November 5, 2024
There’s no shortage of acknowledgment among executives that security is the most concerning risk for organisations – an industry-wide acceptance that translates into increased budgets and enhanced strategies.
The jury isn’t out on this one: the market consensus is clear. Yet despite such sentiment being all too predictable, a distinct lack of execution exists on the topic of cyber resilience.
According to PwC 2025 Global Digital Trust Insights, only 2% of businesses have implemented cyber resilience actions across their organisation aligned to 12 key metrics – spanning people, processes and technology.
That equates to approximately 81 from a survey of 4,042 business and technology executives across 77 countries and territories.
“Cyber resilience is everyone’s responsibility, from the boardroom to the employee,” observed Sean Joyce, Global Cyber and Privacy Leader at PwC.
“We must hold each other accountable and ensure we address emerging risks by leveraging new technology, practicing foundational cyber security principles, and investing in resources that will secure the future of the organisation.”
Despite mounting concern about cyber risk – ranked by more than three-fifths (66%) of executives as the top risk to mitigate during the next 12 months – most businesses remain hindered by an inability to fully implement cyber resilience across core practices.
A review of 12 resilience actions across people, processes and technology indicated that only 42% or fewer of executives believe their organisations have fully implemented any one of those actions.
Most concerning is that only 2% have implemented all 12 resilience actions across their organisation.
“This leaves a glaring vulnerability – without enterprise-wide resilience, companies remain dangerously exposed to the increasing threats that could compromise the entire operation,” the report stated.
But if cyber resilience is a key priority, why are so many companies behind in critical areas? According to PwC, many companies still lag when it comes to demonstrating leading cyber security practices.
Around one in five executives demonstrate these practices on a usual basis. Just 20%, for instance, usually anticipate future cyber risks and only 21% usually allocate cyber budget to the top risks of the organisation.
This lag could be due to several factors, including a lack of strategic foresight, insufficient resources or a reactive rather than proactive approach to cyber security.
From a financial standpoint, 77% of executives expect their cyber budget to increase during the next 12 months. Specifically, 30% of organisations expect cyber budgets to increase by 6-10% while 20% expect budgets to increase by 11% or more.
In the context of deployments, nearly half (48%) of executives surveyed are prioritising data protection and data trust as the top solution investment areas. Cloud security (34%) also remains a key priority.
Overall, under 50% of CISOs are involved to a “large extent” in strategic planning on cyber investments.
In addition to challenges implementing best practices, executives are equally concerned by an increasingly volatile threat landscape.
According to PwC, the top four cyber threats found most concerning – cloud-related threats, hack-and-leak operations, third-party breaches and attacks on connected products – are the same ones security executives feel least prepared to address.
“This gap highlights the urgent need for better investments and stronger response capabilities,” the report outlined.
Amid an ongoing cyber resilience battle, 78% of business and technology leaders have also accelerated investment in GenAI during the past 12 months. Notably, 72% of executives are increasing their risk management investment in AI governance.
Currently, 67% of security leaders note GenAI has expanded the cyber attack surface over the last year, ahead of other technologies such as cloud (66%), connected products (58%), operational technology (54%) and quantum computing (42%).
On the other hand, most organisations are leveraging GenAI to bolster cyber defence tactics as well – chiefly in the areas of threat detection and response, threat intelligence and malware / phishing detection.
But organisations face several challenges when incorporating GenAI, namely:
“Cyber security is predominantly a data science problem,” noted Mike Elmore, Global CISO at GSK. “It’s becoming imperative for cyber defenders to leverage the power of generative AI and machine learning to get closer to the data to drive timely and actionable insights that matter the most.”