
Why Traditional Cyber Risk Management Is No Longer Enough in 2026

By Peter Jones | February 10, 2026 | 5 Mins Read

As we settle into 2026, the cybersecurity industry is experiencing dramatic change. AI, AI agents, Quantum, and even traditional attack techniques are developing in ways that impact how we protect our organisations and even how we communicate with our customers. Preserving the status quo simply isn’t good enough, so evolving our defences to not only protect against these emerging threats, but also allow us to come out stronger, will drive conversation over the coming months.

Ransomware Casts a Longer Shadow

We can’t look back on 2025 without recalling how ransomware has disrupted some of our most loved brands. M&S, Jaguar Land Rover (JLR), Harrods, and the Co-Op all experienced significant attacks on their business, with consequences that ultimately had a material impact on UK GDP. The Office for National Statistics (ONS) noted the JLR attack reduced the UK’s output by 0.17% in September.

For many years, ransomware has been the go-to tool for extortionists around the world, and they are not holding back. As RaaS (ransomware as a service), with its associated SLAs, additional services, and tiered pricing models, enables the criminally minded, we can expect to see these techniques used more frequently and with devastating effect. Discipline will be required to enable suitable defences, implement end-to-end Zero Trust policies, including entire supply chains, and ensure back-up / disaster recovery plans are designed, communicated, and tested regularly.

AI Lowers the Barrier for Entry for Cyberattacks

As a cyber professional, the tools I use to defend networks have benefited from machine learning and AI for many years. They are not new, but they have enabled us to detect and mitigate sophisticated threats much faster than ever before. At the same time, AI has also empowered the attackers to create content and automate malicious campaigns in ways that challenge our defences every minute of every day. The criminal world has always driven innovation, and it is no different this time.

Well-established tools such as WormGPT 4 enable low-skilled hackers to launch sophisticated, large-scale attacks that can avoid detection and deceive the most analytical minds. We can expect these tools to improve over the coming months and to become cheaper, so even the least experienced script kiddie can cause havoc. When these tools are coupled with the capabilities of Agentic AI, organisations will increasingly need real-time detection, heuristic analysis, and almost instant response capabilities.

Quantum: An Emerging Security Threat

I initially started looking into Quantum risk in 2022, and at that time, the narrative was that Quantum would become relevant and a potential threat in 15-20 years’ time. Since then, the estimated timeframe has shortened to 2035, then to 2029-32 according to IBM Roadmap Predictions, and more recent reports now suggest that RSA encryption could potentially be compromised between 2027 and 2029.

The bottom line for UK organisations is that we need to take this seriously, and we need to act now if we want to protect critical applications that drive our economy. The major service providers will be doing a lot of the heavy lifting for small and mid-size organisations; however, those with critical or custom applications now need to understand how encryption has been implemented, who is responsible for the protection of the applications, and what actions need to happen for organisations to move to a Post Quantum Cryptography (PQC) safe position. 

One thing is clear: there aren’t enough professionals in the industry who truly understand cryptography to protect all organisations. It is important to start this work now, understand where your critical data and applications are hosted, how they’re protected, and the steps needed to move them to a Quantum-safe state. The move to PQC algorithms is complex and requires significant investment, so expect to hear more guidance about this subject in the year ahead.

Agentic AI Increases the Cyberattack Surface

Agentic AI has been developing rapidly over the last 18 months, and it is reaching a level of maturity that will directly impact all aspects of our lives. Bob Sternfels, the CEO of McKinsey & Company, recently reported that the company has 60,000 employees, of whom 25,000 are AI Agents. This AI-driven transformation has led to a 25% reduction in non-client-facing roles at the company, with an increase in productivity of 10%.

We can all jump to conclusions about how this trend will evolve over the coming years, but from a cyber threat point of view, the ability to host thousands of AI Agents on relatively inexpensive hardware means threat actors can now run 24/7/365 operations with thousands of virtual employees, researching individuals’ lifestyles and automatically creating content (email, voicemail, video content, etc.) that will be difficult to ignore. Spotting these deepfake messages and mitigating against them has the potential to drive change in who we trust and how we communicate and share information over the coming years.

Security Priorities for Organisations in 2026

Given these current and emerging threats, how can most organisations protect themselves? As always, focus on the basics: know where your critical data resides and be clear about how it is protected today, and how that protection may need to change over the next few years. Patch, patch, patch, and ensure vulnerabilities are either mitigated or contained effectively to reduce your risk. Really think about your supply chain, what access they have to your systems, and how dependencies can be reduced. Finally, if you haven’t done so already, implement Zero Trust principles throughout your organisation. Identity is the primary attack vector, but network, application, and data segmentation will all help reduce the attack surface.

Peter Jones

Peter Jones is a Cyber Security Specialist at Conscia UK, with more than 20 years’ experience across networking and cyber security. He holds CISSP and CISM certifications and advises organisations on strengthening resilience and reducing cyber risk. Peter is an active contributor to Conscia’s thought leadership, writing on practical security improvement and the value of cybersecurity.

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
