A surge in nation-state cyber activity is driving deep anxiety across boardrooms in the UK and US, with 88% of cybersecurity leaders now concerned about state-sponsored attacks, according

to new research from IO (formerly ISMS.online).

The 'State of Information Security Report' highlights how fast-escalating geopolitical tensions are reshaping corporate risk assessments, with national-level cyber threats becoming a core business concern rather than a technical issue. The findings arrive amid a sharp upswing in hostile activity directed at critical infrastructure, supply chains and private-sector networks.

Despite those risks, one in three organisations say their governments are failing to provide adequate protection or support—underscoring growing calls for deeper public-private coordination to defend national and commercial interests.

Organisations no longer ‘off the radar’

The report shows firms are increasingly aware they may be swept into geopolitical conflict. A third fear they are directly exposed to an expanding threat landscape. Recent incidents have reinforced the risks: the UK government is investigating whether hundreds of Chinese-made Yutong buses could be remotely accessed, while the National Cyber Security Centre recently designated China, Russia, Iran and North Korea as the UK’s primary state-based cyber adversaries.

“If an organisation is connected to critical systems or handles sensitive data, it could become a target,” said Chris Newton-Smith, CEO of IO. “Eighty-eight per cent of organisations recognising this risk shows that geopolitically linked cyber threats have become strategic board-level issues.”

Rising fears over data loss, reputational damage and supply chain weakness

The most pressing concern for organisations is the prospect of major data loss or service disruption—highlighted by 41% of respondents—whether through DNS attacks, cloud outages or other nation-state techniques. Reputational damage (40%) and supply-chain-driven operational impact (38%) follow closely behind.

Other worries include potential disruptions to power, transport and communications infrastructure (36%) and the security of data hosted in regions considered adversarial (35%). Increasing regulatory scrutiny and growing demands for proof of resilience from customers and partners are adding further pressure.

High incident rates, heavy penalties

The report reveals that 89% of organisations experienced at least one cyber incident in the past year. Data breaches topped the list (31%), followed by phishing (30%), malware (29%) and cloud-related attacks (27%). Employee and customer information remain the most at-risk assets.

The fallout has been costly:

- 71% of businesses received fines for data breaches or related violations.

- 30% of those fined paid more than £250,000.

- Nearly half faced penalties between £100,000 and £1 million.

- One-third of leaders were fired or disciplined.

- 18% of organisations were forced to shut down or make major strategic changes after a significant breach involving employee data.

Resilience becomes the priority

With consequences mounting, cyber resilience is rapidly moving to the top of corporate agendas. Risk registers are being overhauled, supply chains scrutinised, and incident response plans tightened. Yet IO cautions that many firms may still overestimate their readiness.

Still, there are signs of progress. Seventy-four per cent of cybersecurity leaders say they are actively ramping up resilience efforts. Among organisations concerned about nation-state threats:

- 97% are updating incident response and recovery plans

- 97% are increasing investment in threat intelligence

- 97% are strengthening supply-chain security and resilience

“State-level cyber activity is now a very real concern for businesses,” said Sam Peters, IO’s Chief Product Officer. “In 2026, resilience—not retaliation—will define effective national and corporate defence. Organisations that test their defences, understand their exposure and secure their supply chains will be best positioned to withstand the next wave of attacks.”

Peters added that strong preparation, collaboration and compliance will be essential to protecting both critical infrastructure and the businesses that support it. Photo by BlueHypercane761, Wikimedia commons.