It was a packed room at BMIT’s The Cybersecurity Imperative 2025 event, which brought together security professionals, business leaders, and technologists for a morning of practical insights and honest reflection. Now in its third year, this edition tackled a question that seems straightforward but remains challenging: what does ‘secure enough’ really mean?
The keynote from Dr Gege Gatt, CEO of London-based EBO.ai, set the stage by exploring how leadership needs to evolve to make better use of AI and emerging technologies. He stressed that genuine competitive advantage isn't about reacting to disruption but proactively preparing for it. Gege illustrated clearly how the most successful companies reshape their approach to leadership, build adaptability into their culture, and embed AI into their core strategies.
Back to basics
Patrick Camilleri, CEO of 56Bit, followed by reinforcing that despite significant advancements in cybersecurity tools and techniques, organisations still regularly stumble over fundamental practices. He pointed out common mistakes like poorly configured cloud environments, weak identity controls, and insufficient monitoring. Rather than chasing the latest, most sophisticated technologies, Patrick emphasised the importance of consistently addressing these basics as the foundation of genuine resilience.
Nicolas Yiallouros from Microsoft provided perspective on the rapidly growing threat landscape, particularly around identity-based attacks. He explained why relying only on multifactor authentication is no longer enough and introduced how Microsoft Entra helps organisations build a robust Zero Trust approach. Nicolas also highlighted how AI is changing identity protection and administration.
Accountablity & Ownership
In another critical session, Cyrille Aubergier, a Senior GRC specialist at BMIT, detailed a deepfake-driven social engineering attack that cost a company $25 million. His analysis revealed worrying gaps in accountability across IT, HR, finance, and security teams, highlighting structural weaknesses in roles and responsibilities. Rather than offering easy fixes, Cyrille made a strong case for rethinking internal accountability and risk ownership to better face today's cyber threats.
Sean Cohen’s presentation offered a stark illustration of how basic security measures can sometimes create an illusion of safety. Using a simulated attack chain beginning from a seemingly harmless software download, he showed just how swiftly ransomware can compromise an entire organisation. Real-world cases, such as the Colonial Pipeline incident and Costa Rica’s government breach, reinforced his point that vulnerabilities often exist in overlooked areas or in decisions made without proper scrutiny.
The human element
Ekaterina Mayorova, a technologist specialising in cyberpsychology, introduced an important human-focused dimension to the discussions. She delved into how cognitive biases, manipulation tactics, and the nature of online interactions significantly increase user vulnerabilities. Her session highlighted the necessity of understanding human behaviour and psychology as essential parts of effective cybersecurity strategies.
Christian Bajada, Head of Information Security at BMIT, then brought attention to everyday operational issues that allow basic security gaps to persist. He cited practical examples like inconsistent verification of remote workers, slow adoption of modern authentication methods like passkeys, and the overreliance on MFA. Christian argued that organisations frequently become stuck in awareness without taking meaningful steps forward, using current threats like Silver Terrier and adversary-in-the-middle attacks to illustrate his point. He urged organisations to move beyond discussions and start implementing proactive measures.
Can you ever be 'secure enough'?
The fireside chat moderated by BMIT’s CMO, Jack Mizzi, provided valuable real-world insights from Kenneth Ciangura (GO), David Vassallo (Cybersift), and Matthew Sciberras (Invicti). They discussed how organisations define and achieve ‘secure enough’ when threats evolve faster than security policies. The panel agreed that being ‘secure enough’ isn't static but constantly shifting, influenced heavily by organisational culture, context, and capabilities.
Finally, Vanessa Psaila, Head of Sales at BMIT, concluded the event by summarising key takeaways and announcing the launch of three new solutions designed to help businesses approach cybersecurity with a clear, structured plan to build resilience.
The recent breach at Marks & Spencer didn’t stem from a technical failure. It began with a phone call.
Attackers impersonated internal engineers and convinced help desk staff to reset passwords and disable multi-factor authentication. That gave them the foothold they needed to access domain credentials, escalate privileges, and ultimately deploy ransomware. Stores reverted to manual operations. Online sales stopped.
For a business built on digital efficiency, the disruption was immediate and serious.
Human Error at the Heart of It
This wasn’t about gaps in tooling. MFA was active. Security budgets had increased substantially. Yet one moment of misplaced trust was all it took to compromise the system. That’s not a flaw in the technology; it’s a flaw in how the process was executed.
Social engineering is designed to exploit people under pressure. It preys on urgency, familiarity, and the assumption of legitimacy. And when processes allow for that to happen, for example, when password resets or access changes don’t require verification beyond a single human interaction, the entire security model can be undermined.
Supply Chains Are Now Attack Surfaces
This breach didn’t originate inside M&S. It started with a smaller third-party contractor. That’s significant. As internal systems become more secure, and in this case the door was firmly shut, threat actors are increasingly targeting suppliers, vendors, and partners. A smaller business with privileged access and less mature security makes for an ideal access point.
This is no longer just a vendor management issue. It’s a question of access governance. Which third parties can touch your systems, and under what conditions? How are their credentials managed? And critically, how is their activity monitored?
Where M&S Got It Right
What’s worth noting, and often overlooked, is how M&S responded. Systems were isolated. Operations reverted to backup processes. Communications were managed. While not perfect, the company followed a plan. Many organisations don’t even have one.
Too often, the real damage in a breach comes not from the attack itself, but from the lack of coordination afterwards. That includes delayed disclosures, unclear roles, or even internal confusion over how to restore systems safely. M&S, for all the headlines, showed what it looks like to act on a well-rehearsed plan. That’s a lesson in itself.
What Businesses Need to Take Away
The lessons here extend far beyond the particulars of the breach. At their core, they reinforce the idea that cybersecurity is not a matter of investment alone, but of clarity and preparedness.
Organisations must begin by reinforcing basic access procedures. A password reset or privilege escalation should never rely on a single interaction. There needs to be structured verification. This can happen through independent confirmation, callback procedures, or internal controls that can’t be overridden under pressure.
Equally important is the need to scrutinise third-party access. It’s not enough to assess vendors once and move on. Access should be reviewed regularly, not just technically but contractually, and every external relationship should be treated as a potential risk vector.
This ties directly into the question of preparedness. Every business, regardless of size, should have an incident response plan that clearly defines roles, communication channels, and recovery procedures. That plan should be stress-tested, rehearsed, and updated as the environment evolves. A well-executed tabletop exercise (TTX), by way of example, helps expose gaps in your response plan, clarify roles under pressure, and build the mindset needed to respond decisively when real threats emerge.
Yet these practical steps will always fall short without senior ownership. Security cannot remain an IT silo. It needs to be treated as a governance issue, driven by leadership and supported by external expertise where internal resources are limited. Governance is what ensures that good advice becomes consistent action, and that priorities align with risk.
Just as critical is the need for active threat monitoring and timely response. Managed detection and response (MDR) services are becoming essential for those without round-the-clock internal capabilities. Having visibility isn’t enough there must be capacity to act when anomalies surface.
But perhaps the most enduring lesson from this breach is cultural. M&S’s attackers didn’t find a backdoor; they persuaded their way in. That highlights the role of culture in resilience. Teams must be trained to spot suspicious behaviour, yes but more than that, they need to feel confident pushing back, questioning instructions, and slowing things down when something doesn’t feel right. Security, at its heart, depends on behaviour as much as infrastructure.
Final Thought
There’s no such thing as a secure organisation. However, there is one that’s well-prepared. The M&S breach was serious, but it wasn’t unique. The methods used are familiar. The access paths are common. The difference is how organisations anticipate, prepare for, and respond to these moments.
Smaller businesses might assume they’re not targets. In truth, they often face higher risk because the same level of resilience isn’t in place. But you don’t need a massive budget to get the fundamentals right. You need clarity, process, and a culture that understands cyber risk isn’t someone else’s problem.
In the end, resilience is measured not just by how well you prevent a breach, but by how effectively you respond when it happens.
BMIT Technologies today announced it has finalised the acquisition of a 51% stake in 56Bit Limited, with the option to increase its shareholding over the next five years, subject to the company’s performance.
This strategic move strengthens BMIT Group's position as Malta’s leading provider of hybrid IT and cloud services and significantly enhances it's cloud portfolio - particularly in AWS technologies.
Through this investment, BMIT Group is gaining access to deep AWS expertise, specialised skills, and proven delivery capabilities. It also accelerates the Group's ability to provide vendor-agnostic, tailored cloud solutions - from migration to optimisation and managed services - and reinforces the commitment to delivering high-quality, secure, and scalable cloud solutions across multi-cloud environments.
Packages are more than just a collection of services
Do you think cybersecurity is just an IT issue? It’s not. It’s a business issue and one that could have a lasting impact on the company’s future. Security is often considered (and treated) as a collection of tools rather than a strategic advantage that builds customer trust, operational resilience, and ultimately, competitive edge.
BMIT have just announced three security packages based on what we’ve learned protecting businesses and where they stumble when it comes to security.
The Threat Management, vCISO, and Managed Detection and Response packages go beyond tools, checklists and compliance. They’re designed to integrate security into the business. Why? Because real security isn’t just about preventing attacks, it’s about building resilience and enabling growth with confidence.
Every business has vulnerabilities: outdated software, human error, third-party risks. No system is perfect, attack surfaces are numerous, and attackers know that. The real challenge isn’t eliminating every risk (that’s impossible); it’s about dealing with the now and what you know.
Our Threat Management package combines vulnerability scanning, penetration testing by actual security professionals (not just automated tools), and real-time threat intelligence. But the real value comes from our approach: we help you build security thinking into everyday operations.
vCISO – Because Security Needs Leadership, Not Just Tools
You cannot handle cybersecurity like a to-do list: update firewall rules, update Windows, carry out compliance. These are just scattered efforts that miss a crucial element: Leadership.
Our vCISO (Virtual Chief Information Security Officer) service brings senior-level security expertise to your business without the cost of a full-time executive. Yes, we do point out risks and areas of weakness, but we align this activity with your business goals, helping you build trust with customers, strengthen compliance, and create a strong security culture among staff.
From security policy development to awareness training, this package isn’t just about meeting standards, it’s about setting them.
A cyberattack is a business issue. Data loss, reputational damage, operational downtime aren’t theoretical risks; they’re real consequences. The Managed Detection and Response package is not about sending alerts when something is suspicious or goes wrong. It means making sure the business has the right response in place before an attack even happens.
With continuous monitoring, daily reviews, expertise in managing SIEM (Security Information and Event Management), and rapid response, you get the knowledge to be able to act.
Looking at security from a different lens
Cybersecurity isn’t a product you buy once and forget about. We do things differently by offering proactive services that help businesses think ahead, planning for the future, today.
Each security package is designed to fill specific gaps in your security posture. Many clients will start with one service and expand as they mature. The question isn't which package is best but which risks pose the greatest threat to your specific business right now?
It’s time to start seeing a proactive approach to security as an advantage. The checkboxes come later. Unsure which package makes most sense? Let’s have a chat and discuss your business needs.
Cyrille Aubergier, Senior Compliance (GRC) Specialist at BMIT talks about making a success of security awareness training and to be wary of the pitfalls.
Security awareness training is gaining a lot of traction in organisations, yet we continue to see incidents stemming from basic errors. What do you think is the biggest reason for this disconnect?
Errors typically stem from two primary sources: spoofing (phishing) and mishandling. In cases where errors arise from spoofing, the appropriate solutions are a strong security awareness programme and phishing tests, and I'll mention a few best practices.
When errors result from incorrect handling, privilege comes with responsibility. And this can be addressed in multiple ways, such as comprehensive technical training, “four-eyes” validation, and adherence to robust engineering principles for testing and implementation.
To return to your question, this disconnect is mainly due to the quality of the training programme. Live training sessions, whether remote or in-person, are more effective than recorded sessions or videos. Interactive and context-specific training is much more stimulating and impactful compared to traditional training.
Additionally, sharing real examples of security incidents that happen within the company (without naming individuals) will clearly highlight the consequences of security breaches that may affect you indirectly.
You mentioned stimulation and impact - what makes traditional training so unengaging?
Traditional training can be unengaging when it fails to address current threats, current risks, and the evolving technical landscape. Training content disconnected from the company's ecosystem leads to disinterest among participants.
Beyond engagement, are there other common mistakes organisations make with their training programmes?
Organisations may underestimate the phishing risk but also the benefits of a robust cybersecurity awareness programme. This oversight is frequently due to budget constraints or the lack of well-defined Key Performance Indicators (KPIs). Without clear metrics to evaluate effectiveness it becomes challenging to measure benefits and justify the cost.
How would you recommend organisations rethink their strategy?
They need to shift their mindset from compliance to competence. The goal should not just be to meet regulatory requirements; it should be to help employees to make smart security decisions every day. A key strategy will be to adapt the training to the audience. For example, “An introduction to Cybersecurity” will enforce your code of conduct with all staff. A Table-Top Exercise (TTX) will educate and empower they key people who may one day find themselves handling a security incident.
How can organisations make their training more relevant?
Organisations should tailor their programmes to align with the local and technical context, as well as their existing security policies. Aligning training materials with the organisation's Code of Conduct will help in clarifying acceptable behaviours and prohibited actions, which can lead to the errors we mentioned earlier. Additionally, we all agree that confidential information must be encrypted when sent over the Internet. This is mentioned in almost every security policy, and technical solutions exist to manage this. Training materials should include practical guidance on how to use encryption with email.
Are there any specific techniques you have seen work well for keeping employees engaged?
Take the universal nature of cyber threats. Cybercriminals use similar psychological tactics whether targeting individuals at work or at home, aiming to compromise personal, professional data or the company itself. Highlighting this dual threat can motivate employees to consider a fundamental question: “How can I protect myself and my family?” This underscores the importance of vigilance at all times.
How do you ensure the lessons learned during training are reinforced over time?
Maintaining a regular frequency of cybersecurity training is key. Most regulations suggest a minimum of once a year, but it depends on how your phishing risks have been evaluated. Additionally, just as security policies and codes of conduct are periodically updated to reflect new technologies, threats, and business changes, training content should also be regularly refreshed.
What role does leadership play in the success of security awareness training?
Cybercriminals target all employees in search of the "weakest link”. But we must remember that it is the leadership's responsibility to ensure that all weaknesses are properly addressed. And to choose the appropriate security awareness programme that will mitigate the phishing risk.
How do you measure the effectiveness of their training programmes?
To measure their effectiveness, you can incorporate interactive elements like open questions, anonymised quizzes, use cases, and discussions to validate understanding and improve impact. The programme can also be measured using two indicators: trends in the number of phishing incidents and periodic phishing tests. These tests are the only way to measure KPIs such as the number of clicks on malicious links, the number of ignored emails, and the number of reports of suspicious emails, which will help evaluate the current risk. The goal is to encourage employees to report any dubious emails. What is worse than an employee falling for a phishing trick? Not reporting it.
Finally, if you had to summarise the key to effective security awareness training, what would it be?
Empowering humans remains a critical component of cybersecurity. Despite advancements in technology and artificial intelligence, we are all still receiving unsolicited emails - and for more than 50 years! Humans are and will remain the first line of defence. Focus on creating a culture of security, where employees feel involved and engaged to take the right decision every day. Building this culture requires continuous reinforcement, role-specific training, leadership involvement, and the use of appropriate technology. By investing in the education and empowerment of employees, organisations can significantly enhance their global security posture.
BMIT Technologies backs Maltese para powerlifting talent on road to 2028
Nick Mercieca, the Maltese para powerlifting athlete, has set his sights on the 2028 Paralympic Games in Los Angeles, and his preparations have been boosted by new backing that will help him take on a rigorous international schedule in the years ahead. BMIT Technologies has just announced that it will be the athlete’s main partner on his journey to the Games.
For the next three years, Nick has a packed calendar of training camps, international events, and elite competitions that will shape his path and ambition to earn a Paralympic qualification spot.
“My focus has always been the Paralympics. LA 2028 is the goal,” said Nick. “I train every day to earn that place, and this support from BMIT means I can fully commit to that journey. It’s more than a sponsorship, it’s a belief in what I’m working towards and the Paralympic spirit we uphold. Paralympic sport shows us how far we can push ourselves, no matter the obstacles we may face in life.”
Nick’s sporting credentials already speak volumes. A karate black belt and para rowing world record-holder, he has quickly emerged as a promising talent in the world of para powerlifting. At the recent World Para Powerlifting World Cup in Tbilisi, Georgia, he became Malta’s first international para powerlifter in history, placing 1st place in total lift and 2nd for best lift in the ‘Next Generation’ category for 18-20-year-olds. His development in the sport has drawn attention for both his athletic potential and his sheer determination.
“When we met Nick, we immediately saw someone who reflects the values we believe in - resilience, purpose, and a relentless drive to improve,” said Christian Sammut, CEO of BMIT Technologies. “We’re proud to support his journey and hope our backing helps him reach the world stage.”
The sponsorship forms part of BMIT Technologies’ broader commitment to supporting local talent and inclusivity in sport. Nick will now enter a critical period of development and competition, with upcoming events playing a key role in building his international ranking and experience.
A security policy is a formal set of rules that defines how your organisation protects its information assets and systems. It outlines the necessary actions to prevent unauthorised access, use, disclosure, modification, or destruction of data and infrastructure.
If your business handles sensitive data - such as customer information, financial records, intellectual property, or confidential communications - a security policy is essential.
Why a Security Policy Matters
A security policy helps manage security risks and incidents in a consistent, structured manner. It clearly sets expectations for employees, customers, and partners, establishing accountability and trust. In regulated industries, a formal policy is often mandatory to demonstrate compliance with legal and regulatory standards.
A well-defined, regularly updated policy signals that your organisation is prepared to handle the potential impact of a data breach or cyber incident. It also helps build credibility and demonstrates that you take security seriously.
However, developing a strong policy isn’t a one-off task, it must evolve alongside your business and the threat landscape.
How to Get Started
Define Objectives and Scope Clarify the goals of your security policy: what assets and systems it covers, who is affected, and how the policy supports your broader business strategy and values.
Conduct a Risk Assessment Identify the key threats and vulnerabilities facing your organisation. Where are the gaps? What risks are most severe? This assessment helps define the right controls and priorities.
Set Security Requirements Use the insights from your risk assessment to define specific rules, standards, and minimum expectations. These should apply to staff, partners, contractors, and any other third parties with access to your systems.
Communicate Clearly Use plain, accessible language to explain the policy. Avoid jargon. Many staff members won’t be security experts. Everyone needs to understand and accept their responsibilities.
Implement and Enforce Define clear steps for compliance. Provide training, tools, and ongoing support. Establish processes for reporting incidents, conducting audits, and updating the policy.
Evaluate and Improve Regularly assess how well your policy is working. Gather feedback, track effectiveness, and adjust as needed to reflect changes in your business or the threat environment.
Key Areas to Cover in Your Policy
Your security policy should address multiple aspects of information security. Core areas include:
Password Management Require strong passwords and multi-factor authentication.
Access Control Follow least privilege or zero-trust principles. Give users only the access they need.
Data Encryption Encrypt data both at rest and in transit using current best practices.
Employee Training Educate staff on password hygiene, phishing, and incident response.
Third-Party Access Ensure vendors and partners follow the same security standards as your internal team.
Network Security Implement and maintain firewalls, intrusion detection systems, and VPNs for secure remote access.
Mobile Device Management Apply security controls to work devices - such as strong passcodes, remote wipe capabilities, and device encryption.
A comprehensive, realistic, and regularly maintained policy fosters a culture of awareness and helps the entire organisation remain resilient against evolving threats.
How BMIT Can Help
BMIT provides a number of related services to help businesses with audits and compliance if they don't have the necessary expertise or resources. Want to create a robust security policy that protects your business? Contact us today to get started.
Q: What is cloud security?
A: Cloud security is a combination of technologies, policies, processes, and user education designed to protect data, applications, and systems operating in a cloud environment. Just as you wouldn’t leave your wallet or purse unattended in a busy public space, you should not leave your digital assets unattended. Effective cloud security involves choosing the right tools, understanding the risks, and having a strategy in place to manage those risks. It is an essential part of any modern IT setup.
Q: Why should an organisation prioritise cloud security?
A: Cloud services offer significant advantages in agility, scalability, and cost efficiency. However, they also introduce new risks that differ from traditional on-premises environments. Without proper safeguards, organisations face threats such as data breaches, compliance violations, and reputational harm. A strong cloud security posture protects the confidentiality, integrity, and availability of systems and ensures business continuity. Security is not just a technical necessity but a critical component of strategic risk management.
Q: What are the main threats in the cloud?
A: The main threats include unauthorised access, data loss, and misconfigured cloud services. These often result from weak access controls, overly broad permissions, or a failure to monitor and secure assets. Insider threats, whether due to negligence or malicious intent, remain a significant concern. Organisations must also watch for insecure APIs, vulnerabilities in third-party services, and account hijacking. Importantly, moving to the cloud does not eliminate responsibility. Organisations retain a significant role in securing their environment.
Q: What is the Shared Responsibility Model?
A: The Shared Responsibility Model defines which aspects of cloud security are managed by the cloud provider and which remain the customer’s responsibility. Generally, the provider secures the physical infrastructure, including data centres, networks, and hardware. The customer is responsible for securing their own data, applications, identities, and access configurations. This division varies depending on the cloud service model in use:
Infrastructure as a Service (IaaS): Customers manage operating systems, storage, and applications.
Platform as a Service (PaaS): Providers manage more of the stack, but customers still manage data and user access.
Software as a Service (SaaS): The provider manages most aspects, but customers are still responsible for user access and data policies.
Understanding where your responsibilities begin and end is essential. A clear grasp of this model helps avoid assumptions that can lead to gaps in protection.
A: Zero Trust is a security model based on the principle of never trust, always verify. It assumes that threats can come from inside or outside the network, so no user or device is automatically trusted. Every access request is authenticated, authorised, and continuously monitored. Every access request is authenticated, authorised, and continuously monitored based on identity, device health, location, and behaviour. The model enforces least privilege access, meaning individuals and systems are only given access to the resources they absolutely need. Zero Trust is not a single product but a set of principles that work together, often including network segmentation, conditional access, and very granular, specific permissions.
Q: What practical steps can be taken to secure a cloud setup?
A: A layered approach is recommended, combining technical controls, governance, and human awareness. Key steps include:
Encryption: Data should be encrypted both at rest and in transit to prevent unauthorised access.
Access control: Use role-based access controls and enable multi-factor authentication (MFA) to reduce the risk of credential misuse.
Patch management: Keep systems and applications up to date to minimise exposure to known vulnerabilities.
Monitoring and auditing: Continuously monitor cloud activity and conduct regular audits to detect anomalies and ensure compliance.
Employee training: Human error is still a leading cause of incidents. Staff should be trained to recognise phishing, use secure practices, and understand their responsibilities.
Cloud-native tools: Make use of tools provided by cloud vendors, such as Cloud Security Posture Management (CSPM), to automate compliance checks and detect misconfigurations.
Q: What about compliance and governance in the cloud?
A: Many industries are subject to regulatory frameworks that impact how cloud data must be handled. Organisations may need to comply with standards such as GDPR, ISO/IEC 27017, or sector-specific requirements like PCI-DSS. Cloud governance should include policies on data classification, lifecycle management, and vendor risk oversight. Using cloud environments does not reduce compliance obligations. It often makes them more complex.
Q: What is the cost-benefit of investing in cloud security?
A: Security spending may seem high initially, but it is significantly lower than the cost of responding to a serious breach. A data breach can lead to financial losses, legal penalties, operational downtime, and lasting reputational harm. According to IBM’s 2024 Cost of a Data Breach report, the global average cost of a breach was over $4.88 million. By comparison, proactive investment in security controls, staff training, and monitoring systems delivers resilience, preserves customer trust, and supports long-term business performance.
Q: How can an organisation balance agility with the need for robust security?
A: Security and agility are not mutually exclusive. In fact, effective security frameworks should enable innovation by creating a safe foundation. Use flexible controls that adapt as the business evolves. Automation helps reduce manual work and speeds up response times. For example, access rules can be set in advance, security checks can be built into new projects from the start, and systems can automatically flag when something breaks the rules. Most importantly, maintain regular collaboration between IT, security, compliance, and business teams. This ensures that controls are practical, proportionate, and aligned with both risk appetite and delivery speed.
Q: What's the bigger picture?
A: Security is not a one-off effort or a fixed checklist. Look at it as an ongoing, evolving discipline. Whether your organisation is just beginning its cloud journey or fine-tuning a mature setup, having a clear plan and a culture of shared responsibility makes all the difference. Periodic review, continuous learning, and strategic investment will help you stay ahead of threats and make the most of what the cloud can offer.
Choosing the right Cloud partner
At BMIT, we know that no two businesses are alike, and neither are their cloud journeys. That’s why our enterprise-grade cloud solutions are designed to adapt to your needs. Whether you’re building a private cloud, moving to a public platform, or managing a hybrid or multi-cloud environment, we provide the expertise and support to help you make the most of your technology investments. We work with growing businesses to unlock the full value of the cloud by driving innovation, enhancing agility, and delivering sustainable outcomes. Talk to our experts today.
BMIT – Enterprise cloud expertise, tailored for your growth.
Cybersecurity challenges are a reality everywhere. They are immediate, and they are affecting organisations of every size and type. Whether you are running a public authority, managing a growing business, or supporting national infrastructure, the threat landscape is shifting. Attacks are becoming more frequent, more sophisticated, and more disruptive.
This is a shared reality. Whether you are working in a major city or a smaller market, the nature of the threat is fundamentally the same. So is the responsibility to respond to it.
The encouraging news is that awareness is growing. More organisations are taking cybersecurity seriously, not simply to meet compliance obligations, but because the business risks are becoming more obvious. There is greater collaboration, increased investment, and more engagement at leadership level. That is real progress.
Initiatives like the Coordinated Vulnerability Disclosure Policy (CVDP) are helping to build trust too, by encouraging responsible information sharing. MITA’s Malware Information Sharing Platform (MISP), through which public and private stakeholders can exchange indicators of compromise and threat data, are partly driven by compliance, but also reflect a growing awareness of what good practice looks like today.
Weak monitoring and delayed response
This is a clear sign of progress, but progress on its own does not guarantee preparedness.
The reality is that many of the attacks we see today - phishing, business email compromise, ransomware, remote access abuse, supply chain - can be prevented. They often succeed because of gaps in awareness, weak monitoring, or delayed responses.
The shift to remote and hybrid work has created new vulnerabilities. In some cases, businesses lack visibility over who is doing the work or even whether those individuals are who they claim to be. This is not hypothetical. There are documented cases of cybercriminals infiltrating organisations through fake remote job schemes.
Even when internal systems are secure, the supply chain often is not. Third-party vendors and service providers can unintentionally introduce serious risks. Breaches where a third-party was involved doubled to 30% according to Verizon’s 2025 Data Breach Investigations Report.
The threat of Shadow IT
Shadow IT, where employees use unauthorised applications or cloud services, only increases the attack surface and makes it harder to manage. According to Gartner, 41% of employees have acquired, modified or created technology that IT is not aware of. This is expected to increase to 75% by 2027!
And having the right tools is not enough. Misconfigured systems, outdated policies, or an overreliance on automation can create a false sense of security. When new vulnerabilities or attack techniques appear, the response time is still too slow. That gap between threat discovery and defence is often when the real damage is done.
The key message here is simple. Cybersecurity is not a task to complete and move on from. It is a continuous process that demands discipline and attention. Regular risk assessments, timely updates, effective monitoring, and a company-wide culture of vigilance must all be part of standard operations.
The consequences of a breach are not only technical. There can be reputational damage, loss of productivity, and serious financial costs. That is why cybersecurity must be seen as a strategic business issue, not just an IT concern.
Signs of progress are welcome, but true resilience is not built once. It must be maintained through ongoing effort, practical thinking, and the ability to respond quickly when it matters most. In today’s environment, no organisation is too small, too peripheral, or too prepared to be a target.
Many businesses acknowledge the importance of security but do not have the resources or the skillset in-house to create a security strategy. BMIT cyber resilience experts can help develop a strategy that protects your business today and in future. Talk to us.
Hybrid IT is rapidly becoming the norm for organisations striving to find the right balance between on-premises infrastructure and cloud services. However, adopting the cloud is not a decision to be made lightly. It requires a well-defined strategy that is rooted in technical necessities while aligning with the company's broader goals. Without this clarity, complexity is inevitable.
Before diving in, consider these crucial questions:
What are we really trying to solve?
Is scalability an issue? Are we bogged down by maintenance tasks instead of focusing on innovation? Are there bottlenecks hindering our progress? Gaining a clear understanding of the core challenges will help determine whether Hybrid IT is the right approach and, more importantly, how to implement it effectively.
What does success look like?
Is the goal to reduce costs, speed up service delivery, or improve resilience? While these are all valid objectives, it's essential to pinpoint what matters most to your organisation. Defining success from the outset keeps the project focused and ensures that outcomes can be accurately measured.
What data needs to stay on-premises?
Not all data is created equal. Some may need to stay on-site due to regulatory or security requirements, while other workloads may be better suited to the cloud. Treat your data as your most valuable asset and prioritise its management accordingly.
Can we manage a mixed environment?
Hybrid IT involves managing on-premises systems alongside multiple cloud platforms, potentially alongside legacy systems as well. Do you have the internal capabilities to handle this complexity, or will you need to bring in external expertise?
Have we factored in the full cost?
Look beyond the initial investment and think long-term. What will ongoing operational expenses: cloud consumption, support, maintenance, and training, look like? Understanding your total cost of ownership will help you avoid unwelcome surprises down the road.
Will it work alongside what we already have?
Chances are, your organisation is not starting from scratch. Existing systems, processes, and platforms will still be in place. How will the new hybrid model fit into this? Poor integration leads to inefficiencies and silos, which undermine the very benefits Hybrid IT is meant to offer.
How will we keep it secure?
Security becomes more complex when data and services are spread across environments. Strong access controls, encryption, monitoring, and clear policies need to work across the entire infrastructure and should be defined during the planning process.
Are we locking ourselves in?
While opting for a single provider may seem straightforward at first, it can restrict flexibility over time. To avoid being tied to a single vendor, work with an IT partner capable of delivering multiple solutions across different platforms. This ensures your business can evolve with its changing needs.
By addressing these questions upfront, you’ll lay the groundwork for a successful Hybrid IT strategy that drives efficiency, flexibility, and long-term value.
Thinking about your next steps? Let’s have a conversation. Get in touch!
