By Jeff Liford, Associate Director, Fenix24
If the impact and complexity of cyberattacks taught us anything in 2025, it’s that security failures are no longer about missing tools. They’re about broken fundamentals under real threat actor pressure.
In fact, most attacks happen without exotic exploits. Identity, misconfigurations, tokens, and trusted access are compromised faster than organizations can patch or detect.
Considering what we as security practitioners (myself included) learned during 2025, I offer my top New Year's resolutions and predictions for 2026.
Resolution #1: I will fix my backups.
Off-domain. Immutable. Tested and validated. Backups only matter if they survive the attack and restore when needed.
Resolution #2: I will enforce authentication hygiene.
No more “123456.” MFA is not optional in 2026. Accounts that can’t have MFA (service accounts) will be extremely limited in scope, permissions, and access. No more Domain Admin service accounts will be allowed.
Resolution #3: I will document my assets.
Asset visibility is not optional in 2026. If I can’t quickly identify what exists, who owns it, and how it connects, I don’t control my environment. I’m guessing.
Resolution #4: I will design for failure.
I will assume compromise and design the environment to resist it in layers, with assured recovery. Enforced segmentation and access control are critical to security posture. Resilience is built before the incident, not during it.
Resolution #5: I will stop trusting inherited risk.
“How we’ve always done it” is not a security strategy. I will reassess legacy decisions and ensure vendors and partners are aligned with my security posture.
My Top-5 Predictions for 2026: Self-Improvement is Hard
Prediction #1: Immutability struggles persist.
The industry is learning the power that immutability has to change outcomes in ransomware attacks. True immutability significantly improves the chances an organization can reasonably consider resisting a ransom. As a result, regulators and insurers will begin to demand: “Show me your immutable backups.”
But even as that demand rises, execution will lag. Pressure does not equal results or competence. This does not — by itself — result in backup technology being implemented quickly, correctly, or being properly tested. We’ll also continue to see vendors jump on the immutability wagon with their own interpretations of immutable tech. Organizations should demand immutability without conditions or compromises. If anyone can delete the data, it is not immutable.
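The article’s test for immutability is simple: if anyone can delete the data, it is not immutable. The following added example (not part of the original article, and not Fenix24 code) applies that test to one common backup target, an S3 bucket with Object Lock, using the configuration shape that boto3 returns from get_object_lock_configuration(). It distinguishes a bucket with no lock, a lock in GOVERNANCE mode (removable by any principal granted s3:BypassGovernanceRetention, which is immutability “with conditions”), and a lock in COMPLIANCE mode, which no principal can shorten until the retention period expires. The bucket names, the 30-day minimum retention, and the sample configurations are constructed for the example; the fake clients stand in for a real boto3 client so the code runs offline.

```python
"""Classify an S3 Object Lock configuration against the rule
"if anyone can delete the data, it is not immutable".

Added example, not code from the article. The dict shape matches boto3's
s3.get_object_lock_configuration() response; all sample data is constructed.
"""

from dataclasses import dataclass
from typing import Optional

# Assumption for the example: backups must survive at least this long.
MIN_RETENTION_DAYS = 30


@dataclass
class LockVerdict:
    level: str            # "none", "conditional", or "immutable"
    reason: str
    retention_days: int = 0


def _retention_days(rule: dict) -> int:
    """A default retention rule carries either Days or Years, never both."""
    default = rule.get("DefaultRetention", {})
    return default.get("Days", 0) + default.get("Years", 0) * 365


def classify_object_lock(config: Optional[dict]) -> LockVerdict:
    """Decide whether a bucket-level Object Lock configuration is truly immutable.

    - No configuration, or ObjectLockEnabled != "Enabled": nothing stops a delete.
    - GOVERNANCE mode: retention exists, but a principal holding
      s3:BypassGovernanceRetention can remove it. Conditional, not immutable.
    - COMPLIANCE mode: no principal, including the account root user, can
      shorten the retention period before it expires.
    Note that a default rule only covers objects written after it was set.
    """
    if not config:
        return LockVerdict("none", "no Object Lock configuration")
    lock = config.get("ObjectLockConfiguration", config)
    if lock.get("ObjectLockEnabled") != "Enabled":
        return LockVerdict("none", "Object Lock not enabled")
    rule = lock.get("Rule")
    if not rule:
        return LockVerdict("none", "Object Lock enabled but no default retention rule; "
                                   "objects are protected only if retention is set per object")
    mode = rule.get("DefaultRetention", {}).get("Mode")
    days = _retention_days(rule)
    if mode == "GOVERNANCE":
        return LockVerdict("conditional",
                           "GOVERNANCE mode can be bypassed with s3:BypassGovernanceRetention", days)
    if mode == "COMPLIANCE":
        if days < MIN_RETENTION_DAYS:
            return LockVerdict("conditional",
                               f"COMPLIANCE mode but {days} days is below the required "
                               f"{MIN_RETENTION_DAYS}", days)
        return LockVerdict("immutable", f"COMPLIANCE mode, {days} days", days)
    return LockVerdict("none", f"unknown retention mode {mode!r}")


def audit_bucket(s3_client, bucket: str) -> LockVerdict:
    """Read the live configuration through any object exposing boto3's
    get_object_lock_configuration(Bucket=...) signature. boto3 raises
    ObjectLockConfigurationNotFoundError for an unlocked bucket; this example
    treats any exception as 'none' so the audit keeps going."""
    try:
        config = s3_client.get_object_lock_configuration(Bucket=bucket)
    except Exception as exc:
        return LockVerdict("none", f"could not read Object Lock configuration: {exc}")
    return classify_object_lock(config)


# Constructed sample configurations (bucket names are placeholders).
SAMPLES = {
    "backups-unlocked": {},
    "backups-governance": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}},
    "backups-compliance-short": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}},
    "backups-compliance": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}},
}


class FakeS3Client:
    """Constructed stand-in for boto3's client, serving SAMPLES by bucket name."""
    def get_object_lock_configuration(self, Bucket: str) -> dict:
        if Bucket not in SAMPLES:
            raise RuntimeError("ObjectLockConfigurationNotFoundError (simulated)")
        return SAMPLES[Bucket]


if __name__ == "__main__":
    client = FakeS3Client()
    for name in list(SAMPLES) + ["backups-missing"]:
        verdict = audit_bucket(client, name)
        print(f"{name:26} {verdict.level:12} {verdict.reason}")
```

Only the “immutable” verdict satisfies the article’s standard; “conditional” is the vendor-interpretation trap it warns about, where a lock exists on paper but a sufficiently privileged identity can still clear it. In a real audit the fake client is replaced by boto3.client("s3"), and the same classification should be repeated for every bucket and storage tier the backup platform writes to.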
Prediction #2: Zero trust is secretly a compliance exercise.
The importance of zero trust methodologies will continue to rise as more organizations and institutions attempt to enshrine this as a required standard and not a best practice.
Continuous authentication and micro-segmentation would certainly solve a lot of hurts in modern cyber breaches, but most organizations lack the willpower to make the cultural shift required to implement zero trust frameworks.
Zero trust depends on well-known security behaviors that organizations already struggle with. What seems much more likely is organizations will invest in technologies labeled as zero trust, configure them with effective “any any” rules, and celebrate the compliance win.
Prediction #3: Continuous monitoring tells us what we already know.
There’s a lot of attention on continuous threat exposure and continuous monitoring, particularly in the age of AI. We can anticipate moves away from static, point-in-time assessment methodologies in favor of AI-enabled, real-time big data platforms.
This shift does not improve outcomes alone, because visibility is not the true problem. SIEM/SOAR technology is not new. You can ignore continuous monitoring platforms just as effectively as you can ignore your SIEM or a pen test. This is about doing the hard work of executing security fundamentals well (vulnerability management, patching, asset control, least privilege, least access). Do you really need an AI to point out these issues in your enterprise?
Prediction #4: Deepfakes and social engineering proliferate.
Human-centric attacks continue to be wildly effective. AI, deepfake technology, and emotionally charged social engineering will continue to drive identity fraud and business email compromise. People remain a key vulnerability point.
Depressingly, some of the most catastrophic breaches of the year will also trace their roots back to social engineering. The industry will continue to tell itself that users are the problem and conveniently forget that their administrators are also users.
Security controls should assume users will click on the phishing link. The blast radius should be constrained by architecture and design. Perhaps worst of all, the truly catastrophic failures will surface in privileged workflows (helpdesks, admins, MSPs) where speed is more important than verification. Environments architected for administrative convenience are also architected for threat actor convenience.
Prediction #5: Vendor and supply chain security remains dubious.
Vendor supply chains will come under increased pressure around their security controls, transparency, and regulatory requirements as more vendors are pushed to validate their security postures. Several high-profile breaches of 2025 were initiated through third-party vendors, including software providers, firewall vendors, and MSPs.
Despite this pressure, security will remain challenged. Organizations outsource critical trust boundaries, underwrite mountains of assumed risk, fail to verify alignment, and then act surprised when something goes wrong.
No one is prepared to fire their vendors and take everything in-house, and I’m not saying they should. Organizations need to start asking tough questions of their third-party vendors, and they need to plan for how their environment will react to security compromises in those vendors. You can outsource labor, but you should not outsource responsibility for security outcomes.
2026 Bonus rounds
1) A major AI vendor will leak all the data you put into it.
2) A major RMM breach will cascade into thousands of downstream customers being ransomed.
About the author
Jeff Liford is an IT leader, educator, and cybersecurity resilience expert with more than 15 years of experience across the military, federal, and private sectors. As Associate Director at Fenix24, he leads high-impact cyber incident recovery efforts and strategic process improvement initiatives.
A former U.S. Army Senior Intelligence Analyst and long-time Adjunct Professor at the University of Alaska Anchorage, Jeff blends hands-on technical expertise with a passion for teaching. His work focuses on building resilient systems, mentoring future engineers, and empowering teams to grow through disruption.