Security experts warn of ‘contradictory confidence’ over critical infrastructure threats
Cloud services are the most targeted attack vector, followed by web browsing and internet access
Almost all critical national infrastructure (CNI) organizations in the UK (95%) experienced a data breach in the last year, according to new research.
Analysis from Bridewell found that more than half had incurred financial losses of over £100,000 per breach, mostly thanks to cybersecurity upgrades, systems recovery, and increased operational costs.
Cloud services have become the most targeted attack vector across IT and OT environments in UK CNI sectors, the study found, with web browsing and internet access the second biggest.
Similarly, data protection remains a big concern, with nine-in-ten organizations worried about meeting compliance requirements.
The speed of response is the fastest-growing priority, with only 22% of organizations saying they could respond to a ransomware attack within an hour, and 69% within six hours.
Notably, the study found that while nine-in-ten respondents believe they have a mature cybersecurity strategy, only a quarter are following best practices for cyber risk assessments.
Confidence in OT security maturity is even lower, with just a third describing their OT security as 'very mature', compared with 44% for IT security.
CNI organizations concerned about supply chain resilience
Despite growing reliance on third-party providers, only 42% of UK CNI organizations said they were 'very confident' in their ability to handle supply chain cyber threats.
More than half (57%) of respondents experienced a supply chain attack in the past year, with the top three types being firmware attacks, data interception and tampering, and third-party breaches.
Bridewell CEO Anthony Young said the study highlights the need for critical infrastructure organizations to ramp up their cybersecurity capabilities and boost resilience.
“As cyber threats continue to evolve, UK CNI organizations must prioritize rapid incident detection and response, as well as bolster their cybersecurity maturity and strengthen resilience against supply chain risk,” he said.
The report highlighted a sharp increase in AI-driven cyber threats, with phishing emerging as the top AI-powered attack vector. Around 83% of respondents specifically highlighted this threat as their top concern in the year ahead.
"With AI taking a bigger role in both attacks and defences, organizations must remain proactive to safeguard critical infrastructure and national security, especially in a tumultuous geo-political climate," Young added.
'Contradictory confidence' placing firms at risk
Dray Agha, senior manager of security operations at Huntress, said the report makes for worrying reading and urged CNI firms to bolster their defences.
"A staggering 25% of breached organizations only realized they were compromised when the attacker told them. This highlights critical failures in detection capabilities: organizations need to improve proactive threat hunting, EDR monitoring, and anomaly detection," he said.
Agha noted that the study also highlighted a “contradictory confidence” among CNI organizations. Around 90% of respondents said they believe their cyber risk assessment practices accurately reflect their security posture, yet 95% suffered breaches.
"This overconfidence suggests many organizations may be relying on outdated or incomplete risk models, failing to assess real-world attack pathways."
Conversely, Tim Ward, CEO and co-founder of ThinkCyber Security, said the study does showcase signs of improvement.
Nearly half (40%) of respondents identified employee reporting as a leading method for detecting breaches, he noted, which is encouraging and highlights a growing awareness among staff.
“Organizations also rate investment in training employees most highly as a practice to counter supply chain attacks,” Ward added.
"It is imperative for organizational leaders to seek ways to integrate achieving secure behaviors into the day to day for busy staff, whilst they continue to focus on their day jobs. Approaches such as nudging as risks are encountered, and direct metrics of secure behaviors will be key to increasing resilience in these highly targeted sectors."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
