A majority of UK and US organisations now view state-linked cyber activity as a strategic business threat, with 88% of cybersecurity leaders expressing concern about nation-state attacks, according to new research by information security platform IO.
The company’s State of Information Security Report finds that geopolitical cyber risk has escalated sharply over the past year, becoming a top concern across both public and private sectors.
Despite the growing scale of these threats, one in three organisations believes government support remains insufficient — signalling a widening gap between national defence and private-sector resilience.
The findings come amid a series of high-profile warnings from the UK’s National Cyber Security Centre, which last month identified China, Russia, Iran and North Korea as the most active state-based threats to national security.
Chris Newton-Smith, CEO of IO, said, “When it comes to threats facing CNI, there is a significant national effort going into protecting vital assets. However, at the same time, it also carries a stark warning. If an organisation is connected to the right systems, servicing critical infrastructure, or simply handling sensitive data, it could be targeted by nation-state adversaries.”
He added, “The fact that 88% of organisations are concerned about this threat is a clear indicator that geopolitically linked cyber risk is now a strategic concern, not just a technical one.”
Among the businesses surveyed, 41% cited data loss or inaccessibility as their primary concern, while 40% feared reputational damage from indirect compromise. Thirty-eight per cent warned of operational disruption via supply chains, and 36% highlighted potential interference with critical national infrastructure such as energy, transport, and communications.
The report also found that 89% of organisations had experienced a cyber incident in the past year. The most common were data breaches (31%), phishing (30%), malware infections (29%) and cloud-related breaches (27%). Employee and customer data remain the most frequently exposed assets, underscoring the dual financial and reputational impact of modern attacks.
Seventy-one per cent of affected organisations received regulatory fines, with nearly one-third paying penalties above £250,000. Almost half faced fines of between £100,000 and £1 million. Consequences extended to leadership, with one-third of executives disciplined or dismissed following major breaches, and 18% of companies forced to restructure or shut down business units.
Sam Peters, Chief Product Officer at IO, said, “State-level cyber activity is now a real concern for businesses, and resilience, not retaliation, will be the accurate measure of national and corporate defence in 2026. Organisations that understand their exposure, test their defences, and secure their supply chains will be best placed to withstand the next wave of attacks.”
According to IO’s data, 74% of organisations are already investing in new resilience measures, including enhanced threat intelligence and supply chain security. Nearly all companies concerned about state-sponsored threats — 97% — reported strengthening their incident response and recovery planning in anticipation of further escalation.




