The year 2025 has brought cyber chaos to high-profile organisations. The major financial losses from downtime and removal of key sales channels, have resulted in a threat actor’s payday. But while many organisations have sympathised with the situation of the likes of M&S and Jaguar Land Rover, the simple fact is that they could be next, says Barry Daniels, CEO of software firm Droplet.
Organisations are one budget away from disaster
Ignoring obsolete IT will become a major liability for businesses in 2026. With Windows Server 2016 reaching end-of-support in January 2027 – organisations are now just one budget cycle away from having an infrastructure which is unprotected and can no longer rely on legacy environments that have merely performed adequately. IT inertia is a major risk that includes heightened vulnerability to cyber attacks and data breaches not to mention operational inefficiencies due to incompatibility with new systems; this puts organisations in a danger zone that could become devastating. As the bell tolls in 2026, companies must urgently take stock of their current software and hardware budget lifecycles and address looming technical expiry dates before disaster strikes.
Identity will remain under threat
As we saw earlier in the summer; AI tools are being “weaponised” to commit large-scale cyber attacks. Such synthetic cyber attacks are likely to continue ensuring that identity remains under threat in 2026. Organisations which have relied on Zero Trust security strategies will be the first to realise the risks of such an approach and must recognise the failings that lie in Identity Access Management (IAM) and Multi-Factor Authentication (MFA). Organisations now stand at a juncture; adapt or risk failing when it comes to security measures because so far, no one can give organisations a 100% guarantee that nothing is able to get in
To create a robust technical ecosystem, it is time that organisations regain ownership of their end-to-end stack – from the server to network estates – which will allow them to move beyond identity-based protection. By proactively securing all entry points through the isolation of any critical infrastructure within secure boundaries that treat every access attempt as suspicious, only then will organisations have the defences in place to avoid becoming a cyber statistic.
Comply or die: IT compliance idleness will cause organisations to fail
With cyber threats on the rise, legislative compliance is essential, but the real challenge for many organisations in 2026 will lie in whether their tech is up to scratch to meet them. With recent data from StatCounter and Lansweeper suggesting that more than 50 per cent of all desktops and servers globally run on outdated, unsupported operating systems, many organisations are at considerable risk.
January 2026 will mark one year since the Digital Operations Resilience Act (DORA) became enforceable and as of October 2025, all Further Education institutions are required to have Cyber Essentials Plus, as mandated by the Department of Education. Those who find themselves kicking off a new year without meeting the technical mandate necessary to meet these regulations may find themselves in a “comply or die” situation – which, set against the cyber landscape could be devastating for UK plc.
