Data centres must prioritise cybersecurity as cyber threats grow
The UK government’s recent decision to designate certain data centres as Critical National Infrastructure (CNI) represents a significant shift in recognising their role in safeguarding the nation’s essential services. Data centres are the backbone of industries like healthcare, finance and telecommunications, placing them at increased risk of cyberattacks. While this move enhances protection for specific facilities, it also raises important questions for the wider industry. Here, Martin Wegrostek, cyber security portfolio manager at managed IT services provider OryxAlign, explores the implications of the CNI designation and why all data centres should take action to bolster their security.
A rising threat landscape
According to the National Cyber Security Centre (NCSC), the UK saw a 16 per cent increase in hostile cyber activities in 2024 compared to the previous year. This growing threat has prompted the government to strengthen the defences of critical sectors. The CNI designation means that selected data centres now receive prioritised support from agencies such as the NCSC, as well as enhanced collaboration with emergency services during cyber incidents.
However, the designation also introduces new challenges. The government does not disclose which data centres hold CNI status as a protective measure. While this helps protect truly critical facilities from targeted attacks, it increases the likelihood of attackers targeting multiple data centres indiscriminately, hoping to strike a critical one. This puts all data centres, regardless of designation, at heightened risk.
Operational and IT vulnerabilities
The evolving cyber threat landscape necessitates a shift in how data centres approach their security. Traditionally, operational technology (OT) systems, such as building management and power control systems, have not been as well-protected as IT environments.
However, attackers are increasingly exploiting these systems as entry points to compromise broader infrastructure. Devices like surveillance cameras, access control systems and cooling units often lack robust encryption or up-to-date firmware, making them attractive targets.
A critical first step for data centres is to conduct a thorough security audit. This process helps to create a complete inventory of all endpoints across both OT and IT environments, including legacy devices that may have been overlooked. Understanding the scope of connected systems and their potential vulnerabilities provides a clear foundation for implementing effective security measures.
Once an inventory is established, technologies like Endpoint Detection and Response (EDR) can be deployed to monitor critical endpoints, including servers and workstations, for signs of malicious activity. EDR solutions enable rapid containment of threats, preventing them from spreading across the network.
Extended Detection and Response (XDR) builds on this by unifying threat detection across endpoints, networks and servers, offering a holistic view of vulnerabilities and enabling more comprehensive protection.
In parallel, data centres must address the human factor in cybersecurity by providing regular phishing awareness training for staff. This equips employees with the knowledge to identify and respond to phishing attempts and social engineering tactics, reducing the likelihood of breaches caused by user error.
Network segmentation can further enhance security by isolating different parts of the network, limiting the ability of attackers to move laterally if an initial breach occurs. Regular patch management also plays a key role in ensuring all systems, including OT devices, are up to date with the latest security fixes.
Meeting regulatory and client expectations
For data centres designated as CNI, the government’s move brings significant regulatory implications. Facilities must now comply with stringent standards, including enhanced security protocols, mandatory incident reporting and regular audits to ensure adherence. Non-compliance could result in reputational damage, loss of critical clients and financial penalties.
But what about those outside the CNI designation? It is important for data centres to adopt similar standards because clients across all sectors are becoming increasingly security conscious. Even non-CNI data centres can differentiate themselves by demonstrating robust security practices, which can be a decisive factor in winning new business.
Securing client confidence is a key driver for data centres to adopt CNI-level security measures. Government organisations, like the NHS, require stringent evidence of compliance before engaging with a provider. Demonstrating adherence to high security standards not only attracts critical clients but also builds trust and reputation in a competitive market. This makes proactive investment in compliance an essential part of long-term success.
A call for collaboration and investment
The government’s designation underscores the need for greater collaboration between the public and private sectors. Measures like tax breaks or incentives could support data centres in meeting heightened security requirements. Prioritising investment in security extends beyond compliance — it is a strategic move to build resilience and earn client trust in an increasingly competitive market.
Additionally, service providers like OryxAlign play a key role in this ecosystem. By conducting audits, identifying vulnerabilities and implementing tailored solutions, they help data centres achieve a higher standard of security.
Preparing for the future
In light of these changes, data centre operators should conduct a thorough assessment of their current security posture. Understanding where the gaps lie and creating a clear roadmap to address them is essential. Proactive planning will position data centres for long-term success, whether they are already well-established or striving to meet the heightened expectations of a critical security designation.
As the threat landscape continues to evolve, the government’s move is a reminder that no facility is immune. The CNI designation may focus on specific facilities, but it’s a wake-up call for the entire industry. By prioritising security, data centres can protect their clients, safeguard their reputations and contribute to the resilience of the UK’s digital infrastructure.
About the Author
Martin Wegrostek is OryxAlign’s Cyber Security Portfolio Manager. OryxAlign creates true alignment that delivers the right outcomes for all. By listening closely, adjusting along the way, and delivering to the highest standards, we align our client’s ambitions with the technology they need to achieve them.
We offer managed IT and cyber security, cloud and digital transformation, and tailored professional and consulting services.
For more information about how to strengthen your cyber security posture, visit www.oryxalign.com
