About the author
Phil Muncaster has been an IT journalist for 15 years. He started out as a reporter on enterprise IT title IT Week in 2005 and progressed to the role of News Editor before leaving to pursue a freelance career. Since then, Phil has written for titles including The Register, where he worked as Asia correspondent whilst based in Hong Kong for over two years, MIT Technology Review, SC Magazine, Infosecurity Magazine and others.
About isms.online
ISMS.online is a leading SaaS company dedicated to ensuring that every business, regardless of size or sector, can achieve robust data privacy and information security compliance with ease. We love helping organisations solve their compliance challenges so they can succeed and scale securely. Our user-centric platform simplifies the complexities of maintaining security compliance, supporting over 100 global standards and regulations in one place, ensuring our platform meets today’s compliance requirements and anticipates those of tomorrow.
Headquartered in the U.K., with offices and data centres worldwide, ISMS.online has over 20,000 users globally and works with a wide range of organisations — including enterprise brands like Siemens, Emirates and Moneycorp. Discover more about our commitment to secure and sustainable digital operations at isms.online
Chris Newton-Smith
CEO | isms.online
Over the past year, we’ve seen organisations double down on digital change, rolling out cloud services, experimenting with AI, and adopting new tools to stay ahead. But with each step forward comes added exposure. The attack surface keeps expanding, and attackers are quick to take advantage.
Our State of Information Security 2025 report, based on insights from over 3,000 professionals across the UK and US, shows just how complicated this picture has become. Ransomware is still with us, but criminals are increasingly turning to data theft and extortion. Phishing and malware remain daily frustrations, and misconfigured cloud systems continue to create easy openings. At the same time, AI is proving to be both a powerful asset and a new source of risk, with shadow AI and data poisoning high on the list of emerging concerns.
The financial impact is also hard to ignore. Last year, 71% of organisations received fines, and almost a third of those penalties were more than £250,000. What’s striking, though, is the shift in how businesses now view compliance. Rather than simply treating it as a way to avoid fines, more firms are using frameworks such as ISO 27001 and SOC 2 to strengthen trust, sharpen decision-making, and even open up new commercial opportunities.
The people challenges haven’t gone away. Skills shortages, staff burnout, and awareness gaps remain stubborn problems. But there are real signs of progress: boards are paying closer attention, budgets are increasing, and organisations are moving away from firefighting towards building resilience. Three-quarters of respondents told us they feel more confident about security than they did a year ago, and almost all believe they could respond effectively to a major incident.
The reality is that threats will keep changing. What matters is that we are better prepared, treating information security not as a back-office function, but as part of how we build resilience, earn trust and grow. I encourage you to explore the full report and take a closer look at these and many other risks facing businesses today. We hope you enjoy reading and look forward to the important conversations it will start.
ISMS.online commissioned leading independent market research firm Censuswide to help us better understand the current information security and compliance landscape. Unlike last year’s report, which canvassed the opinions of respondents from the US, UK and Australia, this year we polled 3,001 respondents who work in information security across the UK (2,000) and US (1,001).
Their responses have helped us to uncover the main information security and compliance challenges facing organisations in these regions, and particularly the impact of AI on the landscape. We thank them for their invaluable input.
Makeup of total respondents from this year’s survey
UK respondents (2,000)
US respondents (1,001)
01 The attack surface continues to grow
As organisations double down on digital transformation, their attack surface continues to expand. In 2025, the challenge is no longer just transformation, but balancing innovation with resilience in the face of relentless cyber threats.
What are the main challenges facing your business (top responses)
Information security skills gap
Ensuring third-party risk is managed and tracking compliance
Digital resilience (ability to adapt and recover from cyber disruptions)
Last year, we spoke about the catch-22 situation many organisations are finding themselves in. On the one hand, the push for digital transformation is vital to carve out competitive advantage, improve customer experiences and streamline business processes. But at the same time, these efforts expand the cyber-attack surface, providing more opportunities for threat actors to strike.
If anything, these trends are even more pronounced in 2025, as organisations double down on digital amid persistent economic and business uncertainty, and adversaries take advantage. It’s why many respondents cite things like securing emerging technologies (39%), cloud services/apps (37%) and IoT/BYOD (28%), as well as managing third-party risk (41%), among their top challenges. Tech sprawl (35%) resulting from too many siloed point solutions also signifies anxiety over the size of the attack surface, as does the fear of “as-a-service” cyber threats like ransomware-as-a-service (39%), which are democratising the means to compromise corporate networks via under-protected endpoints.
But the attack surface isn’t just comprised of technology solutions. As we’ll discuss later in the report, it’s also distinctly human in parts. A lack of employee awareness, cited as a challenge by 38%, can lead directly to successful social engineering attacks (35%) and compromise. Even more acute is the persistent skills gap in cybersecurity teams, cited by 42%. According to ISC2 figures, the global workforce gap in cybersecurity now stands at nearly 4.8 million professionals, including over 392,000 in Europe and almost 543,000 in North America. AI will be able to absorb some of this shortfall. But even it needs skilled professionals to deploy, manage, train and interpret output.
Against this backdrop, many (37%) organisations are struggling to comply with industry regulations and standards. The former is concerning, given the potentially significant financial penalties that can now be levied by regulators. The latter is disappointing, as best practice standards like ISO 27001 can actually help to reduce the regulatory compliance burden, given many new pieces of legislation – especially in Europe – require similar foundational steps be put in place.
The resilience challenge
A final challenge worth mentioning is digital resilience, cited by 41% of respondents. As ransomware and data extortion attacks cause chaos on both sides of the Atlantic, it has become increasingly important to company boards and stakeholders that organisations can continue to operate, even following a breach. The concept lies at the heart of regulatory efforts like DORA and NIS2. However, IBM claims that 86% of data breach victims over the past year experienced operational disruption affecting customer-facing services, sales processing and production.
The good news is that, despite the relatively large share of our respondents citing challenges achieving digital resilience, many are moving in the right direction. As we’ll see, the threat landscape is undeniably weighted in favour of our adversaries. But by assuming breach and preparing for the worst – through incident response, recovery planning, threat intelligence and more – organisations can and are improving resilience.
Which types of data have been compromised in your organisation in the past 12 months?
Employee data
Customer data
Financial data
Research data
Product data
Intellectual property
Personally identifiable information
Asset data
Partner data
None