Cyprus Cyberattacks: Half of Businesses Hit as Phishing Dominates

 

Nearly half of businesses (53%) in Cyprus experienced a cyberattack in the past year, averaging one breach every eight days, according to a survey conducted on behalf of the Commissioner of Communications – Digital Security Authority.

More than half of affected companies reported financial losses averaging at around €12,000, while phishing (fraudulent email messages) remained the dominant threat. Alarmingly, one in four businesses has not updated cybersecurity policies for over a year, and 43% remain unaware of available training seminars. The survey also revealed a common misperception – that they are simply “not a target” – among businesses that did not suffer a cyberattack or breach.   

A second survey covering cybersecurity challenges among the public revealed that, among citizens in Cyprus, one in three reported a cyberattack, with phishing again the most common method. The average financial cost incurred for citizens is much lower than for businesses, at around €141. Interestingly, the 35-44 age group incurred the highest cost from cyberattacks. Though fewer individuals suffered financial loss, awareness remains low, with 74% unaware of cybersecurity training opportunities.

The two studies, carried out by RAI Consultants between August and November 2025, gathered responses from 1,043 citizens and 459 businesses across key economic sectors. The findings were shared with relevant bodies and authorities at a meeting on December 17, 2025.

In response, the Digital Security Authority plans expanded training programmes, public awareness campaigns, and industry collaboration to strengthen national cyber resilience.

Cybersecurity challenges for businesses

More specifically, the main findings of the survey concerning businesses are as follows:

1. Almost half of businesses (53% in 2025, 47% in 2024, and 49% in 2023) experienced some form of attack/breach in the past 12 months, with an average of one attack every eight days, recording a slight increase compared to 2024 (one attack every 10 days).
2. Among the businesses that suffered an attack/breach, more than half (51% in 2025) incurred financial costs, amounting on average to €12,000. At the same time, there was a slight decrease in the percentage of businesses that suffered financial damage compared with the previous year (55% in 2024).
3. The most common type of attack remains phishing, that is, fraudulent email messages, at 44%, marking a decrease of 4 percentage points compared with 2024 and 1 point compared with 2023. Phishing also constitutes the most recent attack experienced by businesses, reaching 75%.
4. Nearly one in four businesses has not created, updated, or revised its cybersecurity policies for more than a year to ensure they keep pace with technological developments.
5. There is a lack of awareness among businesses regarding the existence of cybersecurity seminars, as 43% state they are unaware of them (50% in 2024 and 46% in 2023), while only 22% participated in such activities (13% in 2024 and 17% in 2023). It is worth noting that businesses that attended seminars subsequently took steps to strengthen their security measures.
6. Among the businesses that did not experience a cyberattack, 48% believe this is because their company is “not a target.” This percentage shows an increase compared with the previous two surveys (37% in 2024 and 38% in 2023), which is worrying, as any business can become a target and should take appropriate protection measures.

One in three citizens record cyberattack 

The main findings of the survey concerning citizens are as follows:

1. The percentage of citizens who experienced a cyberattack in the past 12 months reached 33%, showing a decrease compared with the previous two years (49% in 2024 and 47% in 2023). The average number of attacks per year was 25.9, noting a small decrease compared with 2024 (28.5).
2. Among citizens who experienced an attack, 17% (13% in 2024 and 19% in 2023) incurred a financial cost, averaging €141. An interesting finding is that the highest cost was recorded in the 35-44 age group, in contrast to 2024 when the highest cost was in the 18-34 age group, while the lowest cost was in the 45-54 age group (both in 2025 and 2024).
3. The most common type of attack for citizens is also phishing, at 22%, marking an improvement of 17 percentage points compared with 2024 and 14 points compared with 2023.
4. Among citizens who did not experience an attack or breach in the last year, 89% do not rule out the possibility of falling victim to malicious activity in the future, an increase of 2% compared with 2024.
5. There is significant lack of awareness regarding the existence of cybersecurity training seminars, as 74% of citizens said they were unaware of them (an increase of 4% compared with 2024), while only 15% have participated in such activities. After attending seminars, the most important changes adopted were the use of strong passwords, frequent password changes, and avoiding suspicious websites.

Raising awareness 

Based on the above findings, according to a press release issued on Wednesday, the Digital Security Authority intends to organize training seminars as well as awareness and information campaigns, with the aim of strengthening cybersecurity knowledge and skills among both citizens and businesses.

Specifically:

• For businesses, conferences are planned in collaboration with the EU Agency for Cybersecurity (ENISA), updates on new European funding opportunities in cooperation with the European Cybersecurity Competence Centre (ECCC), joint events with business organizations – the Cyprus Chamber of Commerce and Industry (KEVE) and the Employers and Industrialists’ Federation (OEV) – business missions, announcements of new grant schemes to support the sector, participation in international exhibitions, and more.
• For citizens, the ‘Cybersecurity For All’ Festival will take place for the third consecutive year, along with the 2nd Cybersecurity Career Fair, specialized information sessions for people aged 65+, as well as numerous educational sessions in kindergartens, primary schools, middle schools, and high schools.

The surveys above are the fourth consecutive mapping of the cybersecurity situation in the Republic of Cyprus which will continue annually, adjusted according to developments and informational needs.

The detailed results of the surveys are available in PDF form in Greek.