Six months into 2026 and the shape of the year is clear. Incidents are up, the law is changing, the government is spending, and attackers have quietly switched tactics in a way that should change where small businesses put their effort.
Most mid-year reviews are written for security teams. This one is for the people who run businesses. Five developments from the first half of 2026, what each one actually means, and one thing to do about each.
1. Nationally significant incidents more than doubled
The National Cyber Security Centre handled 204 nationally significant incidents in the twelve months to May 2026, up from 89 the year before. Speaking at the RUSI Annual Security Lecture in June, its Chief Executive said around three quarters of the incidents affecting critical infrastructure were believed linked to state actors, and argued that cyber security should now be treated as an active contest rather than a risk to be filed on a register.
What it means for you: state actors are not targeting your business, but the environment they create is. Techniques trickle down, criminal groups multiply, and the national systems you depend on (payments, logistics, utilities, software suppliers) are under sustained pressure. Resilience planning is no longer paranoia.
Do this: test that your business can operate for a week if a key supplier or system goes down. Not a document. An actual conversation with the people who would have to do it.
2. Attackers changed their way in: unpatched software overtook stolen passwords
Verizon’s 2026 Data Breach Investigations Report, built on more than 31,000 incidents across 145 countries, recorded something that has not happened in nineteen years: exploiting software vulnerabilities became the most common way attackers get in, accounting for roughly a third of initial access, while the use of stolen credentials fell to around 13%.
What it means for you: the industry has spent a decade telling businesses that passwords and phishing are the whole game. They still matter enormously. But the data now says the single most likely way in is software you have not updated: the firewall running old firmware, the remote access box nobody owns, the server that is awkward to reboot.
Do this: find out, today, who in your business is responsible for applying security updates within 14 days of release, across every internet-facing system. If the answer is fuzzy, that is your biggest exposure. This is exactly what Cyber Essentials forces you to get right, and it is one of the five things that most commonly fail an assessment.
3. The law caught up with the supply chain
The Cyber Security and Resilience Bill cleared the House of Commons on 10 June and is now before the Lords, with Royal Assent expected later this year. It brings managed service providers under regulation for the first time, introduces 24-hour initial incident notification with a full report at 72 hours, and lets government designate critical suppliers. We covered what the Bill means for ordinary businesses in detail.
Alongside it, the government confirmed it will proceed with all three of its ransomware proposals: mandatory incident reporting for ransomware attacks, notification to government before any ransom payment, and a ban on payments by public sector bodies and critical infrastructure operators. None of this is law yet. All of it tells you the direction.
What it means for you: whether or not you are ever named in legislation, the security expectations placed on regulated companies flow downhill to their suppliers. That is you.
Do this: if you outsource IT, ask your provider in writing how they are preparing. If you supply larger organisations, expect harder security questionnaires and get your evidence in order before they arrive.
4. Boards say the right things; the numbers say otherwise
The 2025/26 Cyber Security Breaches Survey found 43% of UK businesses reported a breach or attack in the past year, and around seven in ten say cyber security is a senior management priority. Yet, as we wrote when the survey landed, just 31% of businesses have a board member with explicit responsibility for it. The gap between stated priority and assigned accountability is where most security failures live.
What it means for you: “we take it seriously” is not a control. A named owner, a budget line, and a standing agenda item are controls.
Do this: put a name against cyber security at board or owner level, in writing, this month. It costs nothing and it changes behaviour more than any product you can buy.
5. Government put £90 million behind small business defences
At CYBERUK in April, the government committed £90 million to strengthening the cyber defences of small and medium-sized businesses, called on AI companies to help build national cyber defence capabilities, and launched a voluntary Cyber Resilience Pledge committing signatories to concrete actions. The recognition behind the money is blunt: small businesses are the backbone of the economy and the softest part of its defences, at exactly the moment AI is making vulnerability discovery and exploitation faster and cheaper for attackers.
What it means for you: help is coming, but slowly and unevenly. The businesses that benefit from schemes like this are the ones already organised enough to engage with them.
Do this: do not wait for a grant to do the fundamentals. The five Cyber Essentials controls, an accountable owner, and a tested backup will do more for you this year than any funding announcement.
The half-time verdict
The first six months of 2026 all point the same way: from cyber security as an IT purchase towards cyber security as evidence, of patching discipline, of governance, of supply chain hygiene. The businesses that will find the second half of the decade easy are the ones building that evidence now, while it is still voluntary.
If you would rather know where you stand than guess, get in touch. One conversation, no obligation, and we will tell you plainly what we would fix first.
Sources: NCSC Chief Executive Dr Richard Horne, RUSI Annual Security Lecture, 17 June 2026; Verizon 2026 Data Breach Investigations Report; Cyber Security and Resilience (Network and Information Systems) Bill, parliamentary progress to 17 June 2026; UK Cyber Security Breaches Survey 2025/26, Department for Science, Innovation and Technology; UK government announcements at CYBERUK, April 2026.