News + Resources

Industry news, Astaara press releases & maritime cyber risk resources

Monday, April 24, 2023
Reductions in cyber security budgets: music to the bad guy – avoidable self-harm    

Summary 

A survey reported in CSO Online this week indicated that 65% of CNI operators expected their cyber security budgets to fall this year. Companies need to resist the false trade-off, or Government needs a bigger stick.

Detail 

“The Cyber Security in Critical National Infrastructure Organisations: 2023 report found that over a third (34%) of organisations across UK CNI anticipate a rise in cybercrime as a direct result of the current economic crisis, with almost two-thirds (65%) of respondents having seen some reduction or a significant reduction in their organisation’s cybersecurity budget this year.” (CSO Online, 19th April 2023)

The threat to UK Critical National Infrastructure is high. Recent NCSC comment about pro-Russian ideology-driven groups targeting CNI for sport; Russian ghost ships that might be surveying with malign intent the pipelines and cables that connect us to our energy, trade and information partners globally; and the latest attacks on Advanced and Capita are all evidence that CNI defences need beefing up. The EU is strengthening its Network and Information Systems Regulations to include service providers to CNI operators, recognising that outsourcing can make an efficient and effective cyber response difficult. The UK, presumably anxious about cost increases, has been less aggressive on suppliers, so far.

Unfortunately, beefing up is not a single activity or a one-off investment. There is no “panic over” point; no “we’ve done enough”. In a conflict, you throw everything you have at the adversary in the hope that you can outspend them and remove their ability and capacity to fight on. We are in such a conflict – and while companies are limited in how much they can spend on cyber security, they have to keep investing, reducing vulnerabilities and practising responses to successful breaches so that interruptions in vital services are minimised.

Any survey that suggests that 65% of CNI organisations expect their budgets for cyber security to reduce this year is cause for great concern.  If there were to be a successful attack on an important element of our CNI that caused chaos and cost lives, would it be acceptable to the public that the breach succeeded because the company refused to update its systems on the grounds of cost? 

When we engage our clients, we look not only at how much they are spending on cyber security, but also at what they are spending their money on. We have seen cases where clients are spending too much on technology (for example, on systems or technology that are not appropriate for their level of cyber maturity), or too little on training, or on planning for incidents and disasters. We advocate to all our clients that they seek to get the basics right first (e.g. Cyber Essentials).

There is still a tendency to want to trade off security cost today against a ransom or other attack tomorrow. In the absence of robust regulations, it is only shareholders and customers who can, in every sector, challenge their suppliers and investees to do better (and not just the minimum). Even in the absence of such pressure we urge our customers to update their systems, train their people, and practise their contingency plans. Again. And again…

As with any cyber issue, please feel free to contact us. 

  • William Egerton
    Chief Cyber Officer