One in three people and more than half of businesses in Cyprus were hit by cyberattacks in the past 12 months, according to two nationwide surveys by the Communications Commissioner and the Digital Security Authority.
The surveys revealed that 33 per cent of people experienced a cyberattack over the last year, while almost half of companies reported at least one breach.
The first survey targeted businesses and was conducted between September and November 2025 on a sample of 459 companies spanning industry, trade and services.
The second survey targeted members of the public and was carried out during August and September 2025 on a sample of 1,043 individuals.
Among businesses, 53 per cent in 2025 reported suffering an attack or breach in the previous 12 months, compared with 47 per cent in 2024 and 49 per cent in 2023.
On average, businesses experienced one attack every eight days, marking a slight increase from 2024, when the rate stood at one attack every 10 days.
Of the businesses that suffered an incident, 51 per cent in 2025 incurred a financial cost averaging €12,000.
This represents a slight decline compared with 2024, when 55 per cent of affected businesses reported financial damage.
The most frequent form of attack remained phishing, defined as fraudulent email messages, accounting for 44 per cent of incidents.
This figure reflects a decrease of four percentage points compared with 2024 and one point compared with 2023.
Phishing was also identified as the most recent type of attack experienced by businesses, reaching 75 per cent.
Alarmingly, nearly one in four businesses has not created, updated or revised its cybersecurity policies for more than a year in order to keep pace with technological developments.
The findings also show a lack of awareness among companies regarding the existence of cybersecurity seminars, with 43 per cent stating they were unaware of such initiatives, compared with 50 per cent in 2024 and 46 per cent in 2023.
Moreover, only 22 per cent of businesses participated in such training in 2025, up from 13 per cent in 2024 and 17 per cent in 2023.
Companies that attended seminars proceeded to strengthen their security measures.
Among businesses that did not experience a cyberattack, 48 per cent believe this is because their company is not a target.
This perception has increased compared with previous surveys, standing at 37 per cent in 2024 and 38 per cent in 2023, a trend described as concerning given that any business can become a target and should take appropriate protective measures.
Turning to individuals, the survey found that the average number of attacks per year reached 25.9 in 2025, slightly lower than 28.5 in 2024.
The proportion of people who suffered a cyberattack stood at 33 per cent, down from 49 per cent in 2024 and 47 per cent in 2023.
Among those affected, 17 per cent incurred a financial cost, compared with 13 per cent in 2024 and 19 per cent in 2023.
The survey also showed that the average cost for individuals amounted to €141.
The highest financial cost was recorded in the 35 to 44 age group, in contrast to 2024 when the 18 to 34 group reported the highest cost, while the lowest cost was observed in the 45 to 54 age group in both 2025 and 2024.
Phishing was also the most common form of attack against individuals, accounting for 22 per cent of cases.
This represents an improvement of 17 percentage points compared with 2024 and 14 points compared with 2023.
Among people who did not experience an attack or breach in the past year, 89 per cent do not rule out the possibility of becoming victims of malicious activity in the future, an increase of 2 per cent compared with 2024.
The findings further indicate a significant lack of awareness regarding the availability of cybersecurity training, as 74 per cent of people said they were unaware of such seminars, up by 4 per cent compared with 2024.
Only 15 per cent of people have participated in such actions, the findings showed.
After attending seminars, the most important changes adopted included the use of strong passwords, frequent password changes and avoiding suspicious websites.
Based on these results, the Digital Security Authority intends to organise educational seminars and awareness campaigns aimed at strengthening knowledge and skills in cybersecurity among both the public and businesses.
