Unveiling Malta’s resilience and vulnerability to cybersecurity

A cybersecurity study conducted in Malta revealed the overall maturity of the local corporate community’s security policies. The National Cybersecurity Coordination Centre (NCC), under the auspices of the Malta Information Technology Agency (MITA), commissioned a survey which assessed firms’ cybersecurity needs. The survey, conducted in late September 2022, spanned approximately one and a half months for completion. The findings provided a foundation for targeted grant allocations and informed decisions to strengthen the island’s technological sovereignty in cybersecurity, given the NCC’s collaboration with the European Cybersecurity Competence Centre (ECCC) and network of NCCs throughout European Union Member States.

Through an online survey, the study sought to ascertain the cybersecurity maturity and funding requirements of Malta’s corporate community. To provide a diversified response pool, a total of 2755 active business units with more than ten employees were targeted. The study consisted of questions which addressed critical topics such as cybersecurity protocols, IT inventory, security monitoring, vulnerabilities, cloud services, breach response, and finance requirements. There were a couple of limitations which included the lack of available email addresses for registered businesses resulting in the survey being distributed physically increasing the risk of it being disregarded or lost. Despite these limitations, the survey provided useful findings, establishing a solid foundation for strategic cybersecurity funding allocations in Malta.

The study reveals notable variations in cybersecurity measures across industries. The financial and insurance sector exhibited a higher response rate (17 per cent), indicating a potential higher priority for cybersecurity, followed by the wholesale and retail trade sector (13 per cent) and manufacturing sector (8 per cent). The findings suggest that certain industries might be more proactive in adopting cybersecurity practices, potentially due to industry-specific regulations or the critical nature of their operations. Understanding these differences can help policymakers tailor industry-specific cybersecurity guidelines and allocate resources to address sector-specific vulnerabilities effectively. It is important to also note that different sectors require different levels of security that may depend on the level of technological integration. A single vulnerability can jeopardise an entire system, emphasising the necessity for heightened cybersecurity measures in tech-dependent sectors. Moreover, the study revealed that smaller companies invest less in cybersecurity compared to bigger companies. This is mainly due to resource constraints, with 37 per cent citing lack of funds as a significant factor. Additionally, 65 per cent of these companies believe there is no need for a dedicated cybersecurity function. Consequently, their limited budgets and perceived lower risk exposure may lead to reduced investments in cybersecurity measures. Unfortunately, this makes smaller companies more vulnerable to cyberattacks, as 61 per cent of them do not perform penetration tests, 55 per cent lack monitoring and logging practices, and 46 per cent do not have data encryption policies. Their lower cybersecurity preparedness makes them attractive targets for cybercriminals seeking easier entry points.

To ensure an organisation’s resilience against cyberattacks, it is crucial to adopt regular penetration testing, data encryption, strong access management practices, and specialised cybersecurity training, amongst other things. The study reveals that approximately 76 per cent of organisations with a dedicated cybersecurity function employ these practices. However, cybersecurity measures alone may not suffice. Alarmingly, only 60 per cent of respondents have active business continuity or disaster recovery plans in place, indicating potential gaps in preparedness for security incidents.

Large companies demonstrate higher investment in cybersecurity, with around 71 per cent having a dedicated cybersecurity function and 93 per cent implementing security monitoring practices. On the other hand, smaller companies tend to outsource cybersecurity (49 per cent) and provide limited specialised training (nine per cent), possibly leaving them more vulnerable to attacks.

These findings underscore the significance of comprehensive cybersecurity measures and ongoing training. Notably, the study highlights that a significant percentage of respondents (55 per cent) do not provide any cybersecurity training to their workforce, potentially weakening their defence against cyber threats. To enhance incident response preparedness and resilience, organisations, especially smaller ones, must prioritise investing in cybersecurity measures and comprehensive training to protect their critical assets and data from evolving threats.

The study also revealed that firms are attempting to improve their cybersecurity, with the majority deploying endpoint protections and using cloud services. However, lack of time and committed budget seem to be two hurdles, holding them from being fully realised. Companies that have a dedicated cybersecurity function are more confident, and all agree on the need of investing in employee training. Addressing budget gaps and focusing on training will improve cybersecurity resilience, resulting in a safer digital environment for businesses and individuals.

This study served as a springboard to investigating the reality of cybersecurity needs of organisations on the island, contributing to the actualisation of the SME Cybersecurity Grant Scheme CYBER+ALT ‘Agħżel Li Tipproteġi’. In this respect, €1,000,000 in EU funds have been secured through the Digital Europe Programme and matched by the same amount in terms of National funds, totalling to a budget of €2,000,000, to develop a scheme whereby SMEs, identified as most vulnerable to cyber-attacks, can receive aid for the uptake and dissemination of state-of-the-art cybersecurity solutions. Hence, eligible organisations can part-finance projects up-to 80 per cent of the cost of investment, for a maximum grant of up to €60,000, to better enhance their overall level of security and resilience.

Full information on the scheme is available on the NCC-MT website – www.ncc-mita.gov.mt/. The scheme will remain open until 29^th December 2023, or an earlier date depending on absorption of the total budget of €2,000,000. Grants shall be awarded on a first-come, first-served basis, subject to budget availability.  Applications can only be submitted online through the dedicated NCC Funding Application Portal accessible from www.nccfunding.gov.mt. Queries can be directed to the NCC-MT on [email protected]. The NCC-MT is also collaborating with Servizzi Ewropej f’Malta (SEM) to handle queries specifically related to the online application on [email protected].

This article is co-founded by the European Union.