Five years is a long time in cybersecurity. Yet that’s how long the World Economic Forum (WEF) has been polling CEOs for its Global Cybersecurity Outlook reports. The hope is that the resulting insight will empower business leaders to adjust strategy and navigate a fast-evolving threat landscape. This year’s offering places fraud, AI and geopolitics firmly at the top of a growing list of concerns. And as was the case last year, cyber resilience is the goal all are aspiring to.
Yet as we discussed in the IO (formerly ISMS.online) State of Information Security Report 2025, there’s often quite a gap between diagnosing the problem and doing something about it.
What WEF Found
WEF polled just over 800 C-level executives for this year’s report. Among its key findings are the following:
Fraud takes top spot
CEOs and CISOs diverged a little in terms of their top two concerns. While CISOs remained consistent with last year in citing (in order) ransomware and supply chain disruption, their CEO counterparts placed cyber-enabled fraud in the top spot, followed by AI vulnerabilities. By fraud, they mean enterprise-focused threats like phishing/smishing/vishing, invoice fraud (such as BEC) and insider fraud, but also crime types more commonly associated with consumer losses, like ID theft and even investment fraud/crypto scams.
The IO report seems to agree. It revealed that 30% of respondents experienced phishing over the previous 12 months, up from just 12% in 2024.
As a recent report from Microsoft highlights, there’s a sophisticated and resilient global infrastructure in place to facilitate certain types of fraud, like BEC, which impact enterprises. But even nominally consumer-focused campaigns centred on things like ID theft can touch the corporate world.
As Check Point argued in a recent write-up, when scammers are able to harvest personal and device information, including “liveness” selfies, from individuals, they could use that information beyond ID fraud. Specifically, it could be operationalised to bypass corporate authentication systems and to impersonate employees in IT helpdesk password resets. And if individuals lose large sums in investment scams, they may be more vulnerable to coercion or blackmail into acting as malicious insiders.
AI is supercharging cyber risk
AI was also highlighted by WEF respondents as a key driver of cyber risk. But interestingly, less in terms of its ability to power phishing, deepfakes and malware (which concerned 28%), and more in terms of data leaks which could arise from misuse of GenAI (30%). This points to a concern about the growing enterprise use of AI expanding the cyber-attack surface. In fact, 87% of respondents believe AI vulnerabilities are increasing (versus 77% who say the same about fraud and 65% supply chain disruption).
IO data sheds more light on the issue. A third (34%) of respondents told us they’re concerned about shadow AI, with 54% admitting they adopted GenAI too quickly and now face challenges implementing it more responsibly. Risk tends to thrive in the shadows: what organisations can’t see, they can’t manage.
Geopolitics is a key influencer of security strategy
Nearly two-thirds of respondents told WEF that geopolitically motivated cyber attacks are a key consideration when devising their cyber-risk management strategies. Volatility in this area has forced almost all (91%) large organisations to adjust their approach to security, the report found. That matches IO’s take, which found that 88% of US and UK firms fear state-sponsored attacks, and nearly a quarter (23%) say their biggest concern for the year ahead is a lack of preparedness for “geopolitical escalation or wartime cyber operations”. A third (32%) claim that managing geopolitical risk is their primary motivation for strong infosec and compliance.
More worryingly, 31% of WEF survey respondents reported low confidence in their nation’s ability to respond to major cyber incidents, up from 26% last year. The figure rises to 40% in Europe. The UK government must accelerate implementation of the measures in its Cyber Security and Resilience Bill and Cyber Action Plan.
Supply chains remain a barrier to resilience
Supply chains continue to be a significant source of cyber risk, and one that remains difficult to manage. Two-thirds (65%) of respondents told WEF it is their greatest challenge to becoming cyber resilient, up from 54% last year and just above the fast-moving threat landscape (63%) and legacy systems (49%).
They’re right to be concerned. Some 61% of UK/US organisations told IO their business has been impacted by a security incident caused by a third-party vendor in the past year. Many said it led to customer/employee data breaches (38%), financial loss (35%), operational disruption (33%), churn/loss of trust (36%), and increased partner scrutiny (24%).
Towards Resilience
Against this backdrop, business and security leaders know they can’t remain 100% breach-proof. So the focus must shift towards resilience: how to anticipate, withstand and recover quickly from incidents, maintaining as close to “business as usual” as possible. As the JLR and M&S breaches have shown, this is easier said than done.
According to WEF, the biggest barriers to cyber resilience are a rapidly evolving threat landscape and emerging technologies (61%); third-party vulnerabilities (46%); and cyber skills and expertise shortages (45%). Legacy and funding were also cited as key. So how can organisations surmount these challenges?
Interestingly, the report found that more resilient organisations were more likely to:
- Hold board members personally liable in the event of breaches
- Have a positive view of cyber-related regulations
- Have adequate skills to achieve their cyber objectives
- Assess the security of AI tools before deployment
- Involve security in procurement
- Simulate incidents and plan recovery exercises with partners
- Assess the security maturity of suppliers
Many of these things are mandated by best practice standards like ISO 27001 and ISO 42001. The latter is particularly well suited to helping organisations close the governance gap and manage risk (including data leakage) across an expanding AI attack surface.
According to IO, 80% of UK/US organisations have aligned with standards like this to build resilience in a structured, risk-based way. Against the backdrop of a volatile business and threat landscape, those who do not are at an increasing disadvantage.