Only 2% of companies worldwide say they are fully resilient against cybersecurity threats this year, according to PwC’s 2025 Global Digital Trust Insights. The report sets the tone for 2025: spending is rising, regulations are tightening, yet most organizations remain dangerously exposed. 

Fresh findings from various reports also highlight the widening gap between investment and outcomes. The picture is uneven across industries and regions. So what does this mean for your enterprise’s security in an AI-driven world? 

This article breaks down the paradox, exploring spending versus resilience, evolving attack tactics, readiness gaps, supply-chain risks, and a strategic playbook for 2025.

Spending vs resilience

PwC’s study continues with a stark detail: 66% of technology executives now rank cyber as their top business risk, ahead of economic and operational concerns. It also places the average breach at $3.32 million, showing how quickly one incident can become a material hit to earnings and reputation.

Cisco’s Cybersecurity Readiness Index reinforces this mismatch. It notes that 93% of organizations raised their cyber budgets by at least 10%, yet 70% remain stuck in formative or beginner stages of maturity. 

The report goes on to highlight how fragmented investments, often spread across dozens of vendors, are slowing detection and recovery rather than improving them.

PwC adds a sector split: financial services and technology firms report higher maturity, while manufacturing and healthcare continue to lag under the strain of legacy systems and compliance pressures.

The new attack playbook

IBM’s X-Force Threat Intelligence Index 2025 shows that 30% of intrusions last year used valid credentials rather than brute-force methods.

The report adds that infostealers delivered via phishing grew by 84% year on year, flooding underground markets with credentials. It goes on to note that ransomware still accounts for 28% of malware cases, though attackers are increasingly focusing on stealthy identity-based tactics.

The regional detail is striking. IBM highlights a 13% increase in attacks across Asia-Pacific, reflecting the region’s role as a global supply chain hub. For multinational boards, this ties supplier geography directly to enterprise exposure.

Readiness gaps in identity and AI

Cisco’s Readiness Index shows that only 6% of organizations are mature on identity intelligence, leaving identity controls as the weak point in most enterprises.

The report continues, stating that 86% of security leaders experienced at least one AI-related incident in the past year, yet fewer than half of employees understand how AI is exploited by attackers.

The World Economic Forum’s Global Cybersecurity Outlook 2025 echoes this gap. It finds that while 66% of organizations expect AI to reshape cybersecurity within the next year, only 37% have safe deployment practices in place. 

The study also underscores the disparity between public and private sectors: 38% of public agencies report insufficient resilience, compared to just 10% of large private firms.

The expanding blast radius

The WEF’s Outlook highlights the ecosystem challenge. It shows that 54% of large organizations see third-party risk as the biggest barrier to resilience. 

The report continues by noting that nearly 60% of organizations say geopolitical tensions are influencing their cyber strategy, with CEOs most concerned about intellectual property theft while CISOs worry about operational disruption.

Regional disparities are pronounced. The Outlook goes on to reveal that while only 15% of leaders in Europe and North America lack confidence in national cyber resilience, the figure rises to 36% in Africa and 42% in Latin America.

For global enterprises, resilience is therefore only as strong as the weakest regional partner.

From spend to strategy

PwC’s survey shows that 78% of organizations increased investment in generative AI over the past year. The report adds that executives see GenAI as both an opportunity for cyber defense and a source of new vulnerabilities. 

Cisco continues this picture, noting that 63% of firms are upgrading existing platforms and 44% are investing in skills and training to close capability gaps.

IBM’s X-Force points to the consequences of not acting. It finds that manufacturing remains the most targeted industry for the fourth year running, with ransomware and extortion exploiting outdated OT systems. 

The report goes on to show how identity-first architectures and vendor consolidation improve detection and recovery times, demonstrating that strategy, not just spend, delivers results.
