63% of CISOs describe themselves as not very confident in the ability of local government and public higher education to secure public data, up from 35% in 2022.

Only 26% of state CISOs are extremely or very confident that their state's information assets are protected from cyber threats, down from 48% in 2022.

49% of state CISOs name implementing effectiveness metrics as a top cybersecurity initiative, up from 25% in 2024 and 15% in 2022.

84% of state CISOs are involved in Generative AI strategy development.

94% of state CISOs are involved in developing Generative AI security policies.

16% of state CISOs report their budgets have been cut, up from none in 2024.

Roughly one-fifth of CISOs indicate their states are moving toward a "whole-of-state" approach to cybersecurity.

36% of financial services organisations and 36% of IT & technology organisations report modernising most or all core systems, compared with 12% of public sector organisations and 19% of industrial organisations

1.6% of public sector agencies report broad AI deployment across departments.

57% of public sector agencies are actively exploring and learning about AI.

16% of public sector agencies are piloting small AI projects.

In Q3 2025, commerce received 88% of crawler traffic, while the Public Sector received 96%, and Education had the highest fetcher volume at 77%

26% of UK IT leaders in the public sector say they've adopted AI detection.

27% of UK IT leaders in the public sector say they've adopted email security training.

44% of UK IT leaders in the public sector say they've adopted MFA.

Financial services and the public sector currently report the lowest adoption rates of AI tools, at 21% and 16%, respectively.

36% of those in the public sector indicated they are actively evaluating AI tools.

International bad actors were responsible for up to 12% of all incoming applications for government services and/or loans in the study.

At least 1 in 4 fraud attempts targeted more than one government agency at once.

Fraudsters were about four times more likely to use stolen identities instead of synthetic identities.