Staff and supply chains are greatest cyber security risk for CNI
The research forms part of Atkins’ new Cyber Resilient Infrastructure Report, which was published today as part of European Cyber Security Month. The report, which outlines how the UK might become a more cyber resilient nation, includes a contribution from General Sir Richard Barrons, former Commander Joint Forces Command and Chief of Staff of the UK Armed Forces (until April 2016).
The research findings reflect the views of senior figures across a wide range of CNI, government and defence organisations. These include Airbus Defence & Space, Anglian Water, Department for Culture, Media & Sport, Ministry of Defence, Qinetiq, and the UK Space Agency.
Fifty eight per cent of respondents reported low levels of confidence in the cyber resilience of CNI supply chains, with half of those expressing no confidence at all. Although people were confident in the security protecting their own organisation, it was considered to be much more difficult to protect information assets and intellectual property once it entered a wider supply chain.
When asked to rank their top three cyber security concerns today, half of respondents identified people/employees as their top concern. This response covered a range of issues including insider threat, user browsing, board-level awareness, and staff understanding of the part they play in helping to protect their organisation.
The second highest concern was network compromise and insufficiently protected legacy systems (25 per cent), including issues around the Internet of Things and Cloud-based services. This was then followed by concerns around the pervasive growth of organised and state-sponsored cyber-crime (8 per cent).
Two thirds of respondents consider their top three concerns to be the same this year as last, with any difference being a greater understanding of the scale of the threats presented and breadth of the risk.
When asked to look ahead and cite their top CNI cyber security concerns for the future, 28 per cent suggested it was the rapid advance of technology, especially the Internet of Things and convergence. This was followed by the growth of organised and state-sponsored cyber-crime (24 per cent), and then a shortage of skills required for the UK’s cyber defence (20 per cent).
When asked to gauge whether advantage currently lay with the cyber attacker or defender, 70 percent believed it was with the attacker (compared to 61 per cent last year), 13 per cent said it was currently balanced (compared to 17 per cent last year) and 17 per cent believed it was with the defender (compared to 22 per cent last year).
Andy Wall, Atkins’ head of cyber security explained: “As well as serving as a confidence barometer, the research results also help paint a picture of the CNI and defence industry’s major cyber security concerns, both today and in the future. Although some of these results are concerning, there are of course some CNI organisations – particularly the civil nuclear industry – who are leading in this area, and there is much that parallel sectors could learn from their example.
“Alongside the concerns outlined above, transparency was also raised as an enduring industry challenge. A lack of clear definitions of risk terms and reliance upon confusing technical language to define the cyber threat is turning off senior leaders. This in turn is preventing them from fully understanding the risks and potential mitigation measures. Hopefully this report will help to overcome some of those barriers.”
