Organizations are investing more in cyber resilience and seem to have a lot of confidence in their strategy. However, their preparedness for disruptive external threats leaves much to be desired.

This is outlined by Zscaler in a new study. Nine out of ten organizations have increased their investments in cyber resilience over the past year. Yet 61 percent of organizations still consider their strategies to be too perimeter-focused. Zscaler notes that this internal focus makes companies vulnerable to external disruptive events, such as cyber incidents, supply chain attacks, and geopolitical uncertainty. More than half even expect a major disruption by an external party within twelve months, while outdated infrastructure and emerging technologies such as AI and quantum computing are increasing uncertainty.

“Disruptions today extend far beyond the walls of one’s own organization,” said Brian Marvin, SVP EMEA at Zscaler. “True resilience must extend to all layers of the ecosystem, including partners, platforms, and supply chains.” A “resilient by design” approach can help organizations withstand breaches or inevitable failure.

External risks are increasing

Sixty percent of companies have already experienced a major disruption within their organization in the past year. Despite these figures, less than half have taken steps to update their resilience strategies. Only 34 percent consider their current measures highly effective against supply chain volatility. Across the EMEA region, that confidence drops further to 30 percent. Zscaler sees Zero Trust as the answer, because it allows all connections to be secured (including external ones). By applying least privilege access rights, a company can make significant progress by minimizing permissions for users and accounts. This prevents malicious actors from spreading further into the network.

Outdated infrastructure is a major obstacle. 81 percent of the organizations still rely on outdated systems (firewalls, VPNs, and perimeter-based security models). A majority says that their current IT architecture limits their ability to respond effectively to breaches, malfunctions, and defects.

AI and quantum technology increase uncertainty

52 percent of the IT leaders acknowledge that their existing security systems are not equipped to deal with advanced threats. The rapid adoption of agentic AI does nothing to alleviate these concerns. Exactly half of the organizations implementing or testing this technology lack robust governance frameworks for it.

Meanwhile, 63 percent of the Dutch, 54 percent of the Swedish, 51 percent of the German, and 43 percent in the UK & Ireland fear the exposure of sensitive data through public AI apps. These figures are close to the same for each country when looked at not having insight into the use of shadow AI, further showing a gap. Zscaler previously introduced an AI security suite to protect AI applications through prompt and data classification across more than 200 sensitive categories.

Post-quantum cryptography remains underexposed. 57 percent of the organizations have not yet included this in their security strategy. Yet a majority recognizes that data stolen today could pose a risk in three to five years when quantum computers can decrypt it.

Sovereignty policy drives change

Dependence on non-European technology has sparked discussions about sovereignty policy. The IT leaders are actively working to mitigate this risk. 79 percent are evaluating their dependence on foreign technology, while 60 percent have updated their cybersecurity strategy in the past year to comply with new or changing sovereignty requirements. Last year, 44 percent updated their cybersecurity in response to regulations such as NIS2, DORA, and GDPR.

“While it is understandable that organizations are reluctant to invest in digital transformation in this geopolitical climate, this could cause laggards to fall behind,” says James Tucker, Head of EMEA CISOs in Residence at Zscaler. In his view, forward-thinking organizations are opting for distributed models with localization at their core.

Three actions for ‘resilient by design’

The report outlines three actions to effectively counter external threats. First, organizations must prioritize visibility. A Zero Trust platform provides end-to-end visibility across the entire risk surface, including partners and supply chains.

Second, a platform approach with Zero Trust security principles based on least-privilege access rights helps. This allows organizations to quickly adapt their market strategies or data flows to changing circumstances. Finally, a future-proof Zero Trust architecture makes it possible to immediately adapt security strategies when new threats arise, without radical innovations with new tools.