Hard2bit
← Back to the cybersecurity blog

Cyber threats in 2026: the attack no longer comes through the firewall — it comes through identity and your supply chain

By Adrián González · CEO · Published: 08 July 2026 · Updated: 08 July 2026
Cyber threats in 2026: the attack no longer comes through the firewall — it comes through identity and your supply

For years the mental model of an attack was a perimeter being breached. In 2026 that picture is outdated. The majority of incidents now begin with a stolen credential and the abuse of legitimate access, then move through third parties and cloud services that were never inside "the firewall" to begin with. The ENISA Threat Landscape 2025 reflects the same shift: identity and supply chain, not the network edge, are where organisations are compromised.

At a glance

  • The way in: credentials and legitimate access, not a breached perimeter.
  • The path: through suppliers, cloud and identity providers you do not fully control.
  • The response: prioritise identity, third-party risk and resilience — and align it with NIS2 and DORA.

Three trends shaping today's incidents

Identity is the new perimeter. Phishing and credential theft give attackers a legitimate way in, so MFA that resists phishing and tight control of privileged access matter more than another perimeter box. This extends to machine identities: service accounts, tokens and API keys — the non-human identities that rarely have an owner and almost never rotate.

The supply chain is part of your attack surface. A compromised provider — software, hosting, a managed service — becomes your incident. Managing third-party risk is no longer optional hygiene; it is front-line defence.

Resilience decides the outcome. When prevention fails, the difference between a bad day and a crisis is how fast you detect, contain and recover. That is a function of monitoring, tested backups and incident response, not of any single tool.

Where to start, without an endless project

The temptation is to launch a multi-year programme. The more useful move is to fix the highest-leverage gaps first: enforce phishing-resistant MFA and review privileged access; inventory who and what can authenticate, including machine identities; map your critical suppliers and what would happen if one failed; and confirm you can actually detect and recover from an identity-driven intrusion. None of that requires a two-year roadmap — it requires deciding what matters most and doing it. A managed SOC and vulnerability management close much of the gap quickly.

How this connects to NIS2 and DORA

NIS2 requires risk-based measures across access control, supply-chain security and incident handling, with board accountability. DORA makes operational resilience and third-party (ICT) risk explicit obligations for financial entities. Both, read plainly, describe exactly the three trends above: identity, supply chain and resilience. Aligning your priorities with them is not extra work — it is the same work, evidenced.

The bottom line

The attacker of 2026 logs in rather than breaks in, and reaches you through people and providers you already trust. Defence follows suit: identity first, suppliers second, resilience throughout. If you want help turning that into a prioritised plan for your organisation, get in touch.

Frequently asked questions

Why is identity considered the new perimeter?

Because most incidents now begin with stolen credentials and the abuse of legitimate access rather than a breached network edge. Phishing-resistant MFA and tight control of privileged and machine identities do more to reduce risk than another perimeter appliance.

How does the supply chain become part of my attack surface?

A compromised provider — software, hosting or a managed service — becomes your incident, because their access and their code reach your environment. Managing third-party risk is therefore front-line defence, not optional hygiene.

What are non-human identities and why do they matter?

They are machine identities: service accounts, tokens and API keys used by systems rather than people. They rarely have a clear owner and almost never rotate, which makes them a favoured, low-visibility path for attackers once inside.

How should a company prioritise without launching an endless project?

Fix the highest-leverage gaps first: enforce phishing-resistant MFA and review privileged access, inventory who and what can authenticate, map critical suppliers, and confirm you can detect and recover from an identity-driven intrusion. That does not need a multi-year roadmap.

How do these threats relate to NIS2 and DORA?

NIS2 requires risk-based measures across access control, supply-chain security and incident handling with board accountability; DORA makes operational resilience and third-party ICT risk explicit for financial entities. Both describe the same identity, supply-chain and resilience priorities.

What reduces identity and supply-chain risk fastest?

Phishing-resistant MFA and privileged-access control, an inventory of human and machine identities, third-party risk management, and the ability to detect and recover quickly — typically through a managed SOC and continuous vulnerability management.