
What Increased Defence Spending Means For The Cybersecurity Sector
As geopolitical tensions continue to rise globally, 2025 has seen a dramatic increase in defence spending not witnessed since the Cold War.
In recent weeks, NATO members agreed to spend 5% of their gross domestic product on military expenditure by 2035. Many, including Britain, already spend over 2% on their militaries. NATO’s new target is split into two parts: 3.5% on conventional military and the rest on other initiatives aimed at bolstering national security, like cybersecurity.
While these uncertain times are scary, increased defence spending can be a good thing, injecting more money into the private sector and improving economic conditions as a result. Cybersecurity firms, in particular, are set to benefit from NATO’s new spending target. But what else needs to be done to improve our cyber defences against rising nation-state threats?
Businesses Are Collateral Damage
Amid heightened geopolitical tensions and rising nation-state cyber threats, IT security is now a “frontline issue” for NATO countries, their allies and critical infrastructure organisations.
That’s according to James Lei, chief operating officer of application security testing firm Sparrow. He argues that businesses providing critical services and resources crucial to the running of modern societies – such as telecoms, finance and energy – are now direct targets of NATO’s enemies.
Lei explains that by attacking such organisations, NATO’s adversaries aren’t just trying to steal sensitive data to sell to the highest bidder. They’re also on a mission to “disrupt economies” and “undermine public trust” as they look to inflict maximum damage on their targets. He adds: “That makes businesses both direct targets and collateral damage.”
With these risks in mind, Lei urges national governments to allocate “a meaningful portion” of their increased defence budgets to helping small and medium businesses counter the growing risk of nation-state cyber-attacks.
Lei says SMEs, especially those classed as critical national infrastructure providers, may not have the budgets to splash out on fancy cybersecurity systems or in-house cyber specialists, creating “weak points in the national cyber ecosystem”. He tells ISMS.online: “Funding could help SMBs access better security tools, training, and threat information, which benefits the entire country’s resilience.”
These concerns are shared by Adam Brown, managing security consultant at application security firm Black Duck. He explains that, 30 years ago, cyber-attacks would have had minimal impact on the general population.
But as digital infrastructure plays an integral role in modern life, he says cyber-attacks can be extremely damaging. And, as the digital services and infrastructure upon which we rely are predominantly created and sold by commercial businesses, they have become “prime targets” for nation-state cyber-attacks.
With war raging in Ukraine and the Middle East, Chris Binnie — a cloud-native security consultant — expects cyberattacks launched by nation-states to continue rising. In particular, he’s concerned about the proliferation of supply chain attacks.
He says nation states may see this as an “easier” way to hack into the systems of critical infrastructure providers because their IT suppliers may not possess the “same rigorous security practices”.
Tackling These Risks
With nation states increasingly leveraging supply chain weaknesses to compromise critical infrastructure, government and industry bodies are taking note.
The European Union, in particular, takes a strong stance on supply chain cybersecurity efforts through laws such as the Digital Operational Resilience Act, Cyber Resilience Act and Network and Information Security 2 Directive.
Brown explains that, under such laws, businesses supplying cyber services to critical national infrastructure organisations are compelled to close any cybersecurity weaknesses by following strict cybersecurity procedures.
Industry standards such as ISO 27001, ISO 22301 and ISO 42001 also provide businesses with a baseline they can follow to protect themselves from geopolitical cyber threats and, ultimately, keep their operations, data and supply chains safe from nation-state hackers.
TSG Training’s Young explains that ISO 27001 covers information security, ISO 22301 addresses business continuity and, more recently, ISO 42001 has been introduced to counter AI-fueled cyber threats.
He suggests that, by adhering to such standards, third-party IT providers looking to secure contracts from critical national infrastructure organisations can show that they take cybersecurity seriously and have robust measures in place to mitigate supply chain risks.
An Opportunity For Businesses
Although many businesses have become collateral damage as a result of nation-state cyberattacks, some may actually benefit from increased defence spending as countries look to mitigate this risk.
National governments rely on businesses to maintain digital resilience, and as part of their defence budgets, they’ll no doubt pour more money into improving their cyber defences. That means plenty of opportunities for the private sector.
John Young, principal consultant at IT training provider TSG Training, says private-sector businesses will have an instrumental role to play in helping NATO members strengthen their cybersecurity and, ultimately, their overall national security.
He tells ISMS.online: “Sharing threat intelligence between companies, government bodies and international partners strengthens overall awareness and enables faster responses to new threats.”
Like Young, Lei of Sparrow takes the view that NATO can’t respond to today’s myriad cyber threats without collaborating with the private sector. He points out that private companies own and operate many of the critical services used by governments. Because of this, he says governments look to the private sector for threat intelligence and incident response.
Chris Henderson, chief information security officer at managed cybersecurity platform Huntress, is another staunch believer in public-private sector collaboration in the fight against nation-state cyber threats.
He says that, through these partnerships, governments can leverage real-time threat intelligence provided by private-sector organisations to keep pace with the fast-evolving cyber threat landscape.
For such partnerships to be a success, Henderson urges private sector organisations to ensure the intelligence they share with government bodies is formatted so that government-operated computer systems can analyse the data and draw actionable insights from it quickly.
Governments, too, must play their part in ensuring these partnerships are effective. Specifically, Henderson says private sector organisations must be able to disseminate cyber threat intelligence without being slowed down by regulatory bureaucracy. This, he says, is essential in ensuring “timely action” on “novel and critical threats”.
Conclusion
Watching governments increase their defence spending is scary, as one wonders what they know and what could be around the corner. But it’s an absolute necessity to keep countries safe amid fast-changing times. That said, defence spending isn’t just about buying more tanks or missiles – our enemies can inflict just as much damage through cyber-attacks on critical infrastructure.
So, it’s encouraging to see NATO members agree to allocate a significant proportion of their increased defence budgets to shoring up cyber defences. At the same time, this will open up opportunities for cybersecurity firms in the private sector. However, in addition to spending more money on cyber defences, close collaboration between the public and private sectors is essential in ensuring these projects are effective in the long term. And let’s not forget that many businesses are now collateral damage amid geopolitical turbulence, meaning they require support too.