Armis, a leading asset visibility and security company, has announced preliminary findings from the Armis State of Cyberwarfare and Trends Report: 2022-2023, which measures global IT and security professionals’ perceptions of cyberwarfare. It found that while 84% of UK organisations claimed they had programmes and practices in place to respond to cyberwarfare threat, only one-third (32%) said their plans are validated by best practice frameworks, which is less than the global average of nearly 40%. In addition, 57% of UK organisations have stopped or stalled Digital Transformation projects due to threat of cyberwarfare – slightly higher than the global average of 55%.
The growing threat of cyberwarfare
The Russian invasion of Ukraine has not only tragically upended the lives of countless people in a sovereign nation, but it is also causing geopolitical shockwaves of cyberwarfare that will reverberate for the foreseeable future. Today’s targets extend well beyond the higher levels of the opposition governments; any organisation is a potential victim, with critical infrastructure and high-value entities at the top of the list. The study shares responses from more than 6,000 respondents globally and across multiple industries, including healthcare, critical infrastructure, retail, supply chain and logistics and more.
The study showed that cyberwarfare was one of the lowest-ranking priorities for UK organisations – despite a majority of organisations (59%) agreeing that the threat of cyberwarfare has increased since the start of the Ukrainian conflict, and 62% claiming to be somewhat or very concerned about the threat of cyberwarfare on their organisations. In the UK, for instance, 42% of security professionals claimed to have had to report an incident of cyberwarfare to authorities, which is significantly higher than the European average of one-third of companies, but lower than the global average of 45%. A further 28% of UK organisations reported more threat activity on their networks in the past six months compared with the six months prior.
Observations on Network and Information Systems (NIS) regulations
A majority of organisations in the UK somewhat (46%) or strongly (25%) support the extension of NIS regulations to all businesses, while 27% remain indifferent to the legislation. Historically, NIS regulations applied to operators of essential services and relevant digital service providers but have since seen updates in the NIS2 iteration that extend to ‘important’ services as well.
The study also examined UK security professionals’ adoption of NIS and found that only one-third (33%) strongly agree that they have mapped their cybersecurity programmes to NIS.
“To validate cybersecurity expenditure is not simply a house of cards, it will be vital for organisations to prove their risk analysis is adequate and appropriate and in line with NIS2 law,” said Andy Norton, European Cyber Risk Officer at Armis. “The study indicates that UK organisations are taking some action to comply with new regulations and validate cybersecurity programmes against best practice frameworks, but also that there is still significant room for improvement.”