We surveyed over 600 of the UK’s cyber security leaders across critical national infrastructure (CNI) to uncover their views on the current threat landscape, their cyber maturity, and areas they need to improve in. Here are some of our top findings:
Security Challenges: 41% of CNI organisations rank data protection as one of their biggest security challenges. 40% consider cloud services to be the main avenue of cyber attack in their IT environments.
Cyber Budgets: 56% of CNI organisations anticipate their cyber security investment will increase next year, with 41% reskilling current employees to fill their cyber security talent pipeline over the next two-three years.
Ransomware: 37% of CNI organisations have experienced costs in excess of £500,001 due to ransomware, with 29% citing “system recovery and repair” as one of the main contributing costs.
AI: 83% of UK CNI are concerned about AI-powered phishing attacks, while 95% are using AI-driven tools in their operations.
Operational Technology (OT): Cloud services and web browsing/ internet access are ranked as the main avenues of cyber attack in OT environments, with 35% of CNI organisations citing a “lack of security monitoring” as a main area of concern.
Data Privacy: 95% of CNI organisations have suffered a data breach, with 25% of them only discovering the breach once an attacker notified them.
What’s New in Our 2025 Research?
New for this year’s research is unsurprisingly AI, which, for better or worse, has been an inescapable talking point across the industry. Several of our questions look at what AI threats respondents are concerned about, and how they are currently using AI themselves.
Additionally, with our 2024 Cyber Security in CNI report finding greater levels of concern around data privacy, we’ve added additional questions to understand what specific concerns CNI organisations share in this area. Other areas we’ve dived further into this year are supply chain risk, operational technology, and risk assessments.
Key Whitepaper Highlights
The threat landscape
Future events and threats
AI-driven threats and security tools
Data protection
Operational Technology (OT)
Business pressures and skills
Supply chain attacks
