
88% of UK and US organizations concerned about state-sponsored cyber attacks as national threat levels surge, IO research reveals

A growing sense of unease is gripping boardrooms as 88% of cybersecurity and information security leaders surveyed at UK and US organizations now express concern about state-sponsored cyber attacks. The latest State of Information Security Report from IO (formerly ISMS.online) confirms that geopolitical cyber threats have become a pressing business risk and should now be a board-level concern. The figure comes amid a sharp escalation in hostile activity targeting critical infrastructure and the private sector.

Despite the increase in nation-state threats, a third of UK and US organizations surveyed also believe that governments aren’t doing enough to support and protect businesses – a sentiment that underscores the growing expectation for stronger public–private collaboration in defending both national and commercial interests.

The 88% statistic from IO’s research demonstrates that organizations are increasingly aware of the strategic nature of cyber risk and that the geopolitical threat is increasing, with 33% of organizations surveyed concerned about an expanded threat landscape targeting their own systems.

Organizations can therefore no longer assume they are peripheral to nation-state campaigns, as any connected business could become collateral damage. Just this year, the US Department of Justice has investigated several IT worker scams, where nation-state actors from the People’s Republic of Korea posed as US IT job applicants to gain access to enterprise data. Additionally, the US Cybersecurity & Infrastructure Security Agency states that nation-state actors and state-sponsored entities pose an elevated threat to the country’s national security. The agency notes the Chinese government for interests related to “infiltrating critical infrastructure networks,” Iran for “certain social and political activity,” and Russia for “broad-scope cyber espionage.”

Chris Newton-Smith, CEO of IO, said, “When it comes to threats facing CNI, there is a significant national effort going into protecting vital assets. However, at the same time, it also carries a stark warning. If an organization is connected to the right systems, servicing critical infrastructure, or simply handling sensitive data, it could be targeted by nation-state adversaries.

“The fact that 88% of organizations are concerned about this threat is a clear indicator that geopolitically linked cyber risk is now a strategic concern, not just a technical one”, Newton-Smith continues.

Businesses are expressing growing concerns over the escalating risk posed by nation-state cyber activity, with fears spanning operational, reputational and financial impact. The most pressing issue highlighted in IO’s research is the threat of widespread data loss or inaccessibility, such as through DNS attacks or major cloud outages, cited by 41% of respondents.

Close behind are anxieties over reputational damage if systems are compromised indirectly (40%) and the potential for supply chain-driven operational disruption (38%). Organizations are also worried about the possibility of interruptions to critical national infrastructure, including power, transport and communications (36%), as well as the security and availability of data hosted in regions considered to be key adversaries (35%).

These concerns are mounting amid rising regulatory scrutiny and a growing expectation from customers and partners to demonstrate resilience, each cited by around one-third of organizations.

The pressure is compounded by the fact that 89% of organizations have experienced a cyber incident in the past year, according to IO, with the most common being data breaches (31%), phishing attacks (30%), malware infections (29%) and cloud breaches (27%). Employee and customer data remain the most vulnerable assets, heightening both the reputational and financial stakes.

The fallout from these incidents has been severe. Seventy-one per cent of businesses received fines for a data breach or related violation over the past 12 months. Nearly one-third (30%) of those penalized paid more than $320,000, while nearly half (47%) incurred fines ranging from $131,000 to $1,300,000 million. Consequences extended far beyond financial penalties, with one-third of leaders losing their jobs or facing disciplinary measures, and 18% of organizations being forced to shut down or undertake significant strategic shifts following a major breach of employee data.

As a result, cyber resilience is rapidly becoming a board-level priority. Organizations are re-evaluating their risk registers, strengthening supply chain oversight and refining incident response plans. Yet the continued frequency of breaches and penalties suggests that many firms remain more optimistic about their resilience than their current capabilities justify.

Encouragingly, however, IO’s research indicates that 74% of cybersecurity leaders are actively investing in resilience measures to counter nation-state-linked threats. Among organizations concerned about state-sponsored attacks, 97% are tailoring their incident response and recovery plans, 97% are increasing their investment in threat intelligence, and another 97% are bolstering the security and resilience of their supply chains.

Sam Peters, Chief Product Officer at IO, said, “State-level cyber activity is now a real concern for businesses and resilience, not retaliation, will be the accurate measure of national and corporate defense in 2026. Organizations that understand their exposure, test their defenses, and secure their supply chains will be best placed to withstand the next wave of attacks.

“With the right preparation, collaboration, and robust compliance measures, we can collectively ensure that the infrastructure – and the businesses supporting it – are equipped to withstand even the most sophisticated attacks”, Peters concludes.

ENDS

About IO
At IO, we believe compliance should fuel progress, not hold it back.

That’s why we’ve built a modern compliance platform designed to help organizations simplify, strengthen, and scale their information security, privacy, risk and AI governance. Supporting over 100 global standards, including ISO 27001, ISO 27701, ISO 42001, SOC 2, and GDPR, IO gives teams everything they need to stay secure, aligned, and audit-ready in one place.

Our approach is built around people, process, and platform, because lasting compliance isn’t achieved through automation alone. With structured workflows, guided support, and smart integrations that fit how your business already works, IO makes it easier to embed compliance into everyday operations.

From first-time certifications to mature multi-framework global programs, IO helps reduce duplicated work, surface the right insights, and build confidence across your organization. It’s compliance that fits and scales with you.

Trusted by thousands of businesses worldwide, IO is here to turn compliance from a box-ticking chore into a strategic advantage.

Press Release by IO (formerly ISMS.online)

Media Contact

Sarah Hawley

