Despite a projected 15% rise in cybersecurity budgets for 2025, three out of four companies still lack full visibility into their IT assets, and half have no disaster recovery plan in place. New data from CYE reveals that poor password practices, unpatched systems, and unmonitored third-party risks continue to leave organizations exposed, even as they spend more than ever on cyber defense.
Visibility Without Control
CYE’s 2025 Cybersecurity Maturity Report, based on data from 17 countries and 15 industries, highlights a troubling trend – rising spend isn’t translating into a stronger security posture. A staggering 75% of companies admit they don’t have a clear inventory of their IT assets, a basic requirement for identifying and mitigating threats. Meanwhile, foundational issues like weak password protocols and outdated software remain widespread, despite their known link to most breach incidents.
Geography appears to matter as much as governance. Countries with cohesive national strategies, including Japan and Norway, significantly outperformed peers such as the U.S. and U.K. in terms of cyber readiness. CYE’s leadership warns against chasing advanced tools without first shoring up basic cyber hygiene. “Resilience starts by mapping your attack surface and shoring up the foundations before chasing advanced tools,” said Dr. Nimrod Partush, VP of Data & Innovation at CYE.
Third-Party Risk: The Persistent Weak Spot
Vendor-related exposure is another area where strategic gaps persist. Verizon’s 2025 Data Breach Investigations Report found that 30% of breaches this year involved a third party, yet many companies still operate without formalized supplier risk protocols. As digital ecosystems grow more complex, the lack of visibility and oversight at the edges becomes increasingly dangerous.
CYE’s findings show that 50% of companies surveyed do not have a disaster recovery plan in place. According to CYE founder Reuven Aronashvili, cyber resilience must evolve into a continuous and contextual process, grounded in real-time visibility, not static compliance. “It’s about continuously understanding your environment and tailoring defenses to the threats most relevant to your operations,” he said in an official statement.
Why Overspending Can Mask Underperformance
Budget growth can create the illusion of security progress. But when funds are funneled into advanced tools without addressing foundational weaknesses, companies risk building brittle defenses. As recent breaches demonstrate, it’s not always nation-state actors or novel exploits that cause the most damage; it’s the overlooked software patch, the weak password, or the unsecured vendor connection. Sustainable cyber resilience depends not on how much is spent, but on how wisely the basics are managed.