More than one-third of critical infrastructure organisations admitted they hadn't carried out basic checks recommended by the government