Despite mounting threats and high incident rates, organizations in the UK’s critical national infrastructure (CNI) sector display an alarming overconfidence in their cybersecurity defenses. According to Bridewell’s latest Cyber Security in Critical National Infrastructure Organizations report, confidence that critical systems are protected from cyber threats has grown steadily since 2025, despite 95% of respondents admitting they suffered a breach within the past year.
Organizations Overestimate Cyber Defenses
This overconfidence is most obvious when it comes to risk assessments: 90% of respondents were confident that their organization’s current cyber risk assessment approach reflected their cyber risk posture, but only 25% are conducting valid assessments by identifying threat vectors and assessing controls against each of them, which Bridewell argues is the only effective approach to risk assessment.
According to Martin Riley, Chief Technology Officer at Bridewell, this discrepancy is particularly notable in the OT security space. He argues that “confidence in OT security is high, but our research suggests this confidence may be misplaced. Many organizations are only just beginning to assess risks in their industrial control systems.”
Cloud security is another area riddled with misplaced confidence. While 84% of respondents claim strong cloud protections, 40% also cited cloud services as a major attack vector, highlighting a dangerous gap between perception and reality.
AI: A Double-Edged Sword
The Bridewell also underscores how pressing the AI arms race is becoming. Concern about AI’s potential to cause harm has grown since 2024, with AI-powered phishing attacks causing the most concern (83%). Riley noted that attackers “don’t just use AI to remedy grammar and spelling mistakes; they also use it to gather information for highly targeted spear phishing scams, which is increasing click-through rates.”
However, despite these concerns, cybercriminals are leveraging offensive AI much faster and to much greater effect than organizations are leveraging defensive AI. Although cybersecurity chatbots are the most popular AI-driven cybersecurity tool, with 32% of respondents reporting using them, no single technology has widespread adoption. In fact, some 5% of organizations use no AI tools at all.
Regulation Alone Won’t Save CNI
According to the report, CNI organizations view compliance as being more about reducing the risk of data breaches and cyberattacks (28%) than protecting customer and stakeholder trust (25%), meeting contractual or business partner requirements (16%), or gaining a competitive advantage. However, Riley expressed concern that organizations believe that compliance equals security.
“Relying on regulation alone isn’t enough,” he said. “The threat landscape evolves faster than compliance frameworks can keep up. Companies need to be proactive, not reactive.”
Ransomware Response is Too Slow
Ransomware remains one of the most pressing threats to CNI, yet response times remain dangerously slow. 69% of organizations take up to six hours to respond to attacks, a significant delay in an industry where minutes can mean millions in damages.
Worse yet, one-third of breached CNI organizations have paid a ransom – a risky practice that may soon be outlawed in the UK. However, although he doesn’t suggest paying ransoms, Anthony Young, Bridewell’s CEO, does recommend that CNI organizations negotiate.
“Negotiating buys organizations time. It allows them to carry out incident activity while keeping attackers busy, which the ‘we don’t negotiate with terrorists approach’ doesn’t do. We actually recommend negotiation in the event of a ransomware attack.”
The Urgent Need for Realism
These findings highlight an uncomfortable truth: UK CNI organizations are dangerously overconfident about their cybersecurity posture. “If we don’t act now, we’ll be playing catch-up when it’s already too late,” Young concluded. The lesson is clear – confidence does not equal security. Only by adopting a proactive, AI-driven and risk-aware cybersecurity strategy can UK infrastructure truly safeguard itself from the next wave of cyber threats
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.