Airports, ports and tourism on the hackers’ radar: What the new ENISA report shows

Cybersecurity has become one of the most critical issues of our time, affecting not only businesses and institutions but also entire sectors of the economy, such as tourism and transportation. To mark October, which the European Union has established as Cybersecurity Awareness Month, Lamprini Gyiftokosta, a lawyer and expert on personal data protection and new technologies, speaks to Tornos News about the challenges posed by the digital age, the new European legislation, and the need to cultivate a culture of trust and prevention.

October has been designated as Cybersecurity Awareness Month by the European Union with the aim of educating citizens and organizations about digital threats. How has this dialogue evolved in Europe and Greece, especially when the European Cybersecurity Agency is based in Athens?

October is traditionally dedicated to European Cybersecurity Month, the annual campaign launched by the European Union in 2012 to raise awareness among citizens and organizations on issues of digital security. The initiative is organized by the European Commission and the European Union Agency for Cybersecurity (ENISA), with the support of member states and private entities across Europe.

For 2025, the focus of the campaign is phishing, the most common method for initiating cyberattacks. According to ENISA’s data, about 60% of incidents start with such practices, which can take many forms: email phishing, quishing via QR codes, smishing via SMS, vishing with voice calls, spear phishing targeting specific individuals, whaling of executives, Business Email Compromise (BEC), and scams using artificial intelligence, like deepfakes. It is noteworthy that by early 2025, over 80% of social engineering incidents worldwide were linked to AI-based campaigns.

In Greece, awareness campaigns primarily focus on parents, children, and educators through initiatives such as Saferinternet4kids. However, for businesses and organizations, a more systematic approach is needed. As highlighted by the Head of the National Cybersecurity Authority, Mr. Bletsas, “we still have a long way to go.”

This year’s annual report from the European Cybersecurity Agency ranks transportation, particularly airports and ports, as some of the most vulnerable sectors to cyberattacks. What does this reveal about the preparedness of critical infrastructure, and how secure are transportation networks in Europe?

According to the latest ENISA report (ENISA Threat Landscape Report 2025), which analyzed 4,875 European incidents from July 2024 to June 2025, the five most vulnerable sectors are public administration, digital infrastructures and services, financial services, industry, and transportation. Maritime and air transport have been hit hardest, revealing both preparedness weaknesses and the motivations behind these attacks.

Around 80% of the incidents had an ideological character, primarily from the NoName057(16) group, which targets the EU due to its stances on international issues. In recent incidents at European airports, hackers exploited stolen employee credentials to gain access to the systems of Collins Aerospace, a technology provider for check-in services. This highlighted the systemic risk posed by the interdependence of critical infrastructures: by hacking a provider, multiple airports can be impacted simultaneously.

Cyber threats know no borders, and resilience cannot be the responsibility of just one country. This logic is reinforced by the European NIS2 legislation, which has also been incorporated into Greek law.

The new European legislation on digital infrastructure protection imposes stricter obligations on both public and private entities. How does this change the framework of responsibility for organizations like airports and energy networks, and what are the greatest challenges for Greece?

NIS2 significantly increases both the obligations and scope of responsibility for organizations. For the first time, responsibility extends not only to technical providers or system administrators but also to members of management, who must ensure compliance with the legal framework and take personal responsibility in case of failure. In the case of Collins Aerospace, the responsibility does not only lie with the airports but also extends to the service provider.

The key challenge is to move from theoretical compliance to the practical application of rules, with real enforcement mechanisms. In Greece, this task is complicated by the understaffing of supervisory authorities and the lack of specialized personnel. While legislation has become stricter, without operational capacity, its goals will not be achieved.

Cybersecurity is not just about technology but also about trust — of citizens, travelers, and businesses. How ready are we to shift from the “reacting after the crisis” mindset to a culture of prevention and digital resilience?

Cultural change takes time and sustained effort. Most people, and organizations, react only after a problem arises. Education, awareness, and, above all, an understanding of the cost of a cyberattack—both financially and in terms of reputation—are needed. Trust is built slowly and lost easily. A business handling critical data should not be thinking about whether it will be targeted, but when.

Prevention, staff training, crisis scenario simulations, and effective communication after an incident are crucial tools. Cybersecurity is not just a technical issue; it is a strategic choice that concerns society, the economy, and the credibility of a state.
