Almost all critical national infrastructure (CNI) organizations in the UK (95%) experienced a data breach in the last year, according to new research.
Analysis from Bridewell found that more than half had incurred financial losses of over £100,000 per breach, mostly thanks to cybersecurity upgrades, systems recovery, and increased operational costs.
Cloud services have become the most targeted attack vector across IT and OT environments in UK CNI sectors, the study found, with web browsing and internet access the second biggest.
Similarly, data protection remains a big concern, with nine-in-ten organizations worried about meeting compliance requirements.
The speed of response is the fastest-growing priority, with only 22% of organizations saying they could respond to a ransomware attack within an hour, and 69% within six hours.
Notably, the study found that while nine-in-ten respondents believe they have a mature cybersecurity strategy, only a quarter are following best practices for cyber risk assessments.
Confidence in OT security maturity is even lower, with just a third describing their OT security as 'very mature', compared with 44% for IT security.
CNI organizations concerned about supply chain resilience
Despite growing reliance on third-party providers, only 42% of UK CNI organizations said they were 'very confident' in their ability to handle supply chain cyber threats.
More than half (57%) of respondents experienced a supply chain attack in the past year, with the top three types being firmware attacks, data interception and tampering, and third-party breaches.
Bridewell CEO Anthony Young said the study highlights the need for critical infrastructure organizations to ramp up their cybersecurity capabilities and boost resilience.
“As cyber threats continue to evolve, UK CNI organizations must prioritize rapid incident detection and response, as well as bolster their cybersecurity maturity and strengthen resilience against supply chain risk," he said.
The report highlighted a sharp increase in AI-driven cyber threats, with phishing emerging as the top AI-powered attack vector. Around 83% of respondents specifically highlighted this threat as their top concern in the year ahead.
"With AI taking a bigger role in both attacks and defences, organizations must remain proactive to safeguard critical infrastructure and national security, especially in a tumultuous geo-political climate," Young added.
'Contradictory confidence' placing firms at risk
Dray Agha, senior manager of security operations at Huntress, said the report makes for worrying reading and urged CNI firms to bolster their defences.
"A staggering 25% of breached organizations only realized they were compromised when the attacker told them. This highlights critical failures in detection capabilities: organizations need to improve proactive threat hunting, EDR monitoring, and anomaly detection," he said.
Agha noted that the study also highlighted a “contradictory confidence” among CNI organizations. Around 90% of respondents said they believe their cyber risk assessment practices accurately reflect their security posture, yet 95% suffered breaches.
This overconfidence suggests many organizations may be relying on outdated or incomplete risk models, failing to assess real-world attack pathways."
Conversely, Tim Ward, CEO and co-founder of ThinkCyber Security, said the study does showcase signs of improvement.
Nearly half (40%) of respondents identified employee reporting as a leading method for detecting breaches, he noted, which is encouraging and highlights a growing awareness among staff.
“Organizations also rate investment in training employees most highly as a practice to counter supply chain attacks," Ward added.
"It is imperative for organizational leaders to seek ways to integrate achieving secure behaviors into the day to day for busy staff, whilst they continue to focus on their day jobs. Approaches such as nudging as risks are encountered, and direct metrics of secure behaviors will be key to increasing resilience in these highly targeted sectors."
MORE FROM ITPRO
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attackTroy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
-
Healthcare organizations need to shake up email security practicesNews Microsoft 365 is the source of almost half of all healthcare email breaches, thanks mainly to misconfigurations in security settings.
-
Google is dropping SMS authentication for QR codesNews Google appears finally ready to deprecate using SMS codes for multi-factor authentication (MFA) for Gmail according to insiders at the search giant.
-
Why ‘malware as a service’ is becoming a serious problemNews Researchers have issued a warning over the rise of 'malware as a service' platforms amid a surge in attacks over the last year.
-
Hackers are using this new phishing technique to bypass MFA
News Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass MFA and steal access tokens.
-
Threat actors are leaning on trusted services more than everNews Cyber threats are increasingly incorporating legitimate services in their attack chain, researchers warn.
-
A new phishing campaign is exploiting Microsoft’s legacy ADFS identity solution to steal credentials and bypass MFANews Researchers at Abnormal Security have warned of a new phishing campaign targeting Microsoft's Active Directory Federation Services (ADFS) secure access system.
