As 2026 begins, we round up some of the themes that are front of mind for the wider field as we start the new year.
With 2025 now done, it was certainly an eventful year. Critical industries such as manufacturing and healthcare saw, according to one survey, a 34% ramp-up in ransomware incidents. Almost half of the incidents that the UK’s National Cyber Security Centre (NCSC) worked on were, in its CEO’s words, “of national significance”. A joint paper published by the National Security Agency and its worldwide peers specifically called out state-sponsored attacks from China. Attacks on producers and supply chains were significant, with car manufacturer Jaguar Land Rover suffering an attack that is believed to be the most costly ever, with a £1.9bn ($2.5bn) financial impact. We also saw the advent of attackers perpetrating social engineering attacks on the IT providers of retailers such as the U.K.’s Marks & Spencer (M&S) – the attackers’ premise being that if the retailer has a good standard of security, maybe its outsourced support providers do not.
As the year ends and a new one begins, it is often the first time that many of us in the cybersecurity field can take a moment to review and think about what we need to consider for the coming year.
The More Things Change, the More They Stay the Same
First, we need to prepare for “more of the same”. Ransomware, phishing (including social engineering) and supply chain attacks have been the top three threats for a while now and will continue to be so. As we saw from incidents such as M&S, Co-op and Asahi in 2025, bad actors will continue to get more and more clever – or sneaky: this is no surprise, because these approaches continue to be very lucrative for the bad actors (even if ransom demands do seem to be going down in value over the years).
Operational Technology (OT) is also seen as an area that is at risk for cybersecurity attacks in the coming years. We have discussed OT in previous ISC2 Insights articles, but it feels like equipment such as network-connected plant machinery has now reached a critical mass that makes it a tangible, attractive target for attackers. Brett Leatherman, assistant director of the FBI’s cyber division, shares this view and has pointed his LinkedIn readers to a guidance document for securing OT that was put together by a raft of national cybersecurity agencies worldwide including his own and the U.S. CISA, noting in his blog post that: “In Operational Technology (OT) environments, the consequences of a cybersecurity attack go far beyond data theft”, warning that “Disruption here can impact safety and national security”.
Protecting Critical Infrastructure and Shared Services
Next, there is a need to look wider than just securing our infrastructure and consider the security risks associated with others’ infrastructure. This does not just mean at our organizational scale, but also at the levels of entire countries. The U.S.’s Cybersecurity & Infrastructure Security Agency (CISA) states, in its 2025-26 strategic plan, that: “Recognizing that much of U.S. critical infrastructure interconnects and/or is interdependent with foreign assets, systems or networks, CISA will work closely with domestic and international partners to bolster the security and resilience of the international critical infrastructure on which the U.S. depends”.
Alongside the security of foreign states noted above, the CISA’s report also references the need to “increase information sharing exchanges with global partners to promote U.S. security and resilience priorities and to enhance CISA’s programs, services, and products”. Scaling this down to the organizational level: working jointly with our peers and even our competitors will most likely bring a benefit that easily offsets any perceived risk of competitors stealing our ideas or using our unfortunate experiences against us.
AI and Quantum
Moving on, it would be impossible not to mention Artificial Intelligence (AI), particularly given that the experience through the second half of 2025 aligned with one of the predictions ISC2 made in December 2024. We said: “The hype cycle around AI has been going for several years, suggesting it’s time to start recognizing the limitations of the technology and that it isn’t a magic wand that can solve everything for everyone”, and ISC2 board member James Packer warned that although “we are learning more and more that cybersecurity can benefit from the use of AI”, the fact remains that “AI is limited in many areas, and so it is not the answer to everything”.
Quantum Computing generally follows hot on AI’s heels, so we shall look there next. The general view is still that despite predictions in past years that Quantum attacks are about to start beating down our doors, these attacks have yet to happen and in fact it’ll still be a few years before they do: we are now being told by reputable sources that we need to have migrated our worlds to post-quantum cryptography (PQC) by 2035. Of course, there is no time like the present to embark on this journey, as it will certainly not be an overnight job, and so the feeling is that we will start to actually do something about Quantum-aware defenses in 2026.
There is one final consideration to discuss: identity. We have written extensively about zero trust (ZT) – including pieces about how to make it align with real life and how it has taken 15 years for it to really become implemented at scale. ZT and identity are closely aligned, because if you trust nothing then you clearly have to authenticate everything and be absolutely sure about its identity. We already live in a world where there is more bot-generated traffic than human-generated traffic, so ZT is an approach for defending against such traffic. We are, however, inadvertently making the problem more difficult for ourselves: agentic AI is getting close to achieving critical mass and may well do so in 2026, which means we are employing clever, robotic agents to carry out activities on our own systems on our behalf. Identity has the potential to replace the traditional network perimeter as the primary attack surface and we need to be ready.
