Companies Prepare for “Black Swan” Cyber Risks: Loss of Cloud Services, Blackouts, and Hybrid Warfare Enter Corporate Risk Scenarios

Geopolitics pushes cybersecurity to the center of corporate strategy

Geopolitical tensions are increasingly shaping companies’ technology strategies and their approach to building cyber resilience. Faced with a rapidly changing global security environment, businesses are now analyzing risks that only a few years ago were considered extreme scenarios.

According to the latest edition of the “Cybersecurity Barometer 2026. Cyber Resilience in an Era of Change” report by KPMG in Poland, 37% of companies consider the potential loss of a key cloud provider, 36% take into account the risk of prolonged power outages, and 26% include hybrid warfare and sabotage in their risk scenarios. Despite this growing awareness, the scale of preparations still fails to keep pace with the evolving security landscape, where digital infrastructure is increasingly becoming one of the first targets of destabilization.

The report also highlights a doubling in the number of organizations with a dedicated Chief Information Security Officer (CISO). However, the most frequently cited barrier to building effective cybersecurity has shifted to insufficient engagement from top management.


Growing complexity of cyber incidents

The increasing complexity of cybersecurity incidents, their connection with geopolitical instability, and the rapid evolution of technologies used both in cyberattacks and defensive tools are prompting companies to reassess the adequacy of their current security solutions.

Most of the mechanisms declared by respondents for ensuring cyber resilience focus on organizational and process-oriented measures. Nearly 46% of companies report implementing supply chain security management programs, including supplier audits. Meanwhile, 35% are preparing comprehensive business continuity plans (BCP), and 30% conduct regular cybersecurity and business continuity risk analyses.

The range of threat scenarios included in these risk assessments illustrates the extent to which organizations are preparing for systemic and long-lasting disruptions. The most commonly cited scenarios include the loss of a key cloud service provider (37%) and prolonged electricity outages (36%). Additionally, 29% of surveyed companies consider the risk of extended internet outages.

At the same time, one in four respondents (26%) already considers hybrid warfare and sabotage as part of their threat landscape. Other scenarios included in corporate risk analyses involve failures in the technological supply chain, such as infected software updates (23%), large-scale ransomware attacks (21%), and even the possibility of a full-scale armed conflict, which 16% of respondents consider a realistic risk.

The unstable geopolitical situation is forcing Polish companies to update their security strategies. Full-scale war scenarios are now appearing in risk analyses, and one in four organizations is preparing for threats related to hybrid warfare and sabotage. The simultaneous loss of all data processing centers due to sabotage is becoming a plausible scenario.

“As a result, we are observing accelerated adoption of public cloud solutions, including for security purposes,” said Michał Kurek, Partner and Head of the Cybersecurity Advisory Team at KPMG in Poland and Central and Eastern Europe.


Cybersecurity increasingly moves beyond IT departments

The findings of the KPMG report confirm the ongoing professionalization and specialization of information security management within Polish enterprises. Although cybersecurity responsibilities are still most often assigned to the Chief Information Officer (CIO) or other IT department representatives, the share of such responses has declined to 36%, compared with 47% in 2023.

At the same time, more than one quarter of companies now have a dedicated Chief Information Security Officer (CISO), which represents a doubling compared with last year’s results. The number of organizations that have not assigned responsibility for cybersecurity at all has dropped dramatically—from 11% to just 2%.

Perceptions of the main barriers to cybersecurity development have also changed. The most significant challenge is now a lack of support from top management, cited by 29% of respondents. This is followed by difficulties in recruiting and retaining qualified personnel and limited business engagement in cybersecurity initiatives, each indicated by 26% of companies.


Phishing and independent hackers remain the leading threats

According to the survey, the most significant threat to companies comes from individual hackers, cited by 46% of respondents. Cyberterrorists rank second, with 35%, followed by hacktivists, mentioned by 24% of participants.

In this year’s edition of the study, phishing once again emerged as the cyber threat generating the most serious operational risk, surpassing attacks exploiting application vulnerabilities and data theft by employees.

The record share of companies affected by security incidents is not accidental. Organizations are entering an era in which artificial intelligence fundamentally transforms the nature of cyberattacks.

“We are already observing phishing campaigns that use language models to generate personalized, grammatically flawless messages capable of bypassing traditional filters. Deepfake audio and video technologies enable increasingly convincing social engineering attacks, while automation allows criminals to conduct thousands of targeted attacks simultaneously,” explained Michał Kurek.

“In the coming years, the complexity of cyberattacks will grow exponentially. AI will learn to identify vulnerabilities faster than security teams can patch them, making attacks more adaptive and intelligent. The key question is whether organizations will manage to build cyber resilience at a pace matching the evolution of threats.”


Declining perceived maturity of cybersecurity protections

Survey respondents assessed the maturity of their cybersecurity protections lower than the previous year in 11 out of the 14 analyzed categories. For the second consecutive year, none of the surveyed organizations declared full maturity across all cybersecurity areas.

Only 3% of companies considered their cybersecurity protections fully mature in most evaluated categories.

The highest ratings were given to incident response capabilities, while the only category showing absolute year-on-year improvement was identity and access management.

At the same time, only one third of companies believe their cyber resilience level is adequate for the current threat landscape, while 58% acknowledge the need for improvements in selected areas.


Cybersecurity investment priorities for 2026

In 2026, companies plan to focus their cybersecurity budgets primarily on malware protection, employee awareness programs, and internal network security. There has also been a noticeable increase in investments in business partner security management, reflecting growing regulatory pressure.

As many as 94% of organizations outsource at least one cybersecurity function, although most do so selectively. More than half of companies (51%) entrust external providers with only a single, specific cybersecurity area.

The implementation of the NIS2 Directive and the ongoing adoption of the AI Act create new challenges for companies but also offer an opportunity to organize and strengthen the foundations of cybersecurity.

“As the study shows, the biggest barrier is no longer a lack of budget or technology, but insufficient support from top management and limited business engagement. This clearly indicates that cybersecurity must cease to be solely the domain of IT departments and become a strategic priority for the entire organization,” said Marcin Kieszkowski, Director in the Cybersecurity Advisory Team at KPMG in Poland.


About the report

The report “Cybersecurity Barometer 2026. Cyber Resilience in an Era of Change” was prepared by KPMG in Poland based on a CATI survey conducted in December 2025 among 100 individuals responsible for IT security in organizations operating in Poland.

The sample included small enterprises (30%), medium-sized companies (50%), and large organizations (20%), representing 16 different industries.

Source: CEO.com.pl / KPMG Cybersecurity Barometer 2026.
