Security experts warn of ‘contradictory confidence’ over critical infrastructure threats
Cloud services are the most targeted attack vector, followed by web browsing and internet access
Almost all critical national infrastructure (CNI) organizations in the UK (95%) experienced a data breach in the last year, according to new research.
Analysis from Bridewell found that more than half had incurred financial losses of over £100,000 per breach, mostly thanks to cybersecurity upgrades, systems recovery, and increased operational costs.
Cloud services have become the most targeted attack vector across IT and OT environments in UK CNI sectors, the study found, with web browsing and internet access the second biggest.
Similarly, data protection remains a big concern, with nine-in-ten organizations worried about meeting compliance requirements.
The speed of response is the fastest-growing priority, with only 22% of organizations saying they could respond to a ransomware attack within an hour, and 69% within six hours.
Notably, the study found that while nine-in-ten respondents believe they have a mature cybersecurity strategy, only a quarter are following best practices for cyber risk assessments.
Confidence in OT security maturity is even lower, with just a third describing their OT security as 'very mature', compared with 44% for IT security.
CNI organizations concerned about supply chain resilience
Despite growing reliance on third-party providers, only 42% of UK CNI organizations said they were 'very confident' in their ability to handle supply chain cyber threats.
More than half (57%) of respondents experienced a supply chain attack in the past year, with the top three types being firmware attacks, data interception and tampering, and third-party breaches.
Bridewell CEO Anthony Young said the study highlights the need for critical infrastructure organizations to ramp up their cybersecurity capabilities and boost resilience.
"As cyber threats continue to evolve, UK CNI organizations must prioritize rapid incident detection and response, as well as bolster their cybersecurity maturity and strengthen resilience against supply chain risk," he said.
The report highlighted a sharp increase in AI-driven cyber threats, with phishing emerging as the top AI-powered attack vector. Around 83% of respondents specifically highlighted this threat as their top concern in the year ahead.
"With AI taking a bigger role in both attacks and defences, organizations must remain proactive to safeguard critical infrastructure and national security, especially in a tumultuous geo-political climate," Young added.
'Contradictory confidence' placing firms at risk
Dray Agha, senior manager of security operations at Huntress, said the report makes for worrying reading and urged CNI firms to bolster their defences.
"A staggering 25% of breached organizations only realized they were compromised when the attacker told them. This highlights critical failures in detection capabilities: organizations need to improve proactive threat hunting, EDR monitoring, and anomaly detection," he said.
Agha noted that the study also highlighted a “contradictory confidence” among CNI organizations. Around 90% of respondents said they believe their cyber risk assessment practices accurately reflect their security posture, yet 95% suffered breaches.
"This overconfidence suggests many organizations may be relying on outdated or incomplete risk models, failing to assess real-world attack pathways."
Conversely, Tim Ward, CEO and co-founder of ThinkCyber Security, said the study does showcase signs of improvement.
Nearly half (40%) of respondents identified employee reporting as a leading method for detecting breaches, he noted, which is encouraging and highlights a growing awareness among staff.
"Organizations also rate investment in training employees most highly as a practice to counter supply chain attacks," Ward added.
"It is imperative for organizational leaders to seek ways to integrate achieving secure behaviors into the day to day for busy staff, whilst they continue to focus on their day jobs. Approaches such as nudging as risks are encountered, and direct metrics of secure behaviors will be key to increasing resilience in these highly targeted sectors."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
