Shocking surge: Cyber attacks on vital infrastructure skyrocket by 30% in just one year!

The threat landscape for critical infrastructure has taken a dire turn, with cyberattacks soaring by a staggering 30% in just the past year, according to a comprehensive report by KnowBe4. Titled “Cyber Attacks on Infrastructure: The New Geopolitical Weapon,” the 2024 study offers a sobering look at how cyber threats are increasingly targeting vital sectors such as healthcare, pharmaceuticals, utilities, and the power grid. These sectors form the backbone of modern society, and their compromise could have catastrophic consequences for national security, economic stability, and public safety.

The Scope of the Problem: A Dramatic Surge in Cyber Attacks

The KnowBe4 report is based on an extensive analysis involving over 54 million simulated phishing tests conducted across 55,675 organisations spanning 19 industries. This massive dataset, encompassing 11.9 million users, provides a unique insight into the vulnerabilities that exist within critical sectors. The report’s findings are alarming: not only has the frequency of cyberattacks increased dramatically, but the sophistication and targeting of these attacks have also evolved, making them more challenging to defend against.

Cyberattacks on critical infrastructure are up 30% this year, reveals KnowBe4's report.

One of the key indicators of this growing threat is the industry baseline Phish-Prone Percentage (PPP), a metric used to gauge the susceptibility of employees to phishing attacks. According to the report, the average PPP has risen to 34.3%, up from the previous year. This means that over one-third of employees in any given organisation are likely to fall prey to phishing attempts, potentially opening the door to devastating cyber intrusions.

Sector-Specific Vulnerabilities: Healthcare, Pharmaceuticals, and Beyond

The report highlights specific industries that are particularly vulnerable to cyberattacks. The Healthcare and Pharmaceuticals sector, which handles sensitive patient data and is integral to public health, has consistently ranked among the most at-risk. The sector’s high PPP reflects a significant susceptibility to phishing attacks, which could lead to data breaches, ransomware incidents, and other forms of cyber sabotage.

The Hospitality industry, traditionally less associated with high-stakes cyber threats, has also emerged as a target. The report notes a worrying 11-point increase in PPP for mid-sized organisations within this sector, underscoring the expanding reach of cybercriminals. As these organisations often lack the robust cybersecurity infrastructure of larger corporations, they are increasingly becoming low-hanging fruit for attackers.

A Critical Vulnerability: The U.S. Power Grid

Perhaps the most alarming finding of the KnowBe4 report is the growing vulnerability of the U.S. power grid. The number of weak points within this critical infrastructure is increasing by approximately 60 per day. This rapid expansion has resulted in the total count of vulnerabilities rising from 21,000 in 2022 to an estimated 24,000 today. The implications of this are profound: a compromised power grid could lead to widespread blackouts, disrupting everything from healthcare services to national defense operations.

Globally, the average number of weekly cyberattacks against utilities has quadrupled since 2020. The year 2023 alone saw a doubling of incidents, with critical infrastructure worldwide sustaining over 420 million attacks between January 2023 and January 2024. This equates to 13 attacks per second, painting a grim picture of an increasingly hostile cyber environment.

Mitigating the Threat: The Role of Security Awareness Training

Despite the bleak outlook, the KnowBe4 report offers a glimmer of hope through its findings on security awareness training. The study categorised organisations by industry type and size, assessing their PPP through simulated phishing tests conducted in three key phases: Baseline Phishing Security Test Results, Phishing Security Test Results Within 90 Days of Training, and Phishing Security Test Results After One Year Plus of Ongoing Training.

The data reveals that organisations can significantly improve their cybersecurity posture through consistent and targeted end-user training. Within 90 days of implementing security awareness training, the average PPP dropped to 18.9%, nearly a 50% improvement from the baseline. Even more encouraging is the result after one year of continuous training, where the PPP plummeted to just 4.6%. This demonstrates that with the right training and education, organisations can drastically reduce the human risk factor in cybersecurity.

Regional Disparities in Phishing Susceptibility

The report also delves into regional differences in susceptibility to phishing attacks, revealing that while North America has made significant strides in reducing its PPP, other regions still face substantial challenges. In North America, the PPP improved dramatically from 35.1% at the baseline to 4.5% after one year of training. Africa, however, with an initial PPP of 36.7%, saw a reduction to 5.9% after a year of training. The Asia-Pacific region, starting with a baseline PPP of 28.4%, experienced a reduction to 5.5% after consistent training efforts.

These regional disparities highlight the need for tailored security awareness programs that take into account the specific challenges and threat landscapes faced by organisations in different parts of the world.

The Importance of Executive Support

The report emphasises that the success of security awareness training is closely linked to the level of support it receives from organisational leadership. To effectively change security behaviours, training programs must be clearly defined, aligned with broader security policies, and actively integrated into the organisation’s culture. Without strong and consistent backing from executives, these initiatives are likely to fall short, leaving organisations vulnerable to the growing cyber threat.

Expert Opinion: The Path Forward

Stu Sjouwerman, Chief Executive Officer at KnowBe4, provided his perspective on the report’s findings, stating: “The surge in cyberattacks on critical infrastructure is a wake-up call. But it’s crucial to remember that we are not powerless in this fight. By fostering a robust security culture that combines technology, processes, and people, we can significantly mitigate these risks. Every organisation, regardless of its size or sector, has a role to play in safeguarding our collective infrastructure. Cybersecurity must be viewed not just as an IT issue but as a fundamental aspect of our operational resilience and national security.”

Sjouwerman’s remarks underscore the need for a holistic approach to cybersecurity—one that extends beyond technological solutions to include process improvements and, critically, the education and empowerment of employees at all levels of an organisation.

The KnowBe4 report is a stark reminder of the escalating cyber threats facing critical infrastructure worldwide. As cyberattacks become more frequent and sophisticated, the need for proactive measures has never been more urgent. Organisations are urged to prioritise ongoing security awareness training, integrating it into their culture through continuous education, testing, and communication. The report’s findings make it clear that with executive support and a commitment to comprehensive security training, organisations can dramatically improve their defences against the ever-growing tide of cyber threats.

In an era where cyberattacks are increasingly used as geopolitical weapons, the security of our critical infrastructure must be seen as a top priority. The time to act is now, before the next breach has the chance to disrupt the systems that society relies on most.

