Staff and supply chains are the greatest cyber security vulnerabilities for critical national infrastructure organisations, according to a new report.
New research by consultant Atkins has revealed that more than half of senior industry figures have low confidence in the cyber security of critical national infrastructure (CNI) supply chains, while 50% cite people/staff as CNI’s greatest cyber resilience weakness.
The research forms part of Atkins’ new Cyber Resilient Infrastructure Report, published as part of European Cyber Security Month. The company said that the report outlined how the UK could become more cyber resilient.
Cyber attack confidence barometer charts
Atkins said that the research findings reflected the views of senior figures across a wide range of CNI, government and defence organisations, including Airbus Defence and Space, Anglian Water, the Department for Culture, Media & Sport, the Ministry of Defence, Qinetiq, and the UK Space Agency.
Although people were confident in the security protecting their own organisation, it was considered to be much more difficult to protect information assets and intellectual property once they entered a wider supply chain, according to the report.
When asked to rank their top three cyber security concerns today, half of respondents identified people/employees as their top concern. This response covered a range of issues including insider threat, user browsing, board-level awareness, and staff understanding of the part they play in helping to protect their organisation.
The second-highest concern was network compromise and insufficiently protected legacy systems (25%), including issues around the Internet of Things (IoT) and cloud-based services. Atkins said that this was followed by concerns around the pervasive growth of organised and state-sponsored cyber crime (8%).
Cyber security concerns
When asked to look ahead and cite their top CNI cyber security concerns for the future, 28% suggested it was the rapid advance of technology, especially the IoT and convergence. This was followed by the growth of organised and state-sponsored cyber crime (24%), and then a shortage of skills required for the UK’s cyber defence (20%).
When asked to gauge whether advantage currently lies with the cyber attacker or defender, 70% believed it was with the attacker (compared to 61% last year), 13% said it was currently balanced (compared to 17% last year), and 17% believed it was with the defender (compared to 22% last year), said Atkins.
Cyber attack perception of advantage graph
“As well as serving as a confidence barometer, the research results also help paint a picture of the CNI and defence industry’s major cyber security concerns, both today and in the future,” said Atkins head of cyber security Andy Wall.
“Although some of these results are concerning, there are, of course, some CNI organisations – particularly the civil nuclear industry – who are leading in this area, and there is much that parallel sectors could learn from their example.”
Wall added that alongside the concerns outlined already, transparency was also raised as an enduring industry challenge.
“A lack of clear definitions of risk terms and reliance upon confusing technical language to define the cyber threat is turning off senior leaders,” he said. “This, in turn, is preventing them from fully understanding the risks and potential mitigation measures. Hopefully this report will help to overcome some of those barriers.”