Cyber security is evolving fast. As organisations race to adopt new tools, attackers move just as quickly to exploit gaps. What will 2026 look like for businesses trying to protect their people and data? From sophisticated autonomous attacks to the enduring power of human error, the challenges ahead are complex. Yet with the right awareness and training, companies can prepare to face them head-on. This blog plots out some of the most persistent and emerging threats for 2026, and explores what organisations should be to stay one step ahead.
1. Insider threats
Could your employees be your weakest link? One of the most significant emerging threats is a deeply human one: attacks from a motivated insider. It’s a growing vulnerability, perhaps due to societal degradation of the employer-employee relationship. As employees feel less loyal, are rewarded less, and face increasing financial hardship, they become prime targets for recruitment by cybercriminals. This creates the perfect opening for an attacker to offer a large sum of money in exchange for something as simple as login credentials. This happened recently when Joe Tidy, a Cyber correspondent at the BBC, was offered 15% of any ransom payment for access to his PC. We see this as a major threat for the near future because it bypasses technical security controls entirely. Addressing it requires an approach that goes deeper than usual, combining security awareness training with genuine care and support for employees to tackle the problem at its source.
2. Legacy technology
A long-term and persistent threat is the presence of legacy technologies in otherwise modern environments. It’s a particular risk for specialist industries that rely on older equipment that is part of the IoT but not keeping pace with security developments, or has in some cases been abandoned by the manufacturer. Printers, for example, are a constant struggle in an office, but are also often the access point for an attacker on a network. There’s a desire to keep an old familiar one, ‘better the devil you know’, but this is what creates the risk – if Microsoft is willing to cease updates for Windows 10, then how can we expect support to persist from the small manufacturer? We see this risk increasing as businesses struggle to keep pace with price and progress.
3. Advanced Phishing
Think you can determine whats real and what’s a scam? With the help of widely available LLMs, the content of phishing messages is more sophisticated than ever, and we can see models capable of performing OSINT (Open Source Intelligence – the act of gathering and analysing publicly available data) work nearly autonomously, researching companies and people to produce focused and dangerous messaging. We anticipate an increase in automated spear phishing at a scale that we are only just starting to appreciate. This threat escalates dramatically with deepfake audio, or ‘vishing’ (or even video – with the rate of progress we may see cheaper and quicker tools in the new year). You can easily imagine an IT worker receiving a call from a voice clone of a superior demanding an urgent password reset. Defending against them requires continuous awareness, alertness, and training, while enforcing mandatory technical controls like multifactor authentication (MFA) to act as the hard stop against advanced social engineering.
4. Vibe coding
We’re seeing a rising tide of ‘vibe coded’ apps generated by entrepreneurs with little to no coding knowledge. Is this innovation, or a security nightmare? It doesn’t take an expert software developer to spot the risk here, and these applications will continue to come. We don’t see this risk to be the same for major organisations, but small-scale startups and businesses will increasingly turn to vibe coded applications simply due to cost and ease. For those larger organisations, we anticipate the misconfiguration of preferences and a misunderstanding of the terms and agreements with these coding agents to be the big issue, very similar to how a misunderstanding of security obligations led to vulnerabilities back when everyone first switched to cloud providers.
5. AI as a threat generator
It will likely come as a surprise to no one to hear that some of the greatest threats for the coming year are probably going to be AI generated. We’re considering both sophisticated threat actors or state sponsored zero-day analysis and exploitation models, to the small-time criminal and their generated scripts. But are we prepared for them? The red team side of the AI arms race is massively advantaged by speed and scale. A security team must contend with chaotic, adaptive, sometimes autonomous attack campaigns that will only become more complex as the AI frontier is pushed.
6. Passwordless infrastructure
Perhaps not a threat per se, but a change in the way things are done. We anticipate a decline of the traditional password in favour of passwordless security infrastructure. It is possible to anticipate the rise of SSO as being a double edged sword, with a single access point being a single strong point of entry, but also a key to every lock on your system. ‘Something you know’ will continue to be replaced as the primary line of defence by methods based on ‘something you have,’ (phone, security key) and, more critically for us data protection professionals, ‘something you are.’ While biometric technologies (fingerprints or scans) can stop someone at your password over your shoulder, the widespread collection and processing of biometric data (critically, information that cannot be changed if compromised) is a risk unto itself. Navigating that balance will be a key consideration as the technology progresses.
7. Runaway models
We consider this threat twofold, on one side, untrained, unaware employees using commercial LLMs to boost productivity without clear oversight, something we see more and more. This risks leaks of sensitive data or even exposure to unforeseen attack opportunities as a wider attack surface, especially new technologies, simply increases risk, or gives opportunity for new methods of attack as demonstrated by the prompt injection and data exfiltration copilot attacks earlier this year. On the other hand we see risks coming from technical staff running local models on company infrastructure without proper governance. This is of course smaller scale, but potentially major in impact. Imagine a developer leaves a project abandoned: a forgotten RAG model left running silently, harvesting sensitive internal data and creating a treasure trove vulnerability that the organisation isn’t even aware of.
Why is training your smartest investment?
You can spend millions on firewalls, monitoring tools, and the latest software, but if your people click a malicious link, it’s game over. Training isn’t just a “nice to have”. It’s a critical investment that builds the foundation of cyber resilience.
When staff are confident in spotting threats, knowing what to do if something feels off, and understanding why cyber security matters, the whole organisation is safer. And unlike tech solutions that need constant updates – knowledge sticks, giving you ongoing value.
Do you want your organisation to be ready for 2026’s cyber challenges? The smartest move you can make today is to invest in your people, because your staff can be your strongest defence.
How can we help?
At Data Privacy Advisory Service, we specialise in creating custom data protection, cyber security and AI training programs that are perfectly tailored to your organisation’s risk profile, specific needs, industry, and the roles of your employees. Our goal is to embed a culture of protection and accountability, empowering your staff with the practical knowledge and skills they need to handle personal data with confidence and care.
We design every session to be engaging, relevant, and actionable, ensuring your team understands not just the “what” but the “why” of data protection law. Over the past 10 years we’ve worked with SMEs, FTSE 100s and hundreds of organisations in between. Creating bespoke training programmes for their employees, ensuring that their staff know how to confidently handle data and manage cyber risk.
Book a meeting today to discuss the options available.