WP_Post Object
(
[ID] => 135988
[post_author] => 34
[post_date] => 2025-12-12 09:00:03
[post_date_gmt] => 2025-12-12 09:00:03
[post_content] => IO’s latest State of Information Security Report highlights an industry that is both indispensable to the digital economy and uniquely exposed to risk. IT providers and MSP organisations sit at the heart of interconnected supply chains, manage complex customer environments, and are adopting emerging technologies at speed. This year’s findings reveal how those pressures are reshaping their security priorities, and why many are reassessing how they structure governance, compliance and resilience.
Our respondents included senior cyber leaders across the UK and the US. Their insights uncover the most pressing threats facing the sector today, the operational challenges shaping day-to-day security work, and the strategic direction organisations are taking to strengthen resilience.
Below, we unpack 11 key statistics every IT and MSP leader should understand from this year’s Report.
Key Information Security Statistics for the IT & MSP Sector
Governance & Strategy
- 50% say senior leadership still treats information security compliance as an afterthought.
- 67% say the speed and volume of regulatory change is making it increasingly difficult to stay compliant.
Skills, Capacity & Operational Pressure
- 42% cite the information security skills gap as a top challenge.
- 34% report burnout within infosec and compliance teams due to increasing workload.
- 41% say tasks are being replaced by AI without the right human oversight to ensure compliance.
Fragmentation & Process Challenges
- 38% struggle with tech sprawl, and 24% say siloed security efforts are a key issue.
- 44% say shadow IT is now the most common employee security mistake.
Compliance Execution & Outcomes
- Only 35% feel fully equipped to manage compliance with GDPR, NIS 2 and DORA in-house.
- 74% of organisations received at least one regulatory fine in the last 12 months.
- Improved quality of business decisions (46%) and customer retention (44%) are the top ROIs from information security compliance.
Business Risk & Impact
- 66% were impacted by third-party incidents, with consequences ranging from financial loss (36%) to operational disruption (34%) and regulatory scrutiny (33%).
Third-Party and Supply Chain Security
Few sectors feel the ripple effects of supply chain compromise as sharply as IT and MSP organisations, especially those embedded directly into their clients’ infrastructure. The finding that 66% experienced a security incident originating from a third-party or supplier underscores just how interdependent the ecosystem has become. These incidents rarely stay contained: respondents reported financial losses, scrutiny from regulators, operational disruption and customer-facing outages as a result of supplier failures.
This growing dependency explains why 80% strengthened their third-party risk management over the past year. For many, the shift is from reactive due diligence to a more continuous, evidence-based approach: monitoring, validating and documenting partner controls on an ongoing basis. The businesses most at risk are those relying on fragmented processes or inconsistent governance, precisely where structured, repeatable compliance practices make a measurable difference.
The Changing Threat Landscape
While familiar threats still dominate security workloads, the sector is seeing a sharp rise in AI-enabled and AI-targeted attacks. The standout statistic is that 41% report AI replacing tasks without sufficient human oversight, which, when combined with 27% experiencing data poisoning, illustrates how quickly organisations can lose visibility of process integrity when emerging technologies outpace governance.
At the same time, incident data remains stubbornly high across the board:
- 32% experienced data breaches
- 29% were hit by cloud breaches
- 31% reported malware infections
- 22% experienced insider threats
Layered on top of this is the continued rise in social engineering, manipulation of authentication systems and multi-vector attacks that blend technical and human deception. For IT and MSP environments, where a single set of credentials may unlock access to multiple customer networks, even small lapses can have far-reaching consequences, a risk intensified when shadow IT (reported by 44%) becomes part of everyday workflows.
Skills, Burnout and Operational Overload
The Report also reveals a sector wrestling with resource constraints and structural capacity challenges. The 42% who cite the cybersecurity skills gap represent an industry where demand for expertise outpaces supply, particularly in areas like cloud security, AI security and compliance.
Yet it’s not only about skills. The 34% reporting burnout within their infosec and compliance teams reflects rising expectations without a corresponding increase in headcount, tooling or budget. Many respondents described workloads that have expanded alongside new technologies, new regulations and greater upstream/downstream dependencies.
This pressure is intensified by tech sprawl, cited by 38% as a major challenge, and siloed teams (24%), which create duplicated effort, inconsistent processes and greater reliance on individual heroics. As security teams juggle multiple tools, overlapping dashboards and unconnected workflows, it becomes harder to maintain a single source of truth, ensure consistent evidence trails, and keep governance practices aligned.
Regulatory Pressure and Compliance Complexity
Regulation is evolving faster than many organisations can adapt. This year, 67% said the speed and volume of regulatory change makes compliance difficult, a significant indicator of how quickly requirements around data protection, AI governance, operational resilience and supply chain security are expanding.
The data also shows that organisations are not equally prepared. Only 35% feel fully able to manage GDPR, NIS 2 and DORA compliance in-house. The majority require external support, struggle with limited expertise, or lack the necessary time and board backing to stay ahead of obligations.
This capability gap is reflected in outcomes: 74% of organisations received at least one regulatory fine in the last 12 months, including substantial penalties for breaches, data loss and inadequate controls.
What emerges from the data is a picture of organisations trying to comply, but often doing so through manual, inconsistent or siloed approaches that are difficult to scale.
However, the data also shows that when organisations get compliance right, the benefits are substantial. Respondents identified improved quality of business decisions (46%) and customer retention (44%) as the top returns on strong information security compliance. This underscores a shift in how IT and MSP leaders view governance: not as an obligation, but as a strategic advantage when executed consistently.
Employee Behaviour and Internal Risks
Security culture remains a significant challenge. Shadow IT is the most commonly reported employee mistake (44%), closely followed by unapproved use of generative AI tools (38%) and insecure device or network practices.
These behaviours point to a wider issue: when processes aren’t clear, consistent or embedded into everyday workflows, employees fill the gaps with tools and methods that introduce new risk. This is especially risky in IT and MSP settings where staff often have privileged access to customer systems or sensitive data.
The challenge, then, isn’t simply training; it’s equipping teams with frictionless, well-structured processes that make the secure way the easy way.
Leadership and Strategic Direction
One of the more encouraging findings from the Report is that 87% say their organisation has a clear, well-communicated security strategy, and 88% believe every business should have someone responsible for information security at board level. This shift towards executive engagement suggests a maturing understanding of cyber risk as a strategic issue, not merely a technical one.
However, this progress sits alongside the finding that 50% still feel senior leadership treats compliance as an afterthought, revealing a notable gap between strategic intent and day-to-day prioritisation.
For organisations already constrained by skills shortages, operational risks and regulatory demand, this misalignment can have real consequences. Leadership signals what “good” looks like, and without consistent signals, teams are left to fill the gaps.
Staying Ahead Through Structured Resilience
The IT and MSP sector is navigating an environment where risks are multiplying, expectations are increasing, and internal capacity is under strain. Yet the direction of travel is clear: organisations are investing in resilience, strengthening supply chain oversight, and placing more emphasis on strategic governance and leadership alignment.
The challenges highlighted in the Report, from tech sprawl to skills shortages, from shadow IT to regulatory fines, are not isolated issues. They are indicators of an ecosystem that has outgrown manual processes and fragmented tooling. The organisations best positioned for the next 12 months will be those that adopt integrated, repeatable, organisation-wide systems that support consistency across people, processes and technology.
By embedding strong, organisation-wide approaches to information security and compliance, businesses can reduce risk, strengthen customer trust and create a more stable foundation for innovation in an increasingly unpredictable landscape.
Read the full State Of Information Security Report here.
[post_title] => State of Information Security Report: 11 Key Statistics and Trends for the IT and MSP Industry
[post_excerpt] =>
[post_status] => publish
[comment_status] => closed
[ping_status] => open
[post_password] =>
[post_name] => state-of-information-security-report-11-key-statistics-and-trends-for-the-it-and-msp-industry
[to_ping] =>
[pinged] =>
[post_modified] => 2025-12-11 11:36:49
[post_modified_gmt] => 2025-12-11 11:36:49
[post_content_filtered] =>
[post_parent] => 0
[guid] => https://www.isms.online/?p=135988
[menu_order] => 0
[post_type] => post
[post_mime_type] =>
[comment_count] => 0
[filter] => raw
)