that no permanent damage has been inflicted, but the fact that we have not encountered anything missing, and we are able to carry out daily tasks is encouraging.” It is crucial for the land registry’s website and internal functionalities to return as they are a critical piece of the island’s real estate sector. However, without the appropriate skilled talent and tools, a full recovery may take place over an extended period of time which may cost the real estate sector valuable time and capital.

To gain a better understanding of the current challenges and possible solutions for organizations in Cyprus regarding cyber threats, we spoke with Andreas Constantinides, Manager at Odyssey CyberSecurity. He vouches for a clear cut approach that is iterative and heavily reliant on awareness and know-how.

“Regarding Cyprus’ current situation, we see companies in a panic mode on a daily basis. They ask for ad-hoc, technology driven solutions. We have seen money spent in the wrong areas. Technologies purchased with the promise that they will mitigate some risks. People not being properly educated on security, procedures not existing or not being followed.

What organizations should do now more than ever, is to take a step back, revisit and rethink their cybersecurity strategy taking into consideration not only technologies but also the people and the processes. All this of course can be achieved by being aware of their organization's threat landscape which includes cyber, insider, and third-party threats. When people refer to cyberattacks, they tend to think about ransomware, phishing, DDOS or other attacks which, yes, they are indeed the top type of cyberattacks in Cyprus and globally at the moment, but are not the only.

Organizations should build an effective and applicable strategy and this process requires a holistic approach to cybersecurity. A Cybersecurity Strategy starts from awareness and leads to action. It’s a continuous process that differentiates based on each organization's needs and capabilities.

For an organization to build a cybersecurity strategy they must first be aware of their security posture so they can then design an action plan. First assess, second implement, and third evaluate and improve. The first step is always the most important. It’s where the current situation of an organization is assessed, and the status is evaluated. By having a clear view on the risk, organizations gain an understanding on where to focus next and can identify where there are quick wins and where there’s the biggest risk that needs to be mitigated.

The second step is the implementation, where the plan is put into action and risks are mitigated by using the right products and services to put controls for people, process, and technologies. Here is where most of the companies invest their budget, complaining that they don’t have results. It’s simple. It’s because they do it without going through the first and the third stage. Something that leads to wrong investments.

The third stage is the evaluation and continuous improvement, where we assess and evaluate the effectiveness of what we have put in place and make the necessary adjustment or planning. Here we also have a 24/7 management, monitoring of log and event data collected from diverse systems and applications. We need to know where we stand at any given moment, so if anything happens to be able to timely react.”

There were further cyber threats made towards Cyprus’ Defense Ministry and the University of Cyprus, however they thwarted the threats and are continuously monitoring their systems to prevent future cyber attacks. Cyprus is not the only country to be targeted by ransomware attacks, with institutions globally working tirelessly to resolve the impact on their systems, staff, and customers.

Similar to the attacks on OUC, Minneapolis, a city in Minnesota, USA, has recently suffered a data breach by the Medusa ransomware group. Minneapolis’ Public Schools (MPS) were given merely ten days to pay a substantial ransom of $1 million in order to not leak critical files and data. 

MPS has not paid the ransom, and is working with cybersecurity experts to review the scope of the leaked files, finding that student and alumni records, parent contacts, addresses, identification documents, health records, budgets, payrolls, and more have been leaked on the dark web. 

Cybersecurity professional, Ian Coldwater, expressed “despite the district’s attempts to downplay this, it is a really big deal. I’m not telling you to panic. I’m telling you to know and prepare.” As institutions look to protect their reputation, they may not provide the full picture, ultimately reducing transparency which impacts people’s ability to stay informed and react accordingly.

Another concerning, recent cyber attack is that of Yum! Brands, owner of the KFC, Pizza Hut, and Taco Bell chains. They suffered a data breach in early January of 2023 as a result of a ransomware attack, and were ultimately forced to close down nearly 300 restaurants across the United Kingdom for one day. They are continuing to survey the impact of the attack and the extent of employee data that was stolen.

There are a plethora of examples when looking to take note of cyber attacks and data breaches. Yahoo, Twitter, Facebook, and Microsoft have all been targets of threat actors who leaked millions of compromised records throughout the 2010’s decade. Taking Microsoft as an example, they disclosed in early 2020 that 250 million records across 14 years have been leaked online which included the exposure of eMail and internal protocol (IP) addresses. Their response was to improve their internal database security, and to raise cyber awareness across their departments.

As digital transformation and technology as a whole become more advanced, cybercriminals will continue to refine and develop their strategies and tools to infiltrate systems and data. It is critical for people and organizations to remain consistently informed, trained, and made aware of cyberthreats. VentureBeat, a global leader of transformative technology-related news, recently compiled a list of cyberthreats that target organizations, and how people can prevent threat actors from breaching important data.

Broken access control refers to a security flaw that enables users to access restricted resources. Attackers can exploit this vulnerability to evade security procedures and gain access to critical data. When you hear a knock on your door, you typically ask who is knocking, and if they are unfamiliar to you, you ask them what or who they are looking for.

In this context, organizations should perform authorization audits and ensure that their data does not pass through the wrong hands.

While we may tease our older relatives regarding their lack of awareness of phishing scams, the threat remains present in all of our lives. Threat actors with malicious intentions send emails and text messages to users regarding a supposed need to update their banking credentials, or to donate to charities, false shipping updates, and more. 

Phishing scams are the most common delivery method for ransomware infections, accounting for more than half of ransomware attacks globally. Avoiding such cyberthreats is best achieved through cybersecurity education, which can be learned online with no costs; and make sure to share it with your older relatives as well.

According to a report from (ISC)2, an international non-profit association, more than 3.4 million security professionals are required to fill roles across sectors, highlighting the shortage of talent. Without the required skilled talent, organizations lack a critical part of their security protocols, which is accurate, refined, and updated penetration testing methods. 

To remediate this challenge, organizations must prioritize sourcing skilled information technology talent to proactively identify and test the security of their systems.

IoT refers to the connectivity and exchange of data between household appliances, hardware we use daily such as smartphones and smartwatches, and industrial and manufacturing tools. 

The EU has advanced several cybersecurity mandates expected to be met by 2024, encouraging companies to adjust their strategies and models to the new directives. Protecting interconnected devices boils down to one, albeit fragile, element which is strengthened password protection. Having multiple passwords and updating them regularly may help in preventing threat actors from accessing them.

As we discussed in this article, ransomware is a growing and evolving threat that is being enforced and implemented by cybercrime groups. Ransomware attacks have been steadily rising at 155 million attacks in just 2022’s fourth quarter. Recovering from such attacks is costly, and organizations must aim to strengthen their IT and security systems to test and monitor their infrastructures regularly, as well as pursue continuous education on the matter.

Staying informed and educating family, friends, employees, and colleagues is critical as aspects of our lives are increasingly digitized. As institutions in Cyprus undergo vast digital transformation efforts, they must not only be wary of the various cyberthreats that could potentially target them and their data, but also be prepared to respond to cyberthreats and attacks appropriately. The digital reskilling of the island is underway, however there is still some way to go for Cyprus to catch-up with skilled talent and critical tools to raise cyber awareness and resilience.