Edgar Ter Danielyan FBCS CITP looks back at 2025, explores some of last year’s biggest cyber incidents and gives his views on where we should place our security priorities for 2026.
With 2025 over and 2026 underway, it's a good time to look back and reflect on what we can learn from some of the most significant events in cyber security over the past 12 months. Any such list is inevitably going to be incomplete and somewhat biased — but here's one particular take based on my 20+ years of experience engineering, managing and testing cyber security.
Machine learning attacks
The days of human-speed hacking are gone: we are moving from an era of human-speed attacks to machine-speed attacks, where vulnerabilities can be weaponised and attacks launched within hours, thanks to the inevitable adoption of AI-powered toolchains. No, they are not perfect, and yes, they still require human guidance, but our defensive practices and tools need to catch up to this reality, and fast. When the offensive tools are increasingly automated, the defensive tools and practices need to be automated likewise.
This in particular affects static signature-based threat detection, a stone-age relic as far as I am concerned. When even the simplest large language models (LLMs) can generate, compile and deploy custom code (think PromptLock), basing our defences on long lists of static hashes is mad. We need to base our decisions on what code does, not its hash.
Perimeter security is dead
We have been talking about the death of perimeter security for years, but it refuses to die and go away. Too many organisations still place mistaken trust in their firewalls despite the simple fact that most attacks nowadays have no problem traversing most firewalls, riding on a wave of TLS-secured traffic on port 443 (for example, HTTPS), while neglecting the foundational and non-negotiable imperatives of good software update management and secure access controls.
The end result is false security and compromised systems. The lesson we have to learn is the one attackers learned years ago: act as if there is no perimeter. Secure internal systems, because they are not really that internal anymore.
Deepfakes
Just because you’re talking to someone in real-time on a video call doesn't mean they're really there. While realistic real-time deepfakes might not be stalking your every Teams or Zoom call, they are here and they work. They work very well: one deepfake made $25 million after an employee was deceived by a real-time, interactive deepfake video of their CFO.
Is this a high probability risk? No, but it is certainly a high impact one, so our assumption that ‘what you see is real’ must be revised. No one should be expected to action high value transactions or disclose sensitive information just because someone who looks like the CFO told them so. Secure, out-of-band, offline authentication methods should be employed instead.
Supply chain attacks
Ingram Micro, a massive IT distributor, suffered estimated revenue losses of $136 million per day and was forced to halt operations for thousands of downstream resellers all because of misplaced trust.
We do have to extend a certain amount of trust to vendors and service providers, but very often organisations extend unlimited or uncontrolled trust to third parties who do not deserve it. This is about much more than a hole in your firewall for your printer maintenance people giving them access to the entire network (although that is bad enough); this is about using third-party libraries, frameworks, plugins, extensions and suchlike, without any third-party assurance.
In September, the Shai-Hulud worm compromised 18 widely-used JavaScript (npm) packages with over 2.6 billion combined weekly downloads. By November, a 2.0 variant had spread to approximately 700 packages, affecting organisations like Zapier and Postman. The attack used phishing to steal GitHub and npm credentials, then used a script (likely generated by an LLM) to inject itself into every package those maintainers controlled.
It was able to spread like wildfire because users of these packages assumed something for which there was zero justification: that they could trust the latest commit to some third-party code. We need much wider and better use of things like software bills of materials (SBOMs) and continuous code monitoring to counter this threat, even if completely eliminating it does not appear to be possible.
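What "don't trust the latest commit" looks like in practice is a gate on dependency changes. The script below is an added illustration, not code from the article, from npm or from any of the projects named above: it diffs two npm lockfiles (the "packages" map that npm writes into package-lock.json for lockfileVersion 2 and 3, with its "version", "resolved", "integrity" and optional "hasInstallScript" fields), flags the patterns a self-propagating package compromise leaves behind (a tarball hash changing under an unchanged version number, a lifecycle install script appearing in a minor bump, a package resolved from outside the registry), and emits a simplified CycloneDX-style SBOM component list. All package names, versions, hashes and hostnames in it are constructed.

```python
"""Diff two npm lockfiles and emit a minimal SBOM component list.

Added example (not the article's or npm's code). Reads the "packages" map that
npm writes into package-lock.json (lockfileVersion 2/3). Names, versions,
integrity strings and hosts below are constructed sample data.
"""
import json
from typing import Dict, List

TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed lockfile before and after a routine dependency update.
OLD_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/left-widget": {"version": "1.4.2",
      "resolved": "https://registry.npmjs.org/left-widget/-/left-widget-1.4.2.tgz",
      "integrity": "sha512-CONSTRUCTED-A1"},
    "node_modules/color-thing": {"version": "2.0.0",
      "resolved": "https://registry.npmjs.org/color-thing/-/color-thing-2.0.0.tgz",
      "integrity": "sha512-CONSTRUCTED-B1"}
  }
}""")

NEW_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "0.1.0"},
    "node_modules/left-widget": {"version": "1.4.3",
      "resolved": "https://registry.npmjs.org/left-widget/-/left-widget-1.4.3.tgz",
      "integrity": "sha512-CONSTRUCTED-A2", "hasInstallScript": true},
    "node_modules/color-thing": {"version": "2.0.0",
      "resolved": "https://registry.npmjs.org/color-thing/-/color-thing-2.0.0.tgz",
      "integrity": "sha512-CONSTRUCTED-B2"},
    "node_modules/new-dep": {"version": "0.0.1",
      "resolved": "https://mirror.example/new-dep-0.0.1.tgz",
      "integrity": "sha512-CONSTRUCTED-C1"}
  }
}""")

# Finding kinds that should block an automatic merge until a human has looked.
BLOCKING = {"integrity_change_same_version", "install_script_added", "non_registry_resolved"}


def _pkg_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lock_change(old: Dict, new: Dict) -> List[Dict]:
    """Return one finding per suspicious or notable difference between two lockfiles."""
    findings: List[Dict] = []
    old_pk, new_pk = old.get("packages", {}), new.get("packages", {})

    def add(kind: str, path: str, detail: str) -> None:
        findings.append({"package": _pkg_name(path), "kind": kind, "detail": detail})

    for path, meta in new_pk.items():
        if path == "":  # root project entry, not a dependency
            continue
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(TRUSTED_REGISTRY):
            add("non_registry_resolved", path, resolved)
        prev = old_pk.get(path)
        if prev is None:
            add("added", path, meta.get("version", "?"))
            if meta.get("hasInstallScript"):
                add("install_script_added", path, "new package runs install scripts")
            continue
        if meta.get("version") != prev.get("version"):
            add("version_change", path, f'{prev.get("version")} -> {meta.get("version")}')
        elif meta.get("integrity") != prev.get("integrity"):
            # Same version, different tarball hash: the artefact behind a name was swapped.
            add("integrity_change_same_version", path, meta.get("integrity", "?"))
        if meta.get("hasInstallScript") and not prev.get("hasInstallScript"):
            # A lifecycle script appearing in a small bump is how malicious npm
            # packages typically get their code executed at install time.
            add("install_script_added", path, "package newly runs install scripts")
    for path in old_pk:
        if path and path not in new_pk:
            add("removed", path, old_pk[path].get("version", "?"))
    return findings


def needs_human_review(findings: List[Dict]) -> bool:
    return any(f["kind"] in BLOCKING for f in findings)


def sbom_components(lock: Dict) -> List[Dict]:
    """Simplified CycloneDX-style component list with package URLs, sorted by purl."""
    comps = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = _pkg_name(path)
        purl = f'pkg:npm/{name.replace("@", "%40")}@{meta.get("version")}'
        comps.append({"type": "library", "name": name, "version": meta.get("version"),
                      "purl": purl, "integrity": meta.get("integrity", "")})
    return sorted(comps, key=lambda c: c["purl"])


if __name__ == "__main__":
    found = audit_lock_change(OLD_LOCK, NEW_LOCK)
    for f in found:
        print(f'{f["kind"]:30} {f["package"]:12} {f["detail"]}')
    print("needs human review:", needs_human_review(found))
    print(json.dumps(sbom_components(NEW_LOCK), indent=2))
```

Run against the constructed data it reports five findings, three of which are blocking; run against an unchanged lockfile it reports nothing. The SBOM list is what you would keep per release so that, when a package is later reported compromised, you can answer "did we ever ship that version?" from records rather than memory.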
Phishing is alive in 2026
It feels like yesterday when we were imploring businesses to implement two-factor authentication — any two-factor authentication. That didn't age well: with the explosion in various ways of stealing one-time codes or cajoling users into providing them through social engineering, implementing just any kind of two-factor authentication is no longer sufficient. Phishing-resistant authentication, such as FIDO2/WebAuthn passkeys or devices, is needed to combat the growing stream of attacks against legacy MFA. And that's without even talking about passwords, which continue to be the most widely used and the least secure form of authentication.
Ransomware
Ransomware continues to be a top cyber security risk, particularly for Windows environments. However, ransomware in 2025 was almost exclusively double extortion ransomware: attackers first exfiltrate data before then encrypting your copy of it. Even if you can restore from backups (and that’s a big if for many organisations), they can still blackmail you with data leaks and you still have the regulators, the customers and the public to deal with. While good backups are of course an absolute necessity, they are not sufficient. Prevention, as always, remains the best — and the cheapest — cure.
My concluding theme for these lessons is a synthesis of two well-known aphorisms: ‘The only constant is change’, attributed to Heraclitus, the ancient Greek philosopher, and ‘The more things change, the more they stay the same’, attributed to the French journalist Alphonse Karr.
While it is unquestionably true that cyber security is a fast-moving and evolving target, it is also true that the underlying concepts, principles and good practices, deep down, still remain applicable and indispensable, albeit requiring constant adaptation and refinement.
These and other lessons from 2025 demonstrate that while the adversaries and threats have evolved and continue to evolve to leverage AI and supply chain complexity in particular, the most effective defences remain rooted in rigorous engineering and good security practices such as strict access control, strong authentication, rapid vulnerability management, independent testing, security by design and limited trust. What good practices are you going to implement in 2026?
Edgar Ter Danielyan FBCS CITP is director and principal consultant at Danielyan Consulting Ltd, a London-based specialist consultancy providing security engineering, incident investigation, and penetration testing services since 2013.