Cyber security and data security is the top risk facing organisations, with more than eight in 10 respondents identifying it as a leading threat, according to a survey of nearly 900 Chief Internal Auditors across the UK and Europe conducted by the Chartered Institute of Internal Auditors (Chartered IIA). It is also the risk area that internal audit teams are spending the most time and effort auditing.
Human capital, diversity and talent management retained its position as the second largest threat to organisations in 2026 – with almost half (48%) ranking it a top five risk. Fears of deskilling because of AI, and an inability to attract and retain the right skills to combat evolving threats, were major concerns.
Digital disruption, new technology and AI continue to be one of the fastest-growing risks, moving from fourth place last year to third place this year, with 47% of respondents ranking it a top risk.
High profile cyber attacks
A recent wave of high-profile cyber attacks targeting major UK businesses – including a cyber breach that affected systems at Heathrow Airport this weekend and attacks at retailers including M&S, the Co-Op and Harrods – has underscored the urgent need for stronger cyber resilience.
M&S has estimated losses of £300m in operating profits, while a cyber attack at the UK’s biggest carmaker Jaguar Land Rover forced it to shut its factories for weeks, triggering a ripple effect that had a devastating impact on smaller businesses throughout its supply chain. The automotive company, which has plants in Solihull, Wolverhampton and Merseyside, had been unable to make any cars this month.
Attacks powered by advances in AI
The Chartered IIA says the recent attacks raise serious questions about whether organisations are taking the threat as seriously as they should. Notably, the research also reveals that organisations are not only facing more frequent attacks, but these incidents are becoming increasingly severe, sophisticated and often powered by advances in artificial intelligence (AI).
Macroeconomic and geopolitical uncertainty ranked in joint fourth place for 2026, together with changes in laws and regulations. Chief internal auditors who took part in the research agreed that the threat permeated every other risk category, underscoring the interconnected and complex risk landscape organisations now face.
With geopolitical tensions on the rise, the UK’s National Cyber Security Centre (NCSC) has issued stark warnings about the “enduring and significant” threat to the UK’s critical infrastructure from hostile states such as China, Iran, North Korea and Russia.
This year’s Risk in Focus 2026 report was produced by the Chartered IIA in partnership with 13 other European Institutes of Internal Auditors and the European Confederation of Institutes of Internal Auditing (ECIIA).
The role of internal audit
The Chartered IIA is urging boards and senior management to harness the power, experience and expertise of their internal audit teams to independently assess and strengthen the effectiveness of their cyber controls and risk management. Where weaknesses are identified, internal audit can play a vital role in recommending improvements to protect businesses from these fast-evolving threats.
Anne Kiem OBE, Chief Executive of the Chartered IIA, says: “The recent wave of cyber attacks on major UK businesses is a stark reminder that cyber security must remain at the top of every board’s agenda.
“Internal audit is uniquely positioned to provide independent assurance for boards that cyber and digital controls are robust and effective, helping organisations to build resilience and protect their bottom lines.”
Ian Pay, ICAEW’s Head of Data Analytics and Tech, says: “That cyber security continues to top CIIA's risk rankings should be no surprise given the spate of headline-grabbing, highly disruptive incidents in recent months.”
Investment in cyber resilience
ICAEW's Evolution of Mid Tier Accountancy Firms research published earlier this year highlighted the value being placed on investment in cyber resilience and in accountants and internal auditors being aligned on the issue.
As attacks increasingly have far-reaching implications across entire supply chains, everyone must play their part in reducing the risk, Pay adds. “Individuals should take personal responsibility for their own cyber hygiene, and it is incumbent on organisations to provide regular training for their staff to spot potential incidents and have the systems and processes in place to minimise the impact of any cyber attack.”
The top 10 risks for Risk in Focus 2026:
- Cyber security and data security (81.80%)
- Human capital, diversity, talent management and retention (47.78%)
- Digital disruption, new technology and AI (47.33%)
- Change in laws and regulations (44.94%)
- Macroeconomic, social and geopolitical uncertainty (44.94%)
- Business continuity, operational resilience, crisis management and disasters response (38.91%)
- Market changes, competition and changing consumer behaviour (32.08%)
- Supply chain, outsourcing and 'nth' party risk (28.78%)
- Financial, liquidity and insolvency risks (26.96%)
- Climate change, biodiversity and environmental sustainability (22.53%)
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness month with a series of resources and a podcast addressing the latest issues and how to protect your business.