Report warns of the CNI security impacts of economic hardship including insider threats, social engineering attacks, and reduced cyber budgets.

The cost-of-living crisis could trigger a rise in cyberattacks and security risks impacting UK critical national infrastructure (CNI). That’s according to new research by UK cybersecurity services firm Bridewell, which surveyed 500 UK cybersecurity decision makers in the transport and aviation, utilities, finance, government, and communications sectors. The Cyber Security in Critical National Infrastructure Organisations: 2023 report found that over a third (34%) of organisations across UK CNI anticipate a rise in cybercrime as a direct result of the current economic crisis.

The findings come as the ongoing Russia-Ukraine war squeezes oil and gas flows to the UK, causing a spike in prices for fuel and food.

Economic downturn may increase insider threats, social engineering attacks

The rising cost of living is putting employees and organisations under increased financial strain. As focus turns to financial stability, security issues could be sliding down the priority list, creating opportunities for insider threats to go unnoticed, the report read.

The rising cost of living could lead to an increase in insider threats and employee crime, as workers increasingly steal from their employers to make ends meet, the report said. Over a fifth (21%) of CNI decision makers surveyed now rank employee sabotage among the biggest risks to their organisation’s IT environment. Meanwhile, organised criminal groups could be primed to exploit people’s vulnerabilities by reaching out to individual employees within an organisation, offering them a lucrative payoff in return for access to sensitive data or protected systems.
A third (33%) of respondents expect the prevalence of phishing and social engineering attacks to grow because of economic downturns, suggesting that threat actors could prey on employees’ financial fears to gain illicit access to CNI data and systems.

Reduced cybersecurity budgets add to CNI security risks

Aside from evolving security threats, the economic pressures facing CNI are causing some UK organisations to re-evaluate their cyber spend. Almost two-thirds (65%) of respondents across UK CNI have seen some reduction or a significant reduction in their organisation’s cybersecurity budget this year, in sharp contrast to 2022, when cybersecurity budgets rose across all sectors, the report stated. The communications sector has been impacted the least by cybersecurity budget cuts, with almost half (48%) seeing no change in cybersecurity budgets. However, the transport and aviation and utilities sectors (including energy, oil, and gas) have experienced the greatest fall in cyber budgets, with 73% and 69% of respective respondents seeing some reduction or a significant reduction, the research found.

CNI must strengthen cyber defences from the inside out

Amid increased security risks and decreasing security budgets, IT and security leaders in the CNI sector must invest in strengthening their cyber defences from the inside out, said Anthony Young, Co-CEO at Bridewell. “This should encompass the robust monitoring and testing of systems and access controls, investment in data loss prevention, and the continuous education and training of employees to raise awareness of cyber security best practices.”

Last September, the UK’s National Cyber Security Centre (NCSC) released a new version of the Cyber Assessment Framework (CAF) to support CNI organisations that are subject to the Network and Information Systems (NIS) regulations and organisations managing cyber-related risks to public safety.
The release came in the wake of research which revealed that the UK CNI sector is struggling to address software supply chain risks and cyber skills shortages.