The first snow hit Sunshine and Lake Louise last week. Down in Calgary it is still fall - patios mostly closed, Thanksgiving leftovers in the freezer, the ski-rack guys at MEC looking optimistic. This is also the time of year when the cybersecurity-vendor marketing for next year's threat landscape lands in operator inboxes, and the pattern is reliable enough to set a calendar by.
What actually got more dangerous this year, what stayed the same, and what the vendor marketing got wrong.
(The cybersecurity vendor market expands every October by approximately 40 new categories of tool, none of which are strictly necessary; this is the central conceit of the cybersecurity vendor market, and the most reliable thing in Calgary other than a Chinook in late January.)
Here is what changed in 2026 that operators should actually care about, and what didn't change despite the marketing budget that says it did.
What actually got worse
Vendor-mediated attacks. The pattern where attackers compromise a small software vendor that has access to many client environments has gotten more common and more sophisticated. If you have managed service relationships - and most mid-market operators do, often more than they realize - your security posture is partly their security posture. Worth knowing which of your vendors have privileged access into your environment, what they monitor, and what their incident response would look like for you if they got compromised. Most contracts don't say.
Identity-layer attacks. Phishing has gotten significantly better as language models lowered the cost of writing convincing emails in any tone, from any presumed sender. The defensive posture that worked when phishing was sloppy - "if the email looks off, flag it" - doesn't work when the email reads like it came from the person it claims to be from. Multi-factor authentication is now a minimum, not a differentiator. The control that actually matters is conditional access: what the system does when an authenticated user starts behaving outside their pattern.
What didn't actually change despite the marketing
The fundamentals haven't moved. The companies that get breached in 2026 are largely the same companies that would have gotten breached in 2020: weak patch hygiene, over-permissive accounts, no usable backup, no rehearsed response plan, security tooling installed but not tuned. The threat actors got more efficient at exploiting these. The exploits themselves didn't get more exotic.
This is good news, in a way. If you have the fundamentals right, you are in the small minority. Most of your competitors aren't. The marketing tells you that you need new categories of tooling to keep up with new categories of threat. What you usually need is to use the tooling you already have, properly.
What to do in the next ninety days
Three things, in this order. First, map your privileged vendor relationships - who has admin access into your environment, what for, and under what contractual terms. Second, run a tabletop exercise against an identity-layer attack scenario; you'll find your conditional access policies need tuning. Third, validate that backups are restorable, not just that they ran - the difference is everything when you need them.
None of this is a vendor pitch. The companies that handled 2026 well were doing these three things in 2024 and 2025 too. The fundamentals compound.
This issue of the Operator's Brief is operator pattern recognition from Vencer Group's work with mid-market businesses across industries and geographies. Not industry-specific advice. Read accordingly.
Notes & Methodology
About these figures: This Operator's Brief is a monthly Calgary-rooted, internationally delivered mid-market business observation from Vencer Group. Patterns and trends described reflect Vencer Group's operating experience across mid-market Canadian energy clients - service operators, E&P companies, midstream, and energy services in the 25-300 person range. Industry references (regulatory changes, market events, threat landscape shifts) are drawn from publicly reported sources cited inline where applicable. Specific cost ranges, percentages, and timeframes are Vencer Group estimates based on observations across recent client engagements, framed as estimates where used.
Pattern recognition from 19 years of running operator IT - not prescription for your specific situation. Anyone offering prescription from a blog post is selling something. (Possibly to you.) The 30-min Strategy Review is where the pattern becomes specific to your operation. Free, no proposal, no slide deck.
→ Book the 30-min review