UK and US cybersecurity leaders become more alarmed by escalating nation-state threats

A new report reveals that 88% of organisations in the UK and US are increasingly concerned about the threat of state-sponsored cyber attacks, prompting a shift towards prioritising cyber resilience and board-level oversight amid mounting geopolitical risks.

A deepening sense of urgency is now evident among cybersecurity and information security leaders at organizations in the UK and the US, with 88% expressing concern over the escalating threat of state-sponsored cyber attacks. This finding comes from the latest State of Information Security Report by IO (formerly ISMS.online), which highlights the growing recognition that geopolitical cyber risks have evolved from purely technical challenges into critical strategic business threats requiring board-level attention. The increasing sophistication and frequency of nation-state cyber activities targeting critical infrastructure and the private sector underscore this trend.

The survey reveals strong apprehension across several dimensions of risk. Widespread data loss or inaccessibility, through attacks like DNS outages or major cloud service disruptions, tops current concerns, affecting 41% of respondents. Nearly as many worry about reputational damage from indirect compromises (40%) and operational interruptions caused by supply chain vulnerabilities (38%). In addition, threats to essential national infrastructure, such as power grids, transportation, and communications networks, are a source of unease for 36% of organizations. The security of data housed in regions identified as adversarial jurisdictions concerns 35%, reflecting a globalised risk landscape. These fears are compounded by increasing regulatory demands and customer expectations for demonstrable resilience.

Despite these mounting threats, about one-third of the surveyed organizations feel that governments are not adequately supporting or protecting businesses, indicating a perceived gap in public-private collaboration. This aligns with official government assessments; for example, the US Cybersecurity and Infrastructure Security Agency attributes heightened risk to actors linked to China, Iran, and Russia, each pursuing distinct objectives ranging from critical infrastructure infiltration to cyber espionage and political interference.

The report’s authors stress that organizations can no longer view themselves as peripheral to nation-state cyber campaigns, any connected business might inadvertently become collateral damage in broader geopolitical conflicts. Recent incidents confirm this risk: the US Department of Justice has investigated scams involving North Korean nationals posing as IT job applicants to infiltrate enterprises. Such activity exemplifies the covert and multifaceted tactics employed by state-sponsored actors.

This harsh environment has fertile grounds for breaches, as evidenced by the finding that 89% of organizations experienced a cyber incident in the past year. Data breaches (31%), phishing (30%), malware (29%), and cloud breaches (27%) were prevalent, with employee and customer data identified as especially vulnerable. The consequences have been severe: 71% of organizations faced regulatory fines related to breaches within 12 months; nearly half endured penalties ranging from $131,000 to $1.3 million, and 30% faced fines exceeding $320,000. Beyond financial costs, nearly one-third of leaders experienced job losses or disciplinary action, and 18% of organizations either shut down or had to undertake significant strategic changes following major data breaches.

In light of these challenges, cyber resilience is escalating to a boardroom priority. Organizations are revisiting risk registers, enhancing oversight of supply chains, and refining incident response plans. Yet there remains a significant confidence gap. Around 74% of cybersecurity leaders are actively investing in resilience actions targeted at state-linked threats, but the ongoing frequency of breaches and penalties indicates many may be overly optimistic about their readiness. Encouragingly, nearly all organizations concerned about nation-state risks are tailoring incident response and recovery plans, ramping up investment in threat intelligence, and strengthening supply chain security.

The risk posed by supply chains is increasingly recognised as particularly complex; over 60% of cybersecurity leaders view third-party risks as unmanageable, despite 97% expressing confidence in their breach response capabilities. Moreover, 61% reported that their organizations suffered a third-party or supply chain attack within the past year. This discrepancy underscores the pressing need for more robust and realistic supply chain security strategies to accompany internal cyber defences.

Further reinforcing the ubiquity of state-sponsored cyber threats, external studies confirm that a vast majority of organizations have been targeted or expect to be targeted. Research by Trellix and the Center for Strategic and International Studies found that 86% of organizations believed they had been targeted by nation-state actors, while 92% anticipated future attacks or suspected having faced them recently. Similarly, Venafi’s research shows that 64% of organizations suspect direct impacts or targeting, with geopolitical conflicts prompting cybersecurity strategy changes in 66% of cases. VikingCloud highlights rising anxieties fuelled by geopolitical volatility, artificial intelligence advances, and insider threats, with nearly 80% of cybersecurity leaders fearing imminent nation-state attacks, amplified by concerns over reduced US federal cybersecurity funding.

As IO’s leadership notes, national efforts to defend critical infrastructure are substantial, but the interconnectedness of business systems means that virtually any organisation could be drawn into the crosshairs of adversaries. In this environment, resilience rather than retaliation will be the defining measure of effective defence going forward. Strategic investment in intelligence gathering, supply chain oversight, and rigorous incident preparedness, combined with enhanced public-private collaboration, will be essential to withstand the next generation of cyber threats. With these elements in place, companies and the national infrastructure they support can bolster their capacity to endure the ever-more sophisticated cyber onslaughts that define today’s geopolitical landscape.

📌 Reference Map:

• [^[1]^](https://vmblog.com:443/archive/2025/12/02/88-of-uk-and-us-organizations-concerned-about-state-sponsored-cyber-attacks-as-national-threat-levels-surge-io-research-reveals.aspx) (VMblog) – Paragraphs 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
• [^[2]^](https://betanews.com/2025/12/02/88-percent-of-organizations-worried-about-state-sponsored-cyberattacks/) (BetaNews) – Paragraph 2
• [^[3]^](https://www.infosecurity-magazine.com/news/companies-fear-state-attacks-more/) (Infosecurity Magazine) – Paragraph 4
• [^[4]^](https://www.businesswire.com/news/home/20250918317096/en/Nearly-80-of-Cybersecurity-Leaders-Fear-They-Could-Be-the-Target-of-a-Nation-State-Cyberattack-in-the-Next-12-Months-According-to-VikingCloud-Data) (BusinessWire VikingCloud) – Paragraph 12
• [^[5]^](https://www.prweb.com/releases/supply-chain-security-risks-now-innumerable-and-unmanageable-for-majority-of-cybersecurity-leaders-io-research-reveals-302590146.html) (PRWeb IO Supply Chain) – Paragraph 9
• [^[6]^](https://www.infosecurity-magazine.com/news/organizations-faced-nationstate/) (Infosecurity Magazine Trellix & CSIS) – Paragraph 11
• [^[7]^](https://www.businesswire.com/news/home/20220824005102/en/The-Nation-State-of-Cyber-64-of-Businesses-Suspect-Theyve-Been-Targeted-or-Impacted-by-Nation-state-Attacks) (Venafi) – Paragraph 11

Source: Fuse Wire Services