Top Business Cyber Security Issues

Oleksandr Filipov CTO (Chief Technology Officer)
May 4, 2026 3 min

Business cybersecurity has become notably more complex in recent years. Nowadays, companies rarely face a single, obvious cybersecurity issue: according to Verizon data, the human factor was a driver in approximately 60% of confirmed breaches in 2025, third-party involvement accounted for 30%, and exploitation of vulnerabilities increased by 34%. 

In our view, it is particularly dangerous when a business faces multiple security flaws at once: poor management-level decisions, process gaps, and technical shortcomings. We often see this in Datami projects: "on paper" the protection exists, but in practice, risks accumulate at the intersections — between people, the IT environment, contractors, and management decisions. 

What is considered a cybersecurity issue 

Cybersecurity issues are typically defined as technical, organizational, or managerial factors that create vulnerabilities in the protection of information technology systems and increase the probability of a cyber incident. In other words, this means more than just infrastructure vulnerabilities or configuration errors. The problem can be a lack of strategy, insufficient control, and an underestimation of risks by leadership. 

We have noticed that businesses typically encounter not a single isolated problem, but a combination of them. During security audits and security assessment projects, it is revealed that organizational gaps or management errors almost always compound technical flaws. Consequently, they should be evaluated not in isolation, but within the company's overall risk picture. 

Types of cybersecurity issues

In practice, it’s helpful to look at IT security issues from at least two perspectives: 

1. Classification by the nature of factors 

| Type | Issues |
| --- | --- |
| Human | Poor security culture, shortage of specialized professionals, underestimation of risks, employee errors, and weak management involvement |
| Organizational | Lack of a systematic approach, undocumented processes, weak internal regulation, unclear responsibilities |
| Technical | Infrastructure vulnerabilities, weak protection of accounts and NHI, supply chain risks, insecure configurations, and outdated systems |

2. Classification by manageability 

| Type | Issues |
| --- | --- |
| Internal | Factors the company can influence directly: processes, configurations, access control, training, security policy |
| External | Factors the business can only adapt to: increasing number of attacks, changing threat landscape, risks from contractors and suppliers, and new attack schemes |

Criticality levels of cybersecurity issues 

Not all information technology security issues affect a business's cybersecurity equally. Some create a background risk, while others directly undermine the company's resilience and render even formally implemented protection measures largely ineffective. Therefore, during the assessment, we consider not only the mere presence of an issue, but also its criticality:

  • Critical level. The issue destroys cyber protection at a fundamental level. In its presence, other protection measures either work poorly or not at all. 
  • High level of criticality. Requires immediate remediation. The problematic factor does not yet completely destroy the system, but it already poses a high risk of serious incidents, financial losses, or operational downtime. 
  • Medium level. The impact depends on the context: business scale, industry, infrastructure maturity, number of contractors, regulatory requirements, and other factors. Such risks cannot be ignored, but their priority is determined individually. 

The most frequent mistake businesses make is evaluating an issue solely by its visibility. However, the most dangerous risks are not always the most obvious ones. Frequently, the root causes of serious technical incidents are basic managerial and organizational gaps, while computer security issues are merely their manifestation. 

Top 9 business cybersecurity issues 

I. Critical level 

1. Underestimation of cyber risks 

In our view, this is a root issue from which many others grow. As long as management treats cybersecurity as a secondary technical matter rather than as part of business resilience, the protection system cannot function effectively. The necessary budget does not materialize, processes are not established, responsible individuals are not appointed, and decisions are postponed until the first serious incident. 

From our own practical experience, we can say that this is exactly where the chain of future cyber-related issues most often begins. A company may invest in individual protection tools yet fail to recognize cyber risks as factors affecting business continuity, finances, reputation, and client relations. As a result, cybersecurity remains a formality and does not become part of the management agenda. 

2. Lack of a systematic approach 

Even with an understanding of threats, a company can remain vulnerable if protection is built unsystematically. Our specialists frequently observe this during security audits: isolated solutions are implemented, certain protection measures are in place, and one-off checks are performed periodically, but none of this is integrated into a single system. 

Without a strategy and a clear security architecture, a company begins to operate in a constant "patching holes" mode. One risk is addressed, while another is left unattended. One incident is handled, but the takeaways are not integrated into processes. Ultimately, the business does not prevent threats but is constantly playing catch-up with them. 

3. Poor cybersecurity culture 

The human factor is discussed often, but usually too superficially. The issue lies not only in employee errors but also in the fact that, without a proper cybersecurity culture, a company creates new risk points every day with its own hands. 

We regularly observe this during client security assessments: weak passwords, careless handling of emails, sharing access credentials, ignoring basic rules, and a lack of habit of reporting suspicious activity. All of this looks like minor details until they turn into an incident. 

At the same time, it is important to understand that a poor security culture rarely emerges on its own. It is typically a consequence of management failing to take cybersecurity seriously. If leadership does not prioritize it, employees will likewise not treat it as a genuine part of their responsibility. Therefore, we consider culture a critical issue, but secondary relative to risk awareness and a systematic approach. 

II. High level

4. Shortage or insufficient experience of professionals 

For many companies, this is a truly major pain point. Even when management understands the significance of cybersecurity, in practice, there is a lack of people within the business capable of building and maintaining protection at the required level and making mature decisions in complex situations. 

We frequently observe two extremes. The first — when security matters are distributed among IT professionals, for whom this is just one of many tasks. The second — when specific functions are formally assigned to dedicated staff, but the team lacks sufficient experience to handle real risks, complex architectures, and modern cyberattack scenarios. 

This is a serious issue, but not a fundamental one. Unlike underestimating risks or lacking a strategy, these issues can be resolved through external expertise, outsourcing, the MSSP model, engaging highly specialized professionals, and automating portions of the processes. We know from our own experience that, for many companies, this exact path is the most realistic and cost-effective. 

5. Existing cybersecurity vulnerabilities 

Weak spots exist in practically any infrastructure. The question is not whether they exist at all, but whether the company knows how to detect, assess, and remediate vulnerabilities before they are exploited by attackers. 

Having conducted hundreds of pentests and security audits, we can confidently state that almost always the issue lies not in the mere presence of vulnerabilities but in the lack of a process to handle them. In some cases, regular checks are missing; in others, there is no prioritization; and sometimes critical weak spots are postponed "for later" because the business perceives the risk as not so urgent.

6. Growth in the number and complexity of cyberattacks 

This is an external factor that an individual company cannot influence. A business is incapable of stopping the overall growth in the number of attacks, the development of new compromise scenarios, or the increasing sophistication of threat actor tools. However, it can adapt to this. 

Attacks have become not only more frequent but also more complex: alongside mass automated scenarios, businesses increasingly encounter well-thought-out, prolonged cyber campaigns, particularly APT attacks, which aim to achieve stealthy penetration, establish a foothold in the infrastructure, and gradually expand access. 

We note that cyberattacks have also become more targeted. Threat actors make better use of automation, find weak spots faster, and operate more actively through contractors, credentials, cloud infrastructure, and the human factor. 

However, in our ranking, this cybersecurity issue ranks lower than manageable internal factors. The reason is clear: an external threat is always dangerous, but if proper processes, strategy, and control are established within the company, adapting to the changing threat landscape is much easier. 

III. Medium level

7. Supply chain issues 

Today, a company's security increasingly depends not only on itself but also on contractors, suppliers, integrators, cloud services, and platforms. The more digital connections a business has with the external environment, the higher the risk that the weak link will be outside the company, rather than within it. 

During cybersecurity assessments, we frequently notice that clients pay close attention to their own infrastructure while exerting significantly weaker control over external dependencies. At the same time, it is exactly through contractors, service team access, and third-party components and solutions that additional attack vectors often emerge. 

This issue is indeed growing, but its criticality depends on the business's maturity and scale. For companies with a developed partner ecosystem, it can be highly significant. For organizations with simpler structures, it does not always rank at the top of the risk list. 

8. Regulatory pressure and legal liability 

For many companies, cybersecurity is becoming a priority not only because of the threats themselves but also because of regulatory requirements, contractual obligations, and potential legal liability. This concerns industry standards, data protection requirements, obligations to clients and partners, and the repercussions of an incident in terms of fines and claims.

In our view, this is an important factor, but still not the root cause of a vulnerability. Regulatory pressure by itself does not make a company more vulnerable. Rather, it acts as an external stimulus: it forces a review of processes, elevates the maturity of protection, and compels businesses to treat cybersecurity not as an option, but as a mandatory element. 

9. Uncontrolled growth of NHI (Non-Human Identities) 

The management of NHIs is currently noticeably underestimated, although in a number of companies it has already become a practical problem. This refers to non-human identities: service accounts, tokens, keys, integration accounts, automated access rights, and other entities that participate in the operation of the infrastructure and applications but do not belong to specific users.

We have noticed that as the infrastructure grows, such identities multiply rapidly. They are created for services, integrations, scripts, containers, cloud environments, and CI/CD processes. Over time, some of them cease to be properly controlled: permissions become overprivileged, usage periods are not tracked, and the entities themselves become almost invisible to the company. 

Why is this cybersecurity issue currently at the medium level? For a significant portion of businesses, it does not yet look like priority number one. Usually, it manifests most acutely in companies with a mature, distributed, and complex IT infrastructure. But we already see a pattern: the more actively a business automates and utilizes cloud and integration scenarios, the faster the uncontrolled growth of NHIs transitions from a "niche topic" to a real risk. 
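The review described in this section can start from a plain inventory of machine identities. The following is an added example, not Datami's tooling: it flags identities with no owner, no recent use, overdue rotation, or wildcard permissions. The record fields, the sample inventory, the review date, and the 90/180-day thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Thresholds are assumptions for this example, not values from the article.
MAX_IDLE_DAYS = 90             # unused longer than this -> "stale"
MAX_CREDENTIAL_AGE_DAYS = 180  # secret older than this -> "rotation-overdue"


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    kind: str                      # service_account | api_key | token
    owner: Optional[str]           # accountable team, None if unknown
    created: date
    last_used: Optional[date]      # None = never observed in use
    last_rotated: Optional[date]   # None = never rotated since creation
    permissions: Tuple[str, ...]


def is_overprivileged(permissions: Tuple[str, ...]) -> bool:
    """Treat a bare '*' or a 'resource:*' grant as broader than least privilege."""
    return any(p == "*" or p.endswith(":*") for p in permissions)


def review(nhi: NonHumanIdentity, today: date) -> List[str]:
    """Return the findings for one identity, in a fixed order."""
    findings = []
    if not nhi.owner:
        findings.append("no-owner")
    # A never-used identity is measured from its creation date.
    idle_days = (today - (nhi.last_used or nhi.created)).days
    if idle_days > MAX_IDLE_DAYS:
        findings.append("stale")
    secret_age = (today - (nhi.last_rotated or nhi.created)).days
    if secret_age > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("rotation-overdue")
    if is_overprivileged(nhi.permissions):
        findings.append("overprivileged")
    return findings


def audit(inventory, today):
    """List (name, findings) for every flagged identity, worst first."""
    flagged = [(n.name, review(n, today)) for n in inventory]
    flagged = [item for item in flagged if item[1]]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


# Constructed sample inventory and review date (not real data).
REVIEW_DATE = date(2026, 5, 4)
INVENTORY = [
    NonHumanIdentity("ci-deployer", "service_account", "platform-team",
                     date(2025, 11, 1), date(2026, 5, 1), date(2026, 3, 1),
                     ("deploy:staging", "deploy:prod")),
    NonHumanIdentity("legacy-report-export", "api_key", None,
                     date(2023, 2, 10), date(2024, 8, 15), None,
                     ("db:*",)),
    NonHumanIdentity("billing-webhook", "token", "finance-eng",
                     date(2025, 1, 20), date(2026, 5, 3), None,
                     ("billing:read",)),
    NonHumanIdentity("tmp-migration-script", "service_account", "data-team",
                     date(2026, 4, 20), None, None,
                     ("*",)),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, REVIEW_DATE):
        print(f"{name}: {', '.join(findings)}")
```

In practice the inventory would be exported from the identity provider, cloud IAM, and CI/CD secret stores rather than typed by hand; the identities missing from those exports are the "almost invisible" ones the section describes.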

What unites all these cybersecurity issues 

When you look at them together, one key pattern becomes clear: the majority of serious risks do not begin with an attack or a specific vulnerability. Most often, everything begins earlier — with underestimating threats, a lack of a systematic approach, and a weak internal security culture. It is only later, against this backdrop, that technical weak spots, personnel limitations, and external risks accumulate. 

Therefore, when handling cybersecurity, Datami recommends starting not with a chaotic set of protective measures, but with a clear-eyed assessment of the company's real state: how security management is structured, where the key gaps lie, and which of them are truly critical for the business. 

Top issues depending on business scale 

The prioritization of a company's cybersecurity issues depends on its scale: at different stages, a business encounters different types of challenges. Therefore, the approach to addressing cybersecurity problems in large corporations differs from solutions for small businesses.

Here are the most common cyber security challenges by company size: 

For startups (up to 50 employees) 

  • Presence of vulnerabilities. Security often takes a back seat to development speed, so weak spots accumulate from the very beginning. 
  • Lack of a systematic approach. Processes are not yet built, and protection relies on individuals rather than on a system. 
  • Regulatory pressure. The requirements of clients, investors, and standards often become the first trigger for establishing order. 

For small and medium businesses (up to 250 employees) 

  • Poor cybersecurity culture. Employees are rarely trained, and security rules are followed merely as a formality or not followed at all. 
  • Shortage of professionals. Cybersecurity issues are usually handled by the IT department without sufficient specialized expertise. 
  • Underestimation of cyber risks. A common mistake is assuming that a small business is of no interest to threat actors. 

For large companies (250+ employees) 

  • Lack of a systematic approach. Even with vast resources, security often remains siloed across teams and departments. 
  • Supply chain issues. The more contractors and integrations there are, the higher the risk of an attack through a third-party link. 
  • Uncontrolled growth of NHI. Service accounts, tokens, and keys accumulate faster than the company can manage or control. 

Practical recommendations from Datami experts 

In this section, we have gathered the practical advice that Datami specialists most frequently provide to their clients for resolving key cybersecurity issues. 

| Issue | Recommendations |
| --- | --- |
| 1. Underestimation of cyber risks. | Regularly conduct cyber risk assessments, include them in the company's overall risk management system, and involve leadership and business units in discussions of cybersecurity issues. A good starting point is often a security audit, which helps identify hidden cybersecurity issues and assess the actual protection level of the systems. |
| 2. Lack of a systematic approach. | Develop a cybersecurity strategy and implement security policies and procedures. Use international standards as a guideline, such as ISO 27001 or NIST. Regularly assess the systems' protection level and implement incident response processes. A pentest clearly demonstrates how siloed solutions perform in real attack scenarios and where the system lacks integrity. |
| 3. Poor cybersecurity culture. | Conduct systematic employee training, implement rules for secure data handling, run phishing attack simulations, and foster a responsible attitude toward information security across the entire company. |
| 4. Shortage or inexperience of professionals. | Develop an internal security team, invest in training and certification for specialists, engage external experts for an independent assessment, and use managed cybersecurity services. In many cases, a business addresses a lack of internal expertise through a pentest or a code security audit to obtain an external professional assessment of key cybersecurity issues. |
| 5. Existing cybersecurity vulnerabilities. | Regularly conduct checks, implement vulnerability management processes, control software updates, and utilize automated security scanning tools. For critical digital products, pentests, secure code audits, and, regarding Web3 solutions, smart contract audits are particularly sought after in practice. |
| 6. Growth in the number and complexity of cyberattacks. | Utilize intrusion detection systems, analyze cybersecurity events and logs, and apply proactive protection methods. For early threat detection, implement security monitoring and alerts for suspicious activity. |
| 7. Supply chain issues. | Conduct a security assessment of suppliers, control third-party system access rights, verify the components and libraries used, and implement third-party risk management policies. In projects with many external dependencies, a secure code audit is a useful step, especially when it is important to review third-party modules and integrations. |
| 8. Regulatory pressure and legal liability. | Regularly conduct compliance audits, implement data management policies, document cybersecurity processes, and control compliance with industry and regulatory requirements. In many cases, a pentest is a practical measure that helps confirm the company's serious approach to system protection and security requirements. |
| 9. Uncontrolled growth of NHI. | Implement identity management systems; control the use of API keys and tokens; regularly review access permissions; automate the management of machine identities. |

How to assess your company's cyber protection level 

The actual state of cyber protection can be revealed by an expert cybersecurity assessment. An approximate evaluation of the protection level can be obtained by honestly answering a series of basic questions. Such a checklist does not replace a professional assessment, but it helps quickly identify vulnerable areas at the levels of management, processes, people, infrastructure, and access control. 

Checklist for self-diagnosis 

  1. Management and priorities
  • Does the company's leadership perceive a cyberattack as a real business threat, rather than an abstract risk?
  • Does the company have a dedicated cybersecurity budget?
  • Are cybersecurity issues discussed at the leadership level at least once a quarter?
  2. Strategy and processes
  • Does the company have a documented cybersecurity strategy, policy, or basic rules?
  • Is there an incident response plan in place?
  • Are audits, checks, or protection level assessments conducted regularly?
  3. Employees and security culture
  • Do new employees undergo cybersecurity onboarding training?
  • Do employees know how to recognize phishing emails and other basic threats?
  • Are clear rules in place regarding passwords, two-factor authentication, and data handling?
  4. Expertise and accountability
  • Is there a designated person responsible for cybersecurity within the company — either in-house or outsourced?
  • Do IT professionals possess up-to-date knowledge in the field of cyber protection?
  • Does the company know who to contact in the event of an incident?
  5. Technical protection
  • Are systems and software updated regularly?
  • Is regular vulnerability scanning performed?
  • Are backups created regularly and stored separately from the primary systems?
  6. Monitoring and attack resilience
  • Does the company track up-to-date cyber threats relevant to its industry?
  • Is suspicious activity detected in near real-time?
  • Are basic protection measures against ransomware and DDoS attacks implemented?
  7. Contractors and external dependencies
  • Are cybersecurity requirements included in contracts with contractors and suppliers?
  • Is third-party access to systems limited and controlled?
  • Are third-party services, libraries, and external components regularly checked for security?
  8. Compliance and data
  • Does the company understand which regulatory requirements apply to it?
  • Is there a data breach notification procedure in place?
  • Is the responsibility for protecting personal and sensitive data formally assigned within the company?
  9. Access rights and machine identities
  • Does the company know how many service accounts, API keys, and tokens it has, and where they are used?
  • Are automated system access rights regularly reviewed and revoked when necessary?
  • Is the principle of least privilege applied to accounts and service entities?

How to interpret the result 

If the answer to most of the questions is "yes", the company already has a baseline maturity level on which it can build further. 

If the answers are predominantly "no" or "not sure", this usually means that cyber security issues already exist — it is just that some of them have not yet become noticeable. For Datami, signals such as a lack of strategy, unclear accountability, poor vulnerability management, and insufficient access control are particularly revealing. 

Conclusion 

In this article, we examined key business cybersecurity issues by criticality level — from basic managerial factors to technical and external challenges. Managerial factors remain the most critical, as they determine how effectively a business can control other risks. 

Key issues of cybersecurity do not exist in isolation; they accumulate and reinforce one another. Therefore, a business's priority should not be the piecemeal "closing" of risks, but rather the building of a holistic cyber protection system that begins with a professional security assessment — an audit, a pentest, or a comprehensive protection evaluation. 

This will allow for an objective assessment of the systems' state and effective planning to remediate issues related to cybersecurity.

Updated: 04.05.2026