The time is now for a human-centric approach to cyber resilience in our Critical Industries
In an increasingly digitised world, Critical National Infrastructure (CNI) sectors stand as vital pillars supporting our modern way of life. However, as these sectors embrace digital transformation, they also become prime targets for cyber threats. From ransomware attacks crippling power grids to phishing schemes compromising sensitive infrastructure, the stakes couldn't be higher. As we navigate these perilous waters, the need for robust cybersecurity measures that keep organisations resilient has never been more critical.
Unravelling the Threat Landscape

“The NCSC still assesses that ransomware remains one of the greatest cyber threats to UK CNI sectors. This has been evidenced by international incidents, including attacks against Colonial Pipeline and the Irish Health Executive, and within the UK, against South Staffordshire Water, Royal Mail International and even one impacting NHS 111. Some of these attacks have also highlighted the possibility of disrupting CNI through attacks on key suppliers, who may have weaker security and thus present an attractive opportunity for adversaries.”

Source: NCSC Annual Review 2023 (NCSC.GOV.UK)
Rampant Ransomware: A Persistent Menace

One of the most ubiquitous cyber threats haunting the industry is ransomware. Attackers target critical infrastructure, encrypting vital data and demanding ransoms for its release. These sectors, with their interconnected systems, become prime targets for malicious actors seeking financial gain or causing widespread disruption.

Pervasive Phishing: A Sneaky Enemy

Phishing attacks remain an ever-present threat, exploiting human vulnerabilities through deceptive emails or messages enticing employees to unwittingly click on malicious links, compromising sensitive data. As digital communication becomes more ingrained in daily operations, the risks associated with phishing escalate.
CNI challenges

As if the threats highlighted above weren’t enough, CNI organisations also face internal challenges that risk undermining their efforts to address those threats. In particular:

  1. CNI organisations typically have to manage a mix of staff carrying out traditional corporate functions alongside staff working with Operational Technology (OT) and legacy systems. These different roles, responsibilities and risks require a more nuanced and targeted approach to engaging staff.
  2. A CNI firm can combine the character of a startup with that of a well-established privatised organisation, even within the same company, creating cultural artefacts that need to be considered in communications about cyber security.
  3. The nature of the services requires a strong focus on resilience and minimising impact – these critical services need to keep running.
  4. Commercial (shareholder/investor) pressures on the organisation lead to pressure on spending for the management and security of what are, essentially, public assets at risk.
Empowering the Human Element: A Human-Centric Approach

In the face of these evolving threats, the focus needs to shift towards empowering the human element – the frontline defenders against cyber threats. That’s where security awareness training emerges as a crucial component of an organization's defence strategy.

However, in 2023 it was reported that 74% of data breaches involved a ‘human element’, and it is becoming evident that traditional approaches to security awareness training simply aren’t working.

Whilst traditional methods such as eLearning offer a foundational understanding of security, they often fail to give employees the practical skills needed to deal with sophisticated real-life cyber threats in the moment. Let’s be honest, how many of us have clicked “next, next, next” just to get to the end of the course? Once-a-year mandatory training, regardless of quality, is unlikely to have any lasting impact.

Instead, CNI organisations could draw on psychology and behavioural science to understand why users are more likely to engage in risky behaviour online. By understanding the cognitive and psychological aspects of human behaviour, security training programmes can be tailored to address the specific challenges faced within an organisation and to actively change those behaviours. But how?
Using Nudge Theory for Effective Cybersecurity Awareness Integration

One way organisations can integrate cybersecurity awareness into everyday activities is by using nudge theory, a non-invasive and integrated approach to training. It takes the very psychological tools attackers use to trick people and instead uses them to empower people to protect themselves.

Behavioural approaches use contextual nudges at the point of risk as well as drip-fed snippets of content to “prime” people, keeping security front of mind. Timely reminders can build awareness, embed secure habits and offer organisations both visibility of risk and measurable improvements in their risk profile.

To address different roles and responsibilities across both corporate and OT functions, organisations can use a campaign-based approach, targeting role-specific risks or behaviours with role-relevant content.

Finally, shifting from a culture that fears admitting mistakes to one of safe and rapid reporting when things go wrong will be fundamental to ensuring resilience.

This approach recognises that employees are not the weakest link in security, as end-users are so often wrongly accused of being, but rather a critical asset in the defence against cyber threats.
As the CNI sector continues its journey into the digital future, the imperative for robust cybersecurity measures cannot be overstated. By embracing a human-centric approach to cybersecurity awareness training, organisations can empower their workforce to become the first line of defence against evolving cyber threats.

If you’re interested in learning more about how ThinkCyber is supporting CNI organisations to measurably reduce their operational risk then join our webinar on the 16th of April when we’ll be talking to Louise Hiscott, Cyber Security Culture Lead at Welsh Water about her highly successful engagement and behaviour change campaign at a UK utility.