Cybersecurity seen as compliance, not value, warns Qrator Labs CTO

The Cyprus Mail recently sat down with Andrey Leskin, CTO of Czech firm Qrator Labs, which also has a presence in Limassol, who delved into the cybersecurity risks confronting Europe’s small and medium-sized enterprises (SMEs).

In this in-depth interview, Leskin identified ransomware as the leading threat, compounded by limited resources and a lack of strategic awareness among SMEs.

Moreover, he outlined how governments can support the sector through tax-friendly policies, public education, and fostering local cybersecurity ecosystems.

Leskin also highlighted the systemic challenges in the cybersecurity job market, including the talent gap and perception issues, and weighed in on Cyprus’ ambitions to become a regional cybersecurity hub, exploring both its competitive advantages and looming risks.

CM: How do you assess the current state of cybersecurity among SMEs in Europe, and what are the most pressing vulnerabilities they face today?

For small and medium-sized enterprises, the primary cybersecurity risk today is ransomware attacks. These involve malicious actors gaining access to a company’s systems, creating an encrypted copy of critical data, deleting the original, and then offering to sell the decryption key — necessary to restore the data — back to the rightful owner.

This threat has been around for quite some time. In practice, SMEs are often poorly protected against it. This is typically due to the lack of proper data backup strategies and insufficient access control — particularly poor protection of privileged accounts with administrator-level access.

The core issue is that with limited resources, SMEs often struggle to prioritize among numerous theoretical threats. As a result, they tend to focus on risks they’ve recently encountered or are required to address by regulators. Because ransomware attacks, while highly destructive, are relatively rare, they often fall outside the immediate scope of attention — leaving many organizations unprepared when such an incident does occur.

CM: Given the Deputy Minister’s recent call for increased public and private investment, what role should national governments play in supporting cybersecurity for SMEs?

In this context, the national government should focus on fostering a domestic market for cybersecurity solution providers — particularly those offering data protection and backup services. For SMEs, acquiring and maintaining such software or services should be as transparent and affordable as possible, ideally with minimal tax burdens or administrative complexity.

The government can also promote information sharing by organizing seminars, workshops, or conferences targeted at small and medium-sized businesses. These events should aim to objectively present the real-world cybersecurity risks SMEs in Cyprus face.

In addition to ransomware, other pressing threats include leaks of personal data, distributed denial-of-service (DDoS) attacks, phishing, and business email compromise (BEC) schemes. Again, these efforts should involve the developers and vendors of cybersecurity solutions — particularly those providing tools that help mitigate the impact of such threats.

Andrey Leskin, the CTO of Qrator Labs

CM: In what ways is the shortage of skilled cybersecurity professionals impacting SMEs, and how can the industry and academia collaborate to address this gap?

In practice, the shortage of cybersecurity professionals mostly affects large enterprises, and to a lesser extent, mid-sized companies. For small businesses, this shortage has little to no direct impact, as they typically do not hire such specialists — either because they cannot afford to have dedicated cybersecurity personnel at all, or because they prioritize hiring other types of staff.

CM: How are government initiatives and EU-wide policies expected to influence the cybersecurity job market by 2025?

The fundamental challenge facing the cybersecurity job market is that, in many small and medium-sized businesses — and even in large enterprises — cybersecurity risks are viewed solely as regulatory compliance issues. As a result, companies often treat cybersecurity professionals as compliance personnel.

When it comes to allocating resources, decisions are typically based on how those investments impact business outcomes. However, cybersecurity rarely contributes directly to revenue growth. It’s almost impossible to increase product or service sales by emphasizing enhanced information security — except in cases where the company itself operates in the cybersecurity sector.

As a result, cybersecurity is largely seen through the lens of compliance — with attention focused on avoiding fines, mitigating data loss, or addressing data recovery costs.

This leads to a fundamental contradiction. On the one hand, companies are often only willing to offer cybersecurity professionals salaries that are comparable to those of compliance specialists. On the other hand, effective cybersecurity work requires technical education — including programming or systems administration skills. Professionals with such skills can typically earn more in roles that directly support revenue-generating functions.

This mismatch greatly reduces the number of technically skilled individuals who are both qualified for and interested in pursuing careers in cybersecurity.

Perhaps the only way to resolve this issue is through increased investment in cybersecurity education. This would help expand the talent pipeline by attracting individuals who might otherwise pursue other technical career paths — even though cybersecurity could be a more suitable and rewarding field for them.

CM: What unique challenges and opportunities does Cyprus face as it positions itself as a regional hub for cybersecurity in the Mediterranean and the EU?

Cyprus is in a strong position when it comes to attracting foreign business, thanks to a business-friendly regulatory environment. This makes it a strategically sound move to encourage international cybersecurity companies to open local branches, as well as to support startups in the cybersecurity space in establishing offices on the island.

Naturally, this approach comes with competition — particularly from nearby countries like Israel and the United Arab Emirates, both of which are also active in developing their cybersecurity sectors. However, Cyprus has a distinct advantage in being part of the European Union, which provides certain regulatory and market benefits for many companies.

A potential challenge lies in the fact that positioning the country as a cybersecurity hub may also increase the attention it receives from malicious actors, particularly targeting government websites and digital infrastructure. As such, Cyprus may need to re-evaluate its public sector cybersecurity strategies and consider increasing investment in this area in the near future.

It’s worth noting that building strong cyber defenses is typically more costly than maintaining them. Much of the investment would therefore be one-time — involving audits, identification of weak points, and addressing vulnerabilities. Once those issues are resolved, maintaining a solid cybersecurity posture for government systems becomes a more manageable and cost-effective task.