In 2026, cyber threats are not only more numerous: they are faster, more autonomous, more intelligent and more difficult to detect. Attackers exploit legitimate identities, supply chain dependencies, ever-changing cloud and SaaS configurations, as well as common human factors such as urgency, automatic trust and operational pressure.
In this scenario, defence can no longer be limited to a set of tools. A living, coordinated and measurable system is needed, capable of continuing to function even during an attack. The eight priorities identified by the Cyberoo Observatory are not just current trends: they represent the minimum basis for building real resilience and reducing costs, downtime and reputational damage.
When we intervene to support organisations affected by a cyber incident, certain recurring characteristics regularly emerge: lack of structured governance, high level of obsolescence of systems and networks, and insufficient investment in security processes. These elements constitute a systemic risk that affects not only the technological infrastructure, but above all the organisational culture and decision-making capacity of management. In many cases, the Board tends to underestimate cyber security, considering it an “invisible” problem until it produces tangible effects. When an incident occurs, the organisation is forced to concentrate activities and processes that would have taken years of orderly implementation into a few weeks, with significant impacts on costs, business continuity and reputation.
Another critical element concerns the human dimension of cybersecurity. Behavioural dynamics have a decisive influence on the outcome of many incidents: impulsiveness, uncontrolled trust, emotional pressure and perception of urgency are variables that attackers systematically exploit to circumvent technical controls. These mechanisms affect not only the end user, but also the executive and decision-making levels of the company, where hasty choices or distorted perceptions of risk can amplify existing vulnerabilities.
For this reason, one of the strategic priorities of cybersecurity in 2026 is the adoption of robust governance based on formalised processes, consistent investment and targeted training programmes. It is not enough to provide courses or distribute certifications: it is necessary to intervene on people's mental models, behaviours and decision-making skills, aligning skills, awareness and responsibility.
When corporate culture evolves and individuals become an active part of the protection system, the attack surface is significantly reduced. Effective governance builds an organisational wall which, if free of cracks, represents the first and most important barrier against cybercriminals.
Another belief that needs to be definitively overcome in 2026 is that cybersecurity is purely a technological issue, where all you need to do is purchase enough tools to neutralise any threat. We discussed this in detail in our report "The Future of Cybersecurity", but we would like to take this opportunity to revisit the topic given the importance of this paradigm. Today, attackers' tactics, techniques and procedures are no longer what they used to be: speed, invisibility and automation reign supreme. Thinking that simply adding technologies is enough to feel safe no longer works.
Culture and awareness must be combined with the orchestration of technologies, processes and human skills. It is no longer a question of choosing technologies but services capable of correlating signals in near-real-time, at any time of the day or night, recognising anomalous patterns and reacting immediately in the very first seconds, especially when the offices are empty and the lights are off. That correlation must cover internal signals and external ones alike, which is where Cyber Threat Intelligence comes in: indicators observed outside the organisation are matched against what the organisation's own telemetry is showing. This makes the difference between a contained incident and an operational disaster. The goal is not simply to reduce Mean Time to Detect or Mean Time to Respond: it is to rewrite the defence timescale, moving from slow, sequential processes to dynamic playbooks, intelligent automation and human teams focused on critical decisions.
It means building a system that does not just defend, but allows the company to continue operating even while the attack is underway. This is where true resilience begins.
The question to start with is no longer “how protected are we?”, but “can we work under attack?”. This requires defining the Minimum Viable Business: the essential set of people, processes, applications and data that must remain operational to enable the business to function at a minimum level even during a cyber incident.
Today, attacks no longer start by “breaking down the door”: they enter using valid access. We are talking about compromised accounts, authorisations already granted or sessions still open. This is why putting identity at the centre is not a technical choice, but a matter of survival. The first step is phishing-resistant multi-factor authentication, such as FIDO2, which cannot be satisfied by a code typed into a fake page, together with the removal of legacy authentication protocols that cannot carry MFA and therefore still allow password spraying and brute-force attempts. Attackers are increasingly abusing “normal” sign-in flows: device-code authentication, where the victim is tricked into approving a code the attacker requested, or adversary-in-the-middle proxies that sit between the user and the service, both of which yield valid tokens without a password ever being stolen.
Then there is the management of application authorisations, which must be clear and controlled: no unrestricted user consent to third-party apps, an inventory of authorised applications, verified permissions and constant monitoring. Immediate session revocation, automatic rotation of access keys and protections against device-code phishing are needed to cut off access that would otherwise remain invisible. Finally, there is identity threat detection and response: the only way to notice when a legitimate account starts behaving abnormally or when an authorised application is being used maliciously. This is what allows lateral movement and abuses that leave little trace to be intercepted.
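As an added illustration, not code from the page or from Cyberoo's tooling, the three sign-in abuses described above can be turned into detection rules over sign-in telemetry: a password spray (one source address, many accounts, few attempts each), a successful login over a legacy protocol that bypasses MFA, and a device-code sign-in from a country never seen before for that user. The event format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

SPRAY_WINDOW = timedelta(minutes=10)       # assumed: failures counted inside a 10-minute window
SPRAY_MIN_ACCOUNTS = 3                     # assumed: distinct accounts from one IP before alerting
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_auth", "basic_auth"}   # protocols that cannot carry MFA

# Constructed sample sign-in events in an assumed format: one JSON object per line.
# Sequence: two normal logins, a spray against three accounts from 203.0.113.5,
# an IMAP login without MFA, and a device-code login for alice from a new country.
SAMPLE_LOG = """\
{"ts":"2026-01-09T08:00:00Z","user":"alice","ip":"198.51.100.7","country":"IT","protocol":"browser","method":"password","result":"success","mfa":true}
{"ts":"2026-01-09T08:05:00Z","user":"bob","ip":"198.51.100.8","country":"IT","protocol":"browser","method":"password","result":"success","mfa":true}
{"ts":"2026-01-10T02:00:01Z","user":"alice","ip":"203.0.113.5","country":"IT","protocol":"browser","method":"password","result":"failure","mfa":false}
{"ts":"2026-01-10T02:00:03Z","user":"bob","ip":"203.0.113.5","country":"IT","protocol":"browser","method":"password","result":"failure","mfa":false}
{"ts":"2026-01-10T02:00:05Z","user":"carol","ip":"203.0.113.5","country":"IT","protocol":"browser","method":"password","result":"failure","mfa":false}
{"ts":"2026-01-10T02:30:00Z","user":"bob","ip":"198.51.100.8","country":"IT","protocol":"imap","method":"password","result":"success","mfa":false}
{"ts":"2026-01-10T09:15:00Z","user":"alice","ip":"192.0.2.44","country":"NL","protocol":"browser","method":"device_code","result":"success","mfa":true}
"""


def parse_events(text):
    """Parse one JSON event per line and return the events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Run the three rules over time-ordered events; return (rule, subject, detail) alerts."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> failures inside SPRAY_WINDOW
    sprayed_ips = set()                    # alert once per source address
    known_countries = defaultdict(set)     # user -> countries seen on earlier successful logins
    for ev in events:
        if ev["result"] == "failure":
            window = recent_failures[ev["ip"]]
            window.append(ev)
            while window and ev["ts"] - window[0]["ts"] > SPRAY_WINDOW:
                window.popleft()
            accounts = {e["user"] for e in window}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS and ev["ip"] not in sprayed_ips:
                sprayed_ips.add(ev["ip"])
                alerts.append(("password_spray", ev["ip"],
                               f"{len(accounts)} accounts within {SPRAY_WINDOW}"))
            continue
        # Successful sign-in over a protocol that bypasses MFA: legacy auth still enabled.
        if ev["protocol"] in LEGACY_PROTOCOLS and not ev["mfa"]:
            alerts.append(("legacy_auth_no_mfa", ev["user"], ev["protocol"]))
        # Device-code flow approved from a country this user has never logged in from.
        if ev["method"] == "device_code":
            seen = known_countries[ev["user"]]
            if seen and ev["country"] not in seen:
                alerts.append(("device_code_new_location", ev["user"], ev["country"]))
        known_countries[ev["user"]].add(ev["country"])
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:26} {subject:14} {detail}")
```

The baseline of known countries is built only from successful logins seen earlier in the same stream, so in production it would be seeded from historical data; the spray rule deliberately counts distinct accounts rather than attempts, because a spray keeps per-account attempts below lockout thresholds.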
Not all vulnerabilities are the same: some are exploited within hours of disclosure, while others will probably never be used. 2025 demonstrated this clearly: the most serious flaws in internet-exposed systems were weaponised very quickly. That is why following a technical severity score alone is no longer enough. Patches must be applied according to real risk: a vulnerability that is already known to be exploited in attacks, that has a high probability of being exploited, or that affects an exposed system must be addressed immediately. Everything else can follow the normal cadence.
The most organised companies work on two levels:
a fast track for critical issues on exposed systems, with updates applied within hours;
a standard path for internal or less urgent issues.
After the update, real effectiveness is achieved by completing the remediation with actions of fundamental importance: closing active sessions, changing credentials, updating keys, strengthening configurations and checking for suspicious activity prior to the update. Without these steps, the patch risks giving only a false sense of security.
In 2026, updating does not just mean installing a patch, but stopping the attack, removing hidden access points and returning systems to a secure and controlled state. It is an ongoing task, not a simple repetitive activity.
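The two-tier triage described above, as an added example rather than code from the page: each finding is placed on the fast or standard track from three inputs the text names, whether it is in a known-exploited catalogue (CISA KEV is the usual source), its exploitation probability (EPSS) and whether the asset is internet-exposed, and the fast track carries the post-patch checklist. The thresholds, SLAs, identifiers (VULN-n placeholders, not real CVEs) and findings are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

EPSS_HIGH = 0.30                        # assumed threshold on EPSS exploitation probability
FAST_TRACK_SLA = timedelta(hours=24)    # assumed: fast-track fixes within a day
STANDARD_SLA = timedelta(days=30)       # assumed: everything else on the monthly cycle


@dataclass
class Vuln:
    vid: str          # placeholder identifier, not a real CVE
    asset: str
    cvss: float       # base severity score
    epss: float       # EPSS probability of exploitation in the next 30 days
    in_kev: bool      # listed in a known-exploited-vulnerabilities catalogue
    exposed: bool     # the vulnerable service is reachable from the internet
    found: datetime   # when the finding was opened; SLAs count from here


# Steps the text requires after the patch itself, attached to every fast-track item.
POST_PATCH_ACTIONS = (
    "terminate active sessions on the patched service",
    "rotate credentials and keys the service could have exposed",
    "harden configuration (disable unused features, tighten ACLs)",
    "hunt for exploitation that happened before the patch",
)


def tier(v):
    """Fast track if known exploited, or exposed and (likely exploited or critical)."""
    if v.in_kev or (v.exposed and (v.epss >= EPSS_HIGH or v.cvss >= 9.0)):
        return "fast"
    return "standard"


def build_worklist(vulns, now):
    """Return findings ordered fast track first, then by exploitation probability."""
    work = []
    for v in vulns:
        t = tier(v)
        deadline = v.found + (FAST_TRACK_SLA if t == "fast" else STANDARD_SLA)
        work.append({
            "id": v.vid, "asset": v.asset, "tier": t, "epss": v.epss, "cvss": v.cvss,
            "deadline": deadline, "overdue": now > deadline,
            "post_patch": POST_PATCH_ACTIONS if t == "fast" else (),
        })
    work.sort(key=lambda w: (w["tier"] != "fast", -w["epss"], -w["cvss"]))
    return work


# Constructed findings: note VULN-4 has the highest CVSS but stays on the standard
# track (internal, almost never exploited), while VULN-3 with a modest CVSS goes fast.
NOW = datetime(2026, 1, 15, 9, 0)
SAMPLE = [
    Vuln("VULN-1", "vpn-gateway",          9.8, 0.92, True,  True,  NOW - timedelta(days=2)),
    Vuln("VULN-2", "internal-file-server", 7.5, 0.02, False, False, NOW - timedelta(hours=1)),
    Vuln("VULN-3", "public-web-app",       6.1, 0.45, False, True,  NOW - timedelta(hours=1)),
    Vuln("VULN-4", "workstation-image",    9.1, 0.01, False, False, NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for w in build_worklist(SAMPLE, NOW):
        flag = " OVERDUE" if w["overdue"] else ""
        print(f'{w["tier"]:8} {w["id"]:7} {w["asset"]:22} due {w["deadline"]:%Y-%m-%d %H:%M}{flag}')
```

Exposure alone does not put an item on the fast track here; it acts as an amplifier for a likely or critical flaw, which keeps low-value findings on public hosts from crowding out the ones that are actually being exploited.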
Today, data no longer lives “at home”: it is in the cloud, in SaaS, in external flows. Thinking about governing it once and then forgetting about it no longer works. You need a continuous programme, something that lives every day within your security processes. Truly governing the cloud and SaaS means always knowing who has access to what: applications with elevated privileges, external consents, public links, tokens and APIs that last too long, hidden roles such as shadow admins. It is in this context that SSPM (SaaS Security Posture Management) and CSPM (Cloud Security Posture Management) become indispensable: they give you constant visibility and help you keep the situation under control.
The rule is simple: fewer privileges, more segmentation. The more you reduce what each application or identity can do, the less room you give to a potential attacker. To protect data, you also need to control what is transmitted externally: Data Loss Prevention (DLP) solutions and egress control systems are essential to prevent specific information from ending up in external services, AI plugins or SaaS applications used without adequate governance.
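The posture checks listed above (over-privileged or stale app consents, long-lived tokens, public links and shadow admins) are the kind of rules an SSPM/CSPM tool evaluates continuously. The block below is an added example, not code from the page or any product: it runs those rules over a constructed inventory. The inventory format, scope names, policy windows and approved-admin list are assumptions.

```python
from datetime import date, timedelta

TODAY = date(2026, 1, 15)                   # assumed evaluation date
MAX_TOKEN_AGE = timedelta(days=90)          # assumed policy: keys rotated at least quarterly
MAX_UNUSED_CONSENT = timedelta(days=90)     # assumed policy: unused app consents get revoked
APPROVED_ADMINS = {"alice"}                 # assumed: the only identity allowed an admin role
HIGH_PRIV_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All"}

# Constructed inventory in an assumed shape, the kind of data a posture tool collects.
INVENTORY = {
    "oauth_apps": [
        {"name": "calendar-helper", "scopes": ["Calendars.Read"],
         "consented_by": "user", "last_used": date(2026, 1, 10)},
        {"name": "mail-exporter", "scopes": ["Mail.ReadWrite", "Directory.ReadWrite.All"],
         "consented_by": "user", "last_used": date(2025, 8, 1)},
    ],
    "tokens": [
        {"owner": "ci-deploy", "created": date(2025, 3, 1), "expires": None},
        {"owner": "reporting-svc", "created": date(2026, 1, 2), "expires": date(2026, 4, 1)},
    ],
    "shares": [
        {"path": "/Finance/budget-2026.xlsx", "access": "anyone_with_link"},
        {"path": "/HR/handbook.pdf", "access": "organisation"},
    ],
    "role_assignments": [
        {"user": "alice", "role": "Global Administrator"},
        {"user": "svc-backup", "role": "Global Administrator"},
    ],
}


def evaluate(inv, today=TODAY):
    """Return (severity, rule, subject, detail) findings for every rule that fires."""
    findings = []
    for app in inv["oauth_apps"]:
        privileged = sorted(set(app["scopes"]) & HIGH_PRIV_SCOPES)
        if privileged:
            # A user-granted consent to tenant-wide scopes is worse than an admin-reviewed one.
            sev = "high" if app["consented_by"] != "admin" else "medium"
            findings.append((sev, "high_privilege_app", app["name"], ", ".join(privileged)))
        if today - app["last_used"] > MAX_UNUSED_CONSENT:
            findings.append(("medium", "stale_consent", app["name"],
                             f"unused since {app['last_used']}"))
    for tok in inv["tokens"]:
        age = today - tok["created"]
        if tok["expires"] is None or age > MAX_TOKEN_AGE:
            findings.append(("high", "long_lived_token", tok["owner"],
                             "no expiry" if tok["expires"] is None else f"{age.days} days old"))
    for share in inv["shares"]:
        if share["access"] == "anyone_with_link":
            findings.append(("high", "public_link", share["path"], share["access"]))
    for ra in inv["role_assignments"]:
        if "Administrator" in ra["role"] and ra["user"] not in APPROVED_ADMINS:
            findings.append(("critical", "shadow_admin", ra["user"], ra["role"]))
    return findings


if __name__ == "__main__":
    for sev, rule, subject, detail in evaluate(INVENTORY):
        print(f"{sev:8} {rule:20} {subject:28} {detail}")
```

The point of running this daily rather than once is in the findings that only appear with time: the token that was fine when issued and the consent that was legitimate when granted both turn into findings purely because the calendar moved on.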
This is not just technical common sense: it is what regulations now require. NIS2 and DORA demand structured processes, supplier control and continuous monitoring of critical dependencies. The goal is not to tidy things up once, but to notice immediately when something deviates from the expected level of security.
When ransomware strikes, it is not the encryption that is most frightening: it is coming to a standstill. The only thing that determines whether a company gets back on its feet or remains on its knees is an inseparable pair: solid backups plus a ready-made incident response plan. A backup is not an archive: it is what allows you to get back up and running even when everything else fails. It works if it follows the 3-2-1-1-0 rule:
3 copies of data,
2 different media,
1 off-site copy,
1 immutable or isolated copy,
0 errors in recovery tests.
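The 3-2-1-1-0 rule, as an added example that is not code from the page: a small check that evaluates a backup inventory against each of the five conditions, with the “0 errors” condition backed by a concrete test (the digest of a restored copy must match the production data and the restore must be recent). The inventory format, the dataset and the monthly testing window are assumptions.

```python
import hashlib
from datetime import date, timedelta

MAX_TEST_AGE = timedelta(days=30)   # assumed policy: every copy restore-tested monthly


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed production dataset; each copy records the digest obtained by actually
# restoring it, which is the evidence behind the "0 errors" condition.
PRODUCTION = b"customer-ledger 2026-01-15\n" * 64
GOOD_DIGEST = sha256(PRODUCTION)

# Constructed inventory (assumed shape). The rule counts copies of the data; this list
# holds backup copies only, so the production volume would make a fourth.
COPIES = [
    {"name": "onsite-disk", "media": "disk", "offsite": False, "immutable": False,
     "restored_digest": GOOD_DIGEST, "tested": date(2026, 1, 12)},
    {"name": "offsite-tape", "media": "tape", "offsite": True, "immutable": True,
     "restored_digest": GOOD_DIGEST, "tested": date(2026, 1, 3)},
    {"name": "cloud-object-lock", "media": "object_storage", "offsite": True, "immutable": True,
     "restored_digest": GOOD_DIGEST, "tested": date(2026, 1, 14)},
]


def restore_ok(copy, expected_digest, today):
    """A copy passes only if it was restored recently and the restored data matched."""
    return (copy["tested"] is not None
            and today - copy["tested"] <= MAX_TEST_AGE
            and copy["restored_digest"] == expected_digest)


def check_3_2_1_1_0(copies, expected_digest, today):
    """Evaluate each condition of the rule; returns a mapping of condition -> passed."""
    return {
        "3 copies": len(copies) >= 3,
        "2 media": len({c["media"] for c in copies}) >= 2,
        "1 off-site": any(c["offsite"] for c in copies),
        "1 immutable": any(c["immutable"] for c in copies),
        "0 errors": all(restore_ok(c, expected_digest, today) for c in copies),
    }


def compliant(result):
    return all(result.values())


if __name__ == "__main__":
    result = check_3_2_1_1_0(COPIES, GOOD_DIGEST, date(2026, 1, 15))
    for condition, passed in result.items():
        print(f"{condition:12} {'ok' if passed else 'FAIL'}")
    print("compliant" if compliant(result) else "not compliant")
```

Note that “0 errors” is the condition that silently decays: a copy that was immutable and off-site on the day it was made still fails the rule once its last successful restore test is older than the window.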
Alongside backups, you need a pre-written, tested and internalised incident response plan: who does what, in what order, with what tools, how to communicate, how to isolate, how to restore. The difference between a company that is down for weeks and one that is back up and running in a few hours often comes down to this. To complete the picture, you need an MDR (Managed Detection and Response) service that sees what is happening on hypervisors and unified telemetry that connects identities, endpoints, networks and the cloud to recognise the attack chain as it happens.
Today, artificial intelligence is a powerful accelerator: it strengthens defences, but at the same time greatly increases the capabilities of attackers. And that is precisely the point: if it is not governed, it ends up governing itself. It is not enough to “use” it: it must be kept under control. Techniques such as prompt injection, data or model poisoning, and system prompt leakage clearly show that a system without rules is a real risk. Clear limits are needed: controlling what comes in and what goes out, continuously monitoring what automatic systems are doing, and defining precise procedures for authorising external actions and connections.
The situation becomes even more delicate with artificial intelligence acting autonomously with Agentic AI. These systems are no longer simple tools: they become an active part of business processes. They perform actions, make decisions and automate tasks, often faster than humans. When a non-human agent operates with autonomous decision-making, it is necessary to maintain continuous control and supervision mechanisms. This is why it is essential to establish boundaries, objectives and responsibilities, treating these systems as real components of the IT environment. Reference models such as AEGIS and standards such as ISO/IEC 42001 (the first international standard specifically for artificial intelligence management systems) help to define these rules, reducing new risks such as memory alteration and maintaining trust in intelligent systems.
Today's supply chain is so complex that trust is no longer enough. Too many suppliers, too much software, too many dependencies: without continuous monitoring, you are proceeding blindly. That is why it is essential to know what is really inside what you use. The list of software components, called SBOM (Software Bill of Materials), is like an X-ray: it shows obsolete libraries, critical dependencies and known security issues, and is now also required in supplier management processes. On the technology partner front, the rules set out in DORA come into play: maintaining a list of IT suppliers, having the right to verify them, assessing how dependent you are on a few entities, and regularly checking whether there are any viable alternatives.
This is not bureaucracy: it helps you understand how dependent you really are on your service providers. Then there is the issue of data. If it is in the cloud or in critical online services, you need to be able to control it even if it is not physically yours. Customer-managed encryption keys serve precisely this purpose: to avoid forced dependencies, reduce unnecessary risks and increase the robustness of the entire supply chain. A secure supply chain is not based on promises, but on transparency, control and constant verification. This is how you prevent an external problem from becoming your next incident.
In 2026, cybersecurity is no longer a technical challenge but an organisational, cultural and strategic one. Threats are growing in autonomy and speed, but companies that build solid governance, protected identities, resilient processes and continuous visibility across the cloud, data and supply chain drastically reduce impact, costs and recovery times.
The difference is not made by the number of solutions adopted, but by the ability to make them work together, with trained people, clear rules and an operating model that does not stop at the first unexpected event. There is no technology that solves everything, but there are specific priorities that transform security into a competitive advantage.
2026 will reward those who anticipate incidents rather than react to them, those who measure real risk and those who invest in defences that continue to function even when everything else seems to be failing. This is the real goal: to ensure that the company continues to move, produce and make decisions, even under attack. In a word, to remain resilient.