The State of Information Security Report 2025
Building resilience as the attack surface keeps growing
Organisations are facing broader attack surfaces, stricter regulations, and fast-evolving AI-driven threats. Our third annual State of Information Security Report reveals how leaders are responding, and why resilience has become the top priority.
Independently researched with input from over 3,000 senior security leaders across the UK and USA
This year’s findings shed light on the most pressing security challenges and opportunities:
- The scale and impact of regulatory fines: the rising cost of non-compliance and regulatory fines
- The next wave of AI-powered threats: emerging AI threats and how businesses are responding
- Escalating supply chain vulnerabilities: why supply chain security is straining resilience
- The human factor: the people and skills challenges security teams can’t ignore
- Leadership response: how leaders are embedding resilience at the core of strategy
Get the full data, benchmarks, and expert analysis in the complete report.
Highlights from the report
Fines are widespread
Over 70% of organisations were fined for compliance failures last year, with 30% paying over £250k.
“In total, only 29% say they did not receive a fine for a data breach or violation of data protection rules in the past 12 months. Clearly, much work still needs to be done to improve compliance efforts.”
Third-party risk dominates
61% of businesses experienced a supplier-caused incident in the past year.
“Supply chains remain a critical feature of business operations – they also remain a fundamental weakness that threat actors are past masters at targeting.”
AI needs governance
Shadow AI was linked to 20% of breaches, yet 95% of organisations are now investing in AI governance.
“The big danger is not planned adoption, but so-called ‘shadow AI’, with some 34% of our respondents claiming employees are using GenAI without permission.”

Ready to strengthen resilience?
Download the State of Information Security Report 2025 for an in-depth look at the evolving risks, compliance pressures, and opportunities shaping information security today.
- How rising fines and fast-changing regulations are driving the compliance crunch
- The impact of AI-driven threats such as shadow AI, data poisoning, and deepfakes
- Why supply chain and third-party risk remain the top disruptors for security teams
- The people and skills challenges holding organisations back from resilience
- How leading organisations are embedding frameworks, governance, and strategy to improve long-term resilience
Who should read this report?
- Security & risk leaders looking for 12-month priorities
- Legal & compliance teams under pressure to reduce fines and audit risk
- Technology leaders managing identity, cloud, and platform complexity
- Executives & boards seeking to align resilience with growth
Explore the findings in more depth

The US State of Information Security Report 2025
Our US-focused report explores how businesses are strengthening resilience, investing in compliance and tackling key cyber threats.

Securing the Supply Chain
Insights from the IO State of Information Security Report on how supplier ecosystems are reshaping risk, governance, and resilience

Securing the AI attack surface
Insights from the IO State of Information Security Report on how AI is reshaping risk, governance, and resilience
Your questions answered
Third-party incidents and identity compromise are collectively driving the majority of disruptions.
Shadow AI and data poisoning, with one in five breaches linked to unsanctioned AI use.
Two-thirds of organisations struggle in-house due to the pace of regulatory change and skills shortages.
By backing clear, organisation-wide security strategies, which our report shows are now in place at 86% of firms.











