Regulation may be the largest driver for maturity in cybersecurity in OT and CNI organisations.
Asked what the biggest cybersecurity challenge for CNI organisations is at the moment, 41 percent of respondents named data protection and privacy in 2025, a rise from 37 percent of respondents in 2024 and 18 percent in 2023.
The research also found a reduction in the number of phishing, malware and system access attacks, which Bridewell CTO Martin Riley said could be tied to investment in cybersecurity tools, adding that regulation “has given benefits to UK CNI.”
Speaking at a media roundtable, Riley said: “If we look back over recent years, regulation has become one of the largest, if not the largest driver for maturity in cybersecurity in these organisations, so it's good that we're starting to see some benefits come of it.”
Anthony Young, CEO at Bridewell, said the NIS regulations came in the same year as GDPR, 2018, so “it took a while for them to really start to have traction and a lot of the investment for being sort of critical national infrastructure has come off the back of NIS, as operators of essential services have been told to identify what the critical systems within the organisation.”
Young said a lot of money has gone into systems over the last five to six years, to make sure the right security controls are in place around those systems.
Board Representation
The survey found that 88 percent of CNI organisations have board representation, and Ben Vaughan, chief commercial officer at Bridewell, said this is probably “a really good number if you compare it to other areas like retail and areas where cybersecurity is less well considered.”
He said this is the key item to improving your overall cybersecurity, because it may impact everything else if cybersecurity is a topic at board level. “If the board is aware of some of these issues, it just helps resolve for the overall organisation, so when we work with our customers, we always try to make sure that we advise them that where possible to get all the board representation.”
Asked about their confidence level in their OT cyber maturity, 88 percent said they believed they were at a level of ‘mature’, compared to 34 percent who were ‘very mature.’ Vaughan said: “There is a high degree of confidence in the OT cycle, which is probably not reflective of what we see in our customers.
“A lot might have got a really good grasp of security in the IT space, but they haven't necessarily got a good grasp in the OT security space.”
In the IT space, 90 percent said they were at a mature level, whilst 44 percent said they were very mature.
Elsewhere, the speed of incident response remains a key challenge, with only 22 percent of organisations able to respond to a ransomware attack within an hour, while 69 percent manage to respond within six hours. As a result, improving incident detection speed has emerged as the fastest-growing priority for UK CNI organisations over the past two years.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.