Polish companies are intensively expanding their digital security structures, but in parallel, their sense of resilience to threats is declining. KPMG data shows that in 2025, 56 per cent of companies already have dedicated cyber security departments. This is a marked increase compared to the previous year. At the same time, only four in ten leaders believe that their organisations are actually sufficiently protected.
“The Digital Business Transformation Monitor 2025” shows that the cyber security and risk index was 5.9 points this year – one more than in the previous survey. However, the better score does not translate into greater confidence among decision-makers. On the contrary: the percentage of companies claiming to have formalised procedures fell to 59 per cent, 13 points lower than a year earlier. The best performer in this area is the financial sector, where more than eight out of ten companies have formal processes in place and almost three quarters have specialised security teams.
At the same time, investment pressure is increasing. Compared to last year, the percentage of companies planning to increase spending on cyber security has risen by as much as 20 percentage points. Despite this, only 40 per cent of business leaders are confident that these measures will realistically translate into increased organisational resilience. This is a significant drop in confidence compared to 2024.
A second important source of knowledge about the condition of Polish companies is the “Cyber Security Barometer” report. It shows that as many as 83 per cent of organisations experienced at least one incident in 2024 – the lowest level of resilience since the survey began. Malware causing data leaks remains the most frequently recurring threat. The increase in the intensity of attacks was particularly felt by large companies, where more than half of those surveyed indicated an increased frequency of hacking attempts. In medium and small companies, this percentage was lower and remained between 38 and 40 per cent.
The development of artificial intelligence is also a source of concern. More than half of organisations believe that AI-based implementations will increase the risk of cyber attacks. The barriers cited mainly relate to security issues and a shortage of internal skills.
Juxtaposing the two reports, it is clear that Polish companies are at a transition point. On the one hand, they are expanding their structures, increasing expenditure and starting to treat cyber security as a strategic element, rather than just the domain of IT departments. On the other hand, they lack consistent procedures and confidence in their own solutions. The formalisation of processes is not keeping up with the pace of investment and the increasing number of incidents is undermining the sense of stability.
The future will tell whether this gap between structure and actual resilience will be bridged. October, celebrated as European Cyber Security Month, seems a good time for companies to reassess their approach to data protection and put in place more holistic strategies that encompass not only technology, but also procedures, organisational culture and risk management across the supply chain.
“The scale and complexity of cyber threats are growing faster than the digital competence of companies. Although the cyber security index has improved from previous years, it is still difficult to talk about the full maturity of organisations. Only 59% have formalised security management procedures in place, despite the rising number of incidents, increasingly sophisticated attacks, pressure from regulators and increased awareness among business leaders.
Cyber security is no longer solely the domain of IT departments. It is becoming a strategic discipline that must be embedded in organisational culture, investment decisions and day-to-day processes. The speed of technological change is forcing flexibility – not only in responding to incidents, but also in adapting strategies, integrating security with digital transformation and developing awareness among employees.
With increasingly complex IT ecosystems, increasing reliance on external suppliers and the expansion of AI-based solutions, traditional security approaches are no longer sufficient. Thinking holistically – taking into account the supply chain, the software lifecycle, as well as the human factor – is becoming crucial,” says Michał Kurek, Partner, Head of the Cyber Security Team at KPMG in Poland and Central and Eastern Europe.