Trust in cybersecurity tools has become one of the biggest challenges facing critical national infrastructure (CNI) providers as sophisticated nation-state attacks proliferate, according to a new report from Bridewell.
The IT services firm’s latest Cyber Security in Critical National Infrastructure report is based on interviews with over 1000 CISOs and equivalent at CNI providers in the US and UK.
It revealed that nearly a third (31%) ranked “trust in cybersecurity tools” as a top challenge this year, a massive 121% increase on the 2023 edition of the report.
“Confidence in tools took a blow last year when the UK joined the US and other nations in warning providers of essential services about China-backed activity against CNI,” the report noted.
In fact, 74% of respondents said they are concerned about Chinese state actors, on a par with those worried about Russian state operatives (73%).
These concerns are likely to have been exacerbated recently, with US warnings in February that Chinese actors have pre-positioned themselves in multiple CNI networks to launch destructive attacks in the event of a military conflict.
As trust in tooling has declined, so have budgets. The report found that the percentage of IT (33%) and OT (30%) budgets earmarked for cybersecurity fell dramatically from the previous year’s figures of 44% and 43% respectively.
The sharp decline can be seen across the board, from new hires, training and risk assessments to technology investments.
However, despite these financial difficulties, nearly a third (30%) of CNI respondents that fell victim to a ransomware attack last year told Bridewell that they paid their extortionists.
As well as the costs involved, Bridewell warned of the potential legal jeopardy that paying a ransom may put CNI firms in.
“Ransom payments could, for example, go to individuals subject to legal sanctions by the UK, US or EU. The UK’s Office of Financial Sanctions Implementation is warning payments could breach the law in other jurisdictions,” the report noted.
Interestingly, over a quarter (27%) of respondents claimed that ransomware breaches also had a psychological impact on employees.
Bridewell CEO, Anthony Young, was sympathetic to those organizations that do end up paying.
“If the organization has no ability to recover, then paying the ransom may represent the only viable option to resume operations other than rebuilding their systems from scratch,” he argued.
“However, this difficult choice is avoidable by having a security strategy to reduce the risk of threat actors gaining access and traversing through your systems without discovery and effective removal.”