Anyone who has sat through security awareness training knows the standard slide: a suspicious email, a too-good-to-be-true link, and a reminder not to click. All fair enough, yet phishing and business email compromise still cost organisations billions every year.

The truth is, the criminals behind these attacks don’t fire off random spam. They plan, they probe, they adapt and they often succeed because too many defences stop at the inbox.

A real-world example

Picture an ordinary Friday. A finance assistant at Company ABC finds an email from a long-standing supplier asking them to update the bank details for an invoice due that day. Nothing unusual. Branding looks right, the contact name checks out, so the payment goes through.

On Monday, the real supplier chases for payment that never arrived. Meanwhile, the same firm’s accounting platform locks out another user who “reset their password” after following instructions from what turned out to be a fake internal IT email. Two incidents, days apart, both seemingly isolated, yet neither was random.

How the Kill Chain actually works

Security teams use the Cyber Kill Chain to break down exactly how an attack like this happens, stage by stage. The original model came from Lockheed Martin back in 2011, borrowed from a military concept about stopping a threat before it hits its target. The same idea applies to cyber threats: the earlier you disrupt the chain, the better chance you have of stopping an attacker before real damage is done.

1. Reconnaissance
This is the groundwork. Attackers start by gathering as much detail as they can about your organisation. They mine LinkedIn for job titles, scan company websites for supplier lists and hunt social media for casual clues. A single LinkedIn post mentioning a new supplier contract might be all they need to craft a believable fake invoice. Some groups even trawl public code repositories to spot who is working on what. The Lazarus Group, for instance, has repeatedly targeted software developers by lurking on code-sharing platforms and watering-hole sites.

2. Weaponisation
Once they have enough detail, the attacker prepares their toolkit. In a phishing scenario, this might be a cloned invoice template, complete with your supplier’s logo and a believable change-of-bank-details notice. More advanced campaigns might embed a macro that only activates inside your network, or a link that drops a Trojan payload.

3. Delivery
Delivery is the method the attacker uses to get that weaponised email or file in front of a target. Phishing remains the easiest route. A spoofed email domain, a carefully timed message and a sense of urgency (“please process this today to avoid a late fee”), and the bait is set. Even when companies have spam filters and domain checks in place, attackers use lookalike domains or hijacked legitimate accounts to slip past.

4. Exploitation
This is the moment the user unwittingly opens the door. The assistant processes the fake invoice and changes the bank details, or the other employee clicks a link that harvests login credentials. In more technical breaches, this stage involves triggering a software vulnerability, for example, an unpatched macro library in Office or a cross-site scripting flaw in a portal link.

5. Installation
If the attack involves malware rather than just social engineering, the malicious file or script then installs itself. It might embed a lightweight backdoor or remote access Trojan, hiding in normal system folders or registry keys to avoid detection. Sophisticated groups design these implants to stay dormant for weeks, quietly watching and collecting more credentials.

6. Command and Control (C2)
At this point, the attacker needs a way to communicate with the compromised machine. The backdoor calls home, usually over normal web traffic so it blends in. Through this channel, attackers can escalate privileges, pivot to other systems or manipulate mailbox rules. For example, they might create a hidden forwarding rule that sends a copy of every invoice email to an external address; an easy way to spot payment opportunities.

7. Actions on Objectives
Finally, the attacker achieves their goal. In a BEC scenario, that usually means money leaves the business bank account and flows through mule accounts into cryptocurrency wallets. In other cases, the objective might be stealing data or deploying ransomware. But the core idea is the same: everything before this point was groundwork to make the final step as smooth as possible.

Where frameworks meet real operations

The Cyber Kill Chain is a good starting point but real attacks rarely follow it in a straight line. That’s where frameworks like MITRE ATT&CK come in. ATT&CK maps out hundreds of real-world techniques - things like “Valid Accounts” or “Spearphishing Link” - that defenders can look for in logs and alerts.

The Diamond Model adds context by tracking the links between the attacker, their tools, their infrastructure and the target. And the Unified Kill Chain ties these ideas together, recognising that attackers might loop back to reconnaissance when they hit a dead end, or chain multiple tactics together in ways the old linear model doesn’t fully capture.

Closing gaps in the real world

If all that sounds theoretical, it isn’t. The same supplier fraud could be blocked by making sure finance staff always verify bank detail changes by phone, not by email alone. Technical controls matter too. Email authentication protocols like SPF, DKIM and DMARC make basic spoofing harder. Multi-factor authentication limits what attackers can do with stolen credentials. Modern Security Operations Centres (SOCs) use MITRE-mapped detection rules, among others, to spot suspicious login locations or sudden mailbox rule changes. And when something does slip through, automated playbooks can suspend an account, quarantine an endpoint or freeze a payment faster than any human alone could manage.
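The hidden forwarding rule described under Command and Control above and the mailbox-rule detection mentioned in this section, as an added example that is not part of the original article: a small Python detector that scores constructed audit events shaped loosely like Microsoft 365 unified audit log records and flags rules that forward payment-related mail outside the organisation or hide it from the mailbox owner. Company ABC's domain, every address, the folder list and the severity weighting are assumptions made for the example.

```python
# Assumed internal domain for the fictional Company ABC (placeholder value).
ORG_DOMAINS = {"companyabc.example"}
# Exchange Online operations that create or modify inbox rules / forwarding.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Folders attackers commonly divert mail into so the victim does not notice.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
FINANCE_WORDS = {"invoice", "payment", "bank", "remittance", "wire"}


def _params(event):
    """Flatten the event's Parameters list into a {Name: Value} dict."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def _domain(addr):
    """Domain part of 'smtp:user@host' or 'user@host', lower-cased."""
    addr = addr.strip().strip('"').lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def external_targets(params, org_domains):
    """Forward/redirect destinations outside the organisation's domains."""
    found = []
    for name in sorted(FORWARD_PARAMS):
        for addr in params.get(name, "").split(";"):
            dom = _domain(addr)
            if dom and dom not in org_domains:
                found.append(addr.strip())
    return found


def hiding_actions(params):
    """Rule actions that stop the mailbox owner from seeing affected mail."""
    actions = [n for n in ("DeleteMessage", "MarkAsRead")
               if params.get(n, "").lower() == "true"]
    folder = params.get("MoveToFolder", "").lower()
    if folder in HIDING_FOLDERS:
        actions.append("MoveToFolder=" + folder)
    return actions


def finance_keywords(params):
    """Rule filters that single out payment-related mail."""
    words = set()
    for name in ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords"):
        for w in params.get(name, "").split(";"):
            w = w.strip().lower()
            if any(f in w for f in FINANCE_WORDS):
                words.add(w)
    return sorted(words)


def inspect_event(event, org_domains=ORG_DOMAINS):
    """Score one audit event; return a finding dict, or None if benign."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _params(event)
    ext = external_targets(params, org_domains)
    hide, words = hiding_actions(params), finance_keywords(params)
    # Assumed weighting: external forwarding counts double, the rest once each.
    score = (2 if ext else 0) + (1 if hide else 0) + (1 if words else 0)
    if score == 0:
        return None
    return {"user": event.get("UserId"), "operation": event["Operation"],
            "severity": "high" if score >= 3 else "medium" if score == 2 else "low",
            "external_targets": ext, "hiding_actions": hide,
            "finance_keywords": words,
            "attack_technique": "T1114.003 Email Forwarding Rule"}  # MITRE ATT&CK


def scan(events, org_domains=ORG_DOMAINS):
    """Run inspect_event over all events and keep only the findings."""
    return [f for f in (inspect_event(e, org_domains) for e in events) if f]


def ev(op, user, **params):
    """Build a constructed audit event in the shape the detector expects."""
    return {"Operation": op, "UserId": user,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    ev("New-InboxRule", "alice@companyabc.example", Name="Newsletters",
       SubjectContainsWords="newsletter", MoveToFolder="Newsletters"),
    ev("New-InboxRule", "finance.assistant@companyabc.example", Name=".",
       SubjectContainsWords="invoice;payment;bank details",
       ForwardTo="smtp:collector@mail-relay.example",
       DeleteMessage="True", MarkAsRead="True"),
    ev("Set-Mailbox", "bob@companyabc.example",
       ForwardingSmtpAddress="smtp:bob.archive@companyabc.example"),
    ev("Set-InboxRule", "carol@companyabc.example",
       SubjectContainsWords="payment", MoveToFolder="RSS Subscriptions"),
    ev("UserLoggedIn", "carol@companyabc.example"),
]
```

Running `scan(SAMPLE_EVENTS)` returns two findings: a high-severity one for the finance assistant's rule (external forward, delete, mark-as-read, invoice filter) and a medium one for the rule that diverts "payment" mail into RSS Subscriptions; the newsletter rule and the internal forwarding address produce nothing.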

One final thought

A phishing email might look like a simple trick, but the operation behind it is anything but. Attackers pick their moment, pick their target and combine human manipulation with technical loopholes. Understanding that chain and putting checks into every stage is how you stop the money leaving the account before it is too late.

DIONE VELLA, Chief Service Excellence & Compliance Officer at BMIT, talks governance and why it is so much more than a box-ticking exercise.

Let’s talk about governance. It’s not always the most exciting topic, but it’s absolutely vital for any business, wouldn’t you agree?

Absolutely, and I get it. Governance doesn’t exactly spark excitement at first. But when you think about it, governance is like the backbone of a business. It’s what keeps things running smoothly, ensures everyone’s pulling in the same direction, and protects the organisation from unnecessary risks. Unfortunately, governance has more often than not been treated as a burden and a box-ticking exercise for compliance audits. That image persists but it is slowly changing. Today, governance should not add red tape but create clarity and structure.

Many companies see governance as tedious or even a waste of time, even money. Why is that?

You’re right, and that’s a common complaint. I think it’s often because governance is seen as this big, complex thing that doesn’t have an immediate payoff. It can feel like a mountain of paperwork or dozens of rules that slow things down.

But a lot of that comes down to how governance is introduced. If you ask someone to read a 50-page policy document without explaining how it helps, of course, they’ll feel frustrated. Perception matters too. As I said, governance is often seen as a ‘tick-the-box for compliance’ rather than something that actively supports the business. As practitioners, we may need to change our approach and how we position governance within a business. That said, I admit, few enjoy reading through multiple policies to satisfy an audit requirement, but it is crucial that all staff know what these documents are about.

You mentioned policies. For those who might not fully understand, how do policies, standards, and procedures fit into this picture?

Think of it like this: policies are the “why”, standards are the “what”, and procedures are the “how”. For example, if you’re running an IT department, a policy might be “We prioritise data security.” The standard could be “All employees must use multi-factor authentication”. And the procedure would be the step-by-step guide on how to set it up.

Without these, people are left guessing. They don’t know what’s expected or how to go about things. And that’s where inefficiencies, mistakes, or even compliance issues creep in.

So how do you show companies that governance is actually a good thing?

It starts with communication. You need to connect the dots for people. For instance, let’s say a business introduces a policy requiring regular software updates. On the surface, that might seem like extra work for the IT team. But when you show them how it reduces the risk of cyberattacks, suddenly it makes sense.

You also need to make governance practical. Don’t overcomplicate things. Use clear, concise language and focus on what’s relevant to your business goals. And when a policy helps to prevent loss of data or a security breach, inform the company. Make some noise. A win for governance is a win for everyone in the company.

You said that perceptions are changing albeit slowly. How are regulations reshaping the world of governance and leading to more ‘enforcement’ compliance?

Regulations in the EU are driving major changes in how companies approach governance by embedding compliance directly into their strategic and operational frameworks.

Starting with the General Data Protection Regulation (GDPR) in 2018 to the Network and Information Security (NIS) 2 Directive in October 2024, and in January 2025, the Digital Operational Resilience Act (DORA), the EU has increased its efforts to protect its citizens, businesses and critical infrastructure by ensuring that governance extends into the technical and operational domains.

Yes, these regulations are required for enforcement and substantial fines can be imposed but what they are really achieving is so much more. They are reshaping corporate governance to prioritise transparency, sustainability, and resilience. Companies aren’t just being told what to do; they’re being shown how these practices benefit their long-term performance and reputation. By mandating these measures, the EU is creating a level playing field while promoting better governance across all industries.

Ultimately, this regulatory landscape is forcing businesses to make governance a key part of their operations to build trust with customers, partners, and investors.

What happens to companies that ignore governance?

Well, the short answer is: they learn the hard way. Take cybersecurity again as an example. If you don’t have proper policies around password management, it’s only a matter of time before someone uses “123456” and your business becomes a target for hackers. Things get worse if data was exfiltrated, especially customer data. No business wants to pay substantial fines when in most cases it could have been avoided if good governance was in place.

Beyond security, poor governance can lead to inefficiencies, missed opportunities, and even legal trouble. A lack of clear decision-making processes can slow a company down when it needs to act quickly, like during a crisis or market change.

What advice would you give to companies looking to improve their governance?

Start small and keep it practical. Don’t try to reinvent the wheel overnight. Focus on the areas where you’re most at risk or where small changes can make a big impact.

And involve your teams. Ask for their input when developing policies. They’re the ones who’ll be using them day-to-day. Finally, don’t forget to review and update regularly. The business world moves fast, and your governance framework needs to keep up.

I also recommend talking to a governance expert if the business doesn’t have the resources or expertise to create and manage a governance strategy.

It’s not that intimidating after all – if done right.

Governance might not be the flashiest topic, but it’s one of the most important investments a business can make. And once you see the benefits, it’s hard to imagine running without it.

BMIT provides comprehensive governance, risk and compliance services for businesses. From policy development, to security awareness training, to guidance on the latest regulations, BMIT can help. Talk to one of our GRC experts to learn more.

Most organisations already use the cloud in some form. Whether it started with moving emails to Microsoft 365, running a website on AWS or Azure, or using a private cloud for sensitive data, cloud has become part of the day-to-day.

However, not every cloud setup fits every business, and the model you choose can affect everything from how secure your data is to how quickly you can scale. For IT leaders and decision-makers, making the right choice depends on many factors.

The Public Cloud

Think of the public cloud as a sprawling office block where you rent exactly the space you need with added amenities. Providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) operate digital infrastructures that you can tap into.

For example, a boutique retail store can run its e-commerce site on Shopify (hosted on AWS), use Microsoft 365 for collaboration, and rely on cloud-based CRM and backup solutions to streamline operations. Using public cloud services, an organisation gains automatic scalability during peak sales and remote accessibility but without the burden of managing IT infrastructure.

Security concerns can make some businesses wary, but major cloud service providers invest far more in security than most individual organisations could. For those experiencing rapid growth or managing customer-facing applications, public cloud solutions offer both cost efficiency and scalability.

Private Cloud

While public cloud infrastructures are secure, if you are a financial institution, a healthcare organisation, or handling sensitive documents, a private cloud may be the better choice. Think of it as having your own ‘dedicated data centre’, but with all the flexibility of cloud technology. It’s more expensive, but for organisations requiring total control, it’s essential.

A financial institution, for example, may rely on a private cloud to comply with strict regulations while modernising its infrastructure. This setup ensures customer data is fully secure, while also enabling the agility to launch new digital services efficiently. For businesses with stringent data residency requirements, private cloud solutions offer peace of mind.

The Hybrid Approach

This is where things get interesting and where business thinking is changing. Often described as getting the ‘best of all worlds’, the Hybrid Cloud or Multicloud model is like having a secure private office for your most sensitive operations while also maintaining flexible, scalable space in one or more shared buildings for everything else. What you are doing here is matching each workload to its most suitable environment.

A business’s compliance and security needs may dictate that its customer data resides in a private cloud (on-premises or in a data centre), while its website and e-commerce platform run on Azure. Meanwhile, its development teams might test web applications in AWS. This approach balances security with scalability while leveraging the strengths of different cloud providers.

BMIT recently organised a half-day event that explored hybrid cloud.

Making This Work

BMIT, Malta's leading data centre and cloud services provider, has years of experience helping organisations - particularly in highly regulated industries like iGaming and financial services - choose the right cloud model. The company recently invested in a managed services provider specialising in AWS solutions.

The key is to start with your business objectives.

Based on your answers, BMIT will provide a tailored solution that may focus on one type of deployment or recommend a hybrid approach using the existing infrastructure but also expanding the IT ecosystem with a multi-cloud approach (AWS with private cloud, or AWS and Azure).

The Path Forward

Your business goals and growth path will determine the right cloud deployment model. Whether you're looking to reduce costs, accelerate innovation, or enhance security, there's a cloud option that can support your business strategy.

Would you like to discuss how these cloud deployment models could specifically support your business strategy? Speak to one of our experts to discuss your options.

Cyber resilience today is less about stopping every threat and more about surviving them. Networks will be probed, systems will fail, but what matters is whether your business keeps going when they do.

Most organisations have long focused on prevention. That still matters. But cyber resilience, the ability to respond to incidents and recover quickly, is what separates those who survive a breach from those who don’t. It is a leadership challenge as much as it is a technical concern.

According to the World Economic Forum, almost three quarters of organisations have seen cyber risks increase. Ransomware remains the headline threat, but other risks are growing just as quickly. Many larger companies have built mature security capabilities, yet mid-sized organisations often find themselves exposed. They often lack internal expertise or dedicated teams, and sometimes rely on incomplete processes.

For attackers, what matters is not the size of your business but the quality of your defences. They look for outdated systems, weak credentials and slow responses.

A Shifting Threat Landscape

Attackers continue to use familiar methods because they work. Phishing remains the most common way into a network. In the UK, the overwhelming majority of businesses and charities have faced these attempts. Emails and messages often look legitimate, and in many cases, even experienced staff are caught out.

Ransomware has become more targeted. Criminal groups look for sectors where downtime is expensive and recovery is complicated. There’s also been a sharp rise in attacks through suppliers and partners. These supply chain breaches can be hard to detect and even harder to prevent. And as we have seen with the Marks & Spencer breach in the UK, a lack of proper process at a third-party IT partner was the root cause.

Emerging threats are also gaining ground. AI is proving to be a great tool but in the wrong hands it's also being used to automate attacks, create fake content and trick users. Traditional defences alone won’t always catch them.

Building Stronger Security with Clear Oversight

Defensive tools are a good starting point. Firewalls, endpoint detection & response (EDR), regular patching and encryption all reduce risk. Multi-factor authentication has become essential, especially with remote and hybrid working models. But security only works well when these controls are part of a broader approach.

A structured framework makes it easier to govern and improve your security. Many mid-sized firms benefit from adopting standards like the NIST Cybersecurity Framework or ISO 27001. These provide a clear structure for assessing risks, defining roles and setting controls. They also help demonstrate accountability, whether to regulators, insurers or partners.

Measuring performance is also important. Key indicators such as detection time, response time, patching delays and training completion can show whether your efforts are paying off. These metrics also help security stay visible at board level, where decisions around budgets and priorities are made.

Without data, it’s hard to know what’s working and what’s not.

Taking Ownership of Cloud Security

The shift to cloud platforms has made many systems more flexible, but it has also introduced new responsibilities. Cloud providers protect the core infrastructure, but it is still your responsibility to manage access, control data, and configure services securely.

Identity management is critical. A weak password or excessive permissions can undermine even the most advanced platform. Encryption should be used both when storing and transferring data. Access rights should be reviewed regularly, and unused accounts removed.

Cloud security posture management (CSPM) tools are increasingly common. They help spot misconfigurations that might otherwise go unnoticed. But tools alone are not enough. You need regular audits, real testing of your backup and recovery plans, and clear policies on who is responsible for what.

When something does go wrong, it should be clear who leads the response and how recovery will happen.

Embedding Security into Business Culture

Security is most effective when it becomes part of everyday work. This begins with a realistic understanding of your risks. A proper risk assessment should consider how your people, systems and suppliers operate. That helps focus resources where they are most needed.

Staff training plays a big part. Many organisations still rely on static presentations and annual courses. These have limited impact. What works better is training that uses real examples, role-specific scenarios and ongoing engagement. People need to recognise the signs of an attack and know what action to take. However, they are not security experts. This is important. Awareness helps but an organisation should not put the onus for security on employees because of a few training sessions.

Your technical teams also need to test your defences. Simulated attacks, penetration tests and internal exercises are all useful ways to identify weaknesses before attackers do. And incident response plans should be clear, accessible and regularly rehearsed. When time is tight, clarity matters more than anything else.

A security-minded culture does not appear overnight. It is built through consistent communication, visible leadership support and a willingness to learn from mistakes.

Looking Ahead

The threat landscape continues to evolve. Artificial intelligence is being used to strengthen security operations but also to power more convincing attacks. The growing number of connected devices is creating new points of vulnerability. Meanwhile, developments in quantum computing have triggered early efforts to upgrade encryption before today’s protections become obsolete.

Approaches like Zero Trust are increasingly seen as necessary. In a world where staff work from multiple locations and applications live across many environments, it makes sense to verify every user, every device and every access request.

Security strategies must keep pace with these changes. That means staying informed, being willing to adapt and making security a regular part of strategic planning, not just a technical checklist.

The Role of Leadership in Resilience

Cyber resilience is all about preparing for attacks, responding quickly and ensuring the business can continue operating. This requires strong leadership and clear governance, not just investment in new tools.

For mid-sized organisations in particular, the goal should be to build a security programme that supports business growth, meets compliance obligations and earns the trust of partners and customers. That means asking the right questions, setting the right expectations and holding the right people accountable.

The cost of preparation is often far lower than the cost of recovery. And the organisations that understand this are the ones most likely to thrive, no matter what comes next.


Choosing the right IT partner

At BMIT, we understand that building and maintaining cyber resilience requires more than just technology. It requires a trusted partner that aligns with your unique needs. Our enterprise-grade IT solutions are designed for growing businesses navigating complex operational challenges. We support organisations that view technology as a strategic asset, helping them drive innovation and achieve sustainable outcomes while ensuring robust, adaptive security.

BMIT – Enterprise technology expertise, tailored for your growth.

Every business relies on technology, but how often do we stop to check if it’s as secure as we think? Making assumptions on how secure our networks are is a dangerous and costly game to play! 

A cybersecurity risk assessment isn’t about ticking boxes or indulging in worst-case scenarios (though the latter exercise could prove invaluable, but more on that in another post). It’s about understanding where your organisation might be vulnerable before someone else does. 

What Is a Cybersecurity Risk Assessment? 

Think of it as a health check for your IT systems. It’s a process of identifying weaknesses, evaluating potential threats, and determining how those threats could impact your business. It is an important exercise that gives you a clear view of where your risks lie and what you can do about them. 

Why Does It Matter? 

Cyberattacks don’t just happen to “big” companies. Small and medium-sized businesses are frequently targeted because they are easier targets with weaker security in place. More often than not, smaller organisations are not resilient enough to recover. Apart from the data stolen, they face disruption, financial loss, and reputational damage (think customer trust), enough to cripple the business.

Take the example of a UK logistics firm, KNP Logistics, which fell victim to a ransomware attack in 2023. Three months later it was declared insolvent with the loss of 600 jobs. Could a proactive risk assessment have saved the company? Maybe, maybe not. However, done properly, it could have helped spot the cracks and weaknesses that the ransomware group exploited.

“Hoping for the best” isn’t a strategy. 

What Does a Risk Assessment Involve? 

A proper risk assessment focuses on four key steps: 

At BMIT, we use industry-recognised frameworks like CIS Controls to ensure a thorough and practical approach. 

What Happens If You Don’t Do One? 

Ignoring risk assessments is like driving without checking your brakes. Sure, you might be fine for a while, but the risks build up over time. Without regular assessments, you’re more likely to face: 

The Takeaway 

Cybersecurity risk assessments aren’t just for IT experts or massive enterprises. They are important for any organisation that wants to stay secure and resilient. By identifying and addressing risks now, you can save yourself from far greater headaches (and costs) down the line. 

Investing in an assessment is about preparation, not fear. After all, wouldn’t you rather spot the cracks before they become unfixable?

Download for free our Cybersecurity Discovery Assessment to start your resilience-building journey with BMIT. 

“The future of cloud computing is no longer about choosing a single provider – it’s about strategically leveraging multiple providers to achieve business objectives.” There has been a shift in thinking over the last few years from “Which cloud should we use?” to “How can we maximise the potential of multiple clouds?” SEAN COHEN, Chief Customer Delivery & Support Services Officer at BMIT, discusses the use of Multicloud and hybrid cloud models.

Q. How would you define a multi-cloud strategy?

Think of a multi-cloud strategy like a diversified investment portfolio. The same principle applies to cloud strategy. It involves risk mitigation but also leveraging each provider's unique strengths.

There are many permutations and scenarios but consider the following: You might use Google Cloud's AI and machine learning capabilities for data analytics, AWS's extensive global infrastructure for your customer-facing applications, and Microsoft Azure for your enterprise applications that integrate seamlessly with your existing Microsoft environment. You could even add a Private Cloud hosting critical and sensitive data.

This isn't hypothetical; many organisations, including BMIT customers, have adopted a similar approach because it works well for their diverse needs and multi-site operations.

The Real Benefits (Beyond the Sales Pitch)

Q. We hear a lot about the benefits... but what should compel a company to go for this approach?

Hybrid and multi-cloud environments offer compelling advantages. Their flexibility and scalability allow businesses to seamlessly expand operations by leveraging a combination of on-premises, public cloud resources and private cloud instances. This dynamic approach allows an organisation to scale to meet demand without the burden of overcommitting to infrastructure.

Cost efficiency is another significant benefit. By utilising public cloud services for less sensitive data and workloads, organisations can substantially reduce expenses while maintaining complete control over critical information stored on-premises or in a private cloud.

Enhanced security is also a key advantage, as sensitive data can remain within private cloud systems or on-premises environments, enabling organisations to adhere to regulatory requirements and safeguard their operations.

They also help avoid vendor lock-in. By strategically working with multiple cloud providers, businesses are not dependent on a single vendor, allowing them to choose the best services and tools to meet specific needs. You have greater freedom and improved performance. Workloads can be distributed across different environments, therefore optimising resources and reducing latency. User experience also improves.

Finally, there is a positive impact on organisational resilience. With multiple providers, you minimise the risk of downtime resulting from provider-specific issues, ensuring uninterrupted operations and greater peace of mind.

The Challenges

Q. There are also challenges and pitfalls if you are not careful. It's not the perfect answer to all tech problems?

Managing this model can be complex, requiring businesses to integrate and maintain resources across different environments, multiple links and so on. For these deployments to be successful, you need to have strong governance structures to ensure smooth operations and oversight.

Latency issues can also arise when data is transferred between on-premises and cloud environments, potentially impacting application performance and user experience.

While overall cost optimisation is achievable, some capital expense may be required at the beginning. Nothing comes for free!

The complexity doesn't end there. Managing multiple environments often requires specialised tools and skilled personnel, which can be difficult for organisations lacking in-house expertise. This complexity can lead to increased management costs, as maintaining such an environment demands ongoing operational resources and investment.

Finally, security presents a significant challenge. Ensuring consistent security policies across various cloud providers is no small task, and the potential for inconsistencies can increase the risk of security breaches. For organisations with stringent compliance and security requirements, this is an area that calls for careful attention.

Making Multi-Cloud Work

Q. Where do you begin?

If you're considering a multi-cloud strategy – or if you're already using multiple clouds but want to optimise your approach – start by assessing your current situation. What are your critical workloads? Where are your users located? What are your compliance requirements?

I always recommend starting from your business objectives, not the technology. For some organisations, based on their workloads and processes, a multi-cloud environment suits their business needs and objectives. For others, a single Cloud instance makes more sense.

The next step is to identify how you want your workloads to be managed. For example, some compute-intensive processes would work better with a specific provider; a critical financial application might run on a private cloud infrastructure at BMIT, while your development and testing environments live on public clouds.

Taking the Next Step

Q. What is the key to a successful implementation?

I think it’s very important that the goal isn't to use multiple clouds just for the sake of it – it's about creating an infrastructure that gives your business the agility, resilience, and performance it needs to be successful.

This calls for good planning, a clear vision and understanding of what it means to run a business across multiple clouds and multiple locations. Adopting a hybrid or Multicloud model is feasible with the right tools and the right advice.

BMIT has been helping clients with their hybrid and Multicloud models for many years, offering both private cloud options as well as connectivity to all the major Cloud Service Providers. We’re here to help any business exploring these options.

BMIT Technologies today reported record financial results for 2024, marking a year of strong performance and continued progress on its transformation strategy.

The company posted €33.6 million in revenue, up 17.2% year-on-year, while EBITDA rose 26.7% to €12.7 million. The board has approved a net dividend of €4 million, or €0.0189 per share, with a scrip option.

Alongside the financial performance, BMIT continued to evolve its business model with investments across cloud, digital infrastructure and cyber resilience. The company consolidated its position in Malta’s digital infrastructure space following the acquisition of passive mobile assets that power one of the country’s largest 5G networks, and also strengthened its multicloud capabilities through a majority stake in AWS-focused 56Bit Limited.

Record-breaking year

“2024 was a record-breaking year for BMIT,” Chairman Nikhil Patil told shareholders at the company’s Annual General Meeting today. “Not only did we deliver exceptional results, but we also undertook a fundamental transformation of our business and our business model.”

He added that the company’s long-term growth depends on continued diversification and strategic investment. “Every country now needs both a data centre strategy and a digital infrastructure strategy. BMIT is positioning itself to be central to both.”

CEO Christian Sammut said the results reflect the company’s disciplined execution and sharper focus on customer value. “The success we have achieved is the result of a clear strategic vision, the disciplined execution of this plan, and a continuous effort to put the needs of our clients first.”

Future growth

BMIT also laid the groundwork for further growth. It expanded its managed services portfolio, added new capabilities in governance and compliance, and deepened its reach in hybrid IT. The company is now the only operator in its sector to make use of all subsea cables currently connecting Malta to international routes, strengthening its resilience and connectivity.

Looking ahead, BMIT said its 2025 priorities will remain focused on execution, capability-building, and sustainable growth. It is exploring opportunities in AI clusters, next-generation data centres, and supporting infrastructure to capitalise on the momentum created by AI. The company is actively exploring adjacent growth areas that complement its digital infrastructure strategy, with a focus on telecommunication infrastructures, emerging technologies and future-ready services.

The financial results for the year ended 31 December 2024 were approved at the company’s Annual General Meeting earlier today. The final dividend will be paid on 11 July 2025.

As a business owner or CEO, you know cybersecurity is a critical issue - every headline reminds you of the risks - but justifying hiring a full-time Chief Information Security Officer (CISO) on a tight budget feels out of reach. 

Maybe it’s the cost, or maybe you’re unsure if your organisation even needs someone in that role full-time. What you do know is that leaving security to chance isn’t an option. You need someone who can assess the risks, create a plan, tell you what needs to be done and how. 

This is where the Virtual CISO (vCISO) comes in.  

What is a vCISO? 

A vCISO offers the high-level expertise of a traditional CISO without the significant cost or commitment of a permanent hire. A vCISO is a senior cybersecurity expert who works with your organisation as an external consultant or part-time resource. They step in as a strategic advisor, offering the insights and expertise to secure your business, manage risks, and meet compliance obligations. Think of them as a dedicated cybersecurity leader, on demand, when you need them. 

Why Was the vCISO Role Created? 

Cybersecurity has become an executive-level concern. However, many organisations lack the budget for a full-time CISO. Meanwhile, the rise of flexible working models and the growing complexity of cyber threats created demand for a more adaptable, cost-effective solution. The vCISO role was born to fill this gap, providing the same level of expertise and strategic guidance as an in-house CISO but tailored to suit the unique needs and budgets of growing businesses. 

Why Choose a vCISO 

  1. Cost-Effective Leadership 
    A full-time CISO can cost your organisation a substantial amount of money. For many businesses, this simply isn’t feasible. A vCISO offers the same strategic oversight at a fraction of the cost, charging only for the time and services you need. 
  2. Expertise Without Gaps 
    vCISOs bring many years of experience across industries, offering insights that extend beyond what a single full-time hire might provide. They’ve seen it all - from handling breaches to implementing compliance programs - and use this broad expertise to create solutions tailored to your organisation’s needs. 
  3. Flexibility and Agility 
    As your business evolves, so do your security challenges. A vCISO can adapt to your changing needs, scaling their involvement up or down as required. They are there when you need them - and only when you need them. 
  4. Improved Resilience and Security Posture 
    If cybersecurity isn’t your organisation’s primary focus, it’s easy for gaps to form. A vCISO works proactively to identify and mitigate risks, ensuring you’re not just reacting to problems but staying ahead of them. From implementing robust security frameworks to preparing for potential incidents, they enhance your organisation’s resilience against evolving threats. 
  5. Regulatory Compliance 
    Staying compliant with new and changing regulations can be a significant headache for executives. A vCISO provides clarity and guidance, ensuring your organisation adheres to regulations or standards like GDPR, ISO 27001, DORA or PCI DSS. 

BMIT’s vCISO and security services

BMIT offers a comprehensive range of cybersecurity solutions and services. Aside from standard security services like Threat Management and Security Monitoring and Response, the dedicated vCISO package covers every aspect of the role from security reviews, incident response planning and security training to policies and procedures, business continuity and DR and TableTop Exercises (TTX) among others. Each service within the vCISO offering can be tailored to a customer’s needs.  

Is a vCISO Right for Your Business? 

If cybersecurity is an area that is growing in importance but lacks focus, a vCISO may be the answer. You get the same leadership and expertise as a full-time CISO but on terms that align with your organisation’s budget and operational needs. 

Look at the vCISO as a strategic partner first, and a cost-saving exercise second. They bring clarity to complex security challenges, allowing you to make informed decisions that support your business goals.  

Focus on Strategy, Leave Security to BMIT 

Engaging BMIT’s vCISO gives you peace of mind that you have an expert available when you need one. Every action, investment and decision is guided by someone who understands security but also your business requirements and the challenges you face. That mix of knowledge and experience is invaluable for a business that needs to prioritise security and resilience without breaking the bank. 

It was a packed room at BMIT’s The Cybersecurity Imperative 2025 event, which brought together security professionals, business leaders, and technologists for a morning of practical insights and honest reflection. Now in its third year, this edition tackled a question that seems straightforward but remains challenging: what does ‘secure enough’ really mean?

The keynote from Dr Gege Gatt, CEO of London-based EBO.ai, set the stage by exploring how leadership needs to evolve to make better use of AI and emerging technologies. He stressed that genuine competitive advantage isn't about reacting to disruption but proactively preparing for it. Gege illustrated clearly how the most successful companies reshape their approach to leadership, build adaptability into their culture, and embed AI into their core strategies.

Back to basics

Patrick Camilleri, CEO of 56Bit, followed by reinforcing that despite significant advancements in cybersecurity tools and techniques, organisations still regularly stumble over fundamental practices. He pointed out common mistakes like poorly configured cloud environments, weak identity controls, and insufficient monitoring. Rather than chasing the latest, most sophisticated technologies, Patrick emphasised the importance of consistently addressing these basics as the foundation of genuine resilience.

Nicolas Yiallouros from Microsoft provided perspective on the rapidly growing threat landscape, particularly around identity-based attacks. He explained why relying only on multifactor authentication is no longer enough and introduced how Microsoft Entra helps organisations build a robust Zero Trust approach. Nicolas also highlighted how AI is changing identity protection and administration.

Accountability & Ownership

In another critical session, Cyrille Aubergier, a Senior GRC specialist at BMIT, detailed a deepfake-driven social engineering attack that cost a company $25 million. His analysis revealed worrying gaps in accountability across IT, HR, finance, and security teams, highlighting structural weaknesses in roles and responsibilities. Rather than offering easy fixes, Cyrille made a strong case for rethinking internal accountability and risk ownership to better face today's cyber threats.

Sean Cohen’s presentation offered a stark illustration of how basic security measures can sometimes create an illusion of safety. Using a simulated attack chain beginning from a seemingly harmless software download, he showed just how swiftly ransomware can compromise an entire organisation. Real-world cases, such as the Colonial Pipeline incident and Costa Rica’s government breach, reinforced his point that vulnerabilities often exist in overlooked areas or in decisions made without proper scrutiny.

The human element

Ekaterina Mayorova, a technologist specialising in cyberpsychology, introduced an important human-focused dimension to the discussions. She delved into how cognitive biases, manipulation tactics, and the nature of online interactions significantly increase user vulnerabilities. Her session highlighted the necessity of understanding human behaviour and psychology as essential parts of effective cybersecurity strategies.

Christian Bajada, Head of Information Security at BMIT, then brought attention to everyday operational issues that allow basic security gaps to persist. He cited practical examples like inconsistent verification of remote workers, slow adoption of modern authentication methods like passkeys, and the overreliance on MFA. Christian argued that organisations frequently become stuck in awareness without taking meaningful steps forward, using current threats like Silver Terrier and adversary-in-the-middle attacks to illustrate his point. He urged organisations to move beyond discussions and start implementing proactive measures.

Can you ever be 'secure enough'?

The fireside chat moderated by BMIT’s CMO, Jack Mizzi, provided valuable real-world insights from Kenneth Ciangura (GO), David Vassallo (Cybersift), and Matthew Sciberras (Invicti). They discussed how organisations define and achieve ‘secure enough’ when threats evolve faster than security policies. The panel agreed that being ‘secure enough’ isn't static but constantly shifting, influenced heavily by organisational culture, context, and capabilities.

Finally, Vanessa Psaila, Head of Sales at BMIT, concluded the event by summarising key takeaways and announcing the launch of three new solutions designed to help businesses approach cybersecurity with a clear, structured plan to build resilience.

The recent breach at Marks & Spencer didn’t stem from a technical failure. It began with a phone call. 

Attackers impersonated internal engineers and convinced help desk staff to reset passwords and disable multi-factor authentication. That gave them the foothold they needed to access domain credentials, escalate privileges, and ultimately deploy ransomware. Stores reverted to manual operations. Online sales stopped. 

For a business built on digital efficiency, the disruption was immediate and serious. 

Human Error at the Heart of It 

This wasn’t about gaps in tooling. MFA was active. Security budgets had increased substantially. Yet one moment of misplaced trust was all it took to compromise the system. That’s not a flaw in the technology; it’s a flaw in how the process was executed. 

Social engineering is designed to exploit people under pressure. It preys on urgency, familiarity, and the assumption of legitimacy. And when processes allow for that to happen, for example, when password resets or access changes don’t require verification beyond a single human interaction, the entire security model can be undermined. 

Supply Chains Are Now Attack Surfaces 

This breach didn’t originate inside M&S. It started with a smaller third-party contractor. That’s significant. As internal systems become more secure, and in this case the door was firmly shut, threat actors are increasingly targeting suppliers, vendors, and partners. A smaller business with privileged access and less mature security makes for an ideal access point. 

This is no longer just a vendor management issue. It’s a question of access governance. Which third parties can touch your systems, and under what conditions? How are their credentials managed? And critically, how is their activity monitored? 

Where M&S Got It Right 

What’s worth noting, and often overlooked, is how M&S responded. Systems were isolated. Operations reverted to backup processes. Communications were managed. While not perfect, the company followed a plan. Many organisations don’t even have one. 

Too often, the real damage in a breach comes not from the attack itself, but from the lack of coordination afterwards. That includes delayed disclosures, unclear roles, or even internal confusion over how to restore systems safely. M&S, for all the headlines, showed what it looks like to act on a well-rehearsed plan. That’s a lesson in itself. 

What Businesses Need to Take Away 

The lessons here extend far beyond the particulars of the breach. At their core, they reinforce the idea that cybersecurity is not a matter of investment alone, but of clarity and preparedness. 

Organisations must begin by reinforcing basic access procedures. A password reset or privilege escalation should never rely on a single interaction. There needs to be structured verification. This can happen through independent confirmation, callback procedures, or internal controls that can’t be overridden under pressure. 

Equally important is the need to scrutinise third-party access. It’s not enough to assess vendors once and move on. Access should be reviewed regularly, not just technically but contractually, and every external relationship should be treated as a potential risk vector. 

This ties directly into the question of preparedness. Every business, regardless of size, should have an incident response plan that clearly defines roles, communication channels, and recovery procedures. That plan should be stress-tested, rehearsed, and updated as the environment evolves. A well-executed tabletop exercise (TTX), by way of example, helps expose gaps in your response plan, clarify roles under pressure, and build the mindset needed to respond decisively when real threats emerge. 

Security is not a silo

Yet these practical steps will always fall short without senior ownership. Security cannot remain an IT silo. It needs to be treated as a governance issue, driven by leadership and supported by external expertise where internal resources are limited. Governance is what ensures that good advice becomes consistent action, and that priorities align with risk. 

Just as critical is the need for active threat monitoring and timely response. Managed detection and response (MDR) services are becoming essential for those without round-the-clock internal capabilities. Having visibility isn’t enough; there must be capacity to act when anomalies surface. 
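The two points above, that a reset or MFA change should never rest on a single unverified interaction and that monitoring must produce something a responder can act on, can be combined into one detection. The following is an added illustrative example, not BMIT's code or anything from the M&S investigation: it correlates help-desk password resets with MFA-method removals on the same account inside a short window and raises an alert when the reset was not backed by an independent verification step. The JSON log format, field names, the list of accepted verification methods, the contractor account name and every sample event are constructed assumptions.

```python
"""Flag help-desk MFA resets that lack independent verification.

Added illustrative example. The log format, field names, verification
method names, actor names and all sample events are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Verification methods that are independent of the original caller
# (constructed names; map these to your own help-desk procedure).
ACCEPTED_VERIFICATION = {"callback_to_number_on_record", "manager_confirmation"}
# Help-desk accounts operated by an external contractor (constructed).
THIRD_PARTY_ACTORS = {"svc-helpdesk-contractor"}
# A reset followed by an MFA removal inside this window is treated as one interaction.
WINDOW = timedelta(minutes=30)

# Constructed sample log in JSON-lines form. Not real data.
SAMPLE_LOG = """\
{"ts": "2025-04-18T09:02:11Z", "event": "helpdesk_password_reset", "actor": "svc-helpdesk-contractor", "target": "j.smith", "ticket": "T-1001", "verification": "caller_claim"}
{"ts": "2025-04-18T09:04:40Z", "event": "mfa_method_removed", "actor": "svc-helpdesk-contractor", "target": "j.smith", "ticket": "T-1001"}
{"ts": "2025-04-18T10:15:00Z", "event": "helpdesk_password_reset", "actor": "helpdesk-internal", "target": "a.borg", "ticket": "T-1002", "verification": "callback_to_number_on_record"}
{"ts": "2025-04-18T10:16:30Z", "event": "mfa_method_removed", "actor": "helpdesk-internal", "target": "a.borg", "ticket": "T-1002"}
{"ts": "2025-04-18T12:00:00Z", "event": "mfa_method_removed", "actor": "b.zammit", "target": "b.zammit", "ticket": null}
{"ts": "2025-04-18T13:30:00Z", "event": "helpdesk_password_reset", "actor": "helpdesk-internal", "target": "c.grech", "ticket": "T-1003", "verification": "caller_claim"}
{"ts": "2025-04-18T15:45:00Z", "event": "mfa_method_removed", "actor": "helpdesk-internal", "target": "c.grech", "ticket": "T-1004"}
"""


@dataclass
class Event:
    ts: datetime
    event: str
    actor: str
    target: str
    ticket: Optional[str]
    verification: Optional[str] = None


@dataclass
class Alert:
    target: str
    ticket: Optional[str]
    actor: str
    third_party: bool  # True when the change was made by a contractor account
    reason: str


def parse_events(text: str) -> List[Event]:
    """Parse JSON lines into Event records, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(
            ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
            event=rec["event"],
            actor=rec["actor"],
            target=rec["target"],
            ticket=rec.get("ticket"),
            verification=rec.get("verification"),
        ))
    return sorted(events, key=lambda e: e.ts)


def find_unverified_mfa_resets(events: List[Event], window: timedelta = WINDOW) -> List[Alert]:
    """Alert when an MFA method is removed within `window` of a help-desk
    password reset on the same account and that reset was not backed by an
    accepted independent verification method."""
    alerts: List[Alert] = []
    resets_by_target = {}
    for e in events:
        if e.event == "helpdesk_password_reset":
            resets_by_target.setdefault(e.target, []).append(e)
        elif e.event == "mfa_method_removed":
            for reset in resets_by_target.get(e.target, []):
                recent = timedelta(0) <= e.ts - reset.ts <= window
                if recent and reset.verification not in ACCEPTED_VERIFICATION:
                    alerts.append(Alert(
                        target=e.target,
                        ticket=reset.ticket,
                        actor=e.actor,
                        third_party=e.actor in THIRD_PARTY_ACTORS,
                        reason=f"MFA removed {e.ts - reset.ts} after a reset verified only by "
                               f"'{reset.verification}'; require callback before approving",
                    ))
                    break  # one alert per MFA removal is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_unverified_mfa_resets(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample log only `j.smith` is flagged: the reset and the MFA removal happen three minutes apart, the only verification was the caller's own claim, and the actor is a contractor account, which is exactly the combination the article describes. `a.borg` is not flagged because the reset was confirmed by a callback to a number on record, `b.zammit` removed a method in self-service with no preceding reset, and `c.grech` falls outside the window, so a responder would review that one through the normal ticket audit rather than as an urgent alert.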

But perhaps the most enduring lesson from this breach is cultural. M&S’s attackers didn’t find a backdoor; they persuaded their way in. That highlights the role of culture in resilience. Teams must be trained to spot suspicious behaviour, yes, but more than that, they need to feel confident pushing back, questioning instructions, and slowing things down when something doesn’t feel right. Security, at its heart, depends on behaviour as much as infrastructure. 

Final Thought 

There’s no such thing as a secure organisation. However, there is one that’s well-prepared. The M&S breach was serious, but it wasn’t unique. The methods used are familiar. The access paths are common. The difference is how organisations anticipate, prepare for, and respond to these moments. 

Smaller businesses might assume they’re not targets. In truth, they often face higher risk because the same level of resilience isn’t in place. But you don’t need a massive budget to get the fundamentals right. You need clarity, process, and a culture that understands cyber risk isn’t someone else’s problem. 

In the end, resilience is measured not just by how well you prevent a breach, but by how effectively you respond when it happens. 

Christian Bajada is Head of Information Security at BMIT Technologies plc. This article first appeared on Who's Who.