AI creates new cyber risks. It can help resolve them, too.
What: AI-powered attacks have become the primary concern for CISOs, with 80% citing them as their top threat while companies struggle to implement adequate protection measures.
Why it is important: As AI-enabled threats evolve from theoretical risks to operational realities, organisations must fundamentally rethink their cybersecurity strategies while balancing innovation with protection, particularly as only 30% have implemented specific AI security measures.
BCG's comprehensive survey of CISOs reveals a dramatic shift in cybersecurity concerns, with AI-powered attacks rising from fifth place to become the dominant threat, marking a 19-point increase over the previous year. Social engineering emerges as the most significant AI-enabled threat, with 62% of respondents identifying it as a major or critical concern. Despite this growing threat landscape, implementation of protective measures lags behind, with only 30% of organisations having deployed or tested cyber solutions specifically designed to protect AI-related systems. Companies are responding by increasing investments in cyber awareness training and threat intelligence, with most preferring to adopt AI-driven security features from existing vendors rather than new providers. The survey indicates a projected 10% growth in cybersecurity budgets, remaining resilient despite broader IT spending pressures, as organisations prioritise protection against evolving AI threats while balancing cost considerations with security needs.
IADS Notes: The BCG report's findings on AI security challenges align with significant developments in retail cybersecurity throughout 2025. The report's identification of AI-powered attacks as the top CISO concern mirrors the retail sector's experience, where ransomware accounts for 30% of security incidents with average losses of £1.4 million per attack as of April 2025. The urgency of this threat was dramatically demonstrated in June 2025 when major luxury retailers including Cartier, The North Face, and Adidas faced sophisticated AI-powered attacks. The report's emphasis on vendor consolidation proves particularly relevant given that 41% of retail breaches occur through third-party vulnerabilities, as evidenced by the May 2025 Co-op breach affecting 20 million customers. Implementation challenges remain significant, with only 2% of businesses achieving comprehensive cyber resilience measures by June 2025. Social engineering threats, highlighted in the report as a critical concern, were demonstrated by the Scattered Spider group's devastating attack on M&S, which wiped £700 million off their market value.