Strengthening Cyber Readiness in 2026
Firebrand Subject Matter Expert Phil Chapman reflects on the policies and procedures your organisation should have in place this year.
2026 is likely to be another busy year for those of us protecting businesses from cyber attacks.
Current trends indicate that the usual threat actors will continue to operate in pursuit of their aims, and that advances in, and reliance on, new and emerging technologies will continue to play their part.
2025 saw some major cybersecurity incidents hit the headlines and, although we cannot undo the impact these attacks have had, we can learn from them and inform the cybersecurity community about the actions we should all be taking to prevent such incidents and protect ourselves and our businesses. The key to success starts with preparation.
When we consider the risk of a cyber incident on our networks, it is a matter of when rather than if, so planning for that eventuality will be a key consideration for organisations both now and in the near future.
Planning starts with understanding the risks and what constitutes a cyber risk. Understanding the threat actors at play and the vulnerabilities they seek out is important, but the risk assessment should begin with identifying assets. Once this inventory is completed, it is essential to prioritise the assets and assess the impact on the business should one or more be taken offline or compromised. This is your Business Impact Assessment (BIA).
Planning leads to policy writing. At a bare minimum, organisations should ensure that they have the following policies and procedures to hand:
➤ Cybersecurity Policy
What are the risks? What assets need to be protected and why? What laws, regulations, or standards do you need to comply with?
➤ Business Continuity and Disaster Recovery (BCDR) Policy
A plan that identifies the assets that need to be protected and the controls that are in place to provide resilience and redundancy to systems. This also includes the people—the team—back-up plans and procedures, and any failover systems that you may have in place to counter the impact of an attack.
➤ Incident Response Policy
This plan may dovetail with the BCDR, as they are closely aligned. This will include the staff members who would need to be involved in an incident, a communications policy, and a legal/HR/PR plan of action. You will also need to understand what your obligations are for reporting.
➤ Acceptable Usage Policy (AUP)
Users must know what they can and can’t do with company equipment and software – and be informed of the reasons why. This is important for both fixed and mobile assets.
➤ User Training and Awareness Policy
Regardless of the size of your business, get training advice and guidance on how to identify and report cyber incidents and how to keep abreast of new threats and areas of responsibility. Implement an awareness campaign!
New and emerging technologies will continue to impact your cybersecurity posture both from a defensive perspective and as a new threat area.
The security of AI and Machine Learning processes will impact areas such as Data Protection, Governance, and Ethical Regulation. Threat actors are already leveraging AI and cloud technologies in their tactics, techniques, and procedures, which has been apparent in some of the major attacks we saw last year.
The key to success in all cybersecurity operations is good planning and management. This is closely followed by the acquisition of the technical knowledge and skills required to keep up with changes in technology and, in particular, AI and Cloud. Having said that, one of the most important aspects in maintaining a good cybersecurity posture is user awareness and training at all levels.
Most commercial vendors have updated their cybersecurity courses to reflect these concepts. Examples include the refreshed CISSP® content from ISC2, AI audit and management courses from ISACA, and the layering of AI technologies into EC-Council, CompTIA, and BCS courses.
World events and threat indicators already suggest that we will face fresh cybersecurity challenges throughout 2026. The good news is that, from executive-leader level through responsible management to technical and non-technical training, you can invest in both your people and the security of your organisation.