Cyber-enabled fraud is the top cybersecurity threat now

Cyber-enabled fraud has overtaken ransomware as the leading concern for CEOs. And rightly so. We’re not seeing fewer attacks, just smarter, more targeted ones. Fraud doesn’t always hit the headlines in the same way ransomware does, but it quietly causes more damage than you might expect. These attacks are simple by design but effective enough to bypass multiple layers of traditional defense. Executives are dealing with real financial losses, service disruptions, and reputational harm, all from basic phishing, business email compromise, and impersonation tactics.

The important shift here is psychological. Executives have seen these scams work too many times. It’s direct exposure. And that has changed how risk is perceived at the top of companies. While ransomware still causes concern, it’s cyber-enabled fraud that’s actively hurting businesses in both developed tech ecosystems and emerging markets.

What’s significant here is that many of these attacks don’t rely on sophisticated code. They exploit human weaknesses: misplaced trust, distraction, urgency. That makes them harder to fix with just more technology. The real solution is broader: blending frontline detection with smarter internal awareness and clearer leadership engagement. Executive teams need to stop thinking of fraud as a minor problem and start treating it as a core cybersecurity risk that hits the balance sheet directly.

According to the World Economic Forum’s 2026 cyber outlook, CEOs now rank cyber-enabled fraud as their number one security threat, moving it ahead of artificial intelligence vulnerabilities and outdated software systems. That shift happened fast. The prior year, fraud shared the spotlight with ransomware and supply-chain disruptions. So the direction of concern is clear.

Cyber-resilience levels directly impact threat prioritization

Not all organizations look at cyber risks the same way. And that makes sense. A company’s cyber-resilience (how well it prepares for, responds to, and recovers from a cyberattack) determines how its leaders view risk. What’s interesting is this: the more resilient the company, the more it worries about the future instead of just today. That’s a good sign.

Here’s what the World Economic Forum found: executives at highly resilient organizations put AI-related vulnerabilities at the top of their concern list. They’re also paying close attention to fraud and supply-chain risks. That means these companies have moved beyond basic defense. They’re thinking long-term, watching for the advanced threats tied to new technology, and adapting fast.

Compare that to organizations with low resilience. Their top concerns are still fraud and ransomware. That’s reactive thinking, fighting fires instead of building a fireproof system. It tells us something about how risk maturity works. If you’re still focused on patching software or recovering from the last hit, you’re not looking ahead to evolving threats. That’s a gap that needs closing, and fast.

For leadership teams, the takeaway is simple: invest in resilience. That means aligning IT, operations, strategy, and governance through a security-first approach. Resilience gives your organization space to think further ahead, to anticipate rather than just absorb. Executives who understand this aren’t just protecting systems; they’re creating long-term strategic advantage.

The WEF’s data confirms the difference. High-resilience companies see AI as a top concern. Low-resilience companies still rank ransomware and fraud higher. Resilience isn’t just about defense; it changes how leaders see the entire cybersecurity landscape.

AI vulnerabilities are now a primary security concern

Artificial intelligence is changing everything, from product development to operations, but it’s also expanding the surface area for cyberattacks. Executives are starting to see that every AI capability also opens up a new risk vector. This is no longer theoretical. AI systems are being implemented everywhere, and attackers are already exploiting the gaps.

According to the World Economic Forum, 30% of CEOs identified data leaks from AI systems as their top concern. These aren’t just accidental leaks. AI models can inadvertently expose sensitive data through outputs, logs, or misuse of training data. It’s a significant threat, especially in industries like finance, healthcare, or logistics, where data damage becomes a legal and reputational mess.

Right behind that were concerns about hackers getting smarter. About 28% of CEOs said evolving attacker techniques are pushing their teams to rethink AI risk faster than expected. And then there are the structural issues: 15% flagged flaws within the AI systems themselves. Most organizations don’t fully understand how their AI models behave in production. That’s a blind spot. Without control or explainability, it’s hard to detect if something malicious has slipped in or out.

What’s striking is how few, just 6%, mentioned the AI code supply chain, even as dependencies on third-party tools and plugins grow. This gap in attention matters. As AI tooling gets more modular and open, ignoring its origins or its dependencies opens up real attack paths.

Executives need to be more proactive here. AI should not be deployed without a clear audit trail, defined risk thresholds, and tested failure modes. AI is not plug-and-play, and misconfigurations or unchecked access can cause long-term issues. Leadership teams must treat AI security as a core business function, not just an IT responsibility.

Geopolitical shifts are reshaping cyber strategy

Global events don’t stay offline. They shape how cyberattacks are planned, launched, and evolve. That’s why executives are bringing geopolitical volatility into the center of their cybersecurity strategy conversations. They now see that threat actors aren’t just individuals or gangs; they’re increasingly state-backed, coordinated, and strategic.

The WEF report makes this shift clear: 66% of CEOs in 2026 said that geopolitical instability had directly influenced their cyber strategies. That’s down from 87% in 2024, but the threat hasn’t gone away; it’s just transforming. Organizations are no longer reacting only to headlines; they’re embedding geopolitical intelligence into daily operations and strategy.

One-third of companies are prioritizing threat intelligence specifically around nation-state actors. Another third are working more closely with governments and information-sharing groups. That’s essential. If a cyberattack is being planned at a state level, no single company has the footprint or visibility to take it on alone. Alignment with public agencies and multinational partners may not be optional anymore; it’s becoming table stakes for operating securely.

The top drivers behind this strategic shift? Nation-state attacks on infrastructure, intentional disinformation campaigns, and the merging of IT with operational technologies. Each of these brings a different type of pressure. Infrastructure attacks can knock businesses offline. Disinformation undermines trust. IT/OT convergence creates unique vulnerabilities with physical consequences. These aren’t far-off risks; they’re active problems.

For boards and executive teams, the message is direct: cybersecurity strategy can’t ignore global dynamics. Whether it’s tensions in specific regions, shifts in national cyber policies, or aggressive state-backed campaigns, the impact shows up, even for companies operating well outside the immediate conflict zones. The faster organizations build geopolitical awareness into their planning, the better positioned they’ll be to respond when the next incident hits.

Confidence in national cyber readiness is low and uneven

Top executives are starting to question if their countries are truly ready to defend against large-scale cyberattacks. Confidence has dropped. In many regions, it never existed to start with. The concern now is about critical infrastructure: energy grids, financial systems, supply chains. These are systems that don’t just impact one company, but entire economies.

The World Economic Forum’s latest figures show that only 37% of CEOs feel confident in their government’s ability to respond to major cyber incidents targeting critical infrastructure. That’s barely stronger than the 31% who said they have little or no confidence. The decline is visible when compared to the previous year: 42% were confident in 2025, with fewer (26%) expressing doubt. In other words, confidence is trending in the wrong direction.

This matters for a simple reason: if executive teams don’t believe the national response will hold, they must shift resources to fill the gap themselves. That changes how companies prioritize cyber insurance coverage, cross-border data protection, and public-private collaborations. And without faith in national backing, private-sector players bear more of the burden for containment and recovery.

The difference across regions is sharp. In the Middle East and North Africa, confidence is high: 84% of companies believe in their national cybersecurity readiness. In Latin America and the Caribbean, it’s just 13%. That gap reflects policy maturity, infrastructure investment, and public-sector experience in managing cyber risk.

The takeaway is clear. Cybersecurity can’t just be viewed as an internal operations issue. It must be positioned within a broader ecosystem, one that includes national government capability and international response coordination. Smart executives will assess these external dependencies as seriously as they assess their internal defenses.

Operational technology (OT) security is critically underdeveloped

Operational technology is exposed, and most organizations aren’t doing enough about it. While IT security has gained attention over the past two decades, OT has quietly expanded in scope without proportional protection. Today, that’s a problem. Factories, utilities, and transport systems all rely on OT. And most of it was never designed for modern cybersecurity threats.

According to the WEF research, only 32% of organizations monitor the security status of their OT assets. That means nearly 7 in 10 companies could be unaware of an active intrusion on physical systems. Even fewer, just 20%, have dedicated OT security teams. And only 16% report regularly to their boards on OT security issues. These numbers tell the story clearly: OT is being overlooked, not integrated into enterprise security postures.

For C-suite teams, this presents real operational risk. The systems running production lines, managing facilities, or guiding logistical operations don’t have conventional desktops or servers. But they can be hacked, and in many cases, with tools that don’t require advanced skill sets. The impact from a compromised OT system is different: it disrupts availability, damages assets, and slows down or halts core outputs. That translates directly into financial losses.

Most boardrooms are still under-informed on OT vulnerabilities. That needs to change. Executives should insist that OT security gets the same level of oversight as IT. This includes regular reporting, accountability tied to key stakeholders, and embedded security teams with domain-specific expertise. Underinvestment in OT isn’t just a blind spot; it’s a liability. And attackers are already aware of how to exploit it.

Closing the visibility gap in OT is not optional anymore. It’s a requirement if organizations plan to stay operational in a threat landscape that no longer distinguishes between digital and physical targets.

Executives support cyber regulations, despite regional complexity

Most executives today recognize the role that cybersecurity regulations play in raising standards inside their organizations. These rules aren’t just compliance checklists; they’re pressure mechanisms that force companies to improve how they handle risk. That’s a good thing. It drives awareness at the board level and gives CISOs more leverage internally to prioritize security across departments.

According to the World Economic Forum, nearly 60% of CEOs said that cyber regulations have helped raise security awareness across their companies. More than half went further, stating that these regulations directly contributed to stronger overall cybersecurity outcomes. That level of consensus isn’t common in executive circles. It tells us that regulation, when well-designed, is functioning as both a motivator and a framework.

Still, not all regions view regulation the same way. Support is lower in North America and Europe, regions with the most developed cybersecurity laws and oversight bodies. The reason is clear. Complex, overlapping rules can slow down implementation, create compliance challenges, and force legal teams to interpret ambiguous requirements. Even well-prepared organizations end up allocating more time to documentation than meaningful defense.

Yet the sentiment is not against regulation as a concept. It’s a call for intelligent design in regulation: security measures that scale with risk, simplify integration, and avoid unnecessary administrative buildup. Executives in high-regulation markets are asking for precision and coordination, not fewer rules.

The takeaway for leadership: don’t wait for regulatory compliance to drive your security agenda. Use it as a floor, not a ceiling. Regulations can prompt action, but strategic security leadership should go further. Stay ahead of baselines, simplify your internal controls, and ensure that your compliance team is supporting, not slowing down, your ability to move fast and stay secure.

Final thoughts

Cyber risk isn’t static. What matters most to executives today didn’t make the top of the list just a year ago. That shift tells us one thing: leadership needs to stay agile. The threats (fraud, AI vulnerabilities, geopolitical tension) aren’t surface-level issues. They strike at operational continuity, reputational strength, and long-term resilience.

High-performing organizations aren’t waiting to react. They’re moving now, investing in visibility, aligning IT and OT security, building resilience into their architecture, and treating regulatory complexity as a strategic input, not just compliance overhead.

For business leaders, the roadmap is clear. Prioritize cyber as a business enabler. Make room for security at the table where strategy happens. Get closer to your CISO. Don’t wait for an incident to expose what could have been prevented. Cyber risk isn’t an IT problem; it’s a boardroom responsibility with bottom-line impact.

The organizations that do this well won’t just stay secure. They’ll move faster, make smarter decisions, and remain in control while others scramble to catch up.

Alexander Procter

January 27, 2026
