What are cybersecurity’s biggest blind spots? – Intelligent CISO
https://www.intelligentciso.com/2026/06/17/what-are-cybersecuritys-biggest-blind-spots/
Publish Date: 2026-06-17 05:26:00
Source Domain: www.intelligentciso.com
From compromised credentials and supply chain vulnerabilities to workforce fatigue, quantum threats and unsecured connected devices, organisations face an increasingly complex and unpredictable cybersecurity landscape. We asked five cybersecurity experts to share their views on the most overlooked cybersecurity risk facing organisations today. Their insights highlight a range of emerging and persistent threats that often receive less attention than they deserve, while underscoring why business leaders should be taking a closer look at these risks before they become major security incidents.
Quentyn Taylor, Senior Director of Information Security at Canon EMEA:
The answer to this question is simpler than most expect – it’s compromised credentials.
Whilst there is significant anxiety about AI being weaponised to generate new exploits, in reality, this is quite uncommon. Most of the time, hackers aren’t breaking down the door; they’re simply walking in with a set of keys in their hands. These keys are credentials gathered from previous breaches, tested across platforms to see where the same password has been reused.
A sophisticated software exploit might work 90% of the time, if it’s a good one. A password, on the other hand, works 100% of the time, especially if there is no multi-factor authentication (MFA) or anomalous login telemetry behind it. If you are using single-factor authentication and have reused that password on another website at any point in the past, you are running a significant risk.
Businesses should also know that not all MFA is equal. SMS-based codes can be intercepted through SIM-swapping, and users can be socially engineered into surrendering codes in real time. For anything of real value, hardware tokens and passkeys are still the most robust options.
This is a solvable problem.
Moving beyond outdated practices like forced password updates, which often result in weaker options, and implementing robust MFA, passkeys and hardware tokens instead give businesses of any size a clear and actionable path to reducing their exposure.
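As an added example (not code from the article or from any of its contributors), a small Python detector run over constructed login telemetry illustrating the two signals Quentyn Taylor names: breached credentials being tested across many accounts from one source, and a successful login from somewhere an account has never been seen; the log format, baseline and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): time user source_ip country result
SAMPLE_EVENTS = [
    "2026-06-17T08:00:01Z alice 203.0.113.9 NL fail",
    "2026-06-17T08:00:02Z bob 203.0.113.9 NL fail",
    "2026-06-17T08:00:03Z carol 203.0.113.9 NL fail",
    "2026-06-17T08:00:04Z dave 203.0.113.9 NL fail",
    "2026-06-17T08:00:05Z erin 203.0.113.9 NL success",
    "2026-06-17T08:05:00Z alice 198.51.100.4 GB success",
    "2026-06-17T09:00:00Z alice 198.51.100.4 GB success",
]

# Constructed baseline: countries each account has previously logged in from.
BASELINE = {u: {"GB"} for u in ("alice", "bob", "carol", "dave", "erin")}


def parse_event(line):
    ts, user, ip, country, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "ip": ip, "country": country, "ok": result == "success"}


def spraying_sources(lines, min_accounts=3, window=timedelta(minutes=10)):
    """Return {ip: sorted accounts} for sources that tried at least
    min_accounts distinct usernames inside `window`. A breached credential
    list being replayed looks like this whether or not any attempt succeeds."""
    by_ip = defaultdict(list)
    for e in map(parse_event, lines):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def new_country_logins(lines, baseline):
    """Successful logins from a country the account has never used before:
    the anomalous-login telemetry that catches a reused password being
    'walked in' with, even when no failures preceded it."""
    return [(e["user"], e["ip"], e["country"]) for e in map(parse_event, lines)
            if e["ok"] and e["country"] not in baseline.get(e["user"], set())]
```

Both checks are deliberately independent: erin's compromise would be missed by a failure-count rule alone, since her reused password worked on the first try.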
Daz Preuss, Chief Operating Officer (UK) at CybExer:
The most overlooked cybersecurity risk facing organisations today is human fatigue and psychological pressure within the workforce, particularly among security and IT teams.
While boardrooms fixate on threat intelligence, zero-days and compliance frameworks, they consistently underestimate the human layer. Security professionals operate under relentless pressure – alert overload, 24/7 incident response demands and fear of being the person who ‘missed something’. That cognitive and emotional burden doesn’t just affect wellbeing; it directly degrades security outcomes.
Fatigued analysts miss alerts. Pressured employees cut corners on access controls. Staff afraid of accountability delay reporting incidents – sometimes catastrophically so.
As technology advances, the attack surface widens, but the human nervous system doesn’t scale with it. Automation and AI tools help, but they also introduce new complexity that staff must interpret and manage – often with inadequate training or support.
Business leaders tend to treat cybersecurity as a technology investment problem. It isn’t. It’s equally a people resilience problem. Burnout, fear culture and lack of psychological safety in security teams are as dangerous as an unpatched vulnerability.
The fix isn’t just better tools – it’s better leadership, realistic workloads, blameless post-incident cultures and genuine investment in the humans defending the organisation.
Daryl Flack, Partner at Avella Security:
The most overlooked cybersecurity risk facing organisations today is the emerging Quantum Computing threat to cryptographic systems and long-term data security.
Across industries, awareness of quantum risk remains patchy. While some sectors, particularly critical national infrastructure, are beginning to engage, many organisations are still at a very early stage of understanding what quantum capability means for their environments.
For decades, cryptography has been the quiet constant of digital infrastructure. That stability has created a false sense of security, an assumption that encryption ‘just works’ or that it is a problem for the future.
The reality is more immediate. The greatest exposure lies in long-lived and confidential data: legal records, medical research, state secrets and sensitive corporate archives that must remain secure for decades. Adversaries are already pursuing ‘harvest now, decrypt later’ strategies, exfiltrating encrypted data today with the expectation it can be unlocked when quantum capabilities mature.
The transition to quantum-safe cryptography represents a once-in-a-generation shift, and one that is deeply complex. Cryptography is embedded across applications, networks, devices and operational systems, often with limited visibility.
The UK’s National Cyber Security Centre has set out a clear roadmap – discovery and planning by 2028, migration of priority systems by 2031 and full transition by 2035 – but waiting is not a viable strategy.
Cynthia Overby, Director of Strategic Security Solutions, zCOE at Rocket Software:
Supply chain cybersecurity is all too often being overlooked by organisations, as evidenced by a series of crippling cyberattacks in recent times. 2025 saw several high-profile retailers targeted by financially motivated ransomware groups, with a number of breaches happening in quick succession via the supply chain. This wave of attacks was able to hit so hard because it caught most businesses unprepared.
Indeed, a UK government survey on cybersecurity breaches from 2025 found that just over one in 10 businesses said they reviewed the risks posed by their immediate suppliers (14%) and fewer than one in 10 were looking at their wider supply chain (7%).
Assessing and protecting the supply chain is a new challenge for most organisations. IDC research revealed that only 61% of organisations classified as ‘IT modernisation experts’ are actively planning how to address any potential infrastructure supply chain disruptions.
In reality, protecting the supply chain should be a top priority for all enterprises, regardless of the maturity of their IT environment. Organisations need policies and procedures to identify, assess, onboard, monitor and offboard third-party suppliers in order to mitigate supply chain risk. Nothing should be allowed on the network, in an application or on a system, without it first being tested on a sandbox. Having these management processes in place enables CISOs to control their organisation’s environment and cover those vulnerabilities that otherwise creep in through the cracks.
Gianfranco Vinucci, COO at PCA Cyber Security:
One of the most overlooked cybersecurity risks organisations face is the growing reliance on embedded and connected technologies that fall outside the scope of traditional IT security programs. In the financial services sector, this includes payment terminals, ATMs, SoftPOS/MPoC solutions, authentication devices and the software supply chains that support them.
Many organisations assume these systems are secure because they have passed certification or compliance assessments. However, certification only represents a singular point in time, while cyberthreats evolve continuously. New vulnerabilities are discovered every day in operating systems, firmware, open-source components and third-party software. Without continuous visibility, organisations struggle to understand the potential impact of these vulnerabilities on their products and services.
What makes this risk particularly significant is that embedded devices are often customer-facing. When a vulnerability is exploited, trust, brand reputation and potentially customer security are all on the line. Without continuous monitoring, underpinned by vulnerability intelligence and security testing, organisations can be the last to uncover security issues – and at risk of doing so too late.
The timing is particularly relevant as organisations prepare for the EU Cyber Resilience Act (CRA) coming into force. The regulation reflects a broader shift in cybersecurity expectations – from demonstrating compliance at static points in time to maintaining security throughout a product’s lifecycle. Organisations that invest early in vulnerability intelligence, continuous monitoring, software transparency and product security validation will be far better positioned to reckon with the overlooked risk of embedded and connected dependencies and prosper.