MailGuard Mar 30, 2026 3:25:48 PM 6 MIN READ

Cybersecurity teams expect attacks. Many businesses still behave as if they don’t.

A new global survey of cybersecurity professionals suggests a quiet but significant shift in how risk is perceived inside organisations. According to the ISACA State of Cybersecurity 2025 report, only 14% of respondents believe their organisation is unlikely to experience a cyberattack in the next 12 months.

The implication is difficult to ignore. For most security professionals, a cyberattack is no longer a remote possibility. It is an expected event.

The survey, which gathered responses from more than 3,800 professionals worldwide, paints a picture of a field that is increasingly certain about the trajectory of risk, even as organisations vary in how they respond to it.

A widening gap between expectation and confidence

The ISACA data reveals a notable imbalance. While a majority of respondents consider a cyberattack likely, far fewer express strong confidence in their organisation’s ability to respond effectively.

Only 41% say they are highly confident in their team’s ability to detect and respond to threats.

At the same time, 35% report an increase in cyberattacks compared with the previous year.

Taken together, these figures suggest that many organisations are operating in an environment where risk is both rising and, in some cases, insufficiently contained.

The report does not frame this as a failure of awareness. If anything, awareness appears widespread. Rather, it highlights a more subtle challenge, one of alignment between perception, capability, and response.

Email and social engineering remain central

One of the more consistent findings in the report concerns how attacks are carried out.

Among organisations that reported being compromised, 44% identified social engineering, including business email compromise, as a primary attack vector.

This reinforces a pattern that has held steady across multiple years of industry reporting. Despite advances in endpoint protection, network monitoring, and identity management, many successful attacks continue to begin with an email.

The reason is not necessarily technical weakness. Increasingly, it is behavioural.

Modern phishing campaigns are designed to resemble routine communication: requests that appear legitimate, timely, and aligned with everyday business processes. In that context, the distinction between normal activity and malicious intent becomes harder to detect.

A workforce under strain

The report also highlights the human dimension of cybersecurity.

Two-thirds of respondents say their roles are more stressful than they were five years ago, with the complexity of the threat landscape cited as a primary factor.

More than half report that their teams are understaffed.

At the same time, fewer organisations expect a meaningful increase in cybersecurity budgets, and some anticipate reductions.

These pressures intersect in ways that are not always visible outside security teams. Increased workload, limited resources, and rising expectations can affect not only performance, but also retention and long-term capability.

The report notes that burnout remains a concern, even as hiring and retention pressures fluctuate across regions.

Board-level prioritisation and its effects

One of the more revealing sections of the survey examines how cybersecurity is prioritised at the board level.

Just over half of respondents say their boards adequately prioritise cybersecurity. Where that prioritisation exists, the differences are pronounced.

Organisations whose boards actively prioritise cybersecurity report:

  • Higher confidence in detection and response
  • Better alignment between security strategy and business objectives
  • Fewer challenges retaining skilled personnel

Conversely, where cybersecurity is not prioritised at the leadership level, respondents are significantly more likely to report underfunding, lower confidence, and greater staffing challenges.

The findings suggest that cybersecurity outcomes are influenced not only by tools and technologies, but by how risk is understood and managed at the highest levels of the organisation.

The role of artificial intelligence

The report also points to the growing influence of artificial intelligence, both as a defensive tool and as a source of new risk. Use of AI in security operations has increased, particularly in areas such as threat detection and automation. At the same time, respondents acknowledge that AI can be used by attackers to generate more convincing phishing emails and malicious content.

Interestingly, a significant proportion of respondents say they do not know whether AI was involved in attacks against their organisation, suggesting that attribution remains difficult.

Risk, increasingly, is assumed

Taken as a whole, the ISACA report reflects a broader shift in cybersecurity. Risk is no longer framed primarily as something to prevent entirely. It is increasingly understood as something to anticipate and manage.

For security professionals, the expectation of an attack appears to be a given. The more open question is how organisations translate that expectation into decisions, investments, and operational readiness.

That question, while not new, is becoming harder to defer.

Access the full report

The full ISACA State of Cybersecurity 2025 report can be accessed here: https://www.isaca.org/resources/reports/state-of-cybersecurity-2025

Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Microsoft 365 or Google Workspace, they should also have a third-party email security specialist in place to mitigate their risk, for example a specialist AI-powered email threat detection solution like MailGuard.

For a few dollars per staff member per month, businesses are protected by MailGuard's specialist, AI-powered zero-day email security. Special Ops for when speed matters! Our real-time, zero-day email threat detection amplifies your client’s intelligence, knowledge, security and defence.

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your clients today to ensure they’re prepared and get in touch with our team to discuss fortifying your client’s cyber resilience.

Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.

Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993
