The major cyber hurdles that could deeply impact businesses in 2026
2025 has been a year that has brought cyber chaos to high-profile organisations. The major financial losses from downtime and the removal of key sales channels have resulted in a threat actor's payday. But while many organisations have sympathised with the situation of the likes of M&S and Jaguar Land Rover, the simple fact is that they could be next.
The National Cyber Security Centre was clear in its latest annual report – it is time to act. This was reinforced by the UK Government, which recently wrote to FTSE 250 CEOs stressing the vital need for them to make cyber security a board-level priority, alongside plans for new laws to protect hospitals, energy and water supplies, and transport networks from the threat of cyber-attacks under the Cyber Security and Resilience Bill.
Inaction is simply not an option. However, while organisations should be continually looking over their shoulder, they must also look internally at the risk that lies within.
With experts forecasting even more attacks in 2026, Barry Daniels, CEO of Droplet, shares his predictions for the coming year:
Organisations are one budget away from disaster
Ignoring obsolete IT will become a major liability for businesses in 2026. With Windows Server 2016 reaching end-of-support in January 2027, organisations are now just one budget cycle away from having an infrastructure which is unprotected and can no longer rely on legacy environments that have merely performed adequately. IT inertia is a major risk that includes heightened vulnerability to cyber attacks and data breaches, not to mention operational inefficiencies due to incompatibility with new systems; this puts organisations in a danger zone that could become devastating. As the bell tolls in 2026, companies must urgently take stock of their current software and hardware budget lifecycles and address looming technical expiry dates before disaster strikes.
Identity will remain under threat
As we saw earlier in the summer, AI tools are being "weaponised" to commit large-scale cyber attacks. Such synthetic cyber attacks are likely to continue, ensuring that identity remains under threat in 2026. Organisations which have relied on Zero Trust security strategies will be the first to realise the risks of such an approach and must recognise the failings that lie in Identity Access Management (IAM) and Multi-Factor Authentication (MFA). Organisations now stand at a juncture: adapt or risk failing when it comes to security measures because, so far, no one can give organisations a 100% guarantee that nothing is able to get in.
To create a robust technical ecosystem, it is time that organisations regain ownership of their end-to-end stack - from the server to network estates - which will allow them to move beyond identity-based protection. Only by proactively securing all entry points, through the isolation of any critical infrastructure within secure boundaries that treat every access attempt as suspicious, will organisations have the defences in place to avoid becoming a cyber statistic.
Comply or die: IT compliance idleness will cause organisations to fail
With cyber threats on the rise, legislative compliance is essential, but the real challenge for many organisations in 2026 will lie in whether their tech is up to scratch to meet them. With recent data from StatCounter and Lansweeper suggesting that more than 50% of all desktops and servers globally run on outdated, unsupported operating systems, many organisations are at considerable risk.
January 2026 will mark one year since the Digital Operations Resilience Act (DORA) became enforceable, and as of October 2025, all Further Education institutions are required to have Cyber Essentials Plus, as mandated by the Department of Education. Those who find themselves kicking off a new year without meeting the technical mandate necessary to meet these regulations may find themselves in a "comply or die" situation – which, set against the cyber landscape, could be devastating for UK plc.