Businesses are adopting technology faster than ever before. Cyber security considerations need to be at the heart of this.
You need only look at recent headlines for proof. High-profile ransomware attacks, where hackers encrypt vital systems until a ransom is paid, severely limited the day-to-day operations of the Co-op and Marks and Spencer. An attack recently put a venerable haulage firm out of business.
A cyber security incident can take time and money to put right. But reputational damage can have longer-lasting impacts. Your customers, partners and suppliers need to trust you.
In this article we take an up-to-date look at the basics of cyber security for businesses today and in the coming years. This is by no means a comprehensive list, and it’s no substitute for advice from a specialist. But it should be enough to inspire discussion and positive action.
Hacking the human in the cyber secure workplace
While this article looks at some technological measures, it’s important to identify that humans are the first line of defence for a business.
Cyber security isn’t someone else’s job. It’s the job of every single person in the organisation. They must act with accountability and understanding every moment of every day.
It’s not just that, as operators of the IT equipment, they need to be vigilant. It’s that they themselves are the target for hackers.
Some of the most common human factors leading to a cyber security breach are as follows:
- Falling for a phishing attack. This is by far the most significant form of cyber attack against businesses today.
- Not deploying two-factor authentication (2FA; see below). This is a key method of protecting systems, apps and data, and is difficult (although not impossible) for cybercriminals to circumvent.
- Ignoring notifications to restart the computer to apply system or app updates, because they’re just too busy. Updates patch security vulnerabilities, meaning this is like leaving a window to a house wide open for burglars.
- Clicking a questionable link or opening an unknown file attachment, perhaps out of genuine ignorance, or because they assume that the computer’s anti-malware protection is somehow bulletproof (it isn’t).
- Reusing passwords across multiple apps and services, for ease of memorisation. This means that once a single account is hacked, all accounts for that user are effectively wide open, too.
- Individuals sharing app or service passwords, or an entire team using a single login/password. This is a rapid way to lose control of security and accountability. It also increases the risk of malicious actions by ex-employees, bearing in mind that shared passwords are rarely changed because of the disruption of re-educating the team.
- Not locking the screen when in a public location, or leaving computer equipment unattended in a public location. If nothing else, this can lead to physical theft of the hardware – and the data stored on it.
- Delaying reporting an incident, or simply ignoring it. Any incident, even if there’s only a suspicion of one, should be reported to a manager immediately. In the case of data breaches relating to the UK GDPR, delay can increase the size of any eventual financial penalty.
Any of the above can unravel even the most compliant organisation’s entire security posture.
Businesses thriving today don’t just deploy tools. They educate teams, build trust, and act fast when employee actions mean things have gone wrong.
In short, businesses need to make security an ongoing conversation, before it becomes a crisis.
AI: The new frontier for cyber security
Businesses today are increasingly making use of AI, whether that’s chatbots like ChatGPT, or via additional features added to existing and popular apps and services. Many of these AI tools have become indispensable.
But what about cyber security?
Because these services are mostly in the cloud, the same security requirements apply: you should ensure two-factor authentication is used, for example (see below).
However, employees may unknowingly upload sensitive information into AI tools. If these tools use the data for training future AI models without proper security controls, such as anonymisation, confidential information could be exposed to other users or external parties.
If the data relates to individuals then this might put your business in breach of UK GDPR.
It might surprise you that the default setting with OpenAI’s ChatGPT and Anthropic’s Claude AI is that all data entered by users is used to train future AI models (although this can be deactivated manually).
Look for transparency in the way data or information you share is used with AI tools, and ensure any organisation to whom you entrust your data has an ethical AI policy in place.
Sage upholds the highest standards in AI, as demonstrated by our eight AI and data ethics principles, and our commitment to building AI responsibly.
Sage adopts the National Institute of Standards and Technology (NIST) AI Risk Management Framework, for example, to assess and address risks in the design, development, use, and evaluation of our AI products.
In the video below, Arron Harris, Sage’s Chief Technology Officer (CTO), explains Sage’s AI commitments.
2FA: Protecting apps and services
A key cyber security protection method for businesses is two-factor authentication (2FA). This is one of the simplest yet highest impact controls a business or individual can deploy.
It sounds complicated but it really isn’t.
All it means is that, when you log in to an app or service, you provide not only your username and password but also, when prompted, a code of usually six digits. This code is either texted or emailed to you, or generated by an app on your phone.
This is why it’s called two-factor: you provide your password and also a second factor that only you hold. It means that, even if hackers somehow get your login details, they still cannot gain access.
2FA is a popular form of security, and rightly so. You’ll find it protecting email services and cloud software, like accounting. In fact, if you sign up for an app or service that stores any of your data then it should be pause for thought if 2FA is not offered.
Furthermore, try to avoid 2FA where a code is texted to your mobile. It’s surprisingly easy for a fraudster to steal your mobile phone number, and thereby receive your text messages, without you even being aware.
The gold standard form of 2FA is to use a dedicated app on your phone. These are known as authenticator apps. Google offers one, as does Microsoft, but there are many. All work in the same way using the same fundamental technology, so a single app can be used across all your apps and services.
You might find that some companies, such as Microsoft and Google, require you to use their own apps to access their services, and send login confirmation requests straight to the app. This adds even more security.
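As an added illustration (not code from the article or from Sage), the shared technology behind authenticator apps is the time-based one-time password, TOTP (RFC 6238): at enrolment the service and the app share a secret (the QR code), and both then derive a six-digit code from that secret and the current 30-second time window, so the code proves possession of the enrolled phone without the secret ever leaving it. The Python below generates codes the way an app does and verifies them the way a service does. The base32 secret in the demo is a constructed value, and the drift `window`, the function names and the `secret_from_base32` helper are choices made here, not anything the article specifies.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step.
    This is what the authenticator app displays."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either
    side (tolerates phone/server clock drift) and compares in constant time."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    base = unix_time // step
    matched = False
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter < 0:
            continue
        # Evaluate every candidate rather than returning early, so the
        # time taken does not reveal which step (if any) matched.
        matched |= hmac.compare_digest(hotp(secret, counter, digits), submitted)
    return matched


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (usually in a
    QR code), often shown in spaced groups; restore any missing '=' padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    # Constructed demo secret; not from any real enrolment.
    secret = secret_from_base32("JBSW Y3DP EHPK 3PXP")
    now = int(time.time())
    code = totp(secret, now)
    print("code shown in the app now:", code)
    print("service accepts it now:", verify_totp(secret, code, now))
    # A captured code is useless once its window has passed (two minutes later here).
    print("service accepts it two minutes later:", verify_totp(secret, code, now + 120))
```

Because the code depends on the current time, the `verify_totp` tolerance of one step either side is a balance: wide enough that a phone whose clock is a few seconds out still works, narrow enough that a code someone captured cannot be replayed minutes later. A service should also record the last accepted step for each user so that a code cannot be reused within its own window.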
Cyber-securing your business today
Here are some suggestions on where to start if you want to make your business ready to face cyber security threats right now.
Training and awareness
You may need to bring in an outside agency for this, but it can also be achieved by mandatory online training courses for individuals, forming part of their training record.
For very small organisations, it can even be achieved by meetings in which relevant YouTube videos are watched, with a discussion after.
Fundamental to this is to simply start a conversation with your team about cyber security. No jargon, just real talk: “These are the threats we face, and this is how we’re going to defend against them.”
Conduct a simple cyber risk check
Again, focus mostly on the human, via a series of fundamental questions.
- Who has access to which apps, services and systems? Do they need that access, or could limiting it create a narrower profile for cyber criminals to attack?
- Is 2FA deployed for every account and user? Does it use authenticator apps or is it relying on the less secure text/email auth codes?
- Are virtual private networks (VPNs) or personal hotspots used when individuals are out of the office using public/free Wi-Fi?
- How are passwords managed, both at an organisational level and individually for employees? When did employees last change key passwords? A password manager can be used across teams, and a basic version is built into many operating systems.
- Do employees know what to do if they see (or initiate) a cyber security breach? Given the risk of GDPR fines (if your business handles the data of individuals as well as businesses), this really should be written up in the form of procedures. Indeed, any indemnity insurance your business has that covers cyber crime losses may insist this is the case.
- Are any colleagues equipped with outdated hardware, like laptops or phones that no longer receive updates? For example, Microsoft Windows 10 will no longer receive updates after 14 October 2025, yet PCs/laptops/tablets purchased in the past few years may still run it.
- Are any colleagues using their own devices for work tasks, which may compromise security?
Final thoughts
Cyber security has never been as important within businesses of all sizes, but smaller organisations in particular are often targeted by criminals because of their limited resources.
Therefore, it becomes vital to focus on the human: ensure colleagues are educated, confident and aware at all times of the threats the business faces. Start those conversations now.
Frequently asked questions
What is phishing?
Phishing is a crime where scammers contact individuals or businesses out of the blue via text message, email, phone call or even letter. They pretend to be a trusted source, perhaps an individual’s manager requesting help, or a bank reporting a suspect transaction. They then manipulate the individual into transferring money to them in some fashion. Phishing is the most popular and unfortunately most effective form of cybercrime.
What is ransomware?
Ransomware is malicious software that encrypts business data (like files and databases) and locks it, making it unreadable. Usually the ransomware is delivered via a phishing attack, such as a PDF attachment to an email that exploits a security vulnerability. Hackers then demand payment (often in cryptocurrency) to unlock the data. Paying ransoms rarely works and can lead to future attacks. Prevention via education amongst colleagues is always cheaper than recovery.
What is a VPN?
A virtual private network (VPN) is a way of encrypting your internet traffic so that a fully secure “tunnel” is created between your computer and another network. For larger businesses that have dedicated VPN hardware, this means that remote users can effectively “dial in” to the office network via this secure tunnel and work securely, as if they were sitting in the workplace. However, smaller businesses and individuals without VPN hardware can also use the technology when on public Wi-Fi, to create a secure connection that’s impenetrable to anybody else on the same Wi-Fi network. Commercial VPN firms provide this service.
What is 2FA?
2FA (two-factor authentication) adds a second security layer beyond your password – like a code from your phone or authenticator app – to protect apps and services you use, including email and banking. If someone steals your password, they still can’t access your account without the second factor (e.g., a 6-digit code sent to your phone). Research suggests 2FA can stop 99% of account takeover attacks, so it is incredibly effective and should be considered mandatory.
What is AI?
There are many answers to this question but, as of today, it’s widely understood to describe generative AI – software that creates new content like text, images, slides, or code, by learning patterns from large examples. Think of it as a smart assistant that can draft emails, summarise reports, brainstorm ideas, tailor marketing copy, build presentations, and answer customer questions. Sage Copilot AI uses this technology to work 24/7 to help you get the most out of your business, proactively suggesting your next task, and highlighting areas requiring attention.
What is the UK GDPR?
The UK GDPR is the UK’s version of the EU General Data Protection Regulation, retained after Brexit. It’s the law that sets the rules for how organisations collect, use, share and secure personal data about people in the UK. It applies to UK businesses and overseas companies that target UK residents. It sits alongside the Data Protection Act 2018 and PECR, and is enforced by the Information Commissioner’s Office (ICO).