In 2026, collaboration, honesty and humility in cyber are key
As we prepare to close out 2025, the Computer Weekly Security Think Tank panel looks back at the past year, and ahead to 2026.
By Rik Ferguson, Forescout
Published: 03 Dec 2025
If 2024 was the year AI crashed into cyber security, 2025 was the year interdependence became impossible to ignore.
Looking back over the past 12 months, the most important lesson I’ve learned is an uncomfortable one for security people: you are not really “in control” of your risk, you are sharing it. You are sharing it with suppliers, with operators, with cloud and AI platforms, and with the people on your own teams whose resilience is being stretched.
In our research at Forescout we’ve watched attacks continue to climb sharply. Across multiple reports, we’ve seen total attack volumes more than double compared with last year, and incidents in critical infrastructure grow several-fold. In the first half of 2025 alone, we tracked thousands of ransomware events worldwide, with services, manufacturing, technology, retail and healthcare consistently among the most-targeted sectors. This is no longer an IT hygiene problem; it has become a continuity problem for the real economy.
Operational technology has moved from the footnotes to the main story. Our threat intelligence work on critical infrastructure and state-aligned hacktivism has documented repeated attempts to disrupt water utilities, healthcare providers, energy companies and manufacturers by going after the industrial systems that run them. In parallel, our Riskiest Connected Devices research shows routers and other network equipment overtaking traditional endpoints as the riskiest assets in many environments, and risk concentrated in sectors that blend IT, operational tech (OT), the Internet of Things (IoT) and sometimes medical devices. The systems that keep things moving, and the devices that quietly connect them, are now prime targets.
The same interdependence is obvious when you look at the devices and components everyone depends on. In that same Riskiest Connected Devices report, we saw average device risk rise by 15% year-on-year, with routers alone accounting for more than half of the devices carrying the most dangerous vulnerabilities, and risk clustered in retail, financial services, government, healthcare and manufacturing. At the same time, our router and OT/IoT vulnerability research has shown how a single family of widely deployed network or industrial devices with remotely exploitable flaws can simultaneously expose hospitals, factories, power generators and government offices. That is not a theoretical ecosystem risk; it is a design feature of how we now build technology and deliver services. When one link is weak, the consequences propagate.
Working with organisations through real incidents this year, one pattern keeps emerging: resilience has become an ecosystem property. You can have well-managed endpoints, a competent SOC and a decent incident-response playbook and still be taken down because a third-party supplier gets hit, a “non-critical” OT asset becomes a bridge into IT (or vice-versa), or the humans running your programme are simply exhausted. Burnout is increasingly recognised as a security risk, not just an HR issue.
So, what does that mean for 2026?
One trend I expect to crystallise is what I have called “reverse ransom”. Traditionally, extortion follows the organisation that has been breached. We think attackers will increasingly flip that logic: compromise a smaller upstream manufacturer, logistics firm or service provider where defences are weaker, then apply pressure to the larger downstream brands and operators who depend on them to keep the whole chain moving. The party that can pay will no longer always be the party that was breached. For defenders, that means treating supplier visibility, shared detection and joint exercising as a core competency, rather than paperwork for procurement.
The second shift is around AI and social engineering. The novelty of AI-written phishing and voice cloning will wear off; it will just be how social engineering is done. In our 2026 predictions, we talk about “social engineering-as-a-service”: turnkey infrastructure, scripts, cloned voices, convincing pretexts and even real human operators available to anyone with a bitcoin wallet. At the same time, I expect to see more serious, less hype-driven adoption of AI on the defensive side: correlating weak signals across IT, OT, cloud and identity, mapping and prioritising assets and exposures continuously, and reducing the cognitive load on analysts by automating triage. Done properly, that is not about replacing people; it is about giving them back the headspace to think and to delve into the more rewarding stuff.
The third trend is regulatory. Between NIS2 in Europe, evolving resilience requirements in the UK and similar moves elsewhere, boards are going to discover that ecosystem security is becoming a legal duty as much as an operational one. Regulators are increasingly interested in how you manage third-party risk, how you protect critical processes, and how you evidence that your controls actually work under stress.
If 2025 taught me that complete control is largely an illusion, my hope for 2026 is that we respond with humility and collaboration rather than fear. That means investing in continuous visibility across IT, OT, IoT and cloud, building genuine partnerships with suppliers and peers rather than throwing questionnaires over the fence, and better considering the wellbeing of the people we rely on to make good decisions under pressure.
We’re never going back to a simpler threat landscape. But we can build a more honest one that acknowledges interdependence, designs for it and shares the load more intelligently.
Rik Ferguson is vice president of security intelligence at Forescout, as well as a special advisor to Europol and co-founder of the Respect in Security initiative. He is a seasoned cyber pro and well-known industry commentator, and this is his first contribution to the CW Security Think Tank.
