Almost all critical national infrastructure (CNI) organizations in the UK (95%) experienced a data breach in the last year, according to new research.
Analysis from Bridewell found that more than half had incurred financial losses of over £100,000 per breach, mostly thanks to cybersecurity upgrades, systems recovery, and increased operational costs.
Cloud services have become the most targeted attack vector across IT and OT environments in UK CNI sectors, the study found, with web browsing and internet access the second biggest.
Similarly, data protection remains a big concern, with nine-in-ten organizations worried about meeting compliance requirements.
The speed of response is the fastest-growing priority, with only 22% of organizations saying they could respond to a ransomware attack within an hour, and 69% within six hours.
Notably, the study found that while nine-in-ten respondents believe they have a mature cybersecurity strategy, only a quarter are following best practices for cyber risk assessments.
Confidence in OT security maturity is even lower, with just a third describing their OT security as 'very mature', compared with 44% for IT security.
CNI organizations concerned about supply chain resilience
Despite growing reliance on third-party providers, only 42% of UK CNI organizations said they were 'very confident' in their ability to handle supply chain cyber threats.
More than half (57%) of respondents experienced a supply chain attack in the past year, with the top three types being firmware attacks, data interception and tampering, and third-party breaches.
Bridewell CEO Anthony Young said the study highlights the need for critical infrastructure organizations to ramp up their cybersecurity capabilities and boost resilience.
“As cyber threats continue to evolve, UK CNI organizations must prioritize rapid incident detection and response, as well as bolster their cybersecurity maturity and strengthen resilience against supply chain risk," he said.
The report highlighted a sharp increase in AI-driven cyber threats, with phishing emerging as the top AI-powered attack vector. Around 83% of respondents specifically highlighted this threat as their top concern in the year ahead.
"With AI taking a bigger role in both attacks and defences, organizations must remain proactive to safeguard critical infrastructure and national security, especially in a tumultuous geo-political climate," Young added.
'Contradictory confidence' placing firms at risk
Dray Agha, senior manager of security operations at Huntress, said the report makes for worrying reading and urged CNI firms to bolster their defences.
"A staggering 25% of breached organizations only realized they were compromised when the attacker told them. This highlights critical failures in detection capabilities: organizations need to improve proactive threat hunting, EDR monitoring, and anomaly detection," he said.
Agha noted that the study also highlighted a “contradictory confidence” among CNI organizations. Around 90% of respondents said they believe their cyber risk assessment practices accurately reflect their security posture, yet 95% suffered breaches.
This overconfidence suggests many organizations may be relying on outdated or incomplete risk models, failing to assess real-world attack pathways."
Conversely, Tim Ward, CEO and co-founder of ThinkCyber Security, said the study does showcase signs of improvement.
Nearly half (40%) of respondents identified employee reporting as a leading method for detecting breaches, he noted, which is encouraging and highlights a growing awareness among staff.
“Organizations also rate investment in training employees most highly as a practice to counter supply chain attacks," Ward added.
"It is imperative for organizational leaders to seek ways to integrate achieving secure behaviors into the day to day for busy staff, whilst they continue to focus on their day jobs. Approaches such as nudging as risks are encountered, and direct metrics of secure behaviors will be key to increasing resilience in these highly targeted sectors."
MORE FROM ITPRO
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
FIN6 attackers target recruiters with fraudulent resumesNews The group's phishing methods protect it from many detection tools, researchers warn
-
100,000 accounts have been hit in a HMRC scam campaign, but the tax office says it wasn't hacked – here's whyNews Organized criminals used phished data to set up dodgy HMRC accounts and demand tax rebates
-
Employee phishing training is working – but don’t get complacentNews Educating staff on how to avoid phishing attacks can cut the rate by 80%
-
Russian hackers tried to lure diplomats with wine tasting – sound familiar? It’s an update to a previous campaign by the notorious Midnight Blizzard groupNews The Midnight Blizzard threat group has been targeting European diplomats with malicious emails offering an invite to wine tasting events, according to Check Point.
-
This hacker group is posing as IT helpdesk workers to target enterprises – and researchers warn its social engineering techniques are exceptionally hard to spotNews The Luna Moth hacker group is ramping up attacks on firms across a range of industries with its 'callback phishing' campaign, according to security researchers.
-
Healthcare organizations are turning a blind eye to phishing attacks
News A survey reveals that most attacks go unreported, putting patient data at risk
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attackTroy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
