If one thing defined 2025, it was the proliferation of cyber-attacks. Unbiased to sector or industry, these breaches varied in method, impact and motive, making them difficult to predict and causing havoc for those affected.
One recent government report suggests that almost half of British businesses (43 per cent) and three in 10 charities (30 per cent) claimed to have suffered a type of cybersecurity breach or attack in the past year, a huge uptick compared to previous years.
VP of Solutions Engineering and Enterprise CTO at Rubrik.
As recent attacks from groups like Scattered Spider show, financial gain is no longer the only motivator. Disruption and status are now as valuable to hackers as money, as seen with the controversial attack on nursery firm Kido, which saw data and imagery from young children published on the dark web with a hefty ransom.
Article continues belowFor many upcoming hackers, notoriety and social validation are becoming the new currency of cybercrime.
As we start the new year, it’s crucial that CISOs widen the net and factor in these less rational, status-driven motives when preparing for attacks.
Reputation and clout are driving behavior in cybercrime communities
A growing subset driven by risk-taking and creating chaos-for-chaos’ sake is reshaping the threat landscape.
Attacks are increasingly becoming performative, not just transactional, with the impact of the attack mattering just as much as the payout.
By targeting infrastructure that will rock the boat the most, like zoning in on high profile companies or causing operational chaos, hackers are seeking out ways to gain reputational returns in underground forums.
One reason for this need for notoriety is to accelerate a “hacking career”. Well known handlers use high profile attacks just like most people would a CV, with clout buying more opportunity for collaboration.
With encrypted channels like Discord and Telegram a hotbed for social validation, the escalation of an attack is encouraged in the community.
This ties into the need for brand recognition, something that applies to hackers too. Certain groups behave like media-savvy brands, cultivating recognizable names, logos, and narratives to spread awareness.
Everyone in the industry knows of Scattered Spider, the group that hijacked the much-loved British heritage retail giants causing mass disruption.
Perhaps most importantly, the more reputable a hack, the less the specific outcome of the breach itself tends to matter.
If the target is high profile but doesn’t result in financial gain, something that will become more common as companies are encouraged to not pay ransoms, the hack can still be considered a win in the community.
How organizations should approach threat modelling and resilience
When an adversary isn’t just after money, and the motives are based on causing as much trouble as possible, CISOs need to adapt their methods for pre-empting an attack.
Threat models that focus on why an attacker might target a company break down when the motivation is just about visibility. Organizations must model maximum plausible impact and consider what reputational triggers they might have to prepare for the worst.
This means building in an assumption of disruption-first attacks into resilience planning, ensuring even the most irrational behavior is considered.
The unpredictable nature of status driven attacks means threat models need to include scenarios where the attacker burns access, deletes data, or escalates a breach simply because they can.
It would be easy to assume that lesser known brands or firms are of less risk to these status driven attacks – think again. Hackers won’t discriminate by the balance sheet.
Smaller firms, public services, and operationally sensitive but low-revenue organizations are attractive precisely because disruption is easier and reputational fallout is public.
2025 was brutal, 2026 will be worse – putting cyber resilience into action
With it becoming even harder to predict the nature of a cyber attack, prevention alone is an insufficient means of protection. You cannot deter an adversary who isn’t rationally weighing risk against reward.
The cyber industry needs to move away from a defensive posture that focuses on keeping bad players out at all costs, and pivot towards a plan that expects an attack, ensuring a fast recovery once the breach has happened.
The real control is in the speed of recovery. If the goal for an attacker is notoriety, then they win by maximizing visible disruption time. Ensuring a rapid recovery, clean restores and operational resilience that allows business continuity directly undercuts the attacker’s status payoff.
When it comes to cyber security, the gloves are off. We must learn to expect the unexpected, plan for the unthinkable and aim to be one step ahead of the cyber criminals - it’s now a matter of when, not if, a firm faces a high profile breach.
We've featured the best encryption software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.