For too long, cybersecurity was treated as a secondary concern. Something delegated to IT teams, technology leaders, or, at most, auditors. It only received real attention once damage had already occurred, when systems went down, data disappeared, or the organization’s name appeared in the news for the worst reasons. In 2026, that view has become unsustainable.

Cybersecurity is no longer a technical problem. It is an economic, strategic, and continuity issue. And that is precisely why it has become central to management.

We are living in an era of constant conflict. It does not always take the form of conventional warfare, but that does not make it any less real. There is economic warfare, information warfare, constant geopolitical pressure, and cyberwarfare. Cyberspace has become one of the main arenas of this confrontation because it is inexpensive, scalable, difficult to attribute, and particularly effective against societies and companies that are deeply dependent on technology. The UK’s National Cyber Security Centre warned in March 2026 of increased indirect risk for organizations with operations or supply chains in the Middle East, precisely because the geopolitical environment is increasingly translating into cyber activity.

But the most important aspect is not the increase in the number of attacks. It is the evolution of their nature. The risk is changing, and that requires companies to change the way they think about it.

The latest reports from ENISA describe an environment in which threat groups exploit vulnerabilities at increasing speed, reuse tools, collaborate with each other, and combine multiple techniques in a single operation. Ransomware remains one of the most impactful threats, but it is not alone. There is phishing, direct exploitation of vulnerabilities, supply chain compromise, data exfiltration, and denial-of-service campaigns. We are no longer dealing with an attacker who simply breaks in to encrypt files. We are dealing with actors who enter, observe, copy, escalate privileges, extract information, and only then decide whether to disrupt operations, extort, leak data, or sell access to third parties.

This transformation has obvious economic consequences. A company can continue operating for days without realizing it has already been compromised. It may believe it still has control when, in reality, it has already lost control over critical information, trade secrets, credentials, and essential parts of its operational capacity. At that point, the damage is no longer just technological. It becomes financial, reputational, and strategic.

There is another point that Portuguese companies, especially mid-sized ones, cannot ignore. Attack technology is becoming increasingly democratized. There is now a true market of criminal services, ready-to-use tools, and infrastructures that dramatically lower barriers to entry. Added to this is artificial intelligence, which has accelerated the creation of convincing campaigns, automated parts of social engineering, and increased the scale of attacks. This does not mean AI attacks on its own, but it does mean that attacking is becoming easier, cheaper, and faster.

From a technical standpoint, two trends deserve particular attention today. The first is the growth of so-called “living off the land” attacks, in which intruders use legitimate tools already present in compromised systems. This makes detection much more difficult, as malicious behavior blends in with seemingly normal activity.

The second trend is the rise of “zero-click” attacks. In these cases, the user does not even need to click on anything suspicious. It is enough for the system to process certain content for a vulnerability to be exploited. Google’s Project Zero describes these attacks as exploits that require no user interaction, fundamentally changing the logic of defenses based solely on individual caution.

All of this leads to one conclusion: cybersecurity can no longer be managed as a support function. It must be treated as part of the company’s governance model. It is not enough to invest in tools. It is necessary to invest in resilience. It is not enough to have backups. It is necessary to know whether the business can continue operating under pressure. It is not enough to raise awareness. It is necessary to rethink access, dependencies, suppliers, critical processes, and response times.

For companies, the central question in 2026 is no longer “will we be attacked?” The question is different: “when we are under pressure, what fails first?” Does the operation fail? Does customer trust fail? Does the supply chain fail? Does decision-making fail? Does leadership fail?

This is where cybersecurity finally becomes a top management issue. Because what is at stake is not just the defense of systems. It is the defense of the ability to decide, to continue, and to compete in an environment where conflict is no longer outside the economy. It is inside it.

Paulo Cardoso do Amaral, Professor at CATÓLICA-LISBON