Barry Daniels, CEO of Droplet, warns that with critical software end-of-support deadlines looming and AI-enabled identity attacks accelerating, 'good enough' cybersecurity could quickly become a catastrophic business liability.
2025 has been a year that has brought high-profile organisations to their knees following large-scale, high-impact cyber incidents. The major financial losses from downtime and the removal of key sales channels have resulted in a threat actor's payday. But while many organisations have sympathised with the plight of the likes of M&S and Jaguar Land Rover, the simple truth is that they could be next.
In its latest annual report, the National Cyber Security Centre was clear: it is time to act. This was reinforced by the UK Government, which recently wrote to FTSE 350 CEOs calling on them to make cyber security a board-level priority, alongside plans for new laws to protect hospitals, energy and water supplies and transport networks from the threat of cyber-attacks under the Cyber Security and Resilience Bill, which is expected to receive Royal Assent during 2026.
Inaction is not an option for businesses as they move into a new year. However, while organisations must be continually looking over their shoulder, they should also look internally at the risk that lies within.
This comes as experts forecast potentially even more cyber chaos, despite major warnings. There are three key areas I predict will affect businesses in 2026.
Organisations are one budget away from disaster
Ignoring obsolete IT will become a major liability for businesses in 2026. With Windows Server 2016 reaching end-of-support in just 12 months (in January 2027), organisations are now only one budget cycle away from having an infrastructure that is unprotected and can no longer rely on legacy environments that have simply performed adequately.
Nor can they continue to operate with IT inertia, as this will leave them more vulnerable to cyber attacks and data breaches, not to mention operational inefficiencies due to incompatibility with new systems. Ignorance will place organisations in a danger zone that could become devastating. Therefore, as the bell tolls in 2026, companies must urgently take stock of their current software and hardware budget lifecycles and address looming technical expiry dates before disaster strikes.
Identity will remain under threat
As we saw earlier in the summer, AI tools are being weaponised to commit large-scale cyber attacks. Such synthetic cyber attacks are likely to continue, ensuring that identity remains under threat in 2026. Organisations that have relied on Zero Trust security strategies will be the first to realise the risks of such an approach and must recognise the failings that lie in Identity and Access Management (IAM) and Multi-Factor Authentication (MFA). Organisations now stand at a juncture: adapt or risk failing when it comes to security measures, because so far nobody can give organisations a 100% guarantee that nothing is able to get in.
To create a robust technical ecosystem, it is time that organisations regain ownership of their end-to-end stack, from the server to network estates, which will allow them to move beyond identity-based security. By proactively securing all access points through the isolation of any critical infrastructure within a secure vaulted architecture, every single threat attempt will be considered suspicious. Only by deploying an architecture that trusts nothing will organisations have the defences in place to avoid becoming a cyber statistic.
Comply or die: IT compliance idleness will cause organisations to fail
With cyber threats on the rise, legislative compliance is essential, but the real challenge for many organisations in 2026 will lie in whether their tech is up to scratch to meet it. With recent data from StatCounter and Lansweeper suggesting that more than 50% of all desktops and servers globally run on outdated, unsupported operating systems, many organisations are at considerable risk.
January 2026 will mark one year since the Digital Operational Resilience Act (DORA) became enforceable, and as of October 2025, all Further Education institutions were required to have Cyber Essentials Plus, as mandated by the Department for Education. Those who find themselves kicking off a new year without meeting the technical mandate necessary to satisfy these regulations could find themselves in a 'comply or die' situation, which, set against the cyber landscape, could be devastating for UK plc.
The threat landscape in 2026 is no longer a matter of if, but when. With critical software expiry dates looming and identity under constant threat, reliance on 'good enough' security and outdated systems is now a catastrophic business risk.
Those who do nothing will fail. Those who proactively invest in resilient vaulted architectures that assume no trust will finally move beyond fragile identity-based defences to ensure they are not the next headline.
This article is part of our DCR Predicts 2026 series. Come back every week in January for more.
