The world in 2025 is marked by increased global conflicts. The fallout of this turbulence is in the digital realm – the growing capacities of cybercriminals and the rapid advances in emerging technologies show no sign of abating, and have led to a more complex cyberspace. It is one of the most pressing international issues today.
So where does Malta land in cybersecurity?
BusinessNow.mt speaks to two experts, CY4 Security founder Keith Cutajar and Christian Bajada, head of information security at BMIT Technologies, about all things cybersecurity at present – and the winding road ahead.
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users through ransomware; or interrupting normal business processes.
The Malta Information Technology Agency (MITA) has invested €30 million to enhance government security with tools like encryption, two-factor authentication and artificial intelligence, and also launched the first cyber security master’s degree at the University of Malta. Experts say this investment is equally promising and not enough.
“Budget wise, I would never say one figure is enough. In our Maltese landscape this is not enough. I encourage more investment in advisory, purchasing of software tools, etc. There needs to be significantly more collaboration between the public sector and private companies,” Keith Cutajar says.
“Northern countries like Britain and Germany invest much more as a ratio than we do. There has been a public tender for private security services to reinforce cybersecurity capacity because MITA is not comprehensive, and yet the tender has been stalled for months.”
Mr Cutajar founded CY4 Security, which deals with immediate cyber security incident response for companies. It receives notifications of attacks on a regular basis.
“We get notification by companies on a monthly, even weekly basis. We are hit locally by both bigheads and very small heads. Attacks are on the increase. The concept of national protection in Malta is generally lacking. We tell ourselves, we are an island in the Mediterranean, who can target us? But we are a target like anyone else.”
“Security breaches in our national services can result in loss of our most precious data, leave entities without services, a loss of intelligence or information. In other words, a lot is at stake. The Government holds critical citizenship data, our identities, health, licensing, national transportation. Capacities are not there, and the laws do not match the severity of the potential losses.”
According to the Data Protection Act, public authorities face administrative fines of up to €50,000 per violation for severe breaches, with additional daily penalties for ongoing non-compliance, and potential criminal liability (fines or imprisonment) for deliberate misconduct.
The maximum penalty has never been enforced.
The violation of Data Protection Laws in Malta has resulted in just 30 fines of less than €5,000 in seven years until 2020, according to a Freedom of Information (FOI) request published by Transparency Malta. Thirty breaches amounted to fines totalling only €40,000 over seven years. The fines range from €23.29 to €250, and from €1,000 to €2,000.
The highest fine was €5,000, penalising the Lands Authority in 2019 for a massive breach of personal data of more than 5,000 users who made use of its online services.
Private companies, on the other hand, are subject to much higher consequences in cases of breaches.
“Funding for cybersecurity capacities is not enough. We need full reform that includes public liability. People who are responsible for data need to be held accountable,” Mr Cutajar affirms.
“I believe that the Government will reprioritise if it fully understands the things at stake here.”
‘Malta must not be a sitting duck’ – Christian Bajada
For Christian Bajada, Malta’s present response is a cautious step in the right direction.
“Cybersecurity challenges are a reality everywhere. Whether you’re talking about public authorities, private businesses, or critical infrastructure providers, threats are increasing – and they’re becoming more sophisticated, more frequent, and more disruptive. This isn’t something unique to Malta. Organisations around the world are facing the same constantly shifting cybersecurity landscape. That said, Malta’s response is worth highlighting.”
The country has made a clear commitment to strengthening its cybersecurity posture, he explains.
“There’s real investment happening at a national level, and a growing sense of urgency within both Government and business. I don’t think the €30 million allocated to cybersecurity is a token amount – far from it. I believe it signals a genuine understanding of the risks, and a willingness to do something about them. Could more be done? Of course. There always is. But it’s a step in the right direction.”
This investment and the fact that national entities are collaborating are signs of good practice.
“MITA and the National Cybersecurity Coordination Centre (NCC) are now playing a more prominent role in bringing the national cybersecurity community together. Interest in the NCC is growing, and collaboration across sectors is becoming more visible. Initiatives like the Coordinated Vulnerability Disclosure Policy (CVDP) are helping to build trust too, by encouraging responsible information sharing. MITA’s Cyber Threat Intelligence programme, for example, features a Malware Information Sharing Platform (MISP) through which public and private stakeholders can exchange indicators of compromise and threat data.
These efforts are partly driven by compliance, but they also reflect a growing awareness of what good practice looks like today.”
Still, Mr Bajada says, we must be realistic.
“We are seeing numerous attacks involving phishing and business email compromise. These are often preventable through stronger awareness programmes and better monitoring and alerting for suspicious activities. At the grassroots level, I don’t believe we’re there yet.”
More broadly, private and public entities must be careful not to focus solely on known or historic attack methods. Many organisations are well-prepared for traditional threats, but it is the blind spots that remain dangerous.
“The shift to remote and hybrid work is one example. After the pandemic, full-remote working became the norm for many businesses. But in some cases, employers have little to no visibility over who is performing the work. This is being actively exploited, with documented cases of North Korean actors infiltrating companies through remote work scams.”
Similarly, third-party risk remains a persistent weak link.
“Even if your own systems are secure, attackers can gain access through less-protected vendors or service providers. The reality is that no business operates in isolation and the supply chain is now part of the attack surface.
Shadow IT – where employees set up cloud services or install apps without IT’s knowledge – introduces further risks, often without anyone realising until it’s too late. And while security tools are essential, they can’t be treated as silver bullets. Misconfigurations, outdated rules, or blind faith in automation can create a false sense of security.”
One of the biggest gaps we face both locally and globally is the lack of rapid response to newly emerging attack methods. Even when vulnerabilities or techniques are well documented in public threat reports, the reaction time is often slow, due to a number of intermingling factors.
This delay, the security expert continues, leaves organisations exposed during the most critical window: when attackers are actively exploiting a weakness and defenders haven’t yet caught up.
“We cannot afford to be sitting ducks. Building the capability for faster analysis, faster patching, and quicker operational changes must be a national priority,” he says.
“All of this reinforces a simple point: cybersecurity is ongoing. It is not a box to tick or a project with an end date. We have to keep pace with the threat landscape. That means consistent investment, regular monitoring, and long-term planning. Attackers are constantly evolving their tactics, so defences need to evolve too. Risk assessments, system reviews, and a culture of vigilance are fundamental.”
And for businesses, the risks aren’t just technical. A cyber incident can mean reputational damage, lost productivity, and serious financial impact.
“That’s why cybersecurity needs to be a core part of business strategy. Regular training, timely system updates, and active participation in national initiatives all help strengthen resilience.
“So yes, Malta is heading in the right direction. The mindset is shifting, and the right structures are taking shape. But this journey doesn’t have a finish line. Building true cyber resilience takes more than good intentions. It needs ongoing commitment, critical thinking, and the agility to respond when it matters most,” Mr Bajada concludes.