Dom Norton, Sales Director at Spitfire Network Services, shares his perspective on the evolving threat landscape and what businesses and the channel partners that support them can do to stay ahead.
The scale, sophistication and speed of cyberattacks in 2026 have made robust network security an operational priority for every business - not just the largest enterprises. In this piece, we share our perspective across ten key areas: from the threat landscape and emerging technologies to investment priorities, customer expectations and what the channel needs to do to stay ahead. Whether you work with an IT partner or manage your own infrastructure, the issues covered here apply to you.
The threat landscape in 2026: faster, smarter, and closer than you think
The threat landscape in 2026 is accelerating in both scale and sophistication - and no business, regardless of size or sector, is immune. Last year, over half of UK businesses experienced a cyberattack, including household names such as Marks & Spencer, Harrods, Co-op and Jaguar. These are not small or poorly resourced organisations and serve as a stark reminder that determined attackers will find a way through conventional defences.
AI has materially changed the nature of attacks. Phishing and social engineering campaigns now incorporate voice cloning and deepfakes, capable of producing highly personalised and convincing attacks at scale. Approximately 70% of UK businesses reported phishing attempts last year. AI is also being used to automate vulnerability scanning and exploitation, reducing the window between an attacker gaining access and launching a successful attack.
Supply chain attacks are growing significantly. Once a vendor or partner is compromised, attackers can gain potential access to hundreds of downstream customers simultaneously - making the economics of supply chain attacks increasingly attractive to sophisticated threat actors.
The growth of IoT is also expanding the attack surface at a rate many businesses have not fully reckoned with. With 40 to 43 billion connected devices forecast by the end of the decade and many deployments still secured using legacy methods never designed for this scale, the exposure is substantial.
To illustrate just how rapidly attacks materialise, we ran a honeypot experiment (‘One Hour Under Attack’): we exposed a public IP address to the internet for sixty minutes and recorded 2,266 cyberattacks from 120 separate sources - brute force attempts, port scans and exploitation of outdated firmware, all within the first hour. That experiment now runs live on our website (www.spitfire.co.uk/one-hour-under-attack).
How technology is fighting back: AI, automation and network-native defence
The most significant advancement has been the adoption of AI and machine learning (ML) on both sides of the cybersecurity divide. Attackers are using these technologies to improve the scale, speed and sophistication of their operations. But defenders are using AI and ML to fight back more effectively than was previously possible.
In our own Firewall as a Service (FWaaS) solution, built on Fortinet - a recognised leader in Gartner's Magic Quadrant for network firewalls - we have deployed Unified Threat Protection incorporating heuristic AI and machine learning detection, alongside an Intrusion Prevention System capable of virtual patching and protocol anomaly detection. The ability to identify and contain threats before they can propagate, automatically, without manual intervention, represents a meaningful step forward from traditional signature-based approaches.
FWaaS also provides geo-blocking as standard at the network edge, with inbound traffic from known high-risk regions, including those associated with state-sponsored threat actors, dropped by default before any other security measure is applied. This baseline layer of protection is provided automatically to all FWaaS customers, without any additional configuration required.
The industry is shifting toward cyber resilience: businesses are increasingly accepting that a successful attack is a real possibility when operating over the public internet, and are investing in rapid detection, threat containment and recovery alongside prevention. That shift in mindset is understandable, but it raises an important question: what if you didn't have to accept that exposure in the first place?
For Spitfire's One Network customers, operating within a fully isolated private network that is completely invisible to internet-based attackers, the conversation moves from 'how do we limit the damage when one gets through' to 'how do we ensure there is nothing to get through to.' That is a fundamentally different and more powerful security proposition.
Are businesses truly aware of their exposure? The gap between perception and reality
In our conversations with partners and their customers, we are consistently seeing cybersecurity move from the IT department to the boardroom. The financial and reputational consequences of a successful attack have never been greater: business interruption, data theft, regulatory penalties and loss of customer trust can each individually be catastrophic.
However, we still encounter businesses that believe a firewall and an antivirus subscription constitute adequate protection. The reality is that the threat landscape has outpaced that thinking considerably. Every layer of the organisation needs to understand both the risks and their individual role in managing them.
Smaller businesses in supply chains remain significantly vulnerable, and often underestimate their attractiveness as targets, precisely because they provide a potential route into and from larger organisations.
Where should businesses be investing? Moving from reactive to preventive security
The investment priorities we are seeing most consistently are staff awareness and training, multi-factor authentication, zero-trust architecture, endpoint and device security, and backup and recovery capabilities. However, a shift is underway in how the most forward-thinking organisations are approaching the problem.
Many businesses still prioritise attack detection and response over prevention - investing heavily in tools that identify breaches after, or as, they occur. While these capabilities are important, a purely reactive posture leaves organisations permanently on the back foot. There is a growing recognition that the more powerful strategy is to reduce or eliminate the attack surface altogether, rather than relying on detecting threats once they are already inside the network.
Cloud misconfiguration also remains one of the most underappreciated vulnerabilities. As businesses accelerate their migration to cloud environments, the attack surface associated with poorly configured infrastructure grows significantly - an area where specialist channel support and targeted staff training are critical.
Businesses should therefore prioritise using suppliers that can connect all users, devices and endpoints into a fully private and secure network - whether that be by using a fixed line fibre circuit, a mobile SIM or a direct cloud connection. The aim should be to remove the attack surface entirely wherever possible.
The managed service provider opportunity: starting the right security conversation with customers
The most effective starting point for any managed service provider (MSP) working with a customer on cybersecurity is an honest assessment of their network exposure, not just their devices and applications, but the underlying network architecture itself.
IoT devices are frequently treated as an afterthought in security assessments, yet any device is only as secure as the network it is connected to. Best practice guidance including strong credentials, multi-factor authentication (MFA), access control lists, network segmentation, patched firmware and secure backup is valuable, but it has a fundamental limitation: even when followed diligently, these measures still leave devices reachable from the public internet. The attack surface still exists; it is merely made more difficult to exploit.
The most effective way to eliminate that exposure is to remove devices from the public internet altogether. This is the principle behind Spitfire's One Network solution: end-to-end connectivity across fixed line, mobile and cloud within a fully isolated private network, carried across our MPLS core. Every connected device, from a large office with Dedicated Fibre Ethernet to remote IoT sensors using our MVNO SIMs, is completely invisible and unreachable to internet-based attackers. Not harder to reach. Invisible.
MSPs working with customers to assess their security posture should ask a simple question: does your current architecture require your devices to be exposed to the public internet at all? In many cases, the answer is no, and that opens the conversation to a fundamentally more secure approach.
One practical example that resonates strongly with IoT resellers is out-of-band remote access. Many field-deployed IoT devices are currently accessed remotely via the customer's WiFi or LAN - a practice that creates a bidirectional security risk. A compromised device becomes a bridge into the customer's network; equally, a compromised customer network can be used to attack the device. By using a Spitfire SIM for out-of-band connectivity instead, the device operates entirely within One Network, independent of and invisible to the customer's local infrastructure. It eliminates both risks simultaneously, at very low cost.
MSPs and resellers who supply IoT solutions should also consider the liability that comes with how they deploy them. If a device connected to a customer’s network is compromised and used as a bridge to attack the customer’s wider infrastructure, the reputational and potentially legal consequences may fall on the reseller as much as the customer. Asking the question, ‘does my device create an entry point into my customer’s network, and could their network be used to attack my device?’ is increasingly part of responsible channel practice, and one that Spitfire’s private network approach directly and cost-effectively resolves.
What businesses actually want from their cybersecurity: proactive, simple and scalable
Businesses expect their cybersecurity services to be proactive, protecting against threats before damage is done, and to operate continuously.
However, many end users still underestimate their own likelihood of being targeted, often assuming cyberattacks are unlikely to affect them specifically. This creates a meaningful disconnect between the actual level of threat and what customers expect from their protection. MSPs have a genuine opportunity to close that gap through education and demonstration - our honeypot experiment has proven particularly effective in making the abstract threat very concrete for prospective customers.
They also expect simplicity without compromise. Resellers tell us consistently that their customers want solutions that do not require in-house security expertise to operate effectively. This is one of the drivers behind the shift toward security-as-a-service models and away from complex on-premises deployments that demand ongoing internal resource to manage.
On pricing, businesses want transparency and demonstrable return on investment, with solutions that scale as they grow - across new sites, remote workers and IoT deployments. Data protection sits at the heart of most customer priorities: protecting sensitive information, ensuring encryption and access controls, and maintaining compliance standards such as Cyber Essentials.
Our approach through One Network and FWaaS is to build security into the network architecture itself, rather than layering it on top of an existing, internet-exposed infrastructure. Partners find that this network-native security approach resonates strongly with customers who have previously invested in bolt-on solutions and found them insufficient.
The solutions gaining real traction: why private network isolation is changing the conversation
The most significant shift in how network security can be approached is private network isolation - and it is where we are seeing the strongest commercial traction. Creating a fully closed network, where devices are completely invisible and unreachable from the public internet, eliminates an enormous proportion of the attack surface that traditional security measures can only attempt to harden.
Spitfire's One Network delivers exactly this: end-to-end connectivity between fixed line, mobile and cloud within a fully isolated private MPLS network. IoT devices using our MVNO SIMs route traffic directly into the private network without touching the public internet. The architecture is particularly compelling for businesses managing distributed IoT deployments, remote offices and cloud infrastructure simultaneously, as One Network brings all of these under a consistent, centrally managed security policy.
For devices, users or third-party networks that sit outside One Network, Spitfire Unified Network (SUN) provides a single, controlled entry point into the private network via FWaaS. Rather than managing multiple VPN tunnels, SUN consolidates all external access through one secure gateway, simplifying management while maintaining the same enterprise-grade security standards that govern One Network itself. This makes it straightforward for partners to migrate customers onto One Network progressively, without disrupting existing third-party access circuits in the interim.
For internet connectivity from One Network, FWaaS delivers enterprise-grade protection including Unified Threat Protection with AI and machine learning-based threat detection. The as-a-service model removes the CapEx burden and complexity of equivalent on-prem deployments, and centralised management is particularly valued by partners with multi-site customer estates.
Cloud Connect is also finding increasing traction as businesses seek to secure and optimise their cloud connectivity. It provides private, dedicated connectivity from users, IoT devices and customer sites to cloud platforms including AWS and Azure, bypassing the public internet entirely. The security benefits are clear, but so are the economics: in a typical comparison, switching from an Azure VPN over the public internet to Cloud Connect delivered over 50% cost savings on data transfer. For data-intensive businesses, the commercial and security arguments are equally compelling.
It is also worth addressing a common misconception: these solutions are not exclusively for large enterprises. One Network and FWaaS are both designed to scale to the requirements and budgets of the SME market, which is precisely why they are gaining traction with channel partners whose customers span a wide range of sizes and sectors.
A more crowded market, but more opportunity: how the competitive landscape is evolving
The competitive landscape in channel cybersecurity is expanding rapidly, driven by growing demand as more businesses outsource their security management to specialists rather than attempting to manage it in-house. This creates a more crowded market, but also more opportunity, particularly for partners who position themselves as trusted advisors rather than product resellers.
Competition broadly drives better outcomes. Vendors need to innovate continuously and keep pace with an evolving threat landscape to remain credible. For the channel, this means a wider choice of high-quality solutions to bring to customers.
Where Spitfire occupies a distinct position is in offering security that is built into the network architecture itself, rather than applied on top of an existing, internet-connected infrastructure. Many cybersecurity vendors start from the assumption that exposure to the internet is inevitable and design their products accordingly. We start from a different premise: build the network so that threats cannot reach your devices in the first place. Managed security services such as FWaaS then enhance that secure-by-design foundation, rather than compensating for the vulnerabilities of an exposed one. Partners find this a genuinely differentiated conversation, particularly in sectors with high IoT density or complex multi-site connectivity requirements.
Partners who can offer comprehensive managed security within a single commercial relationship - connectivity, network isolation, firewall and cloud access - are well-placed to deliver genuine risk reduction without adding unnecessary cost and complexity.
Building the right skills: what channel partners need to know to advise customers effectively
A zero-trust mindset needs to be embedded across the channel, not just in how partners advise customers, but in how their own businesses operate. Strong security policies, MFA, identity verification and micro-segmentation should be standard practice for any channel company positioning itself as a cybersecurity advisor.
On the customer side, educating all staff, not just IT teams, remains one of the highest-impact activities a channel partner can support. The human element continues to be the primary entry point for attackers: phishing, weak or reused passwords and stolen credentials all rely on exploiting individual behaviour. Partners that deliver structured, ongoing cybersecurity awareness training as part of their proposition add significant and tangible value.
Compliance and regulatory knowledge are increasingly important. Customers want confidence that their security posture aligns with recognised standards including Cyber Essentials and ISO 27001. Channel partners who can speak authoritatively to these requirements and help customers evidence compliance are far better positioned.
One area that often receives insufficient attention in channel training is connectivity-layer security: understanding how the network itself can be designed to reduce exposure, not merely how to protect devices once they are connected. As IoT deployments proliferate, this knowledge becomes increasingly essential and is an area where Spitfire actively supports its partner community.
Looking ahead: what the next 18 months hold for cybersecurity and the channel
IoT security will become one of the defining channel conversations of the next 18 months. With those forecast billions of connected IoT devices, and other deployments secured using legacy methods that were never designed for this scale, the exposure is growing faster than most businesses have yet registered. We expect a significant increase in IoT-targeted attacks, and corresponding growth in demand for network-native security approaches that protect devices at the connectivity layer.
AI will continue to accelerate the threat environment on both sides. The time between an attacker penetrating a network and launching a successful attack will keep shrinking as AI automates vulnerability exploitation at scale. Simultaneously, AI-powered detection and response capabilities will become essential rather than optional for any credible managed security service.
The human element will remain a primary target. Phishing, weak credentials and social engineering attacks will continue to evolve in sophistication, particularly as AI makes voice cloning and deepfake-based attacks more accessible and convincing. Ongoing staff training and zero-trust access policies will remain the most effective countermeasures.
Supply chain attacks will continue to grow in frequency. Once a vendor or partner is compromised, an attacker gains potential access to hundreds of downstream customers simultaneously, making this vector increasingly attractive to sophisticated criminal and state-sponsored actors alike.
The channel's opportunity in all of this is clear: businesses need specialist guidance, managed services, and partners who understand both the technical and commercial dimensions of the cybersecurity challenge. Those who invest in that expertise now, and who are already deploying private network solutions that remove their customers’ devices from the public internet entirely, will be exceptionally well placed as demand continues to accelerate. One thing is certain: businesses that rely purely on reactive security measures will find themselves in a race against AI - and they will most likely lose.
