DCR Predicts: The major cyber hurdles that could deeply impact businesses in 2026

Barry Daniels, CEO of Droplet, warns that with critical software end-of-support deadlines looming and AI-enabled identity attacks accelerating, ‘good enough’ cybersecurity could quickly become a catastrophic business liability.

2025 has been a year that has brought high-profile organisations to their knees following high-scale, high-impact cyber incidents. The major financial losses from downtime and the removal of key sales channels have resulted in a threat actor’s payday. But while many organisations have sympathised with the situation of the likes of M&S and Jaguar Land Rover, the simple fact is that they could be next.

In its latest annual report, the National Cyber Security Centre was clear – it is time to act. This was reinforced by the UK Government, which recently wrote to FTSE 250 CEOs calling on them to make cyber security a board-level priority, alongside plans for new laws to protect hospitals, energy and water supplies, and transport networks from the threat of cyber-attacks under the Cyber Security and Resilience Bill, which is expected to gain Royal Assent during 2026.

Inaction is simply not an option for businesses as they move into a new year. However, while organisations should be continually looking over their shoulder, they must also look internally at the risk that lies within. 

This comes as experts forecast potentially even more cyber chaos, despite major warnings. There are three key areas I predict will impact businesses in 2026.

Organisations are one budget away from disaster

Ignoring obsolete IT will become a major liability for businesses in 2026. With Windows Server 2016 reaching end-of-support in just 12 months (in January 2027), organisations are now just one budget cycle away from having an infrastructure which is unprotected, and can no longer rely on legacy environments that have merely performed adequately.

Nor can they continue to operate with IT inertia, as this will leave them more vulnerable to cyber attacks and data breaches, not to mention operational inefficiencies due to incompatibility with new systems. Ignorance will place organisations in a danger zone that could become devastating. Therefore, as the bell tolls in 2026, companies must urgently take stock of their current software and hardware budget lifecycles and address looming technical expiry dates before disaster strikes.

Identity will remain under threat

As we saw earlier in the summer, AI tools are being weaponised to commit large-scale cyber attacks. Such synthetic cyber attacks are likely to continue, ensuring that identity remains under threat in 2026. Organisations which have relied on Zero Trust security strategies will be the first to realise the risks of such an approach and must recognise the failings that lie in Identity Access Management (IAM) and Multi-Factor Authentication (MFA). Organisations now stand at a juncture: adapt or risk failing when it comes to security measures, because so far no one can give organisations a 100% guarantee that nothing is able to get in.

To create a robust technical ecosystem, it is time that organisations regain ownership of their end-to-end stack – from the server to network estates – which will allow them to move beyond identity-based protection. By proactively securing all entry points through the isolation of any critical infrastructure within a secure vaulted architecture, every single threat attempt will be considered suspicious. Only by deploying an architecture that trusts nothing will organisations have the defences in place to avoid becoming a cyber statistic.

Comply or die: IT compliance idleness will cause organisations to fail

With cyber threats on the rise, legislative compliance is essential, but the real challenge for many organisations in 2026 will lie in whether their tech is up to scratch to meet those requirements. With recent data from StatCounter and Lansweeper suggesting that more than 50% of all desktops and servers globally run on outdated, unsupported operating systems, many organisations are at considerable risk.

January 2026 will mark one year since the Digital Operations Resilience Act (DORA) became enforceable, and as of October 2025, all Further Education institutions were required to have Cyber Essentials Plus, as mandated by the Department of Education. Those who find themselves kicking off a new year without meeting the technical mandate necessary to meet these regulations may find themselves in a ‘comply or die’ situation – which, set against the cyber landscape, could be devastating for UK plc.

The threat landscape in 2026 is no longer a matter of if, but when. With critical software expiry dates looming and identity under constant threat, reliance on ‘good enough’ security and outdated systems is now a catastrophic business risk. 

Those who do nothing will fail. Those who proactively invest in resilient vaulted architectures that assume no trust will finally move beyond fragile identity-based defences to ensure they aren’t the next headline.

This article is part of our DCR Predicts 2026 series. Come back every week in January for more.
