
Cyber threats in the mainstream

by Mark Rowe

Mike Gillespie of the security consultancy Advent IM, pictured, writes that 2025 was the year that cyber threats broke into the mainstream. He describes it as a wake-up call for national resilience. What then of 2026?!

Last year, we spoke about the ‘pressure cooker’ facing UK organisations: rising regulation, constrained budgets, and a growing reliance on outsourced expertise to fill capability gaps. If 2024 confirmed that trajectory, 2025 has accelerated it and 2026 looks set to raise the stakes even further. Many of the trends we anticipated last year materialised. Quishing and AI-powered phishing moved from niche concerns to prime-time TV topics, appearing in programmes like Scam Interceptors and becoming part of the everyday language of cyber risk. Despite increased public awareness, financial losses have continued to increase, building on the £11.5 billion lost by UK consumers in scams last year. Fraudulent delivery messages, investment scams, romance scams and newer threats like freight fraud are all on the rise. If 2025 saw freight fraud emerge, 2026 is likely to see it become a major revenue stream for organised criminal groups.

Cloud debate

The major cloud outages in late 2025 impacting c and everything built upon them, from financial systems to social platforms – exposed an uncomfortable reality: a national over-dependence on US hyperscale providers. The disruption has triggered a fresh UK Government conversation about digital sovereignty. In 2026, expect that debate to intensify. The push for UK-first cloud capabilities, genuine data sovereignty (not just residency), and increased scrutiny of foreign-owned infrastructure will grow, especially as AI adoption surges across healthcare and other critical sectors. Standards such as ISO 42001 will play an increasing role in shaping AI governance, risk, and assurance.

Some fundamentals improved in 2025, with wider adoption of multi-factor authentication and better public awareness of phishing techniques. But many organisations still fall behind:

Education remains generic, when it should be role-specific and behaviour-changing;

Policy enforcement is inconsistent, with too many policies written to ‘tick a box’;

Password practices remain outdated, despite clear NCSC guidance; and

Patching hygiene is uneven, even as major vendors issued waves of critical and zero-day vulnerabilities this year.

This is exactly where outsourced expertise continues to matter – echoing last year’s argument that organisations need access to skilled support, not permanent headcount they can’t afford.

AI: mature threats

AI-powered phishing has already begun to reshape the threat landscape, delivering highly personalised and convincing attacks at scale. Paired with unpatched vulnerabilities, these techniques will remain a core attack vector in 2026. At the same time, organisations are struggling with their own use of AI. Many still claim they ‘don’t use AI’ while their employees use generative tools daily. In 2026, expect a shift toward organisational maturity in AI adoption: clearer controls, better governance, and more realistic policies.

Geopolitics and states

In defence, AI is driving rapid advancements in unmanned systems, ushering in a new era of military capability. Meanwhile, the cyber activities of hostile nation-states remain relentless, mature, and highly motivated. 2026 will demand stronger collaboration, better threat intelligence, and more agile security partnerships. UK-based managed security service providers will play an increasingly important role, offering the scalability and expertise organisations can’t always cultivate in-house.

Regulation gets teeth

The upcoming Cybersecurity and Resilience Bill will significantly expand which organisations fall under ‘critical infrastructure’. For the first time, supply chain assurance becomes a legal obligation, not a best-practice recommendation. This won’t just affect large providers; small and medium-sized suppliers will also be brought into scope. Many will find themselves unprepared unless they rapidly uplift their capabilities.

Post-quantum

Last year marked major advances in quantum computing and, with them, the start of the post-quantum race. NCSC’s five-year roadmap for post-quantum readiness is clear: organisations need to start preparing now. In 2026, we expect to see real investment in cryptographic agility and migration planning. Five years will disappear quickly.

Conclusion

The challenges facing UK organisations – budget pressure, skills shortages, increasing regulation – are the same ones we highlighted last year, but the environment has become more complex. AI is accelerating both threats and opportunities. Dependence on foreign cloud infrastructure has become a national issue and cybercrime continues to scale faster than our defences. Resilience in 2026 won’t come from owning all the skills in-house, nor from relying on outdated security practices. It will come from flexible access to trusted expertise, sharper governance over emerging technologies, and a renewed focus on the fundamentals. The pressure cooker hasn’t gone away. But with the right partnerships, controls, and strategic foresight, organisations can stay ahead of what 2026 has in store.
