Armis, the asset visibility and security company, has divulged findings from the Armis State of Cyberwarfare and Trends Report: 2022-2023, which measured global IT and security professionals’ perceptions of cyberwarfare. It found that while 84% of UK organisations claimed they had programmes and practices in place to respond to cyberwarfare threat, only one-third (32%) said their plans are validated by best practice frameworks, which is less than the global average of nearly 40%. In addition, 57% of UK organisations have stopped or stalled digital transformation projects due to threat of cyberwarfare – slightly higher than the global average of 55%.
The cyberwarfare threat is growing
The Russian invasion of Ukraine has not only tragically upended the lives of countless people in a sovereign nation, but it is also causing geopolitical shockwaves of cyberwarfare that will reverberate for the foreseeable future. Today’s targets extend well beyond the higher levels of the opposition governments; any organisation is a potential victim, with critical infrastructure and high-value entities at the top of the list. The study shares responses from more than 6,000 respondents globally and across multiple industries, including healthcare, critical infrastructure, retail, supply chain and logistics, and more.
The study showed that cyberwarfare was one of the lowest-ranking priorities for UK organisations – despite a majority of organisations (59%) agreeing that the threat of cyberwarfare has increased since the start of the Ukrainian conflict, and 62% claiming to be somewhat or very concerned about the threat of cyberwarfare on their organisations. In the UK, for instance, 42% of security professionals claimed to have had to report an incident of cyberwarfare to authorities, which is significantly higher than the European average of one-third of companies, but lower than the global average of 45%. A further 28% of UK organisations reported more threat activity on their networks in the past six months compared with the six months prior.
In additions, other UK findings Armis noted were:
– Almost half (46%) of UK security professionals have said they’re reconsidering suppliers as a result of the Ukrainian conflict.
– Almost three-fifths (57%) of UK security professionals support a conscription to a cyber defence league if the UK was drawn into a cyberwar conflict.
– Almost one in ten (9%) of UK companies spend less than 5% of IT budget on cybersecurity, while the majority (43%) spend between 5-10%.
– When it comes to paying for ransomware, almost a quarter (24%) of security professionals in the UK said they have an “always pay” policy, while a quarter (25%) have a “never pay” policy and 31% would only pay if customer data was at risk.
– The UK has a relatively high confidence in its government protecting from cyberwarfare threats (77%), compared with the European average of just 67% being confident in their governments.
What does this mean in light of Network & Information Systems (NIS) Regulations?
A majority of organisations in the UK somewhat (46%) or strongly (25%) support the extension of NIS regulations to all businesses, while 27% remain indifferent to the legislation. Historically, NIS regulations applied to operators of essential services and relevant digital service providers, but have since seen updates in the NIS2 iteration that extend to “important” services as well.
The study also examined UK security professionals’ adoption of NIS and found that only one-third (33%) strongly agree that they have mapped their cybersecurity programmes to NIS.
A further 78% of organisations somewhat (41%) or strongly (37%) agree that they review cybersecurity risks coming from immediate suppliers, with 34% strongly agreeing that they are able to address vulnerabilities in their supply chains. However, when broken down into industry sectors, OT sectors in the UK fell significantly below this baseline average of being able to confidently address supply chain vulnerabilities at 28%. Almost half (46%) of UK security professionals in all sectors have said they’re reconsidering suppliers as a direct result of the Ukrainian conflict.
“The first of the minimum set of requirements for NIS2 is to have adequate risk analysis. This alone is a major issue for many essential or important entities, because risk analysis is founded on an understanding of the critical assets that comprise the essential function, and for most organisations an up to date and accurate asset register is either non-existent, out of date or partial at best,” said Andy Norton, European Cyber Risk Officer at Armis. “To validate cyber security expenditure is not simply a house of cards, it will be vital for organisations to prove their risk analysis is adequate and appropriate and in line with NIS2 law. The study indicates that UK organisations are taking some action to comply with new regulations and validate cybersecurity programmes against best practice frameworks, but also that there is still significant room for improvement.”
For further information on the Armis State of Cyberwarfare and Trends Report: 2022-2023, including the availability of the full report, visit: https://www.armis.com/cyberwarfare/
Methodology
Armis surveyed 6,021 IT and security professionals in firms with more than one hundred employees across the UK (1003), USA, Spain, Portugal, France, Italy, Germany, Austria, Switzerland, Australia, Singapore, Japan, the Netherlands, and Denmark. Those findings were gathered between September 22, 2022 and October 5, 2022 and depict the state of cyberwarfare globally across various regions and industries.