Almost all critical national infrastructure (CNI) organizations in the UK (95%) experienced a data breach in the last year, according to new research.
Analysis from Bridewell found that more than half had incurred financial losses of over £100,000 per breach, mostly thanks to cybersecurity upgrades, systems recovery, and increased operational costs.
Cloud services have become the most targeted attack vector across IT and OT environments in UK CNI sectors, the study found, with web browsing and internet access the second biggest.
Similarly, data protection remains a big concern, with nine-in-ten organizations worried about meeting compliance requirements.
The speed of response is the fastest-growing priority, with only 22% of organizations saying they could respond to a ransomware attack within an hour, and 69% within six hours.
Notably, the study found that while nine-in-ten respondents believe they have a mature cybersecurity strategy, only a quarter are following best practices for cyber risk assessments.
Confidence in OT security maturity is even lower, with just a third describing their OT security as 'very mature', compared with 44% for IT security.
CNI organizations concerned about supply chain resilience
Despite growing reliance on third-party providers, only 42% of UK CNI organizations said they were 'very confident' in their ability to handle supply chain cyber threats.
More than half (57%) of respondents experienced a supply chain attack in the past year, with the top three types being firmware attacks, data interception and tampering, and third-party breaches.
Bridewell CEO Anthony Young said the study highlights the need for critical infrastructure organizations to ramp up their cybersecurity capabilities and boost resilience.
“As cyber threats continue to evolve, UK CNI organizations must prioritize rapid incident detection and response, as well as bolster their cybersecurity maturity and strengthen resilience against supply chain risk," he said.
The report highlighted a sharp increase in AI-driven cyber threats, with phishing emerging as the top AI-powered attack vector. Around 83% of respondents specifically highlighted this threat as their top concern in the year ahead.
"With AI taking a bigger role in both attacks and defences, organizations must remain proactive to safeguard critical infrastructure and national security, especially in a tumultuous geo-political climate," Young added.
'Contradictory confidence' placing firms at risk
Dray Agha, senior manager of security operations at Huntress, said the report makes for worrying reading and urged CNI firms to bolster their defences.
"A staggering 25% of breached organizations only realized they were compromised when the attacker told them. This highlights critical failures in detection capabilities: organizations need to improve proactive threat hunting, EDR monitoring, and anomaly detection," he said.
Agha noted that the study also highlighted a “contradictory confidence” among CNI organizations. Around 90% of respondents said they believe their cyber risk assessment practices accurately reflect their security posture, yet 95% suffered breaches.
This overconfidence suggests many organizations may be relying on outdated or incomplete risk models, failing to assess real-world attack pathways."
Conversely, Tim Ward, CEO and co-founder of ThinkCyber Security, said the study does showcase signs of improvement.
Nearly half (40%) of respondents identified employee reporting as a leading method for detecting breaches, he noted, which is encouraging and highlights a growing awareness among staff.
“Organizations also rate investment in training employees most highly as a practice to counter supply chain attacks," Ward added.
"It is imperative for organizational leaders to seek ways to integrate achieving secure behaviors into the day to day for busy staff, whilst they continue to focus on their day jobs. Approaches such as nudging as risks are encountered, and direct metrics of secure behaviors will be key to increasing resilience in these highly targeted sectors."
MORE FROM ITPRO
-
How to implement a four-day week in techIn-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businessesIn-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
New hires are your weakest link when it comes to phishing attacks – here's how you can build a strong security culture that doesn't judge victimsNews Research from Keepnet shows new hires are far more likely to fall for phishing attacks – here's how you can improve security awareness during onboarding processes.
-
‘All US forces must now assume their networks are compromised’ after Salt Typhoon breachNews The announcement marks the second major Salt Typhoon incident in the space of two years
-
Hackers are using Microsoft 365 features to bombard enterprises with phishing emails – and they’ve already hit more than 70 organizationsNews A new phishing campaign uncovered by researchers at Varonis shows threat actors are abusing Microsoft 365's Direct Send feature to launch phishing attacks.
-
FIN6 attackers target recruiters with fraudulent resumesNews The group's phishing methods protect it from many detection tools, researchers warn
-
100,000 accounts have been hit in a HMRC scam campaign, but the tax office says it wasn't hacked – here's whyNews Organized criminals used phished data to set up dodgy HMRC accounts and demand tax rebates
-
Employee phishing training is working – but don’t get complacent
News Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
