Companies across the United States, the United Kingdom and Germany are struggling to cope with the scale of disruption that modern digital shocks can unleash, according to a new Economist Impact study backed by Telstra International, which suggests that years of spending on cyber security and system upgrades have not translated into strong organisational readiness. The report argues that the central weakness lies less in technology itself than in governance, coordination and the ability to manage risks that spread across suppliers, infrastructure and partner networks.
The study, released on April 14, drew on a late-2025 survey of 1,420 senior executives from large and midsize organisations across 14 markets, including benchmark comparisons for the US, UK and Germany. Across all surveyed markets, only 25% of organisations said their response to digital disruption largely goes to plan, while just 21% said they had a dedicated team in place to deliver digital resilience initiatives. Those figures point to a wide gap between boardroom assurances and operational performance when systems fail or external shocks cascade through the business.
That gap becomes sharper once disruption moves beyond a company’s own perimeter. The findings suggest many organisations feel reasonably confident about their internal cyber policies and regulatory frameworks, yet are far less certain about what happens when a supplier, utility, telecoms link or third-party platform becomes the trigger for a wider breakdown. Germany was the strongest of the three western benchmarks in confidence over policy frameworks at 70%, compared with 54% in the US and 51% in the UK, but the broader message of the study is that internal confidence has not solved the problem of ecosystem fragility.
Board oversight also appears weak. Only 27% of organisations said digital resilience strategies are reviewed regularly by their boards, and only 38% said those discussions lead to follow-up action. More than half monitor digital risks only infrequently or on an ad hoc basis, while just 8% track them more often than quarterly. The report also found that responsibility for resilience is often left inside a single function such as IT rather than being shared across the C-suite, a structure that can slow decisions when an incident cuts across operations, communications, procurement and customer service at the same time.
Legacy technology remains another drag on preparedness. Around 60% of organisations in both the US and the UK said older technology still makes up a significant part of their operations, with Germany only slightly better at 54%. That matters because ageing systems are harder to integrate, harder to monitor in real time and harder to adapt when businesses need faster recovery or failover capabilities. Sector differences are marked: 36% of financial services firms and 36% of IT and technology organisations said they had modernised most or all of their core systems, compared with 12% in the public sector and 19% in industrial organisations.
Roary Stasko, chief executive of Telstra International, said the research showed “a gap between ambition and execution”, adding that many organisations believe they are prepared even as disruption continues to expose weaknesses in governance, coordination and decision-making. His remarks underline one of the report’s more commercially significant points: digital resilience is moving from a narrow security or compliance question into a broader test of competitiveness, business continuity and executive leadership.
The report’s findings land at a time when wider policy and industry debates are also shifting from pure cyber defence to resilience across connected systems. The World Economic Forum’s Global Cybersecurity Outlook 2025 says cyber resilience is being complicated by geopolitical tension, supply-chain interdependence and the growing sophistication of digital threats, while OECD work on critical infrastructure resilience has long stressed that essential services rely on cross-border digital infrastructure and cannot be protected in isolation. Together, those strands reinforce the Economist Impact finding that resilience depends on how organisations function inside networks, not only how well they protect a server or a firewall.
Another blind spot is climate and physical infrastructure risk. Just 14% of organisations in the study said they integrate climate-related risks into digital resilience planning, despite the clear effect that extreme weather, power instability and stress on data-centre capacity can have on recovery times and service continuity. The report also notes that faster AI adoption is increasing pressure on energy and water systems, giving resilience a more physical dimension than many corporate risk plans have traditionally recognised.
The study, released on April 14, drew on a late-2025 survey of 1,420 senior executives from large and midsize organisations across 14 markets, including benchmark comparisons for the US, UK and Germany. Across all surveyed markets, only 25% of organisations said their response to digital disruption largely goes to plan, while just 21% said they had a dedicated team in place to deliver digital resilience initiatives. Those figures point to a wide gap between boardroom assurances and operational performance when systems fail or external shocks cascade through the business.
That gap becomes sharper once disruption moves beyond a company’s own perimeter. The findings suggest many organisations feel reasonably confident about their internal cyber policies and regulatory frameworks, yet are far less certain about what happens when a supplier, utility, telecoms link or third-party platform becomes the trigger for a wider breakdown. Germany was the strongest of the three western benchmarks in confidence over policy frameworks at 70%, compared with 54% in the US and 51% in the UK, but the broader message of the study is that internal confidence has not solved the problem of ecosystem fragility.
Board oversight also appears weak. Only 27% of organisations said digital resilience strategies are reviewed regularly by their boards, and only 38% said those discussions lead to follow-up action. More than half monitor digital risks only infrequently or on an ad hoc basis, while just 8% track them more often than quarterly. The report also found that responsibility for resilience is often left inside a single function such as IT rather than being shared across the C-suite, a structure that can slow decisions when an incident cuts across operations, communications, procurement and customer service at the same time.
Legacy technology remains another drag on preparedness. Around 60% of organisations in both the US and the UK said older technology still makes up a significant part of their operations, with Germany only slightly better at 54%. That matters because ageing systems are harder to integrate, harder to monitor in real time and harder to adapt when businesses need faster recovery or failover capabilities. Sector differences are marked: 36% of financial services firms and 36% of IT and technology organisations said they had modernised most or all of their core systems, compared with 12% in the public sector and 19% in industrial organisations.
Roary Stasko, chief executive of Telstra International, said the research showed “a gap between ambition and execution”, adding that many organisations believe they are prepared even as disruption continues to expose weaknesses in governance, coordination and decision-making. His remarks underline one of the report’s more commercially significant points: digital resilience is moving from a narrow security or compliance question into a broader test of competitiveness, business continuity and executive leadership.
The report’s findings land at a time when wider policy and industry debates are also shifting from pure cyber defence to resilience across connected systems. The World Economic Forum’s Global Cybersecurity Outlook 2025 says cyber resilience is being complicated by geopolitical tension, supply-chain interdependence and the growing sophistication of digital threats, while OECD work on critical infrastructure resilience has long stressed that essential services rely on cross-border digital infrastructure and cannot be protected in isolation. Together, those strands reinforce the Economist Impact finding that resilience depends on how organisations function inside networks, not only how well they protect a server or a firewall.
Another blind spot is climate and physical infrastructure risk. Just 14% of organisations in the study said they integrate climate-related risks into digital resilience planning, despite the clear effect that extreme weather, power instability and stress on data-centre capacity can have on recovery times and service continuity. The report also notes that faster AI adoption is increasing pressure on energy and water systems, giving resilience a more physical dimension than many corporate risk plans have traditionally recognised.
Topics
Technology