Shadow AI is breaking corporate security from within

Cybersecurity leaders know the attack surface has been growing for years, but the latest State of Information Security Report 2025 from IO shows how fast new risks are converging. Drawing on responses from more than 3,000 security professionals in the UK and US, the report points to three areas shaping board-level conversations this year: AI, compliance, and supply chain security.

AI: A tool and a target

AI is now woven into security operations and business processes. Almost eight in ten respondents said their organizations adopted AI or machine learning in the past year, but many are struggling to manage it responsibly. The report identifies shadow AI as a significant issue, with 37% of employees using generative tools without approval. That creates risks ranging from accidental data leaks to GDPR violations.

Threat actors are also exploiting AI. Data poisoning, deepfake impersonation, and AI-generated phishing campaigns are emerging as mainstream attack methods. Respondents flagged AI-powered misinformation and disinformation as their top concern for the next 12 months. At the same time, most organizations are planning to invest in AI-powered defences, including detection, validation, and governance tools. AI expands the attack surface while also being central to resilience efforts.

“AI has always been a double-edged sword. While it offers enormous promise, the risks are evolving just as fast as the technology itself. Too many organizations rushed in and are now paying the price. Add shadow AI to the mix, and it’s clear we need stronger governance to protect both businesses and the public,” said Chris Newton-Smith, CEO of IO.

Compliance pressures intensify

The report notes that 71% of organizations were fined in the past year for data breaches or compliance failures, with nearly a third paying penalties above £250,000. In response, many firms now see compliance frameworks like ISO 27001 and SOC 2 not only as a way to avoid penalties but also as tools for building trust, improving decision-making, and opening new markets.

Even so, compliance is far from easy. Two-thirds of respondents admitted they are struggling to manage requirements in-house, with smaller firms feeling the crunch most acutely. The speed and complexity of regulatory change are a recurring complaint, and many respondents want more alignment across jurisdictions. Despite these challenges, nearly all organizations say achieving or maintaining certifications remains a top priority.

Supplier security still a weak point

Supply chains continue to be exploited by attackers, and 61% of respondents said their organizations had been affected by a third-party incident in the past year. These events often led to customer or employee data breaches, financial loss, and reputational harm.

The regulatory spotlight is also moving to this area. New requirements under NIS2, DORA, and the UK’s Cyber Security and Resilience Bill are pushing firms to step up oversight of their suppliers. According to the report, 64% of organizations plan to increase spending on third-party risk management this year, and 80% have already strengthened their programs. Even so, smaller suppliers remain a concern, as they often lack the same level of investment in risk controls.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.