Cybersecurity Predictions for 2026
Gary Perkins, Chief Information Security Officer

While we don’t have a crystal ball that will tell us exactly what 2026 will bring in the world of digital security, one thing remains clear: we will continue to see more of the same threats we saw in 2025. How we react and protect ourselves, however, can evolve. Here are a few of my thoughts about what I think will happen in cyber next year.
AI Continues to Be Ever Present
In 2026, cybersecurity will continue to evolve rapidly, with both threats and defenses becoming more complex. One of the biggest shifts will come from Artificial Intelligence (AI), which will expand the landscape on both sides. Threat actors will use AI to scale operations, automate social engineering, impersonate executives with realistic accuracy, and perform reconnaissance faster than human teams can react. Agentic attacks will move from novelty to norm, with autonomous or semi-autonomous adversary systems able to plan, adapt, and execute multi-stage intrusions with minimal human oversight. These agents will probe environments continuously, chain exploits across cloud, identity, and endpoints, and dynamically adjust tactics in ways that challenge static controls and human-paced detection and response.
At the same time, organizations adopting AI for efficiency will face new risks if they fail to secure the data, models, and machine identities behind these systems. Shadow AI will continue to grow, with many businesses discovering employees are using third-party AI tools without oversight, policies, or protections. The strongest organizations will not just adopt AI; they will govern it.
Despite this, unrealistic expectations around AI will persist. Marketing teams will capitalize on the hype, and security products and threat reports will often attribute “AI-driven” capabilities to attacks that are still conventional. In many cases, threat actors will not even need AI because the same old techniques remain effective.
Ransomware Isn’t Going Anywhere
Ransomware-as-a-service will continue to intensify, especially against smaller, under-resourced targets. Sectors like healthcare, legal services, insurance, accounting, and regional government will remain attractive to attackers. Modern ransomware is no longer just about encrypting data. Exfiltration and publishing stolen information remain core pressure tactics. Early data already shows dramatic increases, with U.S. organizations hit throughout 2025 and average recovery costs reaching into the millions, even when no ransom is paid. The economics are too profitable for attackers to abandon. Even if one country makes paying ransoms illegal, organizations there will still be affected because attackers do not discriminate.
Protect Your Cloud!
Cloud compromise will accelerate as organizations centralize data. Many assume cloud services inherently protect them, but visibility, access control, and configuration remain the customer’s responsibility. Shadow cloud environments and unmanaged accounts continue to create blind spots. While technologies like CASB and CSPM help, they cannot deliver on their promise without proper implementation and continuous oversight. Cloud breaches will increase not because the cloud itself is insecure, but because maturity among cloud customers varies widely. Supply chain attacks against cloud platforms and SaaS ecosystems will continue to rise, with adversaries exploiting trusted integrations, third-party apps, and compromised vendors rather than attacking targets directly. Incidents like the Drift-Salesforce breach highlight how a single weak link in a connected cloud supply chain can provide scaled access to sensitive data across many organizations at once.
Cyber Insurance is Only Going to Grow
Cyber insurance will also change. Underwriting will increasingly resemble credit scoring, with pricing and eligibility tied to measurable security practices. Organizations implementing strong fundamentals such as MFA, least privilege, logging, patch hygiene, incident response playbooks, and third-party validation will receive better rates. Denied claims will continue to surface when companies lack basic controls. Insurers will demand greater accountability, transparency, and visibility into risk reduction efforts.
As geopolitical tensions rise, insurers will expand carve-outs and exclusions, particularly around acts of war, nation-state activity, and systemic cyber events, leaving organizations exposed. Policy language will matter as much as the policy itself, and many companies will discover gaps only after an incident occurs.
Organizations that are looking for protection but can’t meet the threshold to obtain a cyber policy should look to warrantied endpoint protection products like CHECKLIGHT® as an alternative solution.
Compliance Requirements
Regulation will expand, making compliance operational rather than optional. Privacy, industry controls, and supply chain security will drive global standards. Organizations will need to demonstrate security not only internally but also across vendors and partners. Contract language, security certifications, and the ability to assess third-party controls will become business prerequisites.
Compliance requirements will become more explicit and less forgiving, with frameworks like CMMC in the U.S. and the EU’s Cyber Resilience Act (CRA) and NIS2 Directive moving from high-level guidance to prescriptive, auditable obligations. For organizations doing business in the EU, aligning security, product development, supply chain risk, and reporting requirements across these regimes will be a significant operational lift, not just a paperwork exercise.
Other Considerations
Human behavior will remain the most targeted attack surface. Credential theft, phishing, and user manipulation continue to work because attackers exploit predictable behaviors. MFA adoption will rise, but attackers are finding ways to bypass it through fatigue attacks, session hijacking, deep-faked social engineering, and token theft. Organizations that combine MFA with targeted, recurring awareness training will significantly outperform those that treat user security as a checkbox.
If economic pressure continues, insider risk will increase, with financially stressed employees more susceptible to coercion or direct payment by threat actors seeking access, credentials, or internal footholds.
Zero Trust may finally move from concept to reality. Identity-driven access, continuous verification, micro-segmentation, and tightly defined privilege models will become embedded in real architectures. This shift responds to attackers exploiting lateral movement, unmanaged devices, and sprawling application environments where implicit trust still exists.
Operational technology will see continued growth in attacks, particularly in manufacturing, logistics, utilities, and energy. Disruptions carry both financial and regulatory consequences, and attacks against OT systems can result in human harm. Many OT systems were designed long before the modern internet and should not be connected to untrusted networks. Treating OT the same as IT can create the risks you are trying to prevent. Organizations need to identify OT systems, evaluate protections, and ensure risk mitigation aligns with their appetite. Ignoring OT is no longer an option; it is a silent but deadly threat.
Finally, quantum computing will emerge as a strategic risk. While not yet an immediate operational threat, global investment is increasing, especially among nation-states. Organizations handling long-term sensitive data need to already be planning for or addressing post-quantum encryption.
In Conclusion
Ultimately, my prediction for cybersecurity in 2026 is that we will continue to see more of the same, just a lot faster. Threat actors will keep using the methods that work because there is no incentive to change what already delivers results. Phishing, social engineering, ransomware, exploiting unpatched systems, and targeting basic security misconfigurations will remain dominant because they continue to be effective against organizations that haven’t raised the bar. Until defenders significantly improve the fundamentals at scale, attackers won’t need new tactics, just continued execution of the ones that already work.