2025 was a wild ride for cyber security. The landscape is shifting faster than ever, and several themes stand out when I think about the most important cyber security lessons from the year.
Nation-state risk remains constant. In June, US authorities urgently warned companies to prepare for Iranian cyber attacks. This is just one example of the environment we’re in. Security teams must be ready to defend at a moment’s notice. Threats will mix disinformation and low-level disruption with more sophisticated tradecraft, all of which combined can have destructive consequences.
Human vulnerability is a favourite target of attackers. We continue to see this point proved by the cyber criminal group Scattered Spider, who focused on the insurance sector last June, using classic social engineering techniques to prove that humans are oftentimes the weakest link. If you’re relying only on technology, you’re missing the mark: attackers will always find a way in through people.
AI’s rise pressures us to modernise, but introduces new gaps. Enterprise adoption of generative AI surged in 2025. Traffic to generative AI sites jumped by 50%, while 68% of employees used free-tier tools, and 57% admitted to pasting sensitive data into them. With this in mind, it’s key to remember that AI-generated exploits and misinformation are already here. The security community needs to zero in on model manipulation techniques like prompt injection and proactively test these AI systems through the eyes of the attackers. Crowd-led testing remains one of our strongest defences, even across new and evolving attack vectors. Diverse human researchers can catch what others miss.
Accountability is no longer optional. Governance is catching up. Take the Qantas incident as an example. After a breach exposed millions of customer records, the airline tied executive bonuses to cyber security outcomes. Docking CEO pay sends a clear message that the accountability for funding, prioritising, and evangelising security practices sits with the CEO and senior leadership team.
Critical infrastructure remains a soft target. Recent third-party attacks, like the cyber disruption at European airports caused by a breach in check-in software last September, remind us that the human impact of cyber risk can’t be abstract. Critical infrastructure is a soft target for cyber criminals. Disruptions to services used by millions represent a growing threat. Zero trust and privileged access controls should be non-negotiable in all industries, but especially in critical infrastructure, where the security stack is outdated or built on legacy systems.
In 2025, we found that the threats we face are more personal, more technical, more interconnected, and more tied to accountability. When I look forward and consider what 2026 has in store for all of us, I see six major trends emerging or continuing to grow.
- Attack sophistication and scale will continue to accelerate.
In 2026, the pace and sophistication of cyber attacks will reach levels that are increasingly difficult to anticipate. Organisations will be less focused on identifying whether attacks come from criminal groups or nation-state actors and more focused on how to respond effectively when an incident occurs.
- Critical infrastructure remains a prime target.
Attacks against critical infrastructure will remain a top concern. Hardware security, including IoT devices, pipelines, and water systems, will continue to be key risk areas, requiring organisations to prioritise protective measures across the evolving attack surface.
- Security controls must adapt to the diversity of attacks.
The variety of attacks will keep expanding, and security teams will need to implement flexible, effective controls that balance access and protection. Ensuring that employees understand how to identify threats and escalate concerns will be critical to maintaining resilience in this complex landscape.
- AI confidence can mislead.
In 2026, AI-generated outputs will continue to present information confidently, even when incorrect. As organisations rely on AI for efficiency, reports on threats or incidents may be confidently wrong, creating noise that security teams must cut through to identify real risks.
- Human oversight remains critical.
The rise of AI-driven hallucinations, deepfakes, and lifelike synthetic media will make it harder for non-technical users to discern reality from AI-generated content. Organisations will need to foster a culture of human validation and critical thinking, ensuring that teams understand AI’s capabilities and limitations.
- Trust and verification will evolve.
With AI changing how information is created and shared, individuals and organisations will need new methods for verifying content. In 2026, security teams and broader stakeholders will face a culture and mindset shift: determining what to trust, what to validate, and how to respond responsibly to AI-driven outputs.
As defenders, we must embrace people-centric security, rigorously test with human insight, and demand leadership that treats cyber security as a business imperative.
Dave Gerry is CEO at crowdsourced cyber security platform Bugcrowd.
