Direct attacks on critical infrastructure get a lot of attention, but the bigger danger often lies in something less visible: the poor cybersecurity practices of the businesses that keep these systems running. According to the Cybernews Business Digital Index, a staggering 84% of companies earned a “D” grade or worse for their cybersecurity practices, with 43% falling into the “F” category. Only 6% of companies got an “A” for their efforts. What’s more troubling is that industries at the heart of critical infrastructure — like energy, finance and healthcare — are among the weakest links.
Corporate cybersecurity failures can’t be separated from national security risks. The strength of the U.S.’ critical infrastructure relies on solid digital defenses, and when businesses fail to secure their networks, they leave the entire country vulnerable to potentially devastating attacks.
A mismatch between risks and preparedness
The World Economic Forum’s latest report reveals a worrying disconnect. Two-thirds of organizations are counting on AI to shape cybersecurity this year, but only 37% have processes in place to check if their AI tools are secure before using them. It’s like putting all your trust in a high-tech gadget without reading the manual — risky and potentially asking for trouble. While businesses are grappling with preparation, AI is being leveraged by cybercriminals to orchestrate offensive campaigns against them. For instance, corporate executives are facing a surge of highly targeted phishing attacks created by AI bots.
Cyberattacks of any type are getting harder to repel. Take the finance and insurance sectors, for example. These industries manage sensitive data and are key to our economy, yet 63% of companies in these sectors earned a “D” and 24% failed entirely. It’s no surprise that, last year, LoanDepot, one of the country’s biggest mortgage lenders, was hit by a major ransomware attack that forced it to take some systems offline.
Ransomware continues to be a major issue due to weak cybersecurity measures. CrowdStrike found that cloud environment intrusions surged by 75% from 2022 to 2023, with cloud-conscious incidents rising by 110% and cloud-agnostic incidents by 60%. Despite advances in technology, email remains one of the main methods cybercriminals use to target companies. Hornetsecurity reports that nearly 37% of all emails in 2024 were flagged as “unwanted,” a slight increase from the previous year. This suggests that businesses are still struggling to address fundamental vulnerabilities through proactive measures.
The business-national security nexus
Weak cybersecurity isn’t merely a corporate issue — it’s a national security risk. The 2021 Colonial Pipeline attack disrupted energy supplies and exposed vulnerabilities in critical industries. Rising geopolitical tensions, especially with China, amplify these risks. Recent breaches attributed to state-sponsored actors have exploited outdated telecommunications equipment and other legacy systems, revealing how complacency in updating technology can put national security in danger.
For instance, last year’s hack of U.S. and international telecommunications companies exposed phone lines used by top officials and compromised data from systems for surveillance requests, threatening national security. Weak cybersecurity at these companies risks long-term costs, allowing state-sponsored actors to access sensitive information, influence political decisions and disrupt intelligence efforts.
It’s critical to recognize that vulnerabilities don’t exist in isolation. What happens in one sector — be it telecommunications, energy or finance — can have a domino effect that impacts national security at large. Now, more than ever, it’s essential to collaborate with IT and DevOps teams to close any gaps, and prioritize timely updates, to stay one step ahead of evolving cyber threats.
Mitigating the risks
To tackle these growing cyber threats, businesses need to step up their security game. Taking action in these key areas can make a big difference:
- If you have not already, implement AI-based cybersecurity tools that continuously monitor for suspicious activity, including AI-powered phishing attempts. These tools can automate the detection of emerging threats, analyze patterns and respond in real time, minimizing potential damage from cyberattacks such as ransomware.
- Establish a comprehensive system to evaluate the security of AI tools before deployment. This should include rigorous AI security audits that test for vulnerabilities such as susceptibility to adversarial attacks, data poisoning or model inversion. Companies should also implement secure development lifecycle practices for AI tools, conduct regular penetration testing and ensure compliance with established frameworks like ISO/IEC 27001 or the NIST AI Risk Management Framework.
- As cloud-based attacks increase, especially with the surge in ransomware and data breaches, companies should adopt advanced cloud security measures. This includes robust encryption, continuous vulnerability scanning and the integration of AI to predict and prevent future breaches in cloud environments.
- Remember that legacy systems are a hacker’s favorite target. Keeping systems updated and applying patches promptly can help close the door on vulnerabilities before attackers exploit them.
Collaboration is key
No company can face today’s cyber threats on its own. Collaboration between private businesses and government agencies is more than helpful — it’s imperative. Sharing threat intelligence in real time allows organizations to respond faster and stay ahead of emerging risks. Public-private partnerships can also level the playing field by offering smaller companies access to resources like funding and advanced security tools they might not otherwise be able to afford.
The World Economic Forum report cited above makes it clear: resource constraints create gaps in cyber resilience. By working together, businesses and government can close those gaps and build a stronger, more secure digital environment — one that’s better equipped to prevent increasingly sophisticated cyberattacks.
The business case for proactive security
Some businesses may argue that implementing stricter cybersecurity measures is too expensive. However, the price of doing nothing could be much higher. According to IBM, the average cost of a data breach rose to $4.88 million in 2024, up from $4.45 million in 2023, marking a 10% increase — the highest since the pandemic in 2020.
Businesses that have already taken steps toward more secure systems benefit from faster incident response times and greater trust from customers and partners who want to keep their data safe. For instance, Mastercard developed a real-time fraud detection system that uses machine learning (ML) to analyze transactions globally. It has reduced fraud, boosted customer trust and improved security for customers and merchants through instant alerts on suspicious activity.
Such companies also save costs. IBM reports that two-thirds of organizations are now integrating security AI and automation into their security operations centers. When these technologies were widely applied to prevention workflows — such as attack surface management (ASM) and posture management — those organizations saw an average reduction of $2.2 million in breach costs compared to organizations not using AI in their prevention strategies.
A call to action for business leaders
America’s critical infrastructure is only as strong as its weakest link — and right now, that link is business cybersecurity. Weak private-sector defenses pose a serious risk to national security, the economy and public safety. To prevent catastrophic outcomes, decisive action is needed from both businesses and the government.
Fortunately, progress is underway. Former President Biden’s executive order on cybersecurity requires companies working with the federal government to meet stricter cybersecurity standards. This initiative encourages business leaders, investors and policymakers to enforce stronger safeguards, invest in resilient infrastructure and foster industry-wide collaboration. By taking these steps, the weakest link can become a powerful line of defense against cyber threats.
The stakes are too high to ignore. If businesses — government partners or not — fail to act, the systems everyone relies on could face more serious and devastating disruptions.
Vincentas Baubonis leads the team at Cybernews.
The post Weak cyber defenses are exposing critical infrastructure — how enterprises can proactively thwart cunning attackers to protect us all appeared first on Venture Beat.