Cybersecurity biggest risk for 2026 as businesses reel from wave of major attacks
Annual poll of chief internal auditors reveals cybersecurity remains the number one risk, with digital threats intensifying following attacks on M&S, the Co-Op, Harrods, The North Face and Jaguar Land Rover
A new survey of nearly 900 chief internal auditors across the UK and Europe has found that cybersecurity and data security has been ranked the top risk facing organisations, with more than eight in ten respondents identifying it as a leading threat. The findings are published in this year’s Risk in Focus 2026 report, produced by the Chartered Institute of Internal Auditors in partnership with thirteen other European Institutes of Internal Auditors and the European Confederation of Institutes of Internal Auditing (ECIIA).
This warning comes amid a wave of high-profile cyberattacks targeting major UK businesses, underscoring the urgent need for stronger cyber resilience. At the same time, with geopolitical tensions on the rise, the UK’s National Cyber Security Centre (NCSC) has issued stark warnings about the “enduring and significant” threat to the UK’s critical infrastructure from hostile states such as China, Iran, North Korea and Russia.
Top findings:
Cybersecurity and data security was ranked as a top five risk by over 80% of respondents. It is also the risk area that internal audit teams are spending the most time and effort auditing.
Human capital, diversity and talent management retained its position as the 2nd largest threat to organisations in 2026 – with almost half (48%) ranking it a top five risk. Fears of deskilling because of AI, and an inability to attract and retain the right skills to combat evolving threats, were major concerns.
Digital disruption, new technology, and AI continued to be one of the fastest-growing risks, moving from 4th place last year to 3rd place this year, with 47% ranking it a top risk.
Macroeconomic and geopolitical uncertainty was in joint 4th place for 2026, together with changes in laws and regulations. Chief internal auditors who took part in the research agreed that the threat permeated every other risk category, underscoring the interconnected and complex risk landscape organisations now face.
Cyber Threats Rising Amid High-Profile Attacks
The dominance of cybersecurity as the biggest risk comes as no surprise, given the recent spate of attacks that have disrupted operations, compromised customer data, and damaged the reputations of some of the UK’s most recognisable brands. These incidents are having a real and measurable impact on profitability and long-term sustainability. For example, M&S has estimated losses of £300m in operating profits, while Jaguar Land Rover has been forced to shut its factories for weeks, triggering a ripple effect that had a devastating impact on smaller businesses throughout its supply chain.
Although chief internal auditors participating in Risk in Focus 2026 indicated that cybersecurity is the risk area where they spend the most time and effort auditing, the recent attacks raise serious questions about whether organisations are taking the threat as seriously as they should. Notably, the research also reveals that organisations are not only facing more frequent attacks, but these incidents are becoming increasingly severe, sophisticated, and often powered by advances in AI.
Internal Audit: A Critical Partner Against Fast-Evolving Threats
The Chartered Institute of Internal Auditors is urging boards and senior management to harness the power, experience and expertise of their internal audit teams to independently assess and strengthen the effectiveness of their cyber controls and risk management. Where weaknesses are identified, internal audit can play a vital role in recommending improvements to protect businesses from these fast-evolving threats. This reflects the principles set out in the Cyber Governance Code of Practice, published in April 2025, which advises boards to ‘gain assurance that cyber security considerations are integrated and consistent with existing internal and external audit and assurance mechanisms’.

Anne Kiem OBE, chief executive of the Chartered Institute of Internal Auditors, said: “The recent wave of cyberattacks on major UK businesses is a stark reminder that cybersecurity must remain at the top of every board’s agenda. Our Risk in Focus 2026 research shows that chief internal auditors are acutely aware of the escalating threat landscape, particularly as AI and digital disruption accelerate. Internal audit is uniquely positioned to provide independent assurance for boards that cyber and digital controls are robust and effective, helping organisations to build resilience and protect their bottom lines.”
The survey included the views of chief internal auditors from fifteen European countries, including Austria, Belgium, France, Germany, Greece, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Norway, Spain, Sweden, Switzerland and the UK.

