Cyber-attacks are the biggest risk facing professional firms in 2026, according to a survey by insurer Everywhen. The poll found that 65% of respondents ranked cyber-attacks as their main concern.

Cyber threats were well ahead of economic pressures, which came second on 18%. Professional negligence claims followed on 9%, while regulatory changes were cited by 8% of respondents.

The findings suggest a marked shift in priorities among firms in sectors such as legal, financial and consultancy services. These businesses hold large volumes of sensitive client information and rely heavily on digital systems for day-to-day operations, making them more vulnerable to data breaches, ransomware and related disruption.

The gap between cyber risk and other concerns suggests digital security has moved ahead of more established threats in boardroom discussions. Economic uncertainty, compliance demands and negligence claims remain part of the risk landscape, but the survey indicates most respondents no longer see them as the most immediate threat.

Risk shift

The results come as professional firms also contend with rising costs and changing client expectations. Those pressures have created a more challenging operating environment, even before the impact of a cyber incident is considered.

For firms that provide advice or handle confidential material, the effects of an attack can extend beyond the immediate technical damage. A breach can lead to business interruption, regulatory scrutiny and claims from affected clients, increasing both direct and indirect costs.

An Everywhen spokesperson said the findings reflect the growing weight of cyber exposure in professional services.

“What this data shows very clearly is that cyber threats represent a fundamental and growing business risk. Professional firms are custodians of highly sensitive client data, and that makes them a prime target.

From an insurance perspective, cyber incidents rarely sit in isolation. They can lead to business interruption, regulatory investigations and even professional indemnity claims if clients are affected. That is why it is critical for firms to understand how their cover responds and where potential gaps may exist.

There is still a tendency to view cyber insurance as optional, but the reality is that it is becoming a core component of a firm’s risk management strategy.”

Boardroom concern

The survey suggests professional firms increasingly see cyber risk as a business issue rather than a narrow technology problem. A successful attack can affect client service, reputation and regulatory standing at the same time, helping explain why it now outranks more traditional concerns.

Legal practices, accountancy firms, consultants and other advisory businesses often hold commercially sensitive and personal information. That makes them attractive targets for cyber criminals seeking direct financial gain or leverage through extortion.

At the same time, the results indicate that regulatory change and professional negligence, while still significant, are being overshadowed by the speed and frequency of cyber incidents. The ranking also suggests firms may be reassessing how different risks interact, particularly where a cyber event could trigger wider legal or professional consequences.

Insurers have seen demand for cyber-related cover rise as businesses look to manage the financial effects of attacks. The Everywhen findings add to wider evidence that many companies now view digital threats as a central operational and governance issue rather than a peripheral one.

The spread between first and second place in the survey was particularly stark. Cyber-attacks drew more than three times the share of responses recorded for economic pressures, underlining how far concern about digital threats has moved ahead of other business risks.

ThreatAware has warned organisations to close cybersecurity visibility gaps ahead of changes to the UK’s Cyber Essentials scheme. The updated version introduces stricter checks for certification.

The revised standard adds two automatic failure conditions and raises the bar for proving that key controls are in place across full IT environments. The five technical controls at the heart of Cyber Essentials remain unchanged, but the assessment process will place greater weight on whether those controls are consistently enforced in practice.

Under the changes, any cloud service that supports multi-factor authentication must have it enabled. A single account without MFA would trigger an automatic failure.

Another change shortens the window for fixing critical and high-risk vulnerabilities. Organisations will need to remediate those issues within 14 days across endpoints, applications and network infrastructure.

Scrutiny during assessments is also set to increase. If sample testing identifies failures, organisations will need to fix the same issues across the whole environment before they can be reassessed.

Stricter checks

IASME has published the update, which is backed by the National Cyber Security Centre. For many UK organisations, Cyber Essentials certification remains a basic requirement for working with government departments and parts of the wider supply chain, and it is often linked to cyber insurance conditions.

That makes the practical effect of the revised rules significant for companies that rely on certification to win or retain contracts. The changes shift the focus from written policy to proof that controls are active across all users, devices and systems.

Common weak points include misconfigured conditional access policies, unmanaged or guest accounts, devices outside patching windows, and unsanctioned software-as-a-service use. Under the updated framework, any one of those gaps could be enough to prevent certification.

Jon Tamplin, Head of Cybersecurity at ThreatAware, said: “These updates reinforce a fundamental cornerstone of cybersecurity: when organisations get the basics right, they prevent the vast majority of attacks. And it starts with one essential principle – visibility.

“Visibility isn’t a nice-to-have; it’s the foundation of effective security. Think about this from the attacker’s perspective: they’re looking for the easiest path. A high-risk account where MFA isn’t enforced can quickly lead to a compromised device.”

Proof required

The emphasis on evidence reflects a broader trend in cyber compliance, with auditors and certification bodies increasingly wanting to see operational controls rather than policy statements. In practice, that means security teams must be able to account for every relevant device and user account, including those outside standard management processes.

For larger organisations, that can be difficult when estates include a mix of on-premises systems, cloud applications, third-party tools and temporary accounts. Guest users, shadow IT and assets outside central management often create the blind spots that compliance frameworks are now trying to eliminate.

Tamplin said: “If security leaders can’t identify where these gaps are, they’re effectively working with one hand tied behind their back. Teams are doing their best, but it only takes one device without the right security controls to expose an entire network.

“If you can’t see every device and every account, you can’t prove the controls are working. Under v3.3, proof is exactly what’s required, and it only takes one device outside the patch window or one account without MFA enforced to fail an assessment.

“The message behind the Cyber Essentials updates is simple: get the fundamentals right. Those fundamentals haven’t changed, but expectations have. Organisations should not only have core controls in place, from patching to EDR and MFA, but also be able to prove they are applying them across every account and every device, all the time, to meet the ‘Five Controls’.”

The revised requirements apply immediately to new certification accounts created under the updated scheme, while organisations with existing accounts have a six-month transition period to certify under the previous standard. That phased approach gives some businesses extra time, but it also creates a near-term decision for organisations that need certification for procurement, supplier assurance or insurance purposes.

ThreatAware, founded in 2018, works with more than 100 organisations across the UK, US and Canada.

Uswitch has warned London Marathon runners and spectators to expect mobile signal disruption at key points along the route, particularly in crowded areas such as Tower Bridge, Canary Wharf and The Mall.

When large numbers of people try to get online at once, pressure on local mobile infrastructure can lead to delayed live-tracking updates, patchy calls and slow data speeds. The issue is more likely to be network capacity than a lack of coverage.

More than 59,000 runners are expected at the start line, with large spectator crowds gathering across central and east London. Areas expected to be especially busy include Tower Bridge, Canary Wharf, Embankment, Westminster and the finish area on The Mall.

Archie Burkinshaw, Mobiles Expert at Uswitch, said the problem often arises even when phones appear to have a strong connection. “On marathon day, some of London’s busiest spots can put mobile networks under pressure as thousands of runners and spectators try to get online at once.”

“It’s often not a coverage problem but a capacity issue, as local masts can become overloaded by the number of devices trying to connect at the same time. This can create digital gridlock, leading to slower data, delayed live-tracking updates, patchy calls, and difficulty uploading photos or messages.”

“In some cases, people may still see full signal bars, but performance can lag because the network is congested.

“If you’re worried about losing connection, one option is to have a backup eSIM ready on another network. Most newer phones let you keep your usual number active while using the second network for data, although busy areas can affect multiple networks.

“A few quick checks before you leave can make all the difference: download maps, save tickets or travel information, agree on a meeting point, and pack a portable charger.”

Practical steps

Suggested measures include downloading offline maps and transport information before travelling, taking screenshots of QR codes and tracking links, and agreeing meeting points away from the finish line. The advice also includes carrying a portable charger and using low-power settings to reduce battery drain.

In especially crowded areas, switching from 5G to 4G may help, as 4G can sometimes provide a more stable connection when networks are under strain. Users are also advised to send SMS or other low-data messages rather than trying to upload video from the busiest sections of the course.

Another option is to install a secondary eSIM on a different network before race day. Some one-month eSIM plans are available from £2.50 for 100GB, according to the guidance, although service problems can still affect more than one operator in the same location.

Route pressure

The warning reflects the dense spectator crowds that build at marathon viewing hotspots, where sudden demand can put nearby mobile masts under strain. Moving 100 to 200 metres away from the busiest part of a crowd may improve service.

Runners are advised to prepare for periods of limited connectivity by downloading playlists and maps in advance and avoiding live uploads during the race. Participants using GPS sports watches may also want to put their phones into aeroplane mode to preserve battery life until the finish.

Guest Wi-Fi in pubs, cafés and restaurants along the route may provide an alternative if mobile data becomes unreliable. Users can also try manually selecting a network before returning to automatic settings if their phones remain attached to a weak connection.

The London Marathon is one of the UK’s largest mass-participation sporting events and draws substantial crowds across multiple boroughs, making it a recurring test for mobile networks in the capital. With tens of thousands of runners and spectators relying on live updates, messages and navigation throughout the day, the key advice is to prepare for congestion before leaving home.