Current security budgets are failing to keep pace with cyber-attacks against the UK’s water industry, according to new research from UK cyber security services firm, Bridewell.
The research, which surveyed UK cyber security decision-makers across critical national infrastructure (CNI), reveals over half (57%) of water companies have increased cyber security budgets over the past 12 months. Yet, despite rising investment in cyber security, 79% say it has become harder to detect and respond to threats – higher than any other sector within CNI. Furthermore, 57% admit that new and innovative measures of cyber attacks are significantly outpacing their cyber security strategy.
On average, UK water operators are now spending 43% of their IT budget on cyber security, with investment predicted to rise by a further 16% in the year ahead. However, the fact that many organisations are still struggling with the volume, sophistication and detection of cyber threats suggests cyber security investment is not being spent wisely.
Martin Riley, Director of Managed Security Services at Bridewell, comments:
“While it’s encouraging to see that cyber security budgets are rising, this is only one piece of the puzzle for water companies. Any exploitable security vulnerabilities in our water supply can pose significant dangers, including risk to public safety and even loss of life, so it’s essential that operators re-evaluate how they allocate and use their budget and invest in tools and technology that will deliver the visibility and results needed for a more robust, proactive, and holistic approach to security.”
The results reflect wider problems throughout the utilities sector, highlighting the need for a more strategic approach to cyber security transformation and investment. Currently, only 14% of CNI IT decision-makers in utilities say they have a managed detection and response (MDR) solution in place and even less (13%) have implemented extended detection and response (XDR) to enable detection and response capabilities across network, web and email, cloud, endpoint and most crucially, identity. Similarly, less than a fifth say they have implemented threat hunting and cyber intelligence processes.
Poor cyber security investment choices could also be causing problems with visibility. 68% of those in the utilities sector say they don’t have sufficient visibility across the IT/OT boundary and 7 in 10 do not have sufficient visibility over all end user, networks, and systems.
Problems could also be a result of over-investment in security tools, with 70% saying the number of security tools within their organisation is unmanageable. On average, security teams in the water industry are now managing 31 security tools, with 37% admitting to managing over 40 tools. Not only does too many tools stretch security teams too thinly across disparate and poorly developed solutions, but it increases the complexity of monitoring, managing, operating, and optimising a technology stack.
To learn more, you can download the full report ‘Cyber Security in UK Critical National Infrastructure 2022: Part 2’.
