Cyberattacks against critical national infrastructure have risen by 30% this year, says a new study – with the US power grid proving particularly vulnerable. According to the report from cybersecurity firm KnowBe4, the number of weak points in that network is increasing by 60 per day, with the total count rising from 21,000 in 2022 to an estimated 23,000-24,000 at present.
“The findings in our report are a wake-up call for critical infrastructure sectors,” said KnowBe4 CEO Stu Sjouwerman. “While the surge in cyberattacks on them is deeply concerning, it’s important to remember that we’re not powerless in this fight. By fostering a strong security culture that combines technology, processes, and people, we can significantly mitigate these risks.
CNI increasingly vulnerable, says KnowBe4 study
The report, titled ‘Cyber Attacks on Infrastructure: The New Geopolitical Weapon’, highlights the alarming growth in attacks targeting critical sectors and underscores the urgent need for organisations to enhance their defences. Globally, the average number of weekly cyberattacks against utilities has quadrupled since 2020, with a doubling of incidents occurring last year alone. Between January 2023 and January 2024, critical infrastructure across the world sustained over 420 million attacks, equivalent to 13 attacks per second, further illustrating the escalating threat landscape.
“Every organisation, regardless of size or sector, has a role to play in safeguarding our collective infrastructure,” argued Sjouwerman. “It’s time we view cybersecurity not as just an IT issue, but as a fundamental aspect of our operational resilience and national security.”
KnowBe4’s 2024 study also involved an analysis of over 54 million simulated phishing tests, covering 11.9 million users across 55,675 organisations in 19 different sectors.
The findings indicate that without modern training, organisations are at significant risk, with an average industry baseline phish-prone percentage (PPP) of 34.3%, an increase from the previous year. This indicates that almost one in three employees within an organisation could be susceptible to phishing attacks.
According to the report, the healthcare and pharmaceuticals industry is consistently among the most vulnerable, with a high PPP reflecting significant susceptibility to phishing attacks. The hospitality industry also showed a notable increase in vulnerability, particularly in mid-sized organisations, with an 11-point rise in PPP from the previous year.
KnowBe4’s latest study categorised organisations by industry type and size, assessing their PPP by measuring the percentage of employees who clicked on simulated phishing links or opened simulated malware attachments during testing campaigns.
Results were gathered across three key phases, namely baseline phishing security test results, phishing security test results within 90 days of training, and phishing security test results after one year plus of ongoing training. The results demonstrated that organisations could improve their security posture within as little as three months through consistent and targeted end-user training.
Additionally, the report underscores the effectiveness of continuous and comprehensive security awareness training.
After one year of training, the average PPP dropped to just 4.6%, showing a significant improvement in employee awareness and resistance to phishing attempts. Phase two results, measured within 90 days of training, show an average PPP reduction of 18.9%, nearly a 50% improvement from the baseline.
Geographic variety in phishing intensity
A regional analysis within the report shows varying levels of susceptibility to phishing attacks across different regions. In North America, the PPP improved dramatically from 35.1% at the baseline to 4.5% after one year of training.
Africa, while initially showing a higher baseline PPP of 36.7%, saw a reduction to 5.9% after a year of training. The Asia-Pacific region, with a baseline PPP of 28.4%, experienced a reduction to 5.5% after one year of consistent training.
The UK saw a significant reduction in phishing susceptibility, with PPP dropping from 32.3% at baseline to 4.5% after one year of training. This improvement aligns with broader trends observed across Europe and North America.
The report also emphasised the critical role of executive support in the success of security training initiatives. To change security behaviours within an organisation, leaders are advised to ensure that their programmes are clearly defined, aligned with organisational security policies, and actively connected to the overall security culture.
Read more: As AI transforms cybersecurity, Cisco’s Martin Lee has only one piece of advice for IT managers: expect the unexpected
