Cyber risks I expect to matter more in 2026

Robert Broxup

In previous years I have focused on what other people think will be the top cyber risks for next year. This year I decided to come up with my own list based on professional work in this space, attending seminars, and watching webinars. Much of the future speculation appears to have a marketing angle, but that doesn’t change the actual risk or make anyone wrong to talk about the issues; it just gives professionals a greater interest in specific subject matter. Based on similar experiences, my focus here is deliberately narrow, concentrating on two areas I expect to matter more in 2026.

Shadow AI will become a much higher and growing risk

The rapid adoption of AI tools inside businesses will continue to expand a new class of unmanaged risk. Employees are using public and semi-public AI systems to draft documents, analyse data, and make decisions without visibility, guidance, or approval. In many cases, sensitive information, internal context, or intellectual property is being shared with external systems by default. Although the use of Shadow AI is rarely malicious, I expect it to become more widespread while remaining largely invisible to security teams. I also expect the cumulative risk from unsanctioned AI use to exceed that of many Shadow IT problems because of the scale, speed, and lack of transparency.

  • AI tools are already embedded in everyday work – use of AI to draft, summarise, analyse, or make decisions is normal behaviour, not experimentation. This continues to push usage outside of formal approval processes.
  • Security teams cannot keep pace with adoption – AI tools appear faster than policies, reviews, or risk assessments can be written or enforced.
  • Consumer AI tools outperform approved enterprise tools – staff will default to what works best and fastest, regardless of policy or guidance. 
  • Data sharing is implicit, not explicit – AI tools retain prompts, context, or outputs by default and users rarely understand where the data is stored and how it could be used.
  • AI usage is more difficult to detect – Shadow AI does not behave like traditional Shadow IT and it can leave minimal network or endpoint footprint. 
  • Business pressure rewards speed over control – productivity gains from AI will be expected and staff will often bypass any controls that slow down its usage.

Data exfiltration will become more prevalent than ransomware

I expect to see a shift from system-locking ransomware to pure data exfiltration. Encrypting entire environments is inefficient, noisy, and increasingly well-defended against. It is far simpler for attackers to breach a network, quietly extract valuable data, and apply pressure through the threat of public release. This approach will bypass many ransomware controls and directly target reputational damage, regulatory exposure, loss of customer trust, and financial impact. 

  • Network-wide encryption is noisy and slow – it triggers alerts, response plans, backups, and law enforcement involvement. 
  • Backup and recovery capabilities have improved – ransomware encryption alone doesn’t guarantee payment.
  • Exfiltration is harder to detect than encryption – data theft can be gradual, selective, and disguised as normal traffic.
  • Stolen data creates multiple monetisation options – attackers can extort, sell, reuse, or leak data in stages.
  • Reputational damage is harder to recover from than downtime – public exposure of sensitive data causes lasting harm beyond technical recovery.
  • Regulatory penalties amplify attacker leverage – breach notification laws and fines make data exposure more costly than service disruption.
  • Attackers can pressure businesses without destroying systems – this reduces operational risk for criminals, lowers barriers to entry, and opens up a subscription model for cybercrime.
  • Cloud and Software as a Service (SaaS) architectures centralise valuable data – stealing data is easier than encrypting distributed environments.

Concluding thoughts

These two reflect the same underlying shift:

  • Data is the primary asset
  • Speed and invisibility beat disruption
  • Human behaviour matters more than technical exploits

Many other cyber risks will continue to evolve through 2026 and none of these should be ignored. These two risks represent a significant shift where risk accumulates the fastest and with the least visibility. Focusing on these areas should not involve ignoring or sidelining other risks, but recognising AI governance, privacy, and human behaviour could matter the most.

Protect Your Home with Land Registry Property Alerts

Robert Broxup

Imagine discovering that someone has taken out a mortgage on your home, or even sold it, without your knowledge. Property fraud is rare but financially devastating. Criminals target properties that are unmortgaged, rented out, or standing empty, especially when the owner lives elsewhere. The UK Land Registry property alert service offers a simple early-warning to identify potential problems. It can’t stop fraud by itself, but it gives you the crucial time to act before a transaction is completed.

How the alert system works

When you sign up for Property Alerts, the Land Registry emails you whenever it records activity on a monitored title deed, such as a change of ownership, a new mortgage, or a change to the registered owner’s details.

You can monitor up to ten properties per account, even if you don’t live at them. The service is free, quick to set up, and you can unsubscribe at any time.

Alerts don’t block applications. They simply let you know that something has been submitted, prompting you to check whether it’s legitimate. If you weren’t expecting any activity, you can intervene before money or ownership changes hands.

Who should register

Almost everyone can benefit, but it’s particularly valuable for:

  • Mortgage-free properties that criminals could attempt to mortgage or sell.
  • Rental or vacant properties where post might go unnoticed.
  • Elderly or vulnerable owners who may not spot irregularities quickly.
  • Second homes or overseas owners who spend long periods away.

If you fall into any of these categories, registering for alerts is one of the easiest and most effective precautions you can take. When a property is mortgaged, the lender’s financial interest provides a layer of protection. The mortgage company, as the primary creditor, won’t permit changes to ownership or certain new charges, such as additional loans, without their consent while the mortgage is still outstanding. However, secondary charges, like secured loans, can still be placed on the property, even if the mortgage is still in place. Once the mortgage is fully repaid, the primary creditor’s protections no longer apply, and the property is free from these restrictions.

How to strengthen your defences

Property alerts are only one layer of protection. Here are some additional options:

  • Consider monitoring properties belonging to family and friends, and have them monitor your property.
  • Ask a solicitor or conveyancer to add an anti-fraud restriction requiring identity certification before any sale or mortgage.
  • Stay alert to emails from the HM Land Registry Property Alert service and use inbox rules to flag them if your incoming email volume is exceptionally high. If an unexpected alert arrives, contact HM Land Registry straight away using the official number on their website
  • If identity theft is suspected, call your bank, report to Action Fraud, and consider a Credit Industry Fraud Avoidance System (CIFAS) protective registration.

Once a fraudulent action is registered, unravelling it can be lengthy and costly, though not impossible. Although HM Land Registry indemnifies victims if they lose property through no fault of their own, the process of proving your claim and restoring the title deed can be long and distressing. Prevention remains far easier than correction. Identifying problems and responding quickly is vital, and doesn’t require complex tools or expensive subscriptions.

You can register for free at https://propertyalert.landregistry.gov.uk/

Companies House: Protecting People with Identity Verification

Robert Broxup

Imagine discovering that you are listed as a director of a company you have never heard of, or worse, you are the director of a business used for criminal activity. From 18th November 2025, Companies House will implement one of the most consequential reforms in recent years. Under the Economic Crime and Corporate Transparency Act 2023, every company director and every Person with Significant Control (PSC) must verify their identity before acting in that capacity.

While most commentary so far has focused on who needs to verify and how, the deeper story is about protection, protecting people from identity theft, misuse, and reputational harm, while strengthening the integrity of UK businesses.

Practical changes

The process for directors and PSCs will change fundamentally. New appointments must be verified before registration, and existing directors and PSCs will be required to complete verification by the date of their company’s next confirmation statement, within a 12-month transition period. Verification can be completed either through GOV.UK One Login or through an authorised corporate service provider, such as an accountant or solicitor.

Once verified, each individual will have a unique verified identity that serves as their secure identifier for all future filings. It will be an offence for an individual to act as a director, or for a company to permit an unverified individual to act, without verification once the new rules are in force. Together, these measures mark a shift from a passive registry to an active verification system, one that checks who people are, not just what they type.

How the reform protects individuals

For years, people have found themselves listed as directors of companies they had never heard of. Fraudsters could simply type in a name and file it. The new system stops identity theft before it starts by ensuring that every appointment is tied to a verified identity, confirmed through secure government channels. It prevents criminals from registering fake companies under someone else’s name or using an address to lend legitimacy to fraud.

The reforms also build trust in public records. The Companies House register shapes perceptions among banks, clients, and regulators. With verified identities, the names listed will correspond to real, consenting individuals, making each professional record more credible and resistant to impersonation or error.

Verification also puts individuals in control of their corporate identity. A director’s verified identity becomes the key to their official record, ensuring that no one can appoint them to a company or amend their details without consent. This change gives individuals confidence that their name cannot be used behind the scenes without their knowledge.

Another important aspect is protection from unwanted liability. Under the old system, it was possible for people to be framed as company officers, attracting tax demands, debt notices, or legal correspondence they did not deserve. The verification process closes that loophole, meaning individuals can no longer be held accountable for companies they never agreed to join.

How the reform protects personal information

These reforms don’t just verify who people are; they also reduce how much of their personal information is exposed. Verification relies on secure digital checks using documents such as a passport or driving licence, but those documents are not stored or made public. Companies House will retain only the minimum information needed to maintain an accurate register, ensuring that identification data never appears online or remains in long-term storage.

Only verified individuals and authorised agents will be allowed to file or amend details, which means a person’s name cannot be added, edited, or reused without their verified code. This creates a built-in safeguard against unauthorised or malicious submissions.

Another major improvement is that one verification replaces repeated exposure.

Previously, directors had to send ID documents multiple times for different incorporations or filings. Now, verification will typically happen once, using GOV.UK One Login or an authorised provider, after which the secure status can be reused. This reduces the number of data copies in circulation and lowers the risk of breaches or leaks.

Each submission to Companies House will now link to a verified individual or regulated service provider, creating a robust digital audit trail. If someone misuses another person’s information, it can be traced, making transparency itself a deterrent and ensuring that misuse becomes both detectable and punishable.

Companies House will also have stronger powers to remove false or outdated information and to suppress entries that pose a risk. Errors and outdated data can therefore be corrected more quickly, reducing long-term exposure. This aligns the new model with key data-protection principles, data minimisation, purpose limitation, and confidentiality, ensuring that corporate transparency finally coexists with personal privacy, something the UK register has long lacked.

Transparency, trust, and accountability

Every verified record will still be public, but every identity will be real, consent-based, and better protected. In a time when trust is fragile and information spreads instantly, this is not a minor upgrade. A verified register strengthens the system as a whole. It raises the bar for everyone, making it harder to create shell companies, curbing money-laundering, delivering better transparency, reinforcing accountability, and restoring trust. The reforms will help create a cleaner and more trustworthy business environment for all.

Shadow Data: Identifying hidden risks

Robert Broxup

In most organisations today, data is one of the most valuable assets, yet it is also one of the most difficult to control. Even with well-managed official systems, a parallel world of untracked, unmanaged, and unmonitored data often exists, also known as shadow data. Previous articles of mine cover Shadow IT and Shadow AI. In contrast, shadow data is sensitive or business-critical data that has slipped outside approved processes and governance controls.

Shadow data exists outside sanctioned systems, controls, and oversight. It typically arises because people prioritise convenience, speed, or workarounds over policy. The problem is not that the data exists, but that it is often invisible to those responsible for protecting it.

Forms of shadow data

  • Unapproved copies of sensitive data. An analyst downloads customer records into a spreadsheet. The official database is secure, but the spreadsheet is not.
  • Data in unsanctioned apps, such as the use of personal cloud storage or messaging tools to share files instead of company-approved platforms.
  • Orphaned backups or snapshots. Forgotten database snapshots or cloud storage remain open long after they are no longer needed, often with excessive access rights.
  • Forgotten test and development data. Developers copy production data into test environments. These environments often lack the same protections as live systems, yet they still contain sensitive details.

Why shadow data matters

  • Shadow data is often outside encryption, access controls, or monitoring. Attackers will look for weak links, such as laptops, shared drives, or forgotten cloud storage.
  • Regulations such as GDPR require organisations to know where personal data resides. Shadow data undermines these compliance efforts and may lead to fines or sanctions.
  • Duplicate datasets lead to inconsistent reporting, poor decision-making, and unnecessary storage costs.
  • In the event of a breach, businesses may underestimate the scope because they are unaware of hidden datasets.

Working examples

A hospital stores patient records in a secure, encrypted database, but:

  • A doctor, needing to work quickly, exports patient details into a spreadsheet
  • Copies of data not under hospital control
  • Sensitive health data across multiple insecure locations
  • Introduction of compliance, legal, and reputational risk

A law firm manages client files in a secure document management system, but for convenience, solicitors, partners, trainees, or other staff:

  • Save case files to USB or laptop drives
  • Email document bundles through public email systems
  • Collaborate through personal Dropbox or OneDrive accounts

Shadow copies of data may contain privileged client data. If a laptop is lost or if a client requests data deletion, the firm cannot ensure removal of these unofficial copies. What began as minor workarounds now represents serious compliance and reputational risk.

While shadow data often arises from legitimate needs, it introduces risks that can outweigh the convenience. For businesses bound by regulation, trust, and professional duty, shadow data can quietly erode compliance and expose sensitive information. One quick copy can multiply into a long-lasting vulnerability. Bringing shadow data into the light is no longer optional.