Are Businesses Overestimating their Cyber Resilience?
Because cyber crime is so lucrative, cyber threats have been climbing at an alarming pace, and with AI in the mix there is no sign of that slowing down.
Despite this reality and the near-universal recognition of the destructive nature of cyber risks, many organisations are struggling to align strategy with execution.
Supporting this is a new global study from Kroll, which highlights that while 94% of businesses identify cybersecurity as a critical business risk, 72% report frequent misalignment between cyber initiatives and broader corporate priorities.
“Board-level executives are often shocked by how one vulnerability or compromised system can cascade into a company-wide business interruption,” says Tiernan Connolly, Managing Director of Cyber Risk, Security Advisory at Kroll.
“They may understand the risk intellectually, but it rarely resonates operationally until they experience the impact firsthand.
“Until an actual incident forces that awareness, cyber budget line items tend to be treated as checking a box rather than being a strategic priority to protect, restore and maximise business value.
“Understanding business interruption as a core consequence and directly linking it back to proactive controls is how CISOs and security teams avoid reaching that costly breaking point.”
The terrible cost of misplaced priorities
Ground reality shows that the cost of this disconnect is tangible.
Businesses face an average annual loss of US$2.2m from downtime and recovery after cyber incidents.
The study suggests that the gap is largely driven by differing priorities between the C-suite and the teams tasked with day-to-day cyber defence.
Cybersecurity budgets are rising overall, with 80% of organisations reporting increased spending in 2026. Often it is the allocation that misses the mark.
The technology protecting the most targeted vectors – people, credentials and internal processes – does not receive the bulk of this growing investment.
Data shows that 59% of firms plan to invest more in cloud and third-party security. Yet the most common threats such as phishing (experienced by 39%) and business email compromise (28%) slip down in priority.
Nearly half of respondents (48%) indicate that the CEO makes the final cyber budget decision, yet 43% acknowledge a limited understanding of cybersecurity among executives.
Alarmingly, many essential security measures are being deprioritised. Red and purple teaming exercises, identity access management (IAM) controls and zero-trust architecture are either not receiving further funding or are being cut.
Overestimation of cyber resilience
The report reveals a worrying overestimation of resilience.
Nearly all organisations (99%) maintain incident response plans, but only a tiny fraction (3%) actively update those plans after a cyber incident, leaving these critical documents as static plans rather than actionable tools.
Among those surveyed, only 10% of organisations have reached “very high” cyber maturity. That is not to say these enterprises are fully safe – far from it. But organisations with higher maturity experience 50% less financial impact per revenue dollar during an attack.
Differences in risk tolerance and inconsistent threat prioritisation further exacerbate the problem.
While 72% of organisations believe they can respond to incidents within 1-24 hours, independent research from CrowdStrike shows attackers can establish a foothold in just 29 minutes.
By the time many companies react, malicious actors have often already moved laterally across networks.
“In today's increasingly turbulent threat landscape, organisations face compounding cyber pressures, from more sophisticated threat actors to widening supply chain vulnerabilities,” says Dave Burg, Global Group Head of Cyber and Data Resilience at Kroll.
“That pressure is amplified by geopolitical activity, such as the situation in the Middle East.
“Strategic decisions and execution realities can shift without warning. In an environment defined by uncertainty, businesses need to adapt quickly and confidently, even as the risk picture evolves in real time.”
The findings make one thing clear: cyber resilience is inseparable from overall business resilience.
“Cyber resilience and security aren’t simply technology challenges; they are fundamental to overall business resilience. Too often, cyber leaders are pulled between the drive to innovate and a hard truth: basic cyber hygiene failures remain the most common point of entry,” Kroll notes.
Many companies are heavily investing in advanced tools and threat intelligence while underfunding identity management, incident response readiness and effective threat prioritisation.
Closing these gaps allows organisations to better align strategy with execution, direct investment where it counts and deliver consistent protection against increasingly sophisticated threats.