Security News

Cybersecurity news aggregator

INFO News Dark Reading

2025 Was a Wake-up Call to Protect Human Decisions, Not Just Systems

The article highlights the need for cybersecurity to evolve beyond solely protecting systems and to focus on safeguarding human decision-making, especially in situations involving uncertainty and system failures. This shift emphasizes the importance of understanding and mitigating risks associated with human factors in cybersecurity.

Rashmi Tallapragada, OT Risk Analyst, Chevron
January 24, 2026
4 Min Read
Source: Gabe Palmer via Alamy Stock Photo

COMMENTARY

As 2026 begins, I keep coming back to one uncomfortable realization about 2025: We did not misunderstand attackers. We misunderstood failure.

Most of last year's damage did not come from sophisticated techniques or unexpected adversaries. It came from ordinary systems breaking in ways that quietly altered how people made decisions. Systems stayed online. Dashboards stayed green. But confidence eroded, judgment shifted, and humans were forced to act without reliable truth. That is where the real harm happened.

Looking back, 2025 was the year cyber-risk stopped looking like a technical problem and revealed itself as a decision problem.

Healthcare: Change Healthcare, Ascension

The ransomware attack on Change Healthcare disrupted claims processing across the US healthcare system. While systems were eventually restored, hospitals and providers spent weeks operating with incomplete data, delayed reimbursements, and manual workarounds. Similarly, the incident at Ascension did not simply take systems offline. It forced hospitals back to paper workflows, limited access to clinical data, and introduced uncertainty into everyday care decisions.

The organizations experienced several failures during these attacks. Identity systems were not resilient under emergency access conditions. Audit trails were weakened by the shift to manual processes and overrides. Organizations also focused their recovery efforts on restoring services rather than restoring trust in data accuracy. Clinicians could not clearly distinguish between unavailable systems and unreliable ones.

While the organizations were able to provide care during the attacks, the quality of decisions being made was impacted. There were delays in treatment, and clinicians were hesitant to act under pressure. The probability of making an error also was higher in time-sensitive scenarios.

In light of these failures, organizations need to put in place:

Emergency identity controls: Time-bound privileged access with automatic expiration. Mandatory post-incident reconciliation of all emergency access.
Data confidence indicators: Systems must visibly flag degraded integrity states. Partial or stale data must never appear normal.
Recovery sequencing changes: Restore traceability and provenance before restoring speed. If data trust is unclear, slow operations intentionally.

Global Outage: CrowdStrike

The global outage that affected airlines, hospitals, banks, and enterprises was not the result of an attack but of an erroneous update to CrowdStrike's platform. What stood out with this outage was how quickly operational confidence collapsed. Organizations struggled to verify system state, recovery guidance varied by environment, and leaders were forced to make high-impact decisions without reliable confirmation.

Several processes failed during this outage. Recovery instructions were inconsistent, and decision-makers did not have real-time confidence in the remediation steps provided. The update pipelines lacked effective blast radius containment, which made the problem worse, and defenders' ability to independently verify system state was limited.

In terms of impact, flights were grounded, medical services were delayed, and business operations around the world ground to a stop. Defenders executed emergency changes to their environments without adequate validation to get back up and running.

In light of these failures, organizations need to do the following:

Update isolation by design: Mandatory staged deployment across trust tiers. Automated kill switches for faulty updates.
Designate independent system truth sources: Out-of-band verification mechanisms. Read-only recovery consoles not dependent on the failed agent.
Create human-centered recovery playbooks: Clear "safe to act" versus "do not act" indicators. Explicit guidance for nontechnical leaders.

Identity and Access Failures Across Multiple Enterprises

There were multiple incidents where identity and access management failed in 2026, with a consistent pattern across them, such as shared administrator credentials, emergency access credentials that didn't expire, and service accounts that bypassed controls. In several cases, access reviews were deferred indefinitely.

The process failures were the result of treating identity governance as secondary to availability. Recovery actions were not auditable end-to-end, and there was no structured cleanup effort after a crisis.

In terms of impact, the risks of insider threat and attackers moving laterally through the network increased. The organization's attribution capabilities weakened, and confidence in the organization's incident response capabilities also declined.

In light of these failures, organizations need to put in place:

Crisis-mode identity policies: Predefined emergency roles with enforced logging. Automatic rollback checkpoints.
Post-incident access revalidation: Mandatory recertification after any major incident. Incident closure blocked until identity cleanup is complete.
Identity as a safety control: Treat access boundaries as operational risk barriers, not compliance tasks.

What We Learned, What Must Change

The defining cyber failures of 2025 were not about sophistication. They were about scale, dependence, and uncertainty. Across healthcare breaches, global outages, and enterprise incidents, we kept seeing the same problem: Systems remained operational, but humans lost confidence in them.

Cybersecurity programs were built to stop attackers, restore uptime, and close vulnerabilities. They were not built to preserve decision quality under uncertainty, signal when information should not be trusted, or protect accountability during crisis response. Cybersecurity must evolve from protecting systems to protecting human decisions made through systems.

Organizations need to shift to a mindset that focuses on identity-first resilience and recovery with accountability. Decision integrity needs to become part of the organization's security objectives, and they need to explicitly design for degraded system states. Metrics need to reflect human impact, as well.

If we design for that reality, many of last year's harms become preventable — not by stopping every incident, but by ensuring systems fail in ways people can safely understand.

About the Author

Rashmi Tallapragada is an OT Risk Analyst at Chevron, where she focuses on aligning cybersecurity controls with the realities of industrial environments. Her work spans compliance strategy, risk ratings, and audit remediation, often translating framework expectations into guidance that actually works for engineers on the ground. She writes to surface the gaps between policy and practice, and to challenge how we think about risk in operational technology. She was named 2025 Cybersecurity Woman of the Year for her contributions to risk transparency and mentorship.
