Most UK Critical National Infrastructure (CNI) bodies experienced a data breach in the past year, according to a study by a UK-based cyber security services firm. The report, Cyber Security in Critical National Infrastructure: 2025, by Bridewell, suggested that over half (54 per cent) reported financial losses exceeding £100,000 per breach, with cyber security upgrades, systems recovery and increased operational costs contributing the bulk of the expenses.
The main cyber threats facing UK CNI are ransomware, phishing and unauthorised access. One-third of organisations targeted by ransomware admitted to paying the ransom, a practice which has been debated in recent years. Censuswide surveyed 600 cyber security people in UK CNI. Findings included:
Speed of incident response remains a challenge, with only 22pc of organisations able to respond to a ransomware attack within an hour, while 69pc manage to respond within six hours. Cloud services have become the most targeted attack vector across IT (information technology) and OT (operational technology) in UK CNI sectors according to the respondents, with web browsing and internet access cited as the second main avenue for attack amongst those surveyed. Data protection remains a concern, with most organisations (90pc) expressing worries about meeting compliance requirements.
Artificial intelligence is re-shaping the cyber threat landscape, with AI-driven phishing emerging as the top AI-powered attack vector (with 83pc of respondents citing it as a top concern). Automated hacking and AI-powered botnets follow. Some 95pc of UK CNI are integrating AI-driven tools into their operations.
Despite 90pc of respondents believing they have a mature IT cyber security strategy, only a quarter are following best practices for cyber risk assessments. Confidence in Operational Technology (OT) security maturity is even lower, with 34pc describing their OT security as “very mature,” compared to 44pc for IT security.
Talent gap
To address a cyber security skills shortage, UK CNI organisations are focusing on re-skilling current employees, outsourcing to external partners and developing apprenticeship programmes over the next two to three years. Despite a growing reliance on third-party providers, only 42pc of UK CNI organisations are “very confident” in their ability to handle supply chain cyber threats. And 57pc of respondents experienced a supply chain attack in the past year. The top three supply chain attacks experienced were firmware attacks, data interception and tampering, and third-party service provider breaches.
What they say
Anthony Young, CEO at Bridewell said: “As cyber threats continue to evolve, UK CNI organisations must prioritise rapid incident detection and response, as well as bolster their cyber security maturity and strengthen resilience against supply chain risks. With AI taking a bigger role in both attacks and defences, organisations must remain proactive to safeguard critical infrastructure and national security, especially in a tumultuous geo-political climate.”
To download the report visit: https://www.bridewell.com/insights/white-papers/detail/cyber-security-in-critical-national-infrastructure-organisations-2025.



