Global firms are raising cybersecurity investments to counter growing threats
We’re seeing a shift across major industries. Cybersecurity is no longer an IT issue tucked away in some corner, it’s becoming a top-line strategic agenda item. Business leaders around the world are recognizing the reality: the risk doesn’t stop at firewalls or login credentials. It hits revenue, operations, and trust with your customers. That’s why more organizations, across different sectors, are planning to increase their cybersecurity spending heading into 2026. What’s driving this? Greater attack volume, growing sophistication in methods, and larger consequences when defenses fail.
This isn’t about adding another tool to your stack. It’s about expanding organizational resilience, adjusting how companies safeguard their data, systems, and reputations. There’s no “perfect” defense here, but there is a right direction. Whether you’re in finance, automotive, retail, or tech, this move to boost spending is a step toward building enduring capability, not just temporary protection.
Good security investments have to lead to fast action. Detection and response times need to be near real time. If it takes hours to spot a breach or days to trace its root, you’ve already lost valuable ground. That’s where strategic cybersecurity spending comes in, it’s not just about plugging gaps, it’s about speeding up your response capability and reducing potential downtime before it even happens.
The evidence is clear. According to a global survey conducted by Marsh, over 2,200 cybersecurity leaders across 20 countries, spanning North America, Europe, Asia-Pacific, and the Middle East, report that the majority of their organizations plan to increase cyber spending in the next two years.
The companies making these calls aren’t just reacting; they’re redesigning their approach to corporate risk. That’s what it takes. In a world where the threat doesn’t sleep, smart, scalable, and fast cyber strategy becomes not just a technical ambition, but a business imperative.
U.K. organizations are leading cybersecurity investments due to recent high-impact cyber incidents
In the U.K., the response to cyber threats has moved fast, and for good reason. Over the last year, British companies have faced a series of targeted attacks that exposed real and urgent weaknesses. These weren’t minor incidents. The attack on Jaguar Land Rover disrupted vehicle production for more than a month. Retail groups were hit by coordinated social engineering campaigns. These events pushed cybersecurity into executive conversations, boardrooms, and risk planning across industries.
That shift matters. What we’re seeing now is a market where decision-makers aren’t waiting for policy or regulation to catch up. They’re acting. According to Marsh’s global cybersecurity survey, about 75% of U.K. companies plan to increase their cybersecurity investments heading into 2026. That’s currently the highest percentage of any country in the survey. It’s a strong signal to other markets: adapting early has strategic advantages.
Security isn’t just a technical consideration here, it’s clearly tied to continuity. When core operations grind to a halt due to ransomware or coordinated system disruptions, the direct cost is high. But the indirect cost, losing customer trust, delaying product cycles, disrupting service, is higher. U.K. organizations, particularly those in critical infrastructure and consumer-facing sectors, have understood that better resilience means tighter coordination between business leaders and tech leaders.
Government pressure has been a factor as well. U.K. authorities have actively urged corporate leaders to elevate cyber resilience to a board-level issue. That’s already translating into policy shifts, executive accountability, and a greater emphasis on business continuity planning.
For C-level executives, this isn’t optional anymore. If your supply chain, customer records, or production systems are exposed, your ability to operate is compromised. U.K. companies got the wake-up call. Their rapid investment commitments show what it means to turn exposure into action, efficiently, strategically, and without delay.
Strengthening cybersecurity governance through enhanced vendor management and structured protocols is essential
Most organizations depend on third-party vendors for critical operations, from cloud services to payment systems to data storage. That dependency comes with exposure. Weak vendor oversight can become the entry point for breach events that ripple across the business. The solution isn’t just more technology, it’s stronger governance. You need structured policies and enforceable measures to control how vendors interact with your systems.
Basic cyber hygiene isn’t optional. That means conducting due diligence before onboarding vendors, regularly auditing collaborators, and defining clear offboarding protocols. If a service provider has access to sensitive systems, that access should match the company’s current operational need, no more, no less. When vendors are no longer active, their access should end immediately. Gaps here create vulnerabilities. Most Executive teams understand this at a high level, but what’s often missing is accountability at scale.
Contractual protections also matter. If data breaches originate from a third party, your exposure extends into legal and compliance territory fast. Structuring strong clauses around data handling, breach notification timelines, and liability ensures that partners share responsibility. It’s practical risk management, and more companies are beginning to view it as essential, not optional.
Payal Patel, Managing Director in Marsh’s Cyber Practice, made a clear recommendation to businesses: “Organizations need to create a framework to vet vendor security and audit their vendors frequently.” She also stressed the importance of “adhering to a robust governance framework, negotiating strong contractual protections, reviewing access control rights, and off-boarding vendors when they are no longer utilized.” These are actionable steps, not abstract principles. They close systemic gaps before adversaries can exploit them.
Cybersecurity is not decided solely by how sophisticated your software stack is. It’s tightly connected to how disciplined your processes are, especially when it comes to vendor ecosystems. Governance, visibility, and control need to improve in parallel with technical capability. For leadership, this means asking hard questions about supply chain access and internal accountability. What companies don’t see is often what puts them at the greatest risk. Fixing that takes clear structure, not guesswork.
There is significant regional disparity in cybersecurity confidence among professionals
Confidence in cybersecurity readiness varies widely by region, and that speaks volumes about the differences in infrastructure maturity, investment levels, and talent availability. According to Marsh’s global survey, 83% of cybersecurity professionals in the Middle East and Africa expressed confidence in their organization’s ability to manage cyber threats. In contrast, only 50% of respondents in the Asia-Pacific region shared that same level of confidence. For executive leadership teams managing global operations, these disparities should raise important strategic questions.
Some of this comes down to security culture and resource allocation. Regions that have integrated cybersecurity early and consistently across the organization, at leadership, technical, and operational levels, tend to show higher confidence. In the Middle East and Africa, security teams often report directly to executive leadership and operate with clearer mandates, enabling faster decisions and better response times. That structure, combined with new investments and regulation-driven standards, is yielding stronger confidence in readiness.
Asia-Pacific, despite being home to several major economies, still faces challenges across fragmented markets. Inconsistent legal frameworks, variable cyber awareness among business leaders, and underinvestment in advanced talent development contribute to the gap noted in the survey. Large variations in size and scale of enterprises across the region also impact standard adoption. Even high-tech economies in this region are struggling with shortages of skilled security personnel and leadership alignment on cyber risk.
From a decision-making standpoint, these gaps carry real implications. If part of your operation spans multiple continents, your weakest region can become your highest exposure. Ignoring that asymmetry won’t make the risk disappear. It only delays your recovery time when incidents hit.
Cyber confidence is not just a feeling, it reflects actual capacity. High-performing companies measure that confidence against metrics like response speed, policy enforcement, threat detection coverage, and incident recovery times. If a region is underperforming in those areas, it needs focus, funding, and leadership attention.
In today’s threat environment, regional imbalances are not acceptable margin for error. The right response is focused action, closing gaps, empowering teams, and leveling up defenses everywhere your business operates. That’s how sustained resilience is built.
Key executive takeaways
- Cybersecurity budgets are rising globally: Most firms plan to increase cyber investments by 2026 in response to rising attack complexity and risk to customer data and operations. Executives should prioritize cyber strategy alignment across business units to improve resilience.
- U.K. firms lead due to disruption-driven urgency: 75% of U.K. organizations are boosting cybersecurity spend following high-impact incidents, including attacks on Jaguar Land Rover and major retailers. Leaders should treat cyber resilience as a board-level priority tied directly to business continuity.
- Governance and vendor oversight are critical: Weak third-party security can expose entire systems. Executives should enforce strict vendor vetting, ongoing audits, and offboarding policies while formalizing governance frameworks to reduce systemic risk.
- Regional cyber readiness varies sharply: Confidence in cyber capabilities is 83% in the Middle East and Africa but drops to 50% in Asia-Pacific. Leaders managing global operations must assess and address these regional gaps to prevent weak links in enterprise-wide security.
