
Cyber security threat predictions for 2026: what we’re seeing and why it matters

by David Batho

Cyber threats affecting the UK education and research sector continue to evolve, but the pace of change is increasing, driven by geopolitical instability, rapid adoption of artificial intelligence (AI), and the growing professionalisation of cyber crime.


Each year, we curate threat intelligence relevant to the education and research sectors, drawing on our central network visibility, analysis of incidents and intelligence partnerships, to understand how adversaries are adapting and where risk is shifting.

In 2025, our threat predictions were grounded in patterns already affecting the sector, with all of the themes we highlighted materialising over the course of the year. These included increased use of AI-enabled malicious activity, disruption within the ransomware ecosystem and sustained pressure on identity and remote access technologies. Together, these outcomes reflect how quickly threat actors adapt and why forward-looking, evidence-based insight matters when preparing for how risk is likely to evolve next.

Here are six predictions we believe leaders, security teams and researchers should have in view as they plan for the year ahead.

Researchers and academics will continue to be targeted beyond organisational networks

UK research remains a strategic national asset and an attractive target for foreign intelligence services. This is especially true in fields such as geopolitics, nuclear science, medicine and defence-related research.

As institutions continue to strengthen security within their core networks, we expect threat actors to increasingly shift focus towards researchers and academics, who are more likely to be targeted through personal devices and home networks, where security controls are weaker and monitoring is limited.

Personal laptops, phones and tablets often store email accounts, credentials and authentication details that can be used to access institutional systems. Toward the end of 2025, Jisc cyber threat intelligence observed a marked increase in activity consistent with this approach. Given ongoing geopolitical volatility, this trend is likely to intensify throughout 2026.

For institutions, this reinforces the importance of supporting staff to manage cyber risk beyond the campus boundary, particularly for those working in sensitive research areas.

Law enforcement takedowns will continue with more visible consequences

Recent years have seen highly coordinated international law enforcement operations dismantle malware networks, ransomware groups and the infrastructure that supports them. These disruptions are changing how cyber criminals operate.

Threat actors are now much more conscious of being identified and tracked. In response, many are investing more heavily in operational security and becoming more selective about who they work with.

Given the global scope and coordination of these law enforcement campaigns, we expect further high‑profile takedowns in 2026, potentially leading to several significant arrests worldwide. Law enforcement agencies are also likely to be more public in communicating the outcomes of these operations. With increasing numbers of young individuals becoming involved in cyber crime, visible enforcement can play an important deterrent role by demonstrating the real‑world consequences of illegal online activity.

Insider threat will become harder to ignore

Insider threat is no longer limited to disgruntled employees or accidental data loss. It is increasingly deliberate, organised and financially motivated.

Threat actors are attempting to gain employment directly within organisations, or to bribe existing staff and contractors to sell access to systems and data. These activities can be difficult to detect using traditional security controls alone.

In 2026, organisations should expect insider threats to demand greater attention. This includes reviewing vetting, monitoring and off‑boarding processes, particularly for privileged users and remote workers. Proactive threat hunting for unusual behaviour, access patterns and consistent network anomalies will be critical to reducing risk.

Ransomware groups will look more like corporations

Ransomware groups are becoming more structured, professional and organised. Many now operate ransomware‑as‑a‑service models that closely resemble legitimate businesses, complete with support desks, documentation and internal rules.

Some groups already employ legal expertise to analyse stolen data and advise affiliates on how to maximise pressure on victims. This approach is proving effective, and we expect more groups to adopt similar “corporate” operating models during 2026.

At the same time, operating models will diversify. Some groups will abandon ransomware altogether in favour of data extortion only. Others will continue with double extortion, while the most capable groups may increasingly pursue triple extortion strategies. For defenders, this means resilience planning must consider multiple extortion scenarios, not just encryption-based attacks.

AI will present a double threat

AI is reshaping the cyber threat landscape in two ways. First, it lowers the barrier to entry for cyber crime. Large language models make it easier for less skilled attackers to generate convincing phishing messages, develop malware and conduct reconnaissance. Capabilities once limited to sophisticated groups are now far more accessible, increasing both attack volume and variability.

Second, AI systems themselves introduce new attack surfaces. Techniques such as prompt injection and data poisoning can be used to manipulate models, bypass safeguards or embed malicious behaviour.

Looking ahead, we anticipate a potential shift from AI being used as a tool to AI acting with greater autonomy. The prospect of systems capable of executing elements of the cyber kill chain at machine speed has serious implications for defenders.

Identity will be the primary battleground

Attacks on identity are increasing as organisations rely more heavily on digital authentication. Techniques that bypass token‑based protections, including sophisticated phishing and real‑time interception of credentials, are becoming more common.

Attackers are also targeting identity infrastructure itself, seeking ways to issue fraudulent tokens or reset credentials without user knowledge. Emerging techniques, such as deepfake audio and video impersonation, further undermine trust in traditional authentication methods.

In 2026, protecting identity will require organisations to think beyond compliance checklists and focus on layered controls, user awareness and behavioural insight.

Cyber threats will continue to evolve in 2026, but understanding how and why they are changing is the first step to managing risk. By focusing on people, identity and resilience, our sector can strengthen its collective defences and stay ahead of an increasingly complex threat landscape.


About the author

David Batho
Director of security, Jisc