Axia Computer Systems Ltd

Cyber Security

FortiGuard Labs 2026 global threat landscape: what it means for UK SMEs

FortiGuard Labs' latest global threat report is dense with statistics about ransomware, exploit activity and OT attacks. Stripped down to what actually matters to a UK SME without a SOC: the four patterns we are seeing on customer estates, and the small, cheap controls that blunt each one.

Cyber SecurityBy Axia Computer Systems Ltd
FortinetThreat IntelligenceRansomware
FortiGuard Labs 2026 global threat landscape: what it means for UK SMEs

Every quarter, FortiGuard Labs publishes threat intelligence drawn from telemetry across millions of sensors worldwide. The full report runs to dozens of pages of statistics and is worth reading, but most SME IT teams do not have the hours. This article is our distillation for clients: what is genuinely new, what is just louder coverage of old techniques, and which cheap, boring controls are still doing the heavy lifting against the latest activity.

Ransomware has not gone away — it has just changed shape

The big shift in the last two years is away from noisy, mass-distributed ransomware and towards quieter, more targeted operations. Attackers spend longer inside the network before they encrypt anything, often weeks. They map backups first. They exfiltrate data, then threaten to leak it as a second lever even if the encryption is paid off. The classic "we got hit, the servers are encrypted, we pay the ransom" story has been almost entirely replaced by a longer, more patient process that ends in double extortion. For SMEs the practical implication is the same: detect early, isolate fast, and assume the leak is part of the attack whether you pay or not.

Exploits are increasingly targeting edge devices

FortiGuard again flags firewalls, VPN concentrators, remote-access appliances and other internet-facing devices as the highest-volume target class. These devices are often managed by a third party, run firmware that is months out of date, and sit in the DMZ as the trusted edge of the network. The reason is simple: a working exploit against a perimeter appliance gives the attacker network-level access to everything behind it, often without triggering endpoint detection. The mitigation is equally simple and almost universally neglected: enable automatic firmware updates on every managed appliance; have a documented quarterly review for those that cannot auto-update; and remove from production any device that has been end-of-life for more than 90 days.

OT and ICS activity keeps climbing

Activity against operational technology — the kit that runs factories, building management systems, smart-building climate controls, even commercial kitchen and refrigeration equipment — is now a regular finding in the threat data, not a one-off. Most SMEs do not think of their OT estate as part of the cybersecurity conversation because it is run by facilities or operations, not IT. That gap is the attack. The minimum sensible response is a network-segmentation review: physically or logically separate the OT network from the IT network, restrict inbound and outbound traffic to an explicit allow list, and make sure someone in the business is accountable for patching the OT kit on the manufacturer’s schedule.

Credential abuse is still the easiest path in

Phishing, password reuse and credential leaks remain the single largest attack vector in the data, ahead of every zero-day combined. For SMEs that means the boring stuff is still the most valuable: enforced multi-factor authentication on every account (including service accounts where technically possible), conditional access policies that challenge sign-ins from unusual locations or unmanaged devices, dark-web exposure monitoring for corporate credentials, and an annual review of who actually has admin rights. None of this is glamorous. All of it materially reduces the chance of being the next incident.

What we change for our clients as a result

  • Tighten edge-device firmware management — automatic updates where possible, scheduled manual updates for the rest, with a written register of what is in production.
  • Add a quarterly review of OT/ICS segmentation into the standard managed-service cadence.
  • Expand phishing simulation and security-awareness training throughout the year, not as a single annual exercise.
  • Review credential exposure monthly for the executive team and any user with admin or finance authority.
  • Validate backup immutability and an actual restore against ransomware-grade scenarios, at least once a year, on every managed tenant.

If you would like to see how this maps to your own environment, talk to us. We help SMEs across Hertfordshire, Bedfordshire and London translate global threat intelligence into a practical, prioritised to-do list — usually under a day’s work and without the need for a dedicated SOC.

More from Cyber Security

Ready to talk?

Discuss your IT requirements with our team. Call 01923 333111 or send us a message.

Authorised trading partners