Kroll warns of widening gap in global cyber resilience
Kroll has published research pointing to a growing gap between how prepared organisations think they are for cyber attacks and how well they can defend and recover when incidents occur.
The study surveyed 1,000 cybersecurity decision-makers across 10 countries, including the UK and Ireland, the US, Japan and Germany. It found that cyber risk is widely recognised at board level, but many organisations struggle to align day-to-day security decisions with broader business priorities.
Respondents estimated that cyber incidents cost an average of USD 2.2 million a year in recovery work and downtime. Many also reported that their incident-response arrangements are not being refined through experience, even as attackers move faster and supply chain risk rises.
Plans vs practice
Almost all organisations surveyed said they have an incident-response plan, with 99% reporting one is in place. Only 3% said they update plans after a cyber incident, suggesting many remain static documents rather than operational playbooks.
Most respondents also expressed confidence in their ability to respond quickly, with 72% saying their organisation can respond within one to 24 hours. Kroll cited CrowdStrike research putting adversary "breakout time", from initial access to wider infiltration, at 29 minutes.
Measures of maturity showed a smaller group at the top end: 10% of organisations reported "very high" cyber maturity. Kroll reported that these organisations see 50% less financial impact per dollar of revenue when cyber incidents occur.
Threat prioritisation also emerged as a weakness. Some 36% acknowledged gaps in how threats are prioritised, and 51% cited differing risk tolerance as the main reason. Separately, 72% reported frequent misalignment between cybersecurity efforts and wider business priorities, even though 94% view cybersecurity as a primary business risk.
Budget control
The research suggests control over cyber spending is becoming more centralised. Nearly half of respondents (48%) said the CEO now makes the final decision on cyber budgets. At the same time, 43% reported limited cyber literacy among executives as a barrier to aligning business strategy with cyber priorities.
Survey responses suggest budgets are still rising, with 80% saying their organisations have increased cybersecurity budgets in 2026. However, the areas receiving investment do not always match the most common attack patterns cited by respondents.
Nearly six in 10 (59%) said their organisations are increasing spending on cloud and third-party security. Yet the most frequently experienced tactics were identity-based: phishing was cited by 39% and business email compromise by 28%.
The research also suggests some proactive measures are becoming a lower priority. Kroll reported that 55% are cutting, or not increasing, investment in red and purple teaming, alongside reduced focus on identity and access management controls and zero-trust architecture (52%).
Operational exposure
Kroll framed the findings as a disconnect between security teams and senior leadership on what resilience requires in practice. It also emphasised business interruption as a primary consequence of cyber incidents, not only data loss.
Tiernan Connolly, Managing Director of Cyber Risk, Security Advisory at Kroll, said executives often have an abstract view of cyber risk until an incident forces operational attention.
"Board-level executives are often shocked by how one vulnerability or compromised system can cascade into a company-wide business interruption. They may understand the risk intellectually, but it rarely resonates operationally until they experience the impact firsthand. Until an actual incident forces that awareness, cyber budget line items tend to be treated as checking a box rather than being a strategic priority to protect, restore and maximize business value. Understanding business interruption as a core consequence, and directly linking it back to proactive controls, is how CISOs and security teams avoid reaching that costly breaking point."
The publication comes as cyber resilience remains a focus for UK policymakers, with the Cyber Security and Resilience Bill keeping governance and preparedness under scrutiny. For organisations, the survey adds detail to a familiar challenge: cyber risk is understood as a material business issue, but budget choices, training and operational planning do not always follow.
Dave Burg, Global Group Head of Cyber and Data Resilience at Kroll, linked the resilience challenge to the pace of change in the threat landscape and broader instability.
"In today's increasingly turbulent threat landscape, organizations face compounding cyber pressures, from more sophisticated threat actors to widening supply chain vulnerabilities. That pressure is amplified by geopolitical activity, such as the situation in the Middle East. Strategic decisions and execution realities can shift without warning. In an environment defined by uncertainty, businesses need to adapt quickly and confidently, even as the risk picture evolves in real time," Burg said.
"Our strategic partner CrowdStrike reports an average breakout time of just 29 minutes for attackers to move from initial access to broader infiltration. Yet many companies are pouring investment into advanced tools and threat intelligence while underinvesting in identity management, effective threat prioritization, and incident response readiness - gaps that can significantly increase exposure. Organisations that strengthen their cyber foundations will be better positioned to align strategy with execution, focus investments where they matter most and deliver stronger, more consistent defense," he added.