Nearly nine in 10 organisations in the UK and US are now concerned about the threat of state-sponsored cyberattacks, according to new research from information security firm IO (formerly ISMS.online), highlighting a sharp rise in geopolitical cyber risk facing businesses.

IO’s latest State of Information Security Report found that 88 percent of cybersecurity and information security leaders view nation-state cyber activity as a significant threat, reflecting escalating attacks on critical infrastructure and the wider private sector. The findings underline a growing consensus that cyber risk linked to geopolitical tensions has become a board-level business issue rather than a purely technical concern.
Despite heightened awareness of the threat, a third of organisations surveyed believe governments are not doing enough to protect businesses from state-sponsored cyber activity, pointing to a widening gap between public expectations and national cyber defence efforts. The sentiment reinforces calls for stronger public–private collaboration to safeguard both commercial interests and national infrastructure.
The research also reveals that 33 percent of respondents are concerned about an expanding threat landscape directly targeting their own systems, suggesting organisations increasingly recognise they could be caught up in nation-state campaigns as indirect or collateral targets.
Recent incidents have reinforced these concerns. In November, the UK government investigated whether hundreds of Chinese-manufactured buses could be remotely controlled by their maker, potentially exposing them to external interference. Meanwhile, the UK National Cyber Security Centre has identified China, Russia, Iran and North Korea as the most significant state-based cyber threats in its annual review, citing their growing sophistication and willingness to target a wide range of sectors.
Chris Newton-Smith, CEO of IO, said that while significant national effort is focused on protecting critical national infrastructure (CNI), the risk extends well beyond traditionally defined “critical” organisations.
“If an organisation is connected to the right systems, servicing critical infrastructure, or simply handling sensitive data, it could be targeted by nation-state adversaries,” he said. “The fact that 88 percent of organisations are concerned about this threat is a clear indicator that geopolitically linked cyber risk is now a strategic concern, not just a technical one.”
Operational, reputational and financial impacts are driving business anxiety. The most frequently cited concern is the risk of widespread data loss or inaccessibility, such as through DNS attacks or major cloud outages, highlighted by 41 percent of respondents. This is followed closely by reputational damage from indirect system compromises (40 percent) and supply-chain-driven operational disruption (38 percent).
More than a third of organisations (36 percent) are also worried about potential disruptions to critical national infrastructure, including power, transport and communications, while 35 percent expressed concern about the security and availability of data hosted in regions viewed as geopolitical adversaries. Rising regulatory scrutiny and growing customer expectations to demonstrate cyber resilience were each cited by around one-third of respondents.
These concerns are compounded by the prevalence of cyber incidents. IO reports that 89 percent of organisations experienced at least one cyber incident in the past year, with data breaches (31 percent), phishing (30 percent), malware infections (29 percent) and cloud breaches (27 percent) the most common. Employee and customer data were identified as the most vulnerable assets.
The financial and organisational consequences have been significant. Seventy-one percent of organisations reported receiving fines related to data breaches or compliance failures in the past 12 months. Of those fined, nearly one-third paid more than £250,000, while almost half incurred penalties between £100,001 and £1 million. Beyond fines, one-third of leaders faced job losses or disciplinary action, and 18 percent of organisations were forced to shut down or make major strategic changes following serious breaches involving employee data.
In response, cyber resilience is increasingly being elevated to the board agenda. Many organisations are revisiting risk registers, strengthening supply-chain oversight and refining incident response and recovery plans. However, IO warns that the ongoing frequency of incidents suggests a disconnect between perceived and actual resilience in many businesses.
There are signs of progress. The research shows that 74 percent of cybersecurity leaders are investing in resilience measures to counter nation-state-linked threats. Among organisations concerned about state-sponsored attacks, 97 percent are tailoring incident response and recovery plans, increasing investment in threat intelligence and strengthening supply-chain security.
Sam Peters, chief product officer at IO, said resilience rather than retaliation will define effective defence strategies in the coming year.
“State-level cyber activity is now a real concern for businesses, and resilience will be the true measure of national and corporate defence in 2026,” he said. “Organisations that understand their exposure, test their defences and secure their supply chains will be best placed to withstand the next wave of attacks.”








