The article at a glance
Cyber risk and resilience have moved from a technology problem to a board‑level issue – now intensified by AI, geopolitical uncertainty, and constant regulatory pressure.
Incident response is a key component of strong resilience, and in this article, one of Bell's subject matter experts, Arsalan Khan, explores how organisations can improve incident response.
Cyber security leaders are facing a paradox: threats are evolving fast, yet many of the most damaging incidents still succeed through familiar gaps. In its annual Cyber Incident Insights Report 2026, S‑RM draws on data from 800+ incidents in 2025 to show why resilience is no longer an outcome of security programs, which are often focused on risk assessment. Resilience is a business capability that must be engineered, tested, and rehearsed.
Eye-opening takeaways from the report
Ransomware still dominates as the number 1 attack type, and it’s getting less predictable.
Ransomware accounted for 45% of incidents S‑RM responded to, but the bigger story is fragmentation: 67 distinct ransomware groups were involved across cases, up from 58 the year before. That splintering matters because it erodes predictability. Established RaaS operations still drive volume, but newer and less mature actors can cause disproportionate disruption — sometimes even damaging systems accidentally during exfiltration.
The uncomfortable truth: many resilience failures are basic.
Despite years of awareness campaigns, common entry vectors remain stubbornly consistent: exposed or poorly managed VPN infrastructure, misconfigured or unenforced MFA, and inconsistent endpoint protection. One of the most striking data points: only 22% of ransomware victims had fully deployed and actively monitored EDR across their estate. In other words, it’s not just about buying tools — it’s about operationalising them.
Extortion has intensified, shifting the focus from decryption to managing fallout.
Backups are improving (69% of victims had “mostly viable” backups), but attackers have adapted: data exfiltration featured in 80% of ransomware incidents, enabling double and even triple extortion (decryption, data suppression, plus additional pressure tactics). Payment rates rose to 24%, yet many organisations engage not to pay, but to understand what was taken and buy time to recover.
Communications is now more integrated in IR coordination.
This is where resilience becomes broader than technology. Boards need a pre-agreed decision-making framework on paying ransoms, including named decision owners and rehearsals, because plans for the pay/don’t pay question can collapse under real-world pressure. Similarly, communications is now part of incident response. Threat actors increasingly brief journalists, comment on updates, and directly contact customers/employees for added disruption. Good comms discipline is becoming a resilience control.
AI raises the stakes – mostly because of what organisations are deploying themselves.
While fully autonomous ransomware isn’t yet the norm, AI is accelerating the attack lifecycle and lowering the barrier to entry. The more immediate risk is internal and comes from insecure enterprise adoption. AI agents and automated workflows introduce new non-human identities with broad privileges, expanding the attack surface and complicating forensics when something goes wrong.
For more information on From Risk to Resilience: Why Incident Response Now Starts Before the Incident talk to Bell Integration