The year 2026 could be a critical inflection point, when organisations are facing more cyber threats with fewer resources to defend against them. That’s according to Anthony Young, CEO at the cyber firm Bridewell.

According to Young, the cumulative effect of years of belt-tightening across cybersecurity teams and agencies is beginning to surface in major breaches and systemic failures. He said: “Many organisations have been forced to delay modernisation, freeze hiring and reduce investment in defensive capabilities. The result is fewer defenders, slower detection, and weakened resilience, just as adversaries become more aggressive and technologically advanced.”

The firm points to the supply chain attacks of 2025, including a compromise of Oracle Cloud affecting over 140,000 tenants and the Salesloft/Drift breach, as showing how under-investment in cyber resilience can cascade across digital ecosystems. Meanwhile, Jaguar Land Rover’s factory shutdown after a cyberattack disrupted production for weeks and exposed the fragility of global supply chains, the firm adds.

Young warns that these incidents are not isolated events, but symptoms of a deeper issue. “Unfortunately, it’s unlikely that 2025’s headline breaches are not the peak, they’re the warning signs. As we move into 2026, the legacy of these cuts will continue to degrade organisations’ defensive posture. We’ll likely see fewer, but far more impactful, attacks focused on shared platforms, third-party suppliers and critical infrastructure.”

He also acknowledged a societal aspect. Alongside highly coordinated campaigns by criminal and state-backed groups, Bridewell has observed a sharp rise in so-called ‘casual’ cyber aggression. Increasingly, attacks are being launched by loosely connected individuals, often teenagers, using freely available tools or AI-assisted exploit kits.

Young said: “This new wave of attackers doesn’t always fit the traditional profile. We’re seeing a generation that grew up online, with access to open-source data, leaked credentials and automated tools that make disruption easy. What’s changed is the lack of deterrence. In online communities, the reputational rewards of causing chaos often outweigh the perceived risk by these individuals of getting caught.”

The firm believes this blend of economic strain, social disaffection and accessible hacking technology is fuelling a dangerous convergence. With reduced resources for defenders and a surge in opportunistic threat actors, businesses face complex, targeted attacks on one hand and erratic, highly visible disruptions on the other.

Young said: “Cybersecurity is now facing the same kind of social and economic pressures that drive crime in the physical world. When times get tough and oversight weakens, the barrier to entry for malicious activity falls. If we continue underinvesting in resilience and accountability, we risk normalising cyber aggression as a form of expression or protest.”

Looking ahead to 2026

Bridewell predicts that cyber incidents will become less frequent but far more destructive, with greater operational, reputational and regulatory fallout for unprepared organisations. To mitigate this, Young stressed that technical measures must be matched with broader efforts to rebuild digital accountability, shared defence mechanisms and societal norms around online harm.

Phishing’s top target

Keith McCammon, Co-Founder at the cyber firm Red Canary, predicted browsers will overtake email as phishing’s top target next year as AI makes fake sites, deepfakes, and poisoned search results nearly indistinguishable from reality. He also expects ‘Zero Trust’ to shift from aspiration to necessity as businesses are forced to do more with less. He said: “In 2026, browsers will overtake email as phishing’s most exploited entry point. With generative AI lowering the cost and complexity of deception, adversaries will use deepfakes, poisoned search results, and fake CAPTCHA to trick users into executing code directly from the browser. These lures will be almost indistinguishable from legitimate sites, turning the browser into the easiest place to win trust and break it.

“Phishing will become a real-time, AI-driven numbers game. Adversaries will target thousands of users with adaptive, highly personalised lures, needing only a few victims to reap significant financial reward. Unlike Windows or macOS, browsers act as a joker in the pack. They sit outside the traditional security stack and therefore lack the mature controls and visibility that protect operating systems and endpoints. Recent warnings around ChatGPT’s AI-powered Atlas browser show how this blind spot could also widen as intelligence moves into the browser itself.

“To stay ahead next year, businesses must start treating browsers as critical infrastructure. That means tightening access and identity controls, improving endpoint and cloud-level monitoring, and training users to recognise the new generation of attacks. Awareness alone won’t be enough – defences rely on both user and system resilience working in concert.”