A significant gap remains between cyber awareness and operational readiness among businesses, according to new research from global risk management partner LRQA.
The findings, published in LRQA’s 2026 Cyber Security Risk Outlook report, reveal that although organisations are increasingly prioritising cyber resilience, many still lack the testing, validation and supplier oversight needed to withstand modern cyber threats.
The research found that 72% of organisations report partial or full integration of cyber security into business operations, with 33% claiming full integration. However, despite this apparent progress, critical gaps remain in preparedness and execution. One in four organisations (25%) never conduct independent cyber assessments, while 31% of businesses with incident response plans have never tested them.
The survey gathered responses from 133 organisations operating across multiple sectors and regions, including financial services, transportation, technology, telecommunications and construction.
Chris Oakley, Business Director for LRQA’s cybersecurity division in the Americas, said:
“Proof has become the baseline; boards, insurers and regulators need evidence that controls hold up when tested. This research shows the gap. Most surveyed organisations have an incident response plan, but a third have never tested it. Meanwhile, 74% don’t formally assess their tier one suppliers. Those are gaps SEC disclosures and insurance renewals will find first.”
Supply Chain Risk Continues to Grow
The report identifies third-party and supply chain exposure as one of the most significant structural weaknesses facing organisations today.
Although 32% of organisations identify supply chain vulnerabilities as a leading cyber concern, 74% have no formal cyber risk assessments in place for Tier-1 suppliers. In addition, 30% impose no cyber security requirements on suppliers at all.
As businesses become increasingly reliant on interconnected digital ecosystems, cloud platforms, software providers and operational partners, LRQA warns that resilience must extend beyond the organisational perimeter.
The report suggests that supplier assurance, contractual cyber requirements and active validation of third-party practices will become increasingly important for reducing operational exposure.
Organisations Increasing Investment in Cyber Controls
The research also highlights growing concern around ransomware, AI-enabled attacks and cloud compromise, with many organisations strengthening investment in cyber resilience.
Half of surveyed organisations (50%) increased cyber budgets over the past 12 months. Common security measures now being implemented include:
- Multi-factor authentication — 56%
- Backup and recovery capability — 56%
- Security awareness training — 47%
Cyber Insurance Not a Replacement for Resilience
The report notes that cyber insurance is becoming an increasingly important factor in how organisations demonstrate resilience to insurers, customers and regulators.
Around 31% of organisations surveyed said they currently hold cyber insurance, while 46% do not. A further 23% either did not know or chose not to disclose their position.
However, LRQA warns that insurance alone cannot reduce cyber exposure.
Ben Turner, Business Director for LRQA’s cybersecurity division in the UK, said:
“Resilience is not a checklist – it’s the ability to prove that controls perform under pressure and that recovery is predictable, not hopeful. The market is clearly alert, engaged and investing with organisations increasingly aware of the cyber threat landscape and prioritising the right areas.
“However, the real differentiator will be execution. It’s not about whether controls exist, but how consistently they are applied, how rigorously they are tested and how confidently organisations can evidence resilience under scrutiny.”
Transportation Sector Facing Rising Pressure
The report also highlights growing cyber resilience challenges within the transportation sector, where operational continuity is critical.
While 33% of transportation organisations report established cyber strategies, only 25% claim advanced or optimised approaches. Incident exposure is comparatively high, with 33% reporting a cyber incident within the last 12 months, yet only 42% conduct annual third-party testing.
As operational technology and supplier connectivity continue to expand across mobility, logistics and infrastructure networks, LRQA says organisations must strengthen assurance frameworks alongside digital transformation initiatives.
For more information or to access the full report, visit LRQA.