
Overconfidence in cyber security: a silent catalyst for CNI breaches
Many CNI organisations are perilously overconfident in their ability to manage and combat cyber risks, according to Bridewell research. This is leaving vital systems exposed.
Critical National Infrastructure (CNI) lies at the heart of modern society, powering essential systems vital for daily life. Yet, it has become an attractive target for malicious threat actors in recent years,
due to the significant and potentially catastrophic impact of successful attacks. As the cyber threat landscape intensifies, many CNI organisations have become dangerously overconfident in their ability to manage and combat cyber risks. This misplaced assurance is leaving vital systems exposed to breaches, disruption, and long-term reputational harm.
Despite growing awareness of cyber threats within the industry, 95% of CNI organisations have experienced a data breach within the last year. This highlights a significant gap between perception and reality when it comes to the sector’s confidence in preventing cyberattacks. Previous high-profile attacks demonstrate the real-world consequences such incidents can have within the sector. For instance, the infamous Colonial Pipeline ransomware incident in 2021 led to fuel shortages, price increases and disruptions in the supply chain, affecting the south-eastern United States.
Equally, the recent Volt Typhoon intrusion into the US National Grid, where Chinese hackers remained undetected inside a small public utility’s network for over 300 days, marked a serious escalation in cyber-enabled espionage. It also underscores the vulnerabilities of critical infrastructure to persistent nation-state threats, highlighting the broader risks to larger, more complex systems, even as the full impact remains unclear. Further to this, IT firm Synnovis, which provides blood test services in southeast London, suffered a ransomware attack, allegedly carried out by the Russian group Qilin, last year, which led to a patient's death due to a delayed test result. This incident is believed to be the first recorded fatality directly linked to a cyberattack and demonstrates the potentially life-threatening consequences of such attacks.
Evidently, service outages, threats to public safety and reputational fallout are no longer hypothetical risks but an imminent reality for the CNI sector. Therefore, it has become critical for the sector to reassess its ability to respond to emerging threats, deepen its understanding of the evolving threat landscape and rethink its cyber resilience strategy against adversaries.
Securing the supply chain
As economic pressures mount, many CNI organisations are significantly reducing cybersecurity budgets and turning to outsourcing as a cost-saving measure. This trend has seen a growing reliance on Managed Service Providers (MSPs), which, while operationally efficient, introduce new entry points for threat actors within already complex supply chains. Outsourcing without proper evaluation and due process can leave the door wide open for threat actors to exploit third-party relationships and gain access to otherwise secure systems. This is becoming a growing issue within the sector, as 57% of CNI organisations have experienced a supply chain attack in the past year. The recent Marks & Spencer breach, for example, was traced back to vulnerabilities in a third-party provider, demonstrating the risks of relying on external partners without adequate oversight.
Supply chain attacks remain a favoured tactic because they target the weakest link. Threat actors can move laterally and often undetected across networks once access is gained, emphasising the importance of assessing or reassessing supplier security protocols, and ensuring end-to-end visibility and accountability.
Stricter regulations to boost resilience
In efforts to tackle the issue at large, the government is tightening regulations to help strengthen resilience across multiple sectors within CNI. Introduced in April 2025, the UK’s proposed Cyber Security and Resilience Bill, modelled after the EU’s NIS2 Directive, aims to bolster national cyber defences by enforcing stricter standards across CNI sectors. This legislation will have significant implications, especially for MSPs that support essential services, who will now, quite rightly, be held to the same rigorous standards as the organisations they serve. Under the proposed bill, MSPs will be expected to demonstrate greater transparency and control over their infrastructure and services, including third-party dependencies.
Additionally, it is important for CNI organisations that rely heavily on MSPs for outsourcing to take into consideration that any failure to comply with the new obligations could result in legal and reputational risks for both parties. For CNI organisations, compliance demands both technical upgrades and a cultural shift, embedding cyber resilience across all operations; cybersecurity must be seen not as a cost but as a critical business investment.
The escalating nation-state threat
The threat from nation-state actors continues to plague the sector with at least 65% of CNI organisations still rating it as a top-level concern. This is mainly because many CNI organisations are ill-equipped to defend against highly resourced, politically motivated campaigns originating from adversarial states like Russia, China, and North Korea.
Advanced Persistent Threat (APT) groups, such as the Chinese group Salt Typhoon, focus on long-term espionage rather than attacks with immediate financial gain. In 2024, Salt Typhoon targeted major U.S. telecom providers, including AT&T and Verizon, aiming to compromise a U.S. government wiretapping platform. Using sophisticated tools such as the Demodex rootkit, they maintained stealthy, persistent access within the network. This highlights the evolving and covert nature of cyber espionage, where nation-state actors prefer to lie dormant within networks, conducting long-term surveillance or laying the groundwork for future disruption – particularly since the true consequences of this attack are still uncertain. Such threats demand greater vigilance, intelligence sharing and advanced threat detection capabilities from the CNI sector.
The ongoing threat of ransomware
Despite rising awareness and increased defences, ransomware remains one of the most prevalent and prominent cyber threats to the sector, as over half of CNI organisations have experienced a ransomware attack in the last 12 months. Historically, ransomware attacks required a certain degree of deep technical expertise. However, this has changed dramatically in recent years with the democratisation of attack tools such as off-the-shelf ransomware kits and cybercrime-as-a-service platforms, which have made such attacks more accessible and adaptable for threat actors.
Threat actor groups such as Scattered Spider use targeted social engineering and commercial cybercrime tools to infiltrate high-value systems, often bypassing traditional defences with alarming ease. The threat is no longer confined to phishing emails: it is highly targeted, deeply disruptive, and continually evolving.
Tackling overconfidence in CNI
The cyber threat landscape is changing faster than many CNI organisations are prepared for. Overconfidence within the sector isn’t just a gap in defence; it’s a fast track to imminent attacks. When organisations believe they are more secure than they truly are, they fail to invest in the measures necessary to withstand modern threats.
In preparation, organisations within the sector must benchmark their preparedness by identifying and addressing gaps in their defences. Cybersecurity for CNI must be treated as a strategic enabler, not just another expense. It is no longer a question of if a cyberattack will happen, but when. The time for reactive defence has passed and it is vital for organisations to adopt a proactive stance, built on a foundation of best practices aligned to assured frameworks that will help build resilience to withstand the inevitability of future attacks.
Anthony Young is the CEO of Bridewell.