In an increasingly digitised world, Critical National Infrastructure (CNI) stands as a vital pillar supporting our modern way of life. However, as these sectors embrace digital transformation, they also become prime targets for cyber threats. From ransomware attacks crippling power grids to phishing schemes compromising sensitive infrastructure, the stakes couldn't be higher. As we navigate these perilous waters, the need for robust cybersecurity measures to remain resilient has never been more critical.
“The NCSC still assesses that ransomware remains one of the greatest cyber threats to UK CNI sectors. This has been evidenced by international incidents, including attacks against Colonial Pipeline and the Irish Health Executive, and within the UK, against South Staffordshire Water, Royal Mail International and even one impacting NHS 111. Some of these attacks have also highlighted the possibility of disrupting CNI through attacks on key suppliers, who may have weaker security and thus present an attractive opportunity for adversaries.”
Source: NCSC Annual Review 2023, NCSC.GOV.UK
One of the most ubiquitous cyber threats haunting the industry is ransomware. Attackers target critical infrastructure, encrypting vital data and demanding ransoms for its release. These sectors, with their interconnected systems, become prime targets for malicious actors seeking financial gain or causing widespread disruption.
Phishing attacks remain an ever-present threat, exploiting human vulnerabilities through deceptive emails or messages enticing employees to unwittingly click on malicious links, compromising sensitive data. As digital communication becomes more ingrained in daily operations, the risks associated with phishing escalate.
As if the threats highlighted above aren’t enough, the CNI industry needs to deal with some internal challenges which risk impacting companies' efforts to address those risks. In particular:
In the face of these evolving threats, the focus needs to shift towards empowering the human element – the frontline defenders against cyber threats. That's where security awareness training emerges as a crucial component of an organisation's defence strategy.
However, in 2023 it was reported that 74% of data breaches involved a ‘human element’, and it is becoming evident that traditional approaches to security awareness training simply aren't working.
Whilst these traditional methods offer a foundational understanding of security, solutions such as eLearning often fail to provide employees with the relevant skills needed to deal with sophisticated real-life cyber threats in the moment. Let's be honest, how many of us have clicked “next, next, next” just to get to the end of the course? Once-a-year mandatory training, regardless of quality, is unlikely to have any lasting impact.
Instead, CNI organisations could look towards using psychology and behavioural science and try to understand why users are more likely to engage in risky behaviour online. By understanding the cognitive and psychological aspects of human behaviour, security training programs can be tailored to address specific challenges faced within organisations but also to actively try and change those behaviours. But how?
One way organisations can integrate cybersecurity awareness into everyday activities is by using nudge theory, a non-invasive and integrated approach to training. It takes the very psychological tools attackers use to trick people and, instead, uses them to empower people to protect themselves.
Behavioural approaches use contextual nudges at the point of risk as well as drip-fed snippets of content to “prime” people, keeping security front of mind. Timely reminders can build awareness, embed secure habits and offer organisations both visibility of risk and measurable improvements in their risk profile.
To address different roles, responsibilities and both the corporate and OT functions, organisations can use a campaign-based approach, targeting role specific risks or behaviours with role relevant content.
Finally, shifting from a culture that fears admitting mistakes to a safe and rapid reporting culture when things go wrong, will be fundamental to ensure resilience.
This approach recognises that employees are not the weakest link in security, as end-users are so often wrongly accused of being, but rather a critical asset in the defence against cyber threats.
As the CNI sector continues its journey into the digital future, the imperative for robust cybersecurity measures cannot be overstated. By embracing a human-centric approach to cybersecurity awareness training, organisations can empower their workforce to become the first line of defence against evolving cyber threats.
If you’re interested in learning more about how ThinkCyber is supporting CNI organisations to measurably reduce their operational risk then join our webinar on the 16th of April when we’ll be talking to Louise Hiscott, Cyber Security Culture Lead at Welsh Water about her highly successful engagement and behaviour change campaign at a UK utility.