Cybersecurity resolutions for 2026

Constangy, Brooks, Smith & Prophete, LLP

As 2025 comes to an end, there have been some valuable cybersecurity lessons for businesses. These involve vendor oversight, internal coordination, and incident response plans. Businesses should vow to address them in 2026 if they have not done so already.

Cybersecurity vendor gets hacked

One of the more alarming recent developments was the announcement in October of a breach at F5, Inc. – a cybersecurity company. Because of the nature of F5’s business, the breach could affect not only F5 but also its client companies, which, according to F5’s website, reportedly include four out of five Fortune 500 companies. Some federal networks are also potentially affected, according to the news report linked above.

The lesson for businesses is clear: even when you believe you have strong internal controls, you still risk exposure through trusted vendors or software suppliers. Attackers are becoming increasingly sophisticated, using existing tools and credentials to gain access and carry out malicious activities.

To minimize your risk, be sure to consider security, and risk to your supply chain, before you enter into a contract with a vendor. This should be reviewed with IT, procurement, legal, and the executive team. Ensure that your vendor contracts require the vendors to provide incident notification, verification of patching practices, and access monitoring. Ask these questions, among others: How quickly does the vendor notify you of a vulnerability or breach? When did the vendor last conduct a formal penetration test or external audit? Is the vendor’s software build process segregated and monitored?

You may think you’re secure, but does your security team agree?

Many executives believe that their companies are well prepared for a cyber breach, but their security teams may disagree. According to one report, 45 percent of C-level executives reported being “very confident” in managing cyber risk. Yet only 19 percent of their mid-level managers agreed.

If cyber risk is viewed solely as an IT issue, organizations risk missing the broader picture. Corporate boards today are not just asking, “Did we patch recent vulnerabilities?” Their questions increasingly extend to workforce training, Human Resources policies relating to remote access and multifactor authentication, vendor contracts, and how reputation will be managed in the wake of an incident.

Organizations should prepare executive-friendly summaries that highlight vendor risks, incident-response readiness, workforce training gaps, and tabletop exercise outcomes. Staff should be trained not only to follow policies but also to recognize when they are the company’s first line of defense. Security awareness training for employees should include recognizing fraudulent emails and not clicking on links in them. Before you have an incident, ensure that your company’s IT, HR, legal, and executive-administrative teams are working together, and that you know how information will flow between these groups when an incident occurs.

A prompt response is essential

If your organization is to avoid becoming the next victim, quick identification and patching of vulnerabilities is essential.

A prominent example is the Security Alert that Oracle issued this month with an emergency patch for CVE-2025-61882 in Oracle E-Business Suite. The Oracle E-Business Suite zero-day vulnerability had been actively exploited by ransomware actors. After Oracle’s investigation into the exploits, it announced that this was a top-priority fix that needed to be implemented immediately to prevent compromise.

The Oracle example demonstrates the importance of ensuring that your organization is identifying the patches needed to keep your network secure. If your organization uses a managed service provider, make sure the provider follows both patch-management and vulnerability-management policies. Ask the provider how it implements best practices and what policies it has in place.

Looking forward to 2026

When an incident does occur, the ability to respond promptly is critical. Key questions should include the following: Do we have a tested incident response plan? Do we know who will act, who will communicate, and how we will engage legal, public relations, and forensic support? Is our cybersecurity insurance carrier notified and ready to assist?

Companies should ensure that their incident-response plans are current, accessible, and tested regularly. Plans should identify key contacts, roles, and escalation steps. The plans should also include templates for communication about the incident to employees, clients, and regulators. In addition, companies should conduct periodic training to identify gaps, strengthen coordination, meet with their managed service providers, and ensure that leaders understand their responsibilities in the event of a breach.

It is also recommended that companies confer in advance with external partners, including forensic investigators, public relations specialists, and breach-response counsel.

Finally, accurate records are essential for legal, regulatory, and insurance review, so be sure to document each step along the way.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Constangy, Brooks, Smith & Prophete, LLP
