A recent report by cybersecurity services firm Bridewell reveals that 61 percent of civil aviation cyber decision-makers have experienced a ransomware attack in the past 12 months. Despite a year marked by regional conflicts, high-profile cyber attacks, and emerging AI-driven threats, the report paints a more optimistic view of the U.K.’s critical national infrastructure (CNI) security. The majority of CNI organizations reported fewer attacks and expressed greater confidence in their cyber maturity, according to Bridewell’s research conducted this year.
“Ransomware gangs were very active throughout 2023. LockBit, for example, was behind the disruption of Royal Mail systems in the UK, stealing personal and HR data,” according to data published in the firm’s ‘Cyber Security in Critical National Infrastructure’ research report. “Hackers also penetrated Capita’s Microsoft Office 365 defenses, accessing data from the outsourcing giant’s customers including records from the Universities Superannuation Scheme. The costs were significant and long-lasting. Royal Mail has reportedly spent at least £10m on remediation, while Capita reported a £25m financial hit and became subject to legal action initiated by people affected in the breach.”
Against this background, “it should not surprise us that 98% of respondents from UK CNI organizations say they have security challenges. The findings reveal that overall levels of concern are higher than last year, by considerable margins in some cases.”
“This report into the top security challenges faced across CNI sectors follows our 2023 Cyber Security in Critical National Infrastructure Organisations research report,” Anthony Young, chief executive officer at Bridewell, wrote in the report. “A year on, we find many of the UK’s CNI organizations are adopting best-practice approaches and feeling more prepared for the current threat landscape. More than eight in ten have put in place innovative technologies and approaches to defend themselves or plan to within the next two years.”
He added, “Yet, we know cyber threats will never go away. Despite reported improvements in CNI organizations’ security tooling, detection and response capabilities, and overall cyber maturity, many are still struggling with familiar threats and challenges. Malware, for example, is still the most frequently cited threat to IT and OT environments (by 36% and 32% of respondents, respectively). Yet, what our research highlights is that the variety and sophistication of cyber threats are always increasing. It is only through constant vigilance and innovation that CNI organizations can remain secure.”
In January, the firm commissioned the international market research consultancy Censuswide to survey 521 individuals responsible for cybersecurity within U.K. CNI organizations. These respondents spanned several sectors, including civil aviation, energy, transport, finance, and central government, providing insights into the cybersecurity landscape across these critical installations.
The report also noted that accelerating cloud migration and the implementation of cloud-based applications are likely to be why cloud cyber security management has risen up the rankings, with 88 percent more respondents putting it in their list of top five challenges than did so last year. “Trust in cyber security tools has also become a much bigger concern than in last year’s survey. Nearly a third (31%) of respondents have named this a problem – an increase of 121% on the 14% who pointed to this as a threat in the last survey. Confidence in tools took a blow last year when the UK joined the US and other nations in warning providers of essential services about China-backed activity against CNI,” it added.
Bridewell identified that these threats included attackers taking advantage of built-in network administration tools to evade detection after initial compromise. “Threats around remote and hybrid working also still register as challenges but have dropped out of the top five most frequently cited this year as other concerns take precedence.”
Despite high levels of concern about cyber threats, the number of reported incidents in the UK CNI sector was down (by more than 50% in most cases), the data revealed.
“Last year’s report covering 2022, by contrast, reported a rise in 2021. The 71% drop in nation state attacks on UK CNI is the largest year-on-year fall of the types of attacks named in this survey. This may reflect a shift to espionage and influencer operations, and closer focus by Russia and Iran on conflicts in the Ukraine and Middle East. Nation state attacks are, however, very difficult to attribute and any judgment on the matter is likely to involve subjectivity. As a result, organizations without comprehensive threat intelligence may be attributing nation state attacks to other groups,” it added.
Almost all respondents (98 percent) agree IT environments are at risk. Malware is now seen as the main danger, cited by 36 percent of all U.K. respondents. Last year, it did not feature in the top five (and was cited by only 19 percent of respondents).
Survey respondents ranked malware and phishing as the top two risks to their OT environments. Given that a fundamental principle of cyber hygiene for OT networks is to prohibit access to the internet and email, it is surprising to see these risks ranking so highly. However, there are valid use cases where organizations may need to, for example, send OT information via email or use the internet to obtain OT support information. In providing these capabilities, organizations may be incidentally creating new pathways for phishing and malware into their OT networks which may explain why respondents have such concerns about them.
Bridewell identified that confidence in the cyber protection of systems and infrastructure has shot up from last year and is remarkably high despite the knowledge that criminal activity is more sophisticated. “Only the protection for SCADA systems registers less than 80% confidence among respondents. This confidence is likely to relate to the decline in reported cyberattacks experienced by respondents in this research over the course of 2023.”
The research found average response times were similar across different types of attacks despite their diverse scale and nature, with the exception of phishing. Faster responses to phishing reflect how it is the most common and easiest to understand of the attack types. Responses were slowest to nation-state attacks which are likely to be far more complex, unique, or smaller in number.
“Outsourcing cyber security is an important option at a time when threats are steadily becoming more dangerous and demanding in the CNI world. Outsourcing can meet the needs of CNI organizations that lack the skills or resources to assess, improve, and manage their security,” the report highlighted. “Despite the skills shortages and risks, this year’s report finds outsourcing in IT is stagnant compared with 2023. In terms of the use of security operations centers, use has gone into reverse, as has the use of threat intelligence and managed detection and response. Budget constraints may be a factor.”
In conclusion, the Bridewell report said that it contains a ‘significant amount’ of good news about the state of cybersecurity within the U.K.’s CNI at the beginning of 2024. These organizations have reported a significant reduction in the number of attacks compared to 2022. “They are more confident about the many aspects of security we have examined in this report, even in the face of the notorious cyber-skills drought. And they are as positive as they were in the last report about their level of cyber maturity across a range of approaches and technologies.”
But confidence can easily fold over into complacency, it observed. “Within this research, we can see that cyber security budgets were down by double-digit percentages last year and spending is only set to increase by less than 3% on average. Many organizations still have a way to go on compliance with regulation. CNI entities know they face a very broad range of attacks, many of which are fast-evolving. Hype aside, it is important for their security leaders to focus on accessing high levels of cyber-skills and to gain and maintain the intelligence-based ability to take the initiative against threats. It is vital to act rapidly before significant damage is done.”
“Although CNI is in the crosshairs of state-sponsored hacking groups, organizations should not overlook the fact that financial gain remains a major motivation among cyber criminals,” according to the report. “They must counter the malware, data theft and phishing they currently perceive as bigger risks than nation-state attacks. Unfortunately, these survey results tell us the average cumulative cost of a ransomware attack is now close to £300,000. Yet for many organizations, the cost will be much higher in reputational damage if they fail to devote the maximum resources possible to cyber security.”
Earlier this week, an executive from GCHQ’s National Cyber Security Centre (NCSC) hailed the introduction of a Cyber Security and Resilience Bill as a ‘landmark moment.’ This legislation is designed to bolster the protection of the UK’s critical national infrastructure against escalating cyber threats. The U.K. government plans to introduce this bill to Parliament in the coming months, as highlighted in King Charles’ speech outlining the government’s legislative agenda. This move aims to strengthen the UK’s cyber defenses and ensure the security of critical infrastructure and the digital services that companies depend on.