IT Brief UK - Technology news for CIOs & IT decision-makers
UK firms lag on AI cyber defences, Wavestone warns

Wed, 3rd Jun 2026

Large organisations are improving their cyber security only slowly, while AI-related defences remain limited, according to Wavestone. The consultancy said the UK is now experiencing four nationally significant cyber attacks each week.

Its seventh annual Cyber Benchmark assessed more than 200 large organisations, representing nearly 7 million employees, against the NIST CSF v2.0 and ISO 27001 standards. Across the group, average cyber security maturity reached 55.3%, up 1.3 points from the previous year.

The findings show a sharp gap between AI governance and practical protection. While 76% of large organisations said they have a dedicated AI security policy, only 10% have put defences in place against AI-specific attacks such as prompt injection.

The disparity comes as companies face a shifting threat landscape, with attackers using AI tools to automate phishing and refine attack methods. Dedicated AI response teams remain uncommon, though Wavestone identified their emergence as an early trend among larger organisations.

Regulated sectors

The benchmark shows regulated industries ahead of the wider market. Financial services recorded cyber security maturity of 67.6%, up 5.1 points, which Wavestone linked to regulation, including DORA, and continued spending.

By contrast, non-regulated sectors showed no significant improvement. The gap between regulated and non-regulated organisations widened to 8.8 points, up 2.1 points from the previous year.

The data suggests regulation is helping to raise standards, but not uniformly across the economy. That uneven progress may deepen concerns for policymakers and company boards as reporting requirements and resilience expectations expand.

Compliance gap

The survey also found that none of the organisations assessed could yet fully and sustainably meet the requirements of the EU's NIS 2 cyber security directive. Large organisations averaged 60% maturity against those requirements.

The shortfall is notable in the context of the UK's Cyber Security and Resilience Bill, now at Report Stage in the House of Commons. The benchmark indicates that many organisations still face a substantial gap between current practice and the level of readiness expected under tougher resilience rules.

Overall progress appears to be slowing. Although the average maturity score rose, the annual increase was modest, suggesting many large organisations are struggling to keep pace with a threat environment evolving faster than internal controls and operating models.

For businesses, the findings point to a broader problem than technology spending alone. Policies are being written and governance structures are taking shape, but controls for new AI-related risks remain at an early stage of implementation.

That leaves organisations exposed in an area where attackers may move faster than defenders. Prompt injection and other AI-specific attack methods remain relatively new concerns for many corporate security teams, particularly those still focused on more established threats such as phishing, ransomware and supply-chain compromise.

Florian Pouchet, Partner and Head of Cybersecurity and Operational Resilience at Wavestone, said: "The threat environment is changing faster than most organisations can adapt. Geopolitical tensions and AI-powered attacks are intensifying precisely as regulatory pressure mounts. What the benchmark tells us is that the market knows this. The next step is to accelerate security measures."