Ninety-eight percent of UK critical national infrastructure organisations say they are cyber
resilient. That figure comes from Bridewell's 2026 Cyber Security in CNI report, a survey of
senior security leaders across energy, transport, government, finance, and civil aviation.
In the same report, 93% of those organisations experienced a cyber attack in the past 12
months.
Read those numbers again. Nearly every CNI organisation in the country got hit, and nearly
every one of them considers itself resilient. Something is badly wrong with how the sector
measures its own security posture. Either the definition of "resilient" has been stretched beyond
meaning, or there is a systemic disconnect between what leadership believes and what is
actually happening on the network.
The data from both Bridewell and Rapid7's 2026 Global Threat Landscape Report suggests it is
the latter. The fundamentals (asset management, access control, patching, staff training) are
failing across the board. And attackers have noticed.
The Rapid7 report includes a detail that should worry anyone responsible for public sector
security: government is the number one sector targeted by Initial Access Brokers globally,
accounting for 14.2% of all IAB listings.
Initial Access Brokers are exactly what they sound like. They break into organisations (or buy
stolen credentials) and sell that access to ransomware operators. It is a supply chain for
attackers, and government sits at the top of the catalogue.
The access types being traded are not exotic. RDP accounts for 21.2% of IAB listings, VPN
access 12.8%, and RDWeb 11.2%. "Domain User" privileges are the most commonly sold level
of access. These are not sophisticated zero-day exploits. They are standard remote access
services with weak or stolen credentials.
While bulk access to smaller organisations sells for under $1,000, access to large
organisations averages over $113,000 per listing. That price reflects the value attackers expect
to extract once inside. The UK accounts for 5% of all ransomware leak site posts, tied with
Germany.
There is a functioning, mature marketplace for access to these organisations. The barrier to entry for attacking CNI is a budget, not a skill set.
Cloud infrastructure is now the number one attack vector for UK CNI at 25%, followed by
applications and software at 19%, with the human layer and supply chain tied at 14% (Bridewell
2026).
Dig into why and the same gaps keep appearing:
Only 29% of CNI organisations use centralised asset management. The other 71% do not have a single, reliable view of what is on their network.
38.3% cite skills shortages as the top contributor to vulnerabilities persisting. Only 26% are making new cyber hires.
36.5% cite lack of staff training and awareness.
33.8% cite inadequate patching or outdated systems.
Government averages 16.3 phishing and business email compromise attacks per year, the
highest of any CNI sector. Outdated software and legacy systems account for an average of 7
attacks per year across CNI.
None of these are novel attack techniques. They are the same problems the industry has been
talking about for a decade, persisting in the organisations that can least afford them.
On our CNI engagements, we consistently find the same gaps these reports highlight.
Unmanaged assets, missing MFA on remote access services, and compliance frameworks
treated as a ceiling rather than a floor.
The pattern is predictable. An external infrastructure test turns up a forgotten staging
environment or a legacy system that was supposed to be decommissioned two years ago. No
one owns it. No one patches it. It is sitting on a flat network segment with no segmentation from
production systems. Default or weak credentials get us in. From there, lateral movement is
straightforward because internal network controls assume the perimeter will hold.
Rapid7's own incident response data tells the same story. Valid credentials with no MFA
accounted for 43.9% of all incidents they investigated in 2025. Nearly half of real-world
compromises start with someone logging in through the front door.
This is not theoretical. Look at what happened across UK CNI in 2024 alone.
A ransomware attack on Synnovis, a pathology services provider, brought down blood transfusion systems across London hospitals for four months. One supplier compromise cascaded across the NHS because network segmentation between the third party and production systems was not adequate.
Scattered Spider used social engineering to breach Transport for London, accessing 10 million
customer records. Damages reached an estimated £39 million. The attack exploited the human
layer, the same vector that 14% of CNI organisations already identify as a primary risk.
Black Basta hit Southern Water. £4.5 million in costs, 270,000 customers' data exposed. A
water utility serving millions of people. INC Ransom exfiltrated 1.3TB of data from Leicester
City Council, affecting 400,000 residents. Local government, limited security budget, massive
data holdings.
The NCSC's own figures back this up. In the 2024-25 reporting period, there were 204
nationally significant cyber incidents, a 50% increase year on year. The National Audit Office
found 228 unassessed legacy systems across government departments and cyber vacancy
rates exceeding 50%.
The sector knows it has a problem. The breaches keep proving it. And yet the confidence
numbers stay high.
Part of the explanation lies in how organisations measure maturity. Regulation is now the
number one driver of cyber maturity in UK CNI at 35%, up from 26% the previous year (Bridewell 2026). That is not inherently bad. Regulation raises the floor. The problem is when
compliance becomes the goal rather than a byproduct of good security.
Framework adoption is widespread but fragmented: Cyber Essentials at 54%, the Cyber
Assessment Framework at 46%, Cyber Essentials Plus at 44%, ISO 27001 at 43%, and NIS2
at only 29%. Organisations are collecting certifications, but only 35% believe regulations are
delivering "very well" in practice.
The incoming Cyber Security and Resilience Bill, currently at Committee stage and expected
late 2026 or early 2027, will expand scope to managed service providers, data centres, and
critical suppliers. CAF v4.0 is the assurance backbone. The direction is right. But legislation
takes time, and attackers do not wait for parliamentary schedules.
The gap between compliance and security is where pen testing earns its value. A compliance
audit asks whether controls exist. A pen test asks whether they work. We regularly find
organisations that tick every box on the framework but fall apart under realistic attack
simulation. The firewall rules are documented but the exceptions list is a mile long. The MFA
policy exists but half the VPN accounts have exceptions. The patching process is defined but
the legacy system in the corner has not been touched in three years.
Compliance tells you what you said you would do. Pen testing tells you what actually happens
when someone tries to break in.
Even when attacks are detected, the response gap is alarming.
Rapid7 reports that attackers now exfiltrate data in minutes, not hours. The smash-and-grab
model is dominant — get in, grab what is valuable, get out before anyone reacts. The median
time from CVE disclosure to active exploitation has dropped from 8.5 days to just 5 days. The
window between "patch available" and "actively exploited" is shrinking fast.
Against that speed, Bridewell's data on UK CNI response times is concerning. Government
organisations average around 10 hours to respond to ransomware and approximately 21 hours
for data theft. Finance and insurance take roughly 24 hours, nearly a full day, to respond to
data theft.
Ten hours to respond to ransomware when the attacker finished exfiltrating in minutes. The
maths does not work. By the time the incident response process kicks in, the damage is done.
This is not just a tooling problem. It is a rehearsal problem. Organisations that do not exercise
their incident response under realistic conditions — tabletop exercises with actual time
pressure, not a workshop with biscuits — will always be slower than the threat.
The reports from Bridewell and Rapid7 paint a consistent picture. UK CNI is being attacked
constantly, the attacks succeed because fundamentals are missing, and response times are
too slow to limit damage. Confidence is high but outcomes are poor.
Here is what we think needs to change.
Start with asset visibility. You cannot secure what you do not know exists. Only 29% of CNI
organisations have centralised asset management, which means 71% are guessing. The
NCSC published dedicated OT asset visibility guidance in September 2025 specifically
because this gap persists. Everything else depends on getting this right.
Expand penetration testing beyond compliance scope. Test what actually gets exploited, not just what the framework says to test. If your pen test scope does not include legacy systems, cloud assets, and third-party integrations, you are testing a subset of your attack surface and calling it comprehensive.
MFA on every remote access service should be non-negotiable at this point: VPN, RDP,
RDWeb. These are the access types being sold on IAB marketplaces. Valid credentials with no
MFA accounted for 43.9% of real-world incidents. This is the single highest-impact control most
organisations still have not fully deployed.
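One way to turn the MFA point into a check a defender can run, as an added example that is not code from Echo Secure or either report: the script below reads constructed JSON-lines logon records from VPN, RDP and RDWeb gateways (the record format and field names are assumptions), reports MFA coverage per service, and lists the accounts that logged in with a password alone, keeping formally exempt accounts visible rather than hiding them.

```python
# Added example (not Echo Secure's or the reports' code): audit remote-access
# logon records for MFA coverage. Record format and field names are assumed.
import json
from collections import defaultdict

# Constructed sample: JSON-lines auth records from VPN, RDP and RDWeb gateways.
SAMPLE_LOG = """
{"ts":"2026-01-12T07:58:11Z","service":"vpn","user":"j.smith","result":"success","mfa":true}
{"ts":"2026-01-12T08:02:44Z","service":"vpn","user":"svc_backup","result":"success","mfa":false}
{"ts":"2026-01-12T08:05:01Z","service":"rdp","user":"a.jones","result":"success","mfa":false}
{"ts":"2026-01-12T08:09:30Z","service":"rdweb","user":"contractor1","result":"success","mfa":false}
{"ts":"2026-01-12T08:11:15Z","service":"rdp","user":"a.jones","result":"failure","mfa":false}
{"ts":"2026-01-12T08:15:02Z","service":"vpn","user":"m.brown","result":"success","mfa":true}
{"ts":"2026-01-12T08:20:48Z","service":"vpn","user":"svc_backup","result":"success","mfa":false}
"""

# Accounts the MFA policy formally exempts (constructed). Exceptions are what
# a compliance audit records as "policy exists" and a pen test walks through.
MFA_EXCEPTIONS = {"svc_backup"}


def successful_logons(text):
    """Yield parsed records for successful logons; skip blank or bad lines."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("result") == "success":
            yield rec


def mfa_coverage(text):
    """Return {service: (logons_with_mfa, successful_logons)} per service."""
    counts = defaultdict(lambda: [0, 0])
    for rec in successful_logons(text):
        counts[rec["service"]][1] += 1
        counts[rec["service"]][0] += bool(rec.get("mfa"))
    return {svc: tuple(v) for svc, v in counts.items()}


def unprotected_accounts(text, exceptions=MFA_EXCEPTIONS):
    """Accounts that logged in with a password alone, grouped by service; exempt ones under 'exempt:<service>'."""
    found = defaultdict(set)
    for rec in successful_logons(text):
        if not rec.get("mfa"):
            key = ("exempt:" if rec["user"] in exceptions else "") + rec["service"]
            found[key].add(rec["user"])
    return {k: sorted(v) for k, v in found.items()}
```

Run against real gateway exports, the coverage numbers give a per-service figure to compare against the "MFA policy exists" line in the audit, and the exempt list is the exceptions register to take into the next review.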
Reduce response times by actually rehearsing. Measure your real response time, not your
theoretical one. If your IR plan says "respond within 4 hours" but your last exercise took 18, you
have a plan that does not reflect reality.
And be honest about where you stand. The 98% resilience figure is a measurement problem. If
your organisation experienced a significant breach and still considers itself resilient, the
definition needs revisiting. Security maturity starts with an honest gap analysis, not a
confidence survey.
This is the work Echo Secure does every day — testing CNI organisations against realistic
attack scenarios, finding the gaps that compliance audits miss, and giving teams the evidence
they need to fix what matters. If the numbers in these reports look familiar, we should talk.