Navigating ransomware, phishing, and data loss



In a follow-up to their previous insights for Open Access Government, the team at High Tide Consulting discusses the shifting cyber-threat landscape of 2026. From AI-driven “spear phishing” to the importance of “Zero Trust” architecture, they explore how UK businesses can remain resilient in an era where an attack is no longer a matter of “if,” but “when.”

Current threats

Q. In your previous piece, you noted that cyber-attacks are now a matter of “when, not if.” As we enter 2026, which specific threats are you seeing dominate the landscape for UK businesses?

We are seeing a distinct split in how attackers approach different sectors. Ransomware is primarily targeted at larger corporations, think Jaguar Land Rover or Marks & Spencer, where there is significant capital to pay a ransom. However, these attacks aren’t just about the money; they are often designed to destabilise the British economy. This is why we are seeing the new Cyber Resilience Bill, as the government tries to strengthen our national infrastructure against these long-term financial impacts.

For smaller companies and charities, the focus is more on data theft. Attackers want confidential data they can use as leverage elsewhere. Whether the goal is financial gain or simply creating “carnage and destruction,” the sophistication is increasing. Larger organisations are now adopting Zero Trust and micro-segmentation to ensure that when a breach happens, it is limited to a small part of the environment rather than taking down the whole system.

Staff training

Q. In 2026, with AI-driven phishing becoming harder to spot, how has your advice on staff training evolved?

It is getting incredibly difficult because AI is becoming remarkably good at appearing human. We’ve moved into the era of advanced spear phishing, where attackers research your name, your department, and even the specific tone of language your colleagues use.

Because it’s so sophisticated, our advice has shifted: you must have controls in place so that when, not if, someone clicks a link, the threat cannot move beyond that single machine. We also advocate for a “no-blame” culture. We run simulations and tests, but we tell clients that staff should never be afraid to put their hand up and say, “I’ve clicked something, can you check it?” Being proactive and having that reassurance backup is critical.

Preventing data loss

Q. Data loss is often less about hackers and more about internal oversight. What are the most common ways businesses “leak” data today, and how can they stop it?

The days of leaving a DVD on a train are over. Today, it’s usually someone accidentally CC’ing the wrong person on an email. Most of the Microsoft suite has Data Loss Prevention (DLP) built in, but many businesses don’t configure it because they don’t understand their own data patterns.

The solution we’re seeing now is Information Rights Management (IRM) wrapped inside DLP. When you create a document, you classify it, for example, as “Internal Only.” That document is then digitally stamped. Even if it is leaked outside the organisation, it cannot be opened. You can even set “Viewer Only” permissions so an external party can see a file but cannot print or modify it. The tech is there; it’s just a matter of reaching that level of cyber maturity.

Modern phishing

Q. Phishing remains the primary entry point for 75% of attacks. Are there specific new tactics or “red flags” businesses should be aware of?

Attackers are now using trusted third-party platforms to bypass scanning engines. For example, you might receive a legitimate-looking email from Dropbox or DocuSign. Because your company uses these daily, your filters allow them through.

The “nasty link” is then embedded deep inside the document within that platform. We recently saw a wave of attacks targeting charities where a DocuSign link led to a fake Microsoft authentication page. Users thought they were just signing a document, but they were actually giving a third party read/write access to their entire mailbox. Because the originating link was from a trusted source like DocuSign, traditional scanning didn’t pick it up.

Overlooked network security

Q. Why do many organisations secure their “front door” with firewalls but leave internal networks vulnerable?

Many businesses still have an old-school mindset of protecting the “perimeter.” They lock the front door but leave the safe and the deposit boxes wide open. Today, cloud services and wireless networks are the vulnerable points; attackers use the cloud as a stepping stone to get inside the perimeter.

This is where Zero Trust comes in: we don’t trust the perimeter; we secure each individual device. While this is easier for modern “cloud-native” companies, it’s much harder for manufacturing sites with legacy production lines. You can’t just “drop” Zero Trust onto a complex system that has grown over decades without ripping it apart to understand the interdependencies.

Ransomware resilience

Q. Beyond just having backups, what does true “resilience” look like during a live breach?

Backups aren’t a silver bullet. Modern ransomware might sit in your environment for 90 days before “nuking” it, meaning you’ve just been backing up encrypted or compromised data.

True resilience is about process. Do you have a printed copy of your emergency contacts? If your system is down, you can’t access your digital directory to call your IT provider. It’s also about data hygiene. We see staff saving documents to network drives because it’s “two clicks faster” than using a protected document management system. Resilience means training staff to understand that those “two extra clicks” are what keep the business alive.

Final thoughts: The cost of inaction

We still see businesses operating on Hotmail or Gmail to save on licensing costs. In this climate, that is a massive risk. A cyber-attack usually destroys a small business. We highly recommend Cyber Essentials as a starting point. It forces an organisation to “grow up” regarding IT, and it’s increasingly becoming the baseline requirement for doing business with government bodies and large suppliers.


