Elisa’s annual Cyber Security Outlook provides a comprehensive view of the cyber security landscape. It highlights key trends, emerging threats, and priorities that organisations should focus on to strengthen resilience. The insights are based on Elisa’s own observations, dozens of technology reports, and research studies.

Cyber threats are evolving faster than most organisations can adapt. In just minutes, attackers can breach an organisation. At the same time, growing reliance on artificial intelligence, digital ecosystems, and third parties is weakening the boundaries that once made risks easier to manage.

Geopolitical tensions, industrialised cybercrime, and rising board expectations are turning cybersecurity into a strategic issue of business continuity. Cyber security is no longer a story about isolated technical incidents, but about how organisations ensure continuity in an environment where disruptions are faster, broader, and harder to control.

AI is shortening the response time

The speed of cyberattacks is fundamentally changing. According to CrowdStrike, once an attacker gains initial access, it takes on average 29 minutes to move laterally within the target organisation. The fastest observed breakout time was just 27 seconds [1].

For defenders, this means response time is shrinking dramatically, while stopping attacks remains slow: IBM reports that the average time to identify and contain a breach is still 276 days [2].

The gap between attacker speed and organisational response capability is one of the most critical cybersecurity challenges. What once unfolded over days or weeks can now happen in minutes, while many organisations still need months to fully recover control.

Defence must scale through automation and AI

The coming years will be challenging for defending organisations. AI initially gives attackers an advantage, but the balance will shift as organisations adopt new technologies. Attacks are becoming cheaper and require less expertise, and vulnerabilities can be exploited faster than organisations can patch them. This is why resilience must be built on prevention, detection, and response before attackers can move laterally across networks.

Since not everything can be fixed at once, risk-based prioritisation becomes essential. Limited resources must be focused on risks with the highest impact on business operations and continuity.

Defence can no longer rely solely on manual human processes when attackers operate at machine speed. Operating models based purely on human prioritisation and reactive actions are no longer sufficient. The emerging direction is not the removal of human judgment, but the expansion of autonomous and agentic AI capabilities in detection, investigation, and response.

AI is both a tool and a target

The adoption of AI introduces an entirely new threat, while most organisations are still underprepared to mitigate AI-related security risks effectively.

AI provides attackers with more effective tools for malicious activity. They exploit AI systems directly through prompt injection, compromised plugins, and abused APIs. At the same time, organisations are rapidly adopting AI, often without sufficient AI governance or controls.

IBM found that 97% of organisations that suffered an AI-related breach lacked proper AI access controls, and breaches involving shadow AI cost an average of USD 670,000 more than those in environments with little or no shadow AI [3].

AI-related risks are likely to intensify. Gartner predicts that by 2028, 25% of enterprise breaches will be traced back to AI agent abuse [4], and KELA has warned that an agentic AI deployment will cause a public breach in 2026 [5]. In practice, this means AI governance, identity controls, and secure deployment models are no longer optional; they are becoming central to enterprise cyber security strategy.

Attackers also use AI to enhance social engineering. AI-augmented social engineering is eroding many of the warning signs people have traditionally relied on. Traditional red flags, such as poor language, formatting issues, and generic messaging, are being replaced by highly convincing, personalised, and multi-channel deception. This shift is reflected in attack data: Verizon reports that 62% of breaches still involve a human element [6], while Hoxhunt observed a 14-fold surge in AI-generated phishing attacks at the end of 2025 [7].

At the same time, social engineering is evolving beyond email into coordinated, multi-step campaigns that increasingly extend to voice channels [8]. AI-generated calls are becoming difficult to distinguish from genuine interactions, with scam scripts adapting rapidly. In 2025 alone, 68 billion spam and fraud calls were identified globally [9]. Together, these developments show how voice cloning and impersonation are increasing the burden of verification, making trust itself harder to establish.

Post-quantum readiness has moved from theory to planning

The quantum threat continues to evolve, but preparations for the potential breaking of current security methods have already begun. Gartner warns that advances in quantum computing capabilities are likely to lead to the breaking of public-key cryptographic algorithms by 2029 [10]. The transition to post-quantum cryptography is no longer just a theoretical threat; it already requires concrete actions from organisations.

Geopolitical competition adds further urgency. For organisations that handle sensitive data, the threat is not just a distant future scenario. Attackers can already collect encrypted data today and decrypt it later once quantum computers can do so. For this reason, the transition to quantum-safe encryption must begin well in advance. Mapping and prioritising systems, testing interoperability, assessing vendor readiness, and developing cryptographic expertise all take time, so preparations must start now.

Cybercrime has become industrialised

Cybercrime is becoming increasingly industrialised: more actors, faster exploitation of vulnerabilities, more specialised services, and a lower barrier to entry for attacks. For organisations, the message is clear: basic cyber security hygiene, risk-based security updates, identity protection, and recovery capabilities are now more critical than ever as the threat landscape becomes technologically more advanced.

Cybercrime is no longer opportunistic but is increasingly an efficient, scalable, and service-based business. The broader economic impact reflects this shift. According to Statista, the global cost of cybercrime reached USD 10.29 trillion in 2025 and is expected to rise to nearly USD 16 trillion by 2029 [11]. If cybercrime were a country, it would rank as the world’s third-largest economy after the United States and China [12].

Europol identified more than 120 active ransomware actors in 2025 [13]. The Ransomware-as-a-Service model, along with ready-made codebases and AI tools, enables the rapid emergence and equally rapid disappearance of new groups. A structural shift is underway: ransomware operations are moving toward a decentralised, service-based model. This observation further highlights how specialised and adaptive the ransomware ecosystem has become.

In 2025, Google Threat Intelligence Group tracked a total of 90 actively exploited zero-day vulnerabilities, compared to 78 in 2024. Of the zero-days exploited in 2025, 48% targeted enterprise technologies [14], making vulnerability management increasingly critical for organisational resilience and business continuity.

Collapsed trust boundaries are redefining cyber risk

The traditional trust model is breaking down. The boundary between internal and external networks is losing relevance as organisations operate more on SaaS platforms, third-party services, cloud integrations, and increasingly complex supply chains.

The network perimeter has effectively disappeared. When attackers compromise identities, they log in rather than break in. Identity defines access, permissions, and trust, making it a prime target.

Approximately one-third of attackers still rely on simple methods to gain initial access to organisations, most often through trusted supply chains or online services [15]. Microsoft reports analysing 38 million identity risk detections every day, highlighting the scale of identity-based attacks [16].

KELA Group’s cybercrime analysis underscores the importance of protecting identities: in 2025, 2.86 billion credentials were compromised. Even macOS infostealer infections surged dramatically, rising from fewer than one thousand cases in 2024 to over 70,000 in 2025 [17]. Attackers use infostealer malware across multiple platforms to infiltrate organisations and steal sensitive information.

Organisations’ protection needs are no longer limited to human identities. The trust challenge increasingly extends to non-human identities, such as AI agents, service accounts, API keys, tokens, and software integrations. Many of these machine identities hold broad privileges but are rarely governed with the same rigor as employee accounts.

The threat related to supply chain compromise is growing. According to the World Economic Forum, 65% of large organisations see third-party and supply-chain vulnerabilities as the biggest challenge to becoming cyber resilient [18]. However, visibility and control over partner ecosystems often remain shallow. The Information Security Forum (ISF) recommends mapping dependencies across key supply chain relationships down to the fourth and fifth level [19].

The risk is even more concentrated in software supply chains. In 2025, Sonatype identified over 454,600 new malicious open-source packages, with over 99% of open-source malware targeting npm [20].

The strategic implication is clear: organisations can no longer treat trust as implicit within their networks. Every identity, integration, and supplier relationship must be subject to continuous verification, monitoring, and, where necessary, restriction of privileges. If any part of the trust chain is compromised, the blast radius now reaches far beyond the enterprise itself.

Cyber risk as part of business strategy

Cyber risk has shifted from a technical and operational issue to a strategic concern shaped by geopolitical tensions, regulation, and national resilience. Cyber security incidents are increasingly manifesting as business continuity challenges, financial risks, and even matters of national resilience.

The Allianz Risk Barometer ranks cyber incidents as the most critical global business risk for the fifth consecutive year. AI-related risks have risen to second place in business criticality assessments [21]. Cyber security risks are therefore now an integral part of executive decision-making.

Geopolitical tensions are increasingly reflected in targeted cyberattacks against governments and critical infrastructure operators. Operational technology (OT) and critical infrastructure have become prime targets in geopolitically motivated attacks. These attacks are often carried out through deniable proxy ecosystems that operate below the threshold of open conflict.

According to Akamai, cyberattacks targeting nationally critical businesses and institutions increased by 245% following the escalation of conflict in the Middle East in spring 2026. At the same time, automated reconnaissance traffic rose by 70% [22]. This shift indicates a broader transition from chaotic disruption toward pre-positioning, as threat actors quietly map targets, establish persistence, and prepare for future attacks or disruption.

At the same time, increasing regulation, stakeholder requirements, and rising expectations are pushing cyber security higher on boardroom agendas. The question is no longer whether organisations are protected, but whether they can demonstrate preparedness, maturity, and recovery capabilities when disruption occurs. A single cyber incident can cause significant operational and financial impact, with potentially severe consequences for business continuity.

Infrastructure control is becoming a strategic priority. Gartner forecasts Europe’s sovereign cloud IaaS spending to rise from $6.868 billion in 2025 to $23.118 billion by 2027 [23].

Organisations and governments are investing in greater digital autonomy as trust, supply chains, and geography become more politically defined.

Resilience starts with people

Despite increasing focus on automation, AI, and machine-speed attacks, overall resilience still depends on people. Humans remain active actors and decision-makers, playing a critical role in maintaining and developing security.

AI can flag anomalies, accelerate analysis, and support triage. However, human judgment remains essential for determining what truly matters in the broader context and what response is required. It is therefore crucial that organisations retain human expertise and an understanding of their operating environment.

Resilience must be built on the ability to operate under pressure, not solely on preventing security incidents. In fast-moving, high-pressure situations, cognitive overload can itself become a vulnerability. According to Microsoft, nearly half of all alerts go uninvestigated in today’s fragmented SOC environments [24], while Vectra AI estimates that organisations receive an average of 2,992 security alerts per day [25].

When teams are overwhelmed, the quality of decision-making degrades, alert fatigue grows, and real threats are more likely to be missed. Employee well-being is therefore an integral part of resilience. Success is no longer measured solely by the ability to prevent attacks, but by how quickly an attack is detected, how effectively its impact is contained, and how rapidly operations can be restored.

Rehearsed incident response, layered security controls, risk-based patching, business continuity planning, and up-to-date backup and recovery capabilities are essential, as incidents can never be prevented with 100% certainty. When a major incident inevitably occurs, organisations cannot assess it from a purely technical perspective. Successful recovery depends on coordinated collaboration, clear decision-making, and the ability to act effectively even under unpredictable conditions. In a crisis, the key challenge is managing chaos, which requires a clear decision-making process, pre-planned and rehearsed response models, and the capability to make timely and consistent decisions under pressure.

From prevention to resilience

In the years ahead, resilience will be defined by the ability to withstand disruptions, maintain operational continuity, and recover in an environment where uncertainty and constant disruption have become the new normal. Leveraging AI and automation will become a critical factor for defenders in keeping pace with a rapidly evolving threat landscape. It is important to recognise that even the most advanced automation cannot replace fundamentals such as defence in depth.

In the age of AI, we believe cybersecurity development should focus on five priorities:

  1. strengthening security fundamentals
  2. securing identity through a Zero Trust model
  3. managing third-party dependency risks
  4. establishing clear, rehearsed incident, crisis, and recovery models that support human decision-making and wellbeing
  5. building AI and automation capabilities to support defence.

Together, these areas help organisations prevent major incidents, limit the impact of disruptions, and accelerate recovery. Security is no longer defined by the ability to prevent incidents, but by how quickly and effectively organisations can recover from them. That is resilience in the age of AI.


Sources

1. CrowdStrike: Global Threat Report 2026
2. IBM: Cost of a Data Breach 2025
3. IBM: Cost of a Data Breach 2025
4. Gartner: Turbulence Report
5. KELA Group: The State of Cybercrime 2026
6. Verizon: Data Breach Investigation Report 2026
7. Hoxhunt: Phishing Trend Report 2026
8. Verizon: Data Breach Investigation Report 2026
9. Truecaller: 2025 Insight Report
10. Gartner: Emerging Tech: The Impact of AI and Deepfakes on Identity Verification
11. Statista: Cybercrime worldwide - statistics & facts
12. Cybersecurity Ventures: Cybercrime report 2025
13. Europol: IOCTA Report 2026
14. Google Threat Intelligence Group: 2025 Zero Days in Review
15. KELA Group: State of Cybercrime 2026
16. Microsoft: Digital Defence Report 2025
17. KELA Group: State of Cybercrime 2026
18. World Economic Forum: Global Cybersecurity Outlook 2026
19. ISF: Threat Horizon 2028 Report
20. Sonatype: State of the Software Supply Chain Report 2026
21. Allianz: Risk Barometer 2026
22. Akamai: Emerging Geopolitical Cyberthreats
23. Gartner: Sovereign Cloud IaaS Spending 2026
24. Microsoft Security Blog 17.2.2026
25. Vectra: AI 2026 report