From fines and data loss to critical infrastructure concerns, organisations say governments aren’t doing enough to protect them from state-sponsored threats
From fines and data loss to critical infrastructure concerns, organisations say governments aren’t doing enough to protect them from state-sponsored threats
LONDON, U.K. – 2 December 2025 - A growing sense of unease is gripping boardrooms as 88% of cybersecurity and information security leaders surveyed at UK and US organisations now express concern about state-sponsored cyber attacks. The latest State of Information Security Report from IO (formerly ISMS.online), confirms that geopolitical cyber threats have become a pressing business risk and should now be a board-level concern. The figure comes amid a sharp escalation in hostile activity targeting critical infrastructure and the private sector.
Despite the increase in nation-state threats, a third of UK and US organisations surveyed also believe that governments aren’t doing enough to support and protect businesses - a sentiment that underscores the growing expectation for stronger public–private collaboration in defending both national and commercial interests.
The 88% statistic from IO’s research demonstrates that organisations are increasingly aware of the strategic nature of cyber risk and that the geopolitical threat is increasing, with 33% of organisations surveyed concerned about an expanded threat landscape targeting their own systems.
Organisations can therefore no longer assume they are peripheral to nation-state campaigns as any connected business could become collateral damage.For example, last month, the UK government investigated whether hundreds of Chinese-made buses could be controlled remotely by their manufacturer, Yutong, making them vulnerable to interference. And in October, the UK National Cyber Security Centre said, “highly sophisticated” China, “capable and irresponsible” Russia, Iran and North Korea were the main state threats, in its annual review.
Chris Newton-Smith, CEO of IO, said, “When it comes to threats facing CNI, there is a significant national effort going into protecting vital assets. However, at the same time, it also carries a stark warning. If an organisation is connected to the right systems, servicing critical infrastructure, or simply handling sensitive data, it could be targeted by nation-state adversaries.
“The fact that 88% of organisations are concerned about this threat is a clear indicator that geopolitically linked cyber risk is now a strategic concern, not just a technical one”, Newton-Smith continues.
Businesses are expressing growing concerns over the escalating risk posed by nation-state cyber activity, with fears spanning operational, reputational and financial impact. The most pressing issue highlighted in IO’s research is the threat of widespread data loss or inaccessibility, such as through DNS attacks or major cloud outages, cited by 41% of respondents.
Close behind are anxieties over reputational damage if systems are compromised indirectly (40%) and the potential for supply chain-driven operational disruption (38%). Organisations are also worried about the possibility of interruptions to critical national infrastructure, including power, transport and communications (36%), as well as the security and availability of data hosted in regions considered to be key adversaries (35%).
These concerns are mounting amid rising regulatory scrutiny and a growing expectation from customers and partners to demonstrate resilience, each cited by around one-third of organisations.
The pressure is compounded by the fact that 89% of organisations have experienced a cyber incident in the past year, according to IO, with the most common being data breaches (31%), phishing attacks (30%), malware infections (29%) and cloud breaches (27%). Employee and customer data remain the most vulnerable assets, heightening both the reputational and financial stakes.
The fallout from these incidents has been severe. Seventy-one per cent of businesses received fines for a data breach or related violation over the past 12 months. Nearly one-third (30%) of those penalised paid more than £250,000, while nearly half (47%) incurred fines ranging from £100,001 to £1 million. Consequences extended far beyond financial penalties, with one-third of leaders losing their jobs or facing disciplinary measures, and 18% of organisations were forced to shut down or undertake significant strategic shifts following a major breach of employee data.
As a result, cyber resilience is rapidly becoming a board-level priority. Organisations are re-evaluating their risk registers, strengthening supply chain oversight and refining incident response plans. Yet the continued frequency of breaches and penalties suggests that many firms remain more optimistic about their resilience than their current capabilities justify.
Encouragingly, however, IO’s research indicates that 74% of cybersecurity leaders are actively investing in resilience measures to counter nation-state-linked threats. Among organisations concerned about state-sponsored attacks, 97% are tailoring their incident response and recovery plans, 97% are increasing their investment in threat intelligence, and another 97% are bolstering the security and resilience of their supply chains.
Sam Peters, Chief Product Officer at IO, said, “State-level cyber activity is now a real concern for businesses and resilience, not retaliation, will be the accurate measure of national and corporate defence in 2026. Organisations that understand their exposure, test their defences, and secure their supply chains will be best placed to withstand the next wave of attacks.
“With the right preparation, collaboration, and robust compliance measures, we can collectively ensure that the infrastructure – and the businesses supporting it – are equipped to withstand even the most sophisticated attacks”, Peters concludes.
ENDS
About IO
At IO, we believe compliance should fuel progress, not hold it back.
That's why we've built a modern compliance platform designed to help organisations simplify, strengthen, and scale their information security, privacy, risk and AI governance. Supporting over 100 global standards, including ISO 27001, ISO 27701, ISO 42001, SOC 2, and GDPR, IO gives teams everything they need to stay secure, aligned, and audit-ready in one place.
Our approach is built around people, process, and platform, because lasting compliance isn't achieved through automation alone. With structured workflows, guided support, and smart integrations that fit how your business already works, IO makes it easier to embed compliance into everyday operations.
From first-time certifications to mature multi-framework global programmes, IO helps reduce duplicated work, surface the right insights, and build confidence across your organisation. It's compliance that fits and scales with you.
Trusted by thousands of businesses worldwide, IO is here to turn compliance from a box-ticking chore into a strategic advantage.
Research methodology
The research was conducted by Censuswide, among a sample of 3001 Cybersecurity and Information security Managers+ (18+) in the UK and USA. The data was collected between 23.07.2025 - 07.08.2025. A separate study was conducted among a sample of 1020 respondents who work in information security across the UK and USA between 22.03.2024 - 02.04.2024. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council.
Cybersecurity refers to the practice of protecting systems, networks, and programs from digital attacks, which can lead to data breaches and other cyber threats.
Data loss occurs when sensitive or important information is deleted, corrupted, or made inaccessible, often due to cyber attacks or system failures.
An incident response plan is a documented strategy outlining how an organization will respond to and manage a cybersecurity incident to minimize damage and recover quickly.
Threat intelligence involves collecting and analyzing information about potential or current threats to an organization's security, helping to inform proactive defense measures.
Explore more articles in the Business category
