Leon Poggioli, Regional Vice President, ANZ at Claroty

1. Organisations will prioritise having an accurate asset inventory

“You can’t protect what you can’t see” is a phrase that gets frequently thrown around in cybersecurity discussions. It sounds obvious, but “seeing” is no easy task when you’re trying to protect a complex cyber-physical network containing thousands of OT, IoT, IIoT and BMS devices, making it a daunting task to create a comprehensive inventory. Every connected device, from a smart temperature sensor to an automated pump, is a potential entry point for a cyberattack – and it only takes one weak link to bring a chain down.

With the pace of digital transformation hitting lightning speed in recent years, it’s been impossible for many organisations to keep up with all the new devices being connected to their networks, and cyber criminals are increasingly exploiting this vulnerability. Therefore, in 2026, we will see organisations place a greater focus on having an accurate asset inventory, so they can drive a more effective cybersecurity program overall.

2. Organisations will focus on supply chain cyber risk

In 2026, organisations will place greater focus on reducing their supply chain risk. It is no longer good enough for organisations to simply secure their own systems; they’ll need to ensure their suppliers, vendors and technology partners meet the exact same security standards. In many cases, organisations wouldn’t even know how many different third-party connections are in place, which creates a massive security blind spot. In fact, 46% of organisations said they’ve been breached in the past 12 months because of an issue with third-party access.  Next year, we will see organisations place a collective focus on reducing supply chain risk, which will help eliminate vulnerabilities across the board.

3. Organisations will take back ownership of secure remote access capabilities

For too long, critical infrastructure operators have granted a growing number of third-party vendors access to their networks without the proper visibility or security over this process. Traditionally, this remote access was gained via insecure VPNs, jump boxes and remote desktops, which unintentionally exposed organisations to a raft of vulnerabilities.

Attackers have caught on to this growing risk and are increasingly targeting these insecure vendor-owned tools as a way to bypass an organisation's defences.

In 2026, we will see critical infrastructure operators clamp down on these blind spots and take back ownership over their secure remote access capabilities. Rather than allowing third-party vendors to connect using their own proprietary remote access methods, organisations will increasingly opt for “self-custody” over this process. This approach will mitigate third-party risk as organisations’ operations become more digitised and interconnected, and threat actors become more brazen.