Within three years, Cyprus’s newly formed academic CSIRT has already made impressive progress, even while navigating a global pandemic. CYNET’s Panayiota Smyrli and Stephanos Andreou share their experiences, insights, and lessons learned about establishing a new CSIRT.
The birth of CYNET CSIRT
Established in 2017 and operative since late 2018, the CSIRT for Cyprus’s NREN, CYNET, supports the country’s academic and research institutions.
“One of our biggest security challenges is rapidly evolving cyber-attacks, such as ransomware or cryptojacking. Certain areas were being harder hit than others, with education and research bearing the brunt of the damage,” says Panayiota.
“This indicates a focus by cyber threat actors on areas that are rapidly growing more reliant on technology, but the least prepared to protect themselves against cyber threats. Before the establishment of CYNET CSIRT, it was difficult to protect our many academic community users from these challenges.”
As part of addressing this, the CSIRT was also tasked with improving the limited cyber security knowledge among Cyprus’s academic communities.
The biggest challenges in establishing CYNET CSIRT
On top of tackling the issues above, the CYNET CSIRT team has also faced other, sometimes unexpected challenges:
Winning over hearts and minds
“Cyber security wasn’t well known. So it wasn’t easy to convince our community that we have the skills and knowledge to support them with their daily security needs, or that it was necessary,” says Stephanos.
“For example, we would recommend implementing a particular security feature to a member. But they would be reluctant because it makes users’ lives a bit harder.”
Training that incorporates real-life scenarios of security incidents was key to helping people understand the risks.
“Realising that these security issues could happen to their own institution in real life, any time, was a bit of a wake-up call for our community members. It made them realise the need to improve how they manage certain things.”
Adapting working practices during the COVID-19 pandemic
“We took up our duties as cyber security analysts in September 2019. Then in March 2020, the COVID-19 pandemic broke out. This was definitely one of the biggest challenges we had to face. It drastically affected our project plans for most of 2020,” Panayiota explains.
“We had to cancel or postpone our training and events, including visits with other CSIRT teams and our FIRST and TI sponsors [part of becoming FIRST members and accredited Trusted Introducers]. It also caused difficulties in validating and testing our self-developed toolkit. Fortunately, we overcame this with very good collaboration and professionalism.”
The CSIRT team adapted their support to CYNET’s members during the unforeseen conditions of mass remote work. “We tried to fill the gap by building our network of partnerships and offering even more help to our members. We organised lots of webinars and training programmes.”
CYNET CSIRT’s biggest achievements so far
Despite the challenges, the CYNET CSIRT team have achieved a lot during their first few years:
Significantly reducing cyber security incidents
“One of our biggest achievements is the reduction in cyber security incidents in academic cyber space,” Panayiota says. “From approximately 27,000 incidents in 2018, to around 16,000 today.”
Achieving objectives despite COVID-related disruptions
“Even under the adverse conditions of the pandemic we managed to implement many more objectives than initially planned. For example, developing more tools, and participating in several additional training courses,” Panayiota recalls.
“Overall, we successfully completed the journey of establishing the CSIRT within the stipulated time without sacrificing the quality of our work.”
Receiving public acknowledgment from members
Panayiota and Stephanos recall a particular occasion when the CSIRT team responded to a serious ransomware attack against a member.
“A month later, during a members’ training session, the security officer of the affected institution spontaneously took the floor. They told everyone how much we helped them and emphasised the excellent work we do. This was the biggest reward for us,” Panayiota says.
Stephanos agrees: “For me, that was the best part. To have a constituent member get up on their own and say they were very happy about how we supported them – it shows they acknowledge our work, and they trust us.”
Key factors behind CYNET CSIRT’s rapid success to date
Stephanos and Panayiota identify two crucial success factors when establishing a new CSIRT:
Establishing a strong, committed team with a great bond
“When the CSIRT was established, management wasn’t looking only for skilful employees, but also looking at personalities,” says Stephanos.
“We are a very committed team, with strong collaboration. The reason CYNET CSIRT was able to succeed so early, despite the COVID pandemic and other challenges, was because we were keen to achieve our goal.”
Willingness to go the extra mile has been crucial to this success, which includes becoming TI accredited much faster than many CSIRTs. The team often worked extra hours to meet deadlines.
“If I had to choose just one piece of advice for a country wanting to set up a CSIRT, it’s this: the key to a team’s success is the people who make it up. In addition to team members’ know-how, their commitment to the goal and the close working collaboration between them are so vital.”
Building good relationships with the international cyber security community
“Since CYNET CSIRT began, we’ve had great help from other CSIRT teams,” Stephanos says. “They assisted us and shared their knowledge. As well as being helpful, it’s also nice to make friends with other CSIRTs.”
Panayiota agrees. “A good surprise about setting up CYNET CSIRT was when we realised that we don’t work in isolation, but are part of a larger system through international cooperation.”
Lessons learned during CYNET CSIRT’s first years
Panayiota and Stephanos note both strategic and practical lessons learned from establishing CYNET CISRT:
Collaborating is key
“During this exciting journey of establishing our CSIRT, we have learned many important lessons,” says Panayiota. “Crucially, we realised how significant collaborations are.”
“Collaboration is an advantage of being part of the CSIRT community. You are never alone. We learn the operating mode of other teams and how to avoid the pitfalls they encountered, and we share our experiences too. It is a great joy and pleasure every time you have the opportunity for such collaborations.”
Efficiency requires the right tools
“Finding effective solutions to complex problems isn’t easy. But, with the use of the right methods and state-of-the art techniques, you can help your team to be more efficient in the process,” says Panayiota.
Some learning only occurs on the job
“When dealing with an incident, sometimes we solve one problem, and at the same time another small issue is created. So then we have to fix that issue too. And we only learn about these unexpected consequences while we are dealing with them,” says Stephanos.
Tech-savvy doesn’t equal cyber security-savvy
“Many people believe that younger people are more familiar with computers. Yet during training sessions we’ve held, we’ve noticed that’s not exactly the case,” says Stephanos. “They know how to use software, but don’t know the underlying processes.
“A great example was when we explained the process of forwarding an image from a media application to a friend. They didn’t know it goes to the cloud before their friend receives it. So then they realised it’s possible for a photo they’ve shared to be accessed by others.”
What’s next for CYNET CSIRT?
While proud of their achievements to date, the CYNET CSIRT team is not resting on its laurels. Over the next few years, the team aims to hire more specialised staff, expand the range of services offered, and open up their services to new members, such as schools.
“One of our biggest goals, for sure, is achieving the adoption of a cyber security culture in academic cyber space. This is vital for progress in Cyprus’s academic and research community,” says Panayiota.
“We have some exciting projects coming up, nationally and internationally, including a Horizon project starting in early 2023 in collaboration with GÉANT.
“We’re also upgrading our cybersecurity self-development and learning platform with new tools. Our goal is the continuous development of the services we offer our members.”
Above all, concludes Stephanos, “we are always open to new challenges.”
About the interviewees
Panayiota Smyrli is a PhD candidate in Post-Quantum Cryptography and a Cyber Security Analyst at CYNET-CSIRT. Her research interests focus on cognitive areas of Cryptography and Network Security, as well as their applications in Computer Science and Telecommunications. Panayiota is one of the few scholarship winners of the State Scholarships Foundation (I.K.Y.) co-funded by the European Science Foundation and the Greek State.
Stephanos Andreou is an experienced Security Analyst with a demonstrated history as a Cyber Security Analyst. He holds a Master of Information Sciences, specialised in Security in Organizations, Architectural System Design, Cyber Security and Business Rules Spec. and Application. Stephanos continually strengthens his cyber security skills on cutting-edge technologies and state-of-the-art techniques.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on dev.connect.geant.org/csm2022