Four forces reshaping cyber risk in 2026

The cyber threat landscape is becoming faster, more complex and harder to contain. Here, Steve Durbin of the Information Security Forum sets out the four forces reshaping cyber risk in 2026 and explains why resilience has become a core leadership discipline

The most dangerous assumption heading into 2026 is that threats won’t meaningfully evolve, that yesterday’s playbook will still be enough and that, with the right tools and enough vigilance, we can stop everything at the gate.

For 2026, that assumption is likely false. Threats are becoming more persistent, intelligent and automated. This shift makes “defend everything” an unrealistic strategy.

The answer is resilience.

Resilience starts with a simple fact: you cannot prevent every attack. The goal is to absorb impact, contain the damage and get critical services up and running as soon as possible.

And that only happens when resilience is treated as a leadership priority rather than a technical afterthought.

Resilience works when accountability is explicit, and response is rehearsed until it becomes muscle memory. When a crisis hits, actionable guidelines ensure that teams make clear-headed decisions under high pressure.

To strengthen resilience, protect critical services and prepare organisations for a more volatile threat environment, leaders need to understand the forces now reshaping cyber risk. Four in particular stand out in 2026: the growing use of AI in attacks, the expanding exposure created by third-party ecosystems, the longer-term challenge posed by quantum computing and the added instability created by geopolitical tension.

1. AI-driven threats

AI is now automating parts of an attack that used to take a lot of time, research and skill. Cybercriminals can scale faster and reduce the cost of launching attacks. The immediate impact is a surge in AI-generated spear phishing, more convincing voice and video deepfakes and a rise in synthetic identity attacks that can slip through defensive layers.

The best foot forward is to avoid legacy tools and transition to AI-based detection that focuses on behavioural anomalies, surfacing what signature-based tools miss. Pair detection with a comprehensive incident response that is practised and repeatable.

2. Third-party ecosystems

Cloud services, SaaS providers, outsourcers and tightly connected vendor ecosystems are a complex web that creates shared exposure. This environment is under the radar of attackers who continuously probe for weaknesses, trying to embed backdoors to enable successful intrusions.

A successful intrusion can infect your systems, even if the original entry point is a third-party vendor. The priority should be rigorous vendor cyber risk management. Bring high-risk suppliers under the ambit of continuous control monitoring and provide them with only the least privileged access.

3. Post quantum scenario

Quantum is a time bomb with a long fuse. The blast won’t be immediate, but the countdown has already started and it threatens today’s public-key cryptography and any sensitive data that must remain confidential for years.

Adversaries can steal encrypted data now and wait for future capability to unlock it, which makes ‘when’ less important than ‘how long’ your secrets need to stay secret. The practical response in the modern sense is moving to post-quantum cryptography (PQC), and in select, high-assurance environments, pairing it with approaches such as Quantum Key Distribution (QKD). In Europe, the post-quantum transition is no longer abstract with current guidance making critical infrastructure quantum-safe by 2030.

4. Geopolitics multiplies risk

Geopolitical instability can be an active driver of digital risk. When tensions rise, regulations harden, data movement gets restricted, and access to critical infrastructure, cloud regions, or strategic suppliers can change overnight. Your resilience footprint will be defined by policy shifts, sanctions, and cross-border disruption, not just malware and general vulnerabilities.

Plan for geopolitical situations that can force cyber, legal, communications, and business operations to make decisions collaboratively.

Measure the readiness of your recovery plan against challenges such as a region being cut off due to war or a key vendor being blacklisted. The goal is to widen the threat perception and look beyond traditional threats to geopolitical bottlenecks.

Beyond these four forces, resilience also depends on what organisations do next. The real test lies in turning awareness into action – that is, embedding cyber resilience at leadership level, measuring what matters, rehearsing difficult scenarios and building controls that still hold under real-world pressure. The core objective should be to move from talk to action.

• Deal in tangibles. Track time to detect, time to contain and time to recover for your most critical services. Make sure you can restore critical business services within a predefined time frame and integrate with isolation, backups, and a clear recovery path.

• Focus on tabletop exercises aligned with key drivers, including an AI-enabled fraud attempt, a key vendor malware attack, and a cross-border constraint. Decide on ransomware payment, communication strategy, and what “minimum service” means in a crisis.

• Maintain razor-sharp focus on access privileges. Leverage phishing-resistant MFA, time-bound privileged access, and separate vendor identities from core directories.

• Implement awareness and training programmes where story-driven education drives a culture of identifying threats early.

You reduce exposure by choosing controls that hold up in real world scenarios. With AI, this means stricter data handling rules, clear classification, and a habit of verifying outputs before they drive decisions. Put AI under finance-grade governance and keep testing the guardrails so they do not fail under pressure.

For quantum, map where cryptography is used across systems, then prioritise the highest-value assets and long-lived data that must stay confidential for years. Third-party exposure needs stricter access boundaries, continuous monitoring of critical vendors, and the ability to cut connectivity while keeping the business running if a partner becomes the problem. In geopolitics, policy shifts and conflict can break dependencies overnight, so rehearse recovery for scenarios where regions, routes, or suppliers become unavailable or legally off-limits.

In 2026, a winning posture is not perfect prevention. It is resilience that holds fast despite overwhelming odds. AI will amplify speed and scale, third parties will increase exposure, quantum will loom on the horizon, threatening to decrypt data, and geopolitics will disrupt dependencies without warning. Your organisation will only come through if it builds a robust resilience framework.

Steve Durbin is Chief Executive of the Information Security Forum (ISF), an independent association that addresses major challenges in information security and risk management for organisations across the Fortune 500 and Forbes 2000. He is a frequent speaker on the Board’s role in cybersecurity and technology.

Further information
Produced with support from the Information Security Forum. To find out more about the ISF’s cybersecurity insight, risk guidance and leadership resources, visit www.securityforum.org

READ MORE: ‘Orbitae – AI by SDG Group launches Gena Suite to scale enterprise AI‘. Artificial intelligence is spreading rapidly through modern organisations, yet many initiatives stall at the pilot stage. John E. Kaye explores how SDG Group’s new Gena Suite is designed to help companies turn AI ambition into operational capability.

Do you have news to share or expertise to contribute? The European welcomes insights from business leaders and sector specialists. Get in touch with our editorial team to find out more.