Air Freight News

Cyber risk awareness is high but readiness leaves firms exposed

May 05, 2026

A third of businesses with cyber security plans are still not testing their defences, according to new research from leading global risk management partner, LRQA.

The report reveals that while 72% of organisations claim partial or full cyber security integration (33% say full), readiness and control implementation remain uneven. One in four organisations (25%) never conduct independent cyber assessments and nearly a third (31%) of those with incident response plans have never tested them.

The findings are drawn from LRQA’s 2026 Cyber Security Risk Outlook survey of 133 organisations operating across multiple regions and sectors, including financial services, technology and telecoms, transportation and construction.

Chris Oakley, Business Director for LRQA’s cybersecurity division in the Americas, said:

“Proof has become the baseline; boards, insurers and regulators need evidence that controls hold up when tested. This research shows the gap. Most surveyed organizations have an incident response plan, but a third have never tested it. Meanwhile, 74% don’t formally assess their tier one suppliers. Those are gaps SEC disclosures and insurance renewals will find first.”

Supply chain risk outpacing supplier governance

Third-party exposure is one of the clearest structural gaps in the data, in spite of being one of the most common entry points for breaches. Although 32% of organisations identify supply chain vulnerabilities as a leading cyber concern, 74% have no formal cyber risk assessments for their Tier-1 suppliers. Added to this, 30% impose no cyber requirements on suppliers at all.

With supplier access expanding and digital ecosystems becoming more interconnected and dependent on cloud platforms, software vendors and operational partners, resilience increasingly extends beyond the organisational perimeter – often without adequate oversight.

To manage this risk, supplier assurance, contractual security requirements and active validation of third-party practices will become critical.

Cyber approach consistency needed to enhance resilience

Concerns around ransomware, AI-enabled attacks and cloud compromise are widespread, and organisations’ cyber priorities closely mirror the threat landscape, with investment levels strengthening.

Half of organisations (50%) have increased cyber budgets in the past year, alongside baseline controls such as:

· multi-factor authentication (56%)

· backup and recovery capability (56%)

· security awareness training (47%)

Cyber insurance not a substitute for risk management

For many organisations, insurer expectations are becoming a driving force to strengthen cybersecurity and demonstrate resilience to customers, insurers and regulators.

The adoption of cyber insurance gives a vital indicator of cyber maturity, with 31% stating that they hold cyber insurance, 46% reporting they do not, and 23% unable or preferring not to disclose. In practice, organisations are finding that coverage, pricing and terms depend on how clearly they can demonstrate that controls are implemented and effective.

However, while insurance can support recovery and manage financial exposure, it does not change an organisation’s threat profile or exposure to an attack.

Ben Turner, Business Director for LRQA’s cybersecurity division in the UK, said: “Resilience is not a checklist – it’s the ability to prove that controls perform under pressure and that recovery is predictable, not hopeful. The market is clearly alert, engaged and investing with organisations increasingly aware of the cyber threat landscape and prioritising the right areas. However, the real differentiator will be execution. It’s not about whether controls exist, but how consistently they are applied, how rigorously they are tested and how confidently organisations can evidence resilience under scrutiny.

“While investment is rising, areas such as testing, response readiness and supplier oversight are not yet keeping pace with the expectations of boards, regulators and customers. Those organisations that overcome this evidence disconnect to demonstrate assurance will reduce disruption and build trust faster – turning cyber resilience into a genuine competitive advantage.”

Availability pressure and uneven assurance in transportation

Transportation organisations operate in availability-critical environments where operational continuity is non-negotiable. Strategy maturity, however, is mixed, with 33% reporting established cyber strategies and 25% advanced or optimised approaches. Integration into business strategy is also largely partial (58%), with only 25% stating full integration.

Incident exposure is comparatively high, with 33% reporting a cyber incident within the last 12 months, while only 42% report conducting annual third-party testing. This disparity suggests exposure levels may be outpacing independent validation.

As operational technology, distributed infrastructure and supplier connectivity increase complexity across mobility, rail, logistics and smart infrastructure, resilience maturity will depend on scaling assurance alongside digital transformation.
