72% of cyber leaders say risks are rising. Here's how states and businesses are responding

As global reliance on digital infrastructure deepens, the world’s cybersecurity is under unprecedented strain. Modern attacks continue to increase in scale, sophistication and strategic intent. This is exhibited in recent operations by threat actor Salt Typhoon, which infiltrated US critical infrastructure, and the cybercrime group Lazarus, which stole $1.5 billion in cryptocurrency.

We see an increased use of cyberattacks as policy levers in a geopolitically volatile era, alongside evolving tactics like living off the land malware.

Consequently, many nations are recalibrating their approach to cybersecurity. The World Economic Forum’s Global Cybersecurity Outlook (GCO) 2025 shows that nearly 60% of organizations report that geopolitical tensions have directly influenced their cybersecurity strategy.

A staggering 72% of respondents to the Global Cybersecurity Outlook survey reported an increase in organizational cyber risks, with ransomware remaining a top concern. In addition, nearly half of global organizations now cite the malicious use of generative AI as their top cybersecurity concern, and over 40% have already suffered successful social engineering attacks in the past year.

One in three CEOs now cites cyber espionage and intellectual property theft as top concerns, while 45% of cyber leaders worry about operational disruption. These concerns are no longer theoretical; they’re baked into strategic planning at the highest levels of government and industry.

To better understand how nations are responding to these pressures, Harvard University’s Belfer Center recently developed the Cybersecurity Strategy Scorecard. The scorecard analyzes seven prominent cyber powers’ national cybersecurity strategies – Australia, Germany, Japan, Singapore, South Korea, the UK and the US – to determine the most effective and innovative policy approaches that should inform global standards.

The work reveals that there is no universal blueprint for national cybersecurity strategy. Rather, the most successful approaches are tailored to the unique combination of threats, resource constraints and social and political dynamics faced by the country.

Still, certain technical best practices apply across the board. Effective strategies are typically anchored around five foundational pillars: (1) protection of infrastructure and people; (2) development of cyber capacity, including workforce and R&D; (3) public-private and international partnerships; (4) clear accountability and enforcement mechanisms; and (5) adaptive policy processes that are well-communicated and regularly updated.

Most countries demonstrate a strong commitment to developing their technical workforce, investing in upskilling initiatives and expanding educational pipelines to address the growing cyber talent shortage. There is also broad emphasis on defending critical infrastructure and building international partnerships, inter-agency coordination and efficient public-private cooperation, like the UK's i100 and the US JCDC initiatives that grant security clearance to industry professionals.

The most common shortcomings include a significant neglect of focus on how to protect small- and medium-sized enterprises (SMEs) and vulnerable population groups, which remain poorly protected despite facing growing threats. Similarly, few strategies meaningfully invest in non-technical cybersecurity roles, such as cyber lawyers, policy-makers and compliance professionals, despite the increasingly cross-disciplinary nature of cybersecurity. Regulatory approaches to data privacy and accountability vary widely, especially within the US. Perhaps most critically, few strategies include robust mechanisms for accountability, measurable outcomes or risk quantification. Without better incentives and clearer enforcement structures, the strategies risk becoming hand-wavy aspirations rather than achievable goals.

Naturally, a healthy strategic posture doesn’t always equal strong real-world capabilities. Though most national strategies highlight the importance of strengthening the cyber workforce and outline practical policy actions, the GCO finds that the cyber skills gap has worsened, rising by 8% since 2024. Today, two out of three organizations report moderate-to-critical talent shortages, including a lack of essential skills to meet core security needs. Alarmingly, just 14% of organizations are confident they currently have the people and capabilities required.

The strategic posture is sometimes more aligned with reality regarding shortcomings. Data from the GCO confirms that cyber inequity regarding the aforementioned SMEs and vulnerable population groups is a significant and growing concern: 35% of small organizations now believe their cyber resilience is inadequate, a sevenfold increase since 2022. In contrast, the proportion of large organizations reporting insufficient cyber resilience has nearly halved.

Despite widespread recognition that the private sector underpins national cyber resilience, most governments still lack robust, forward-looking strategies to shape and incentivize private-sector security practices. Regulation remains a major driver: According to the GCO, 78% of CISOs and 87% of CEOs say new cyber-related regulations are primarily motivated by the need to improve security and mitigate risk. CISOs also stress that regulation helps reduce systemic risk and increase customer trust.

However, two-thirds of organizations report that navigating an increasingly fragmented global compliance landscape adds costly complexity. Many strategies discuss cyber-related subsidies; governments should not rely solely on financial aid, but facilitate a better understanding of returns on investment for cybersecurity solutions, including a stronger quantification of cyber risk, accountability and best practices. Countries like Japan, Germany and Singapore subsidize vetted solutions for SMEs, while Australia reduces regulatory burdens.

Meanwhile, initiatives like the US Cybersecurity Apprenticeship Program and secure-by-design proposals (shifting liability toward producers of insecure products) attempt to create incentives to foster healthy, long-term cybersecurity cultures and workforces. Ultimately, cybersecurity ought not to be viewed as a compliance requirement, but as a business enabler that builds trust, protects innovation and enhances market competitiveness. For that to be true, we must create clear, quantified incentives that show business leaders how and why their cyber investments will translate into net positive financial savings.

Cyber threats are evolving at an alarming pace, with ransomware, state-sponsored intrusions and AI-powered attacks now posing serious risks to national security, economic stability and public trust. At the same time, emerging technologies are expanding the attack surface: AI is enabling adversaries to automate spear phishing, generate convincing deepfakes and identify software vulnerabilities at scale, while advances in quantum computing threaten to break existing encryption standards.

Regulators are beginning to act, such as the EU’s Cyber Resilience Act, which sets baseline security requirements for digital products. But the window for reactive policy-making is closing. Governments must urgently modernize their cybersecurity strategies, invest in measurable and adaptive defence structures, and lead with actionable and measurable policies. Anything less risks leaving critical systems exposed in an era when cyberattacks are bound to proliferate.