
Opinion
The Digital Security Authority recently reported that one in two people and businesses in Cyprus experienced a cyberattack last year. The statistic made headlines briefly, then disappeared from conversation.
The silence is revealing. Not because the number is unimportant, but because the diagnosis that follows is uncomfortable.
The high number of breaches is primarily a governance issue, not a technology problem.
Many organisations in Cyprus lack clarity on who can access their systems, what permissions they hold, and when access was last reviewed.
This is not negligence. It is accumulated operational debt.
For years, access was granted based on immediate business need. A consultant required system access for an implementation project. A finance team needed broader visibility during year-end reporting. A shared mailbox was given additional privileges to coordinate work across departments. Over time, these adjustments became permanent. Nobody was explicitly responsible for removing them.
The result is an access environment built on inherited permissions rather than deliberate design. Most firms cannot answer basic questions: Which vendors currently have standing access to core systems? What can the AI assistant deployed last quarter actually see? How many service accounts exist with credentials that never expire?
This is what creates the risk of breaches.
Attackers do not need to find sophisticated zero-day vulnerabilities when they can exploit credentials that should not exist. Compromised vendor accounts, legacy service credentials, and shared logins provide direct entry. The breach happens because the access was already there, waiting to be used.
Consider a payment services firm in Limassol. During a security review triggered by a client audit, the firm discovered 11 external accounts with active access to its transaction processing platform. Three belonged to IT consultants who completed projects years earlier. Two were tied to a software vendor the firm no longer used. Four were configured for integrations that had been replaced but never properly decommissioned. The remaining two could not be attributed to any current business relationship.
None of these accounts had been used maliciously. But each represented a breach pathway the firm did not know existed.
The firm had passed its annual security assessment, and every one of the accounts was technically permitted. The underlying issue was not a technical error but the absence of a decision: nobody had ever been asked whether each account should be retained or removed.
This pattern repeats across sectors. Law firms with document management systems accessible to dozens of legacy accounts. Investment services firms with vendor credentials configured during platform migrations and never revoked. Shipping companies with email forwarding rules established years ago and forgotten.
The core issue is not carelessness but the absence of a governance model designed for the way Cypriot firms actually operate.
Cyprus has a small, interconnected business environment. Relationships are built on trust. Speed matters. Firms depend heavily on outsourced providers, consultants, and third-party platforms to remain competitive. That dependency creates legitimate access requirements.
The problem emerges when temporary access becomes permanent by default, when service accounts are created for convenience and never expire, and when nobody is explicitly responsible for mapping what authority exists across the organisation.
NIS2 now places direct accountability on management bodies for these decisions. Boards must approve and oversee cybersecurity risk management measures, including supply-chain and access controls, and can be held liable when they fail to do so. DORA requires financial institutions to demonstrate operational resilience and maintain oversight of ICT third-party service providers. Both frameworks assume organisations can explain who has access to what, and why.
Currently, most organisations are unable to meet these requirements.
The breach statistic is a symptom. The underlying condition is unmapped authority. Firms have been granting access faster than they have been governing it. AI adoption, vendor dependencies, and remote operations are accelerating that imbalance. Fixing this does not require sophisticated technology. It requires a governance decision: access should expire by default unless explicitly renewed with documented business justification.
This inverts the current model. Instead of access persisting until someone notices it should be removed, access terminates automatically unless someone takes responsibility for keeping it active.
A financial services firm in Nicosia implemented time-bound permissions for all external accounts. Access expires after 90 days unless renewed. Within the first cycle, the firm identified and removed 14 vendor accounts with no current business purpose. The accounts had been active for years. Manual audits never surfaced them. The expiry mechanism did.
The same principle applies to internal access. AI systems should operate under purpose-built machine identities with explicitly scoped permissions, not under broad employee accounts. Shared credentials should be eliminated in favour of individual accountability. Service accounts should have documented owners responsible for their continued necessity.
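The expire-by-default rule described above can be run as a routine review rather than a manual audit. The following is an added example, not code from the article or from any of the firms it describes: it encodes the four controls the piece argues for (access lapses after a renewal window unless renewed with a documented justification, every non-employee account has a named owner, credentials must expire, shared logins are replaced) and applies them to a constructed account inventory whose names, dates and owners are invented for illustration. The 90-day window is taken from the Nicosia example and is a tunable, not a standard.

```python
"""Expire-by-default access review over a constructed account inventory.

Added example, not code from the article or the firms it describes.
Accounts that nobody renewed or nobody owns are marked for disablement;
accounts that are still justified but miss a control are marked for remediation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# 90-day cycle taken from the article's Nicosia example; an assumption, tune per policy.
RENEWAL_WINDOW = timedelta(days=90)


@dataclass
class Account:
    name: str
    kind: str                           # "vendor", "service", "machine", "shared" or "employee"
    owner: Optional[str]                # named person accountable; None = nobody
    last_renewed: Optional[date]        # last explicit renewal; None = never renewed
    justification: str                  # documented business reason; "" = none recorded
    credential_expires: Optional[date]  # None = credential never expires


def review(inventory, today):
    """Return one finding per non-compliant account, in inventory order.

    Finding: {"account": name, "action": "disable" | "remediate", "reasons": [...]}.
    "disable" fires when the expire-by-default rule applies: access was not renewed
    inside the window, or nobody owns it. "remediate" means the access is still
    justified but a required control is missing.
    """
    findings = []
    for acct in inventory:
        reasons = []
        if acct.kind in ("vendor", "service", "machine"):
            # External and non-human access must be explicitly renewed, with a reason.
            if acct.last_renewed is None or today - acct.last_renewed > RENEWAL_WINDOW:
                reasons.append("renewal overdue")
            if not acct.justification.strip():
                reasons.append("no documented justification")
        if acct.kind != "employee" and acct.owner is None:
            reasons.append("no named owner")
        if acct.kind != "employee" and acct.credential_expires is None:
            reasons.append("credential never expires")
        if acct.kind == "shared":
            reasons.append("shared credential; replace with individual accounts")
        if not reasons:
            continue
        lapsed = "renewal overdue" in reasons or "no named owner" in reasons
        findings.append({"account": acct.name,
                         "action": "disable" if lapsed else "remediate",
                         "reasons": reasons})
    return findings


def to_disable(findings):
    """Names of accounts the expire-by-default rule removes this cycle."""
    return [f["account"] for f in findings if f["action"] == "disable"]


# Constructed inventory modelled on the account types the article lists
# (ex-consultant, defunct vendor, replaced integration, unattributable account,
# AI assistant, shared mailbox, ordinary employee). All values are invented.
TODAY = date(2025, 6, 30)
INVENTORY = [
    Account("consultant-erp-impl", "vendor", "a.georgiou", date(2022, 3, 1),
            "ERP go-live project", date(2022, 9, 1)),
    Account("legacy-vendor-api", "service", None, None, "", None),
    Account("replaced-integration-01", "service", "it-ops", date(2023, 1, 15),
            "nightly reconciliation feed", None),
    Account("unknown-ext-07", "vendor", None, None, "", date(2026, 1, 1)),
    Account("ai-assistant-docs", "machine", "m.ioannou", date(2025, 5, 2),
            "read-only access to policy library", date(2025, 8, 1)),
    Account("ops-shared-mailbox", "shared", "c.petrou", date(2025, 6, 1),
            "cross-department coordination", date(2025, 12, 31)),
    Account("e.christou", "employee", "e.christou", None, "finance analyst", date(2025, 9, 30)),
]

if __name__ == "__main__":
    for f in review(INVENTORY, TODAY):
        print(f"{f['action']:9} {f['account']:25} {'; '.join(f['reasons'])}")
```

Run against the constructed inventory, the four legacy external accounts come out as "disable" and the shared mailbox as "remediate", while the scoped, owned, recently renewed AI identity passes. Re-running the same review a month later, with no renewal recorded, moves the AI identity into the disable list as well: that is the inversion the article describes, where keeping access active requires someone to act rather than removing it.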
These steps won’t prevent every breach, but they dramatically reduce the attack surface by ensuring that access reflects current operational reality rather than accumulated history.
For Cyprus, this is not only a regulatory requirement. It is a commercial necessity. The island's economy depends on cross-border trust. Investment services, payments, fintech, and professional services all operate in markets where clients increasingly demand proof of controlled access.
Firms that can demonstrate governed authority move faster through due diligence. Firms that cannot face delays, additional scrutiny, or lost opportunities.
The breach statistic will likely remain high until governance catches up to operational complexity. The question for each firm is whether they discover their access environment proactively or after an incident forces the discovery.
Because the breach surface is not what attackers might find.
It is what firms created years ago and never reviewed.
The access exists. The only question is whether you discover it before or after an incident.
*Petros Nearchou, Director at a US-based Enterprise Cybersecurity & IAM firm.