Systemic inequity in the global cybersecurity economy has worsened compared to the 2024 report. The Global Cybersecurity Outlook 2025 finds that smaller organizations continue to feel the weight of this inequity, with 35% stating that their cyber resilience is insufficient.Inequity as a driver of ecosystem risk Small Large40% 30% 20% 10% 0% 2022 202535% 7%13% 5%My organization's cyber resilience is insufﬁcientSmaller organizations are struggling to ensure cyber resilience, while larger organizations show steady progressFIGURE 12 At the other end of the spectrum, the number of large organizations reporting that their cyber resilience is insufficient has nearly halved. However, in an ecosystem that is becoming increasingly interconnected, the overall resilience of the ecosystem is often determined by its weakest links. Larger, more resilient companies have a strong incentive to support smaller, less-capable organizations, thereby enhancing the resilience of the entire ecosystem. According to 71% of cyber leaders at the Annual Meeting on Cybersecurity 2024, small organizations have already reached a critical tipping point where they can no longer effectively secure themselves against the escalating complexity of cyber risks. This underscores the urgent need for collective action and treating cybersecurity as a strategic leadership imperative. Leadership engagement and oversight can prove to be a key differentiator in strengthening overall resilience. The survey reveals that in 62% of high- resilience organizations, board members received regular updates on recent cyber incidents, trends, vulnerabilities and risk predictions from internal or external third parties; this is in stark contrast to only 29% in low-resilience organizations. Three-quarters of Swiss companies make less than half a million CHF a year. The question is how can we meaningfully enable these companies to invest in security and how can we supply base infrastructure to them that is reasonably secure? We have many small- and medium-sized organizations that are insufficiently resourced. We conducted a pilot with a Swiss logistics company to help them manage their supply chain risks. Through collaboration with the independent National Test Institute for Cybersecurity (NTC), we are testing digital products for which there is a public but no immediate economic interest. We are currently boot-strapping a project where we review open-source software used by government agencies and we provide feedback to open-source developers to fix issues we found. We are additionally investing in capacity-building to help boards ask the right questions, because we believe we need to develop a culture among executives to think about resiliency and factor in the supply chain in their overall risk calculations. Florian Schütz Director, National Centre for Cybersecurity (NCSC), SwitzerlandCASE STUDY 3 Giving small organizations in Switzerland a leg-up with the help of public national infrastructure Global Cybersecurity Outlook 2025 29