Cybersecurity priorities for Boards in 2025–2026

Keith Buzzard, Chief Technology Officer

Boards and executives play a defining role in setting culture, governance, and accountability for their organisations, and part of that is digital resilience. Cybersecurity has always been a matter of operational resilience, investor confidence, and customer trust, but it’s only in the last few years that this has really been brought into sharp focus.

Media coverage continues to highlight the rise in sophistication and frequency of cyber threats, and the National Cyber Security Centre (NCSC) has warned that attacks by state actors, cybercriminals, and hacktivists are increasingly targeting UK businesses of all sizes, with particular pressure on critical infrastructure and supply chains.

The question isn’t if your organisation will face a cyber incident, but how ready you’ll be when it happens. A strong cyber culture starts at the top. When leaders engage, ask questions, and make informed decisions, the entire organisation follows suit.

Looking toward 2026

With many organisations now planning for 2026, here are six priorities for leaders to focus on, along with the questions you should be asking your teams:

1: Understand your most critical assets

Resilient organisations start from an ‘assume breach’ mindset where they plan for the day something goes wrong. The key is knowing what’s most important: your ‘crown jewels’. These are the systems, data, and operations that keep your business running and your customers served.

Every organisation will have limited resources, which means you can’t defend everything equally. Focus your investment and attention on the assets that truly matter to your business continuity and reputation.

What that looks like in the real world: In 2024, a key NHS lab provider, Synnovis, was hit by ransomware, disrupting diagnostic services and delaying non-urgent procedures.

Leaders should be asking:

  • Do we know what our most critical assets are, whether data or infrastructure?
  • How often do we review that list as the business evolves or grows?
  • How are our critical assets actually protected?

2: Strengthen your supply chain security

Every partner you work with—from software vendors to outsourced service providers—introduces cyber risk. Supply chain compromise remains one of the biggest threat vectors for UK businesses today.

Your procurement and legal teams should work hand in hand with cybersecurity to assess supplier risk, include clear security clauses in contracts, and regularly review compliance. Continuous oversight is key because supplier risk doesn’t end once a contract is signed.

What that looks like in the real world: The Jaguar Land Rover cyber-attack in August/September 2025 resulted in a production halt and supply-chain disruption that affected thousands of suppliers.

Leaders should be asking:

  • Do we have a cyber supply chain risk management policy?
  • Have we assigned ownership for cyber supply chain risk across procurement, legal and cyber security teams?
  • Do we know which suppliers have access to our systems and data? And have we categorised suppliers by criticality and risk exposure?
  • How do we assess suppliers’ cyber security posture?

3: Anticipate and plan for disruption

No organisation is immune from cyber incidents — but the impact can be significantly reduced with planning and practice. Effective incident preparedness means understanding roles, responsibilities, and escalation paths before an event occurs.

Boards should ensure there’s a clear, tested incident response plan that includes communications, legal, and operational decision-making. Regular simulations — particularly those involving senior leaders — build confidence and speed when it matters most.

What not planning looks like in the real world:

In the aftermath of a major cyberattack in April 2025, M&S’s online ordering was suspended, store operations were disrupted, and the impact on profits and share price was significant.

Leaders should be asking:

  • Do we have a recently reviewed Business Continuity Plan and Cyber Incident Response Plan?
  • When was our last incident response exercise?
  • How do we communicate with customers, regulators, and staff during an incident?
  • Do we have external support in place to assist with investigations and recovery?

4: Gain visibility through event logging and threat detection

You can’t stop what you can’t see, and visibility is the first step towards control. Event logging and threat detection (i.e., monitoring activity across your systems) is one of the most effective ways to identify suspicious behaviour early. All too often, these controls are inconsistent or incomplete.

What lack of visibility looks like in the real world:

In 2022, Interserve was fined £4.4 million by the Information Commissioner’s Office after a cyberattack allowed hackers to steal the personal and financial data of up to 113,000 employees. The ICO found that the company’s antivirus alert was not properly investigated and that privileged accounts and obsolete protocols (SMBv1) were in use.
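The two failings named in the Interserve finding, an endpoint alert nobody followed up and an obsolete protocol still in use, are exactly the kind of thing routine log review should surface. The following is an added illustration, not code from the article or from PGI: it runs a small triage check over constructed log lines in an assumed "timestamp source key=value" format, flagging SMBv1 sessions and antivirus alerts not acknowledged within a one-hour SLA.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); format is assumed for this example.
SAMPLE_LOGS = """\
2025-03-01T08:00:00 av ALERT id=101 host=fs01 action=quarantined
2025-03-01T08:05:00 smb host=fs01 client=10.0.0.5 dialect=SMB1
2025-03-01T08:07:00 smb host=fs02 client=10.0.0.9 dialect=SMB3.1.1
2025-03-01T09:00:00 av ALERT id=102 host=ws17 action=detected
2025-03-01T09:30:00 soc ACK id=102 analyst=j.doe
2025-03-02T10:00:00 smb host=fs01 client=10.0.0.5 dialect=SMB1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<body>.*)$")

def parse_events(text):
    """Parse 'timestamp source [TYPE] key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        tokens = m["body"].split()
        fields = dict(t.split("=", 1) for t in tokens if "=" in t)
        fields["ts"] = datetime.fromisoformat(m["ts"])
        fields["src"] = m["src"]
        fields["type"] = tokens[0] if tokens and "=" not in tokens[0] else ""
        events.append(fields)
    return events

def smbv1_sessions(events):
    """(host, client) pairs that negotiated SMBv1: the obsolete protocol the ICO cited."""
    return sorted({(e["host"], e["client"]) for e in events
                   if e["src"] == "smb" and e.get("dialect", "").upper().startswith("SMB1")})

def unacknowledged_alerts(events, sla=timedelta(hours=1), now=None):
    """AV alert ids with no SOC acknowledgement inside the SLA: the triage gap."""
    acks = {e["id"]: e["ts"] for e in events if e["src"] == "soc" and e["type"] == "ACK"}
    now = now or max(e["ts"] for e in events)  # default: time of the latest event
    late = []
    for e in events:
        if e["src"] != "av" or e["type"] != "ALERT":
            continue
        ack_ts = acks.get(e["id"])
        if (ack_ts is None and now - e["ts"] > sla) or (ack_ts and ack_ts - e["ts"] > sla):
            late.append(e["id"])
    return late

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    print("SMBv1 sessions:", smbv1_sessions(evts))
    print("Alerts outside SLA:", unacknowledged_alerts(evts))
```

Alert 101 is never acknowledged and the file server fs01 keeps accepting SMBv1; both would be the questions a board should expect the security team to answer.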

Leaders should be asking:

  • Do we have full visibility of what’s happening across our network?
  • Who is responsible for monitoring alerts?
  • Are alerts acted on quickly?
  • Do we regularly test these processes?

5: Close the gaps left by outdated technology

Outdated technology is one of the most persistent cyber risks for UK organisations. Legacy systems often can’t be patched or integrated with modern defences, creating blind spots that attackers can exploit.

Boards should insist on an inventory of legacy systems, assign ownership, and ensure a clear roadmap for replacement or isolation. Doing nothing may feel cheaper in the short term, but it’s rarely the cheaper option after a breach. Where these systems must stay, there should be a clear risk mitigation and recovery plan.

How outdated technology can impact organisations in the real world:

When the British Library suffered a major ransomware attack in 2023, recovery was hampered by reliance on unsupported and legacy infrastructure, which made it difficult to determine the full scope of the intrusion and extended the recovery timeframe.

Leaders should be asking:

  • Has all legacy IT in use been identified and documented?
  • Does each piece of legacy IT have a risk owner? And have we assessed each for vulnerabilities, operational dependencies and business criticality?
  • Do we have a legacy IT risk management strategy?

6: Prepare for the post-quantum era

Quantum computing may sound like a distant problem to solve, but its implications for encryption are very real. Once quantum machines reach sufficient capability, today’s encryption standards will no longer be secure. Data stolen now could be decrypted years later, and there are already suggestions that encrypted data is being stockpiled for this kind of “Future Data Decryption”, ready for that time.

Forward-looking organisations are already mapping where encryption is used and talking to vendors about post-quantum readiness. Transitioning to quantum-resistant cryptography will take time, and those that start early will protect their data—and their reputation—in the long run.

Encryption has to be strong enough for today – and for as long as you need the data to remain confidential. For many business applications this may not be a problem; however, understanding where the issues are so they can be addressed is key.

This isn’t about fear; it’s about foresight. The cyber landscape is evolving, and the most resilient organisations are planning for what’s next.

The bottom line

In 2026, cyber governance is about foresight, accountability, and trust. The organisations that thrive will be those that see cybersecurity not as a technical function, but as a foundation for sustainable growth.

Now is the time for leaders to act:

  • Review how your board and executive team engage with cyber risk.
  • Identify and protect your most critical assets.
  • Strengthen visibility, supplier assurance, and future readiness.

Cyber threats are inevitable, but chaos doesn’t need to be. Leadership makes the difference.

Ready to strengthen your organisation’s digital resilience?

If your board hasn’t reviewed its cyber resilience strategy in the last 12 months, now is the time. PGI's digital resilience and security experts can help; talk to us.