The Post-War Security Order Is Gone — and Cyber Filled the Void
The international stability that shaped Western economies after 1945 rested on a set of shared assumptions: that great powers would not directly attack each other, that technology would flow across borders, and that trade made conflict too costly to pursue. Those assumptions are now under sustained pressure. What has filled the gap is not conventional military escalation — it is cyber operations.

State actors discovered something important: you can strike an adversary's financial system, energy grid, supply chain, or electoral process without a single soldier crossing a border. The cost of attribution is high. The cost of retaliation is uncertain. And the private sector — with its networked infrastructure, intellectual property, and customer data — sits squarely in the firing line.

This is not a future threat. According to Microsoft's Digital Defense Report 2024, 40% of state-sponsored cyber attacks targeted critical infrastructure, up from 20% just two years prior. Nation-state actors are not waiting for war to start. They are already operating inside networks, positioning for disruption on demand.
Why Geopolitical Cyber Attacks Hit Businesses, Not Just Governments
A common misconception is that state-sponsored cyber activity targets governments and defence contractors, leaving commercial organisations largely untouched. The evidence does not support that view.

Private sector organisations are targeted for three reasons. First, they hold intellectual property that states want to steal — pharmaceutical research, semiconductor design, defence supply chain data, and financial intelligence all have strategic value. Second, they operate infrastructure that governments depend on: power distribution, logistics networks, cloud platforms, and telecommunications. Third, they are softer targets. A mid-sized manufacturer or financial services firm cannot match the defensive capabilities of a national intelligence agency, but it connects to networks that do.

The 2024 Volt Typhoon campaign, attributed to Chinese state actors by the FBI and CISA, demonstrated this precisely. The operation pre-positioned access inside US critical infrastructure — water, energy, communications — by moving through smaller commercial contractors first. The suppliers were the entry point. That pattern is well established, and it is accelerating.

For UK businesses, NCSC guidance issued in 2024 identified Russian, Chinese, Iranian, and North Korean actors as the primary state threats. For organisations operating in New Zealand and across the Australasia region, the Five Eyes intelligence community has issued parallel warnings about the same threat groups targeting regional infrastructure and technology companies.
Technology Itself Has Become a Weapon of Statecraft
Beyond direct cyber attacks, technology has become a geopolitical instrument in a broader sense. Export controls, chip restrictions, software bans, and forced platform divestments are no longer exceptional measures — they are standard tools of foreign policy. For businesses, this creates a new category of risk that sits between cybersecurity and regulatory compliance. The tools your organisation uses, the vendors in your supply chain, and the cloud infrastructure your data passes through all carry geopolitical exposure. A platform banned in one jurisdiction, or a hardware component sourced from a sanctioned supplier, creates legal and operational risk that security teams were not previously asked to manage.

This is why the concept of supply chain risk has expanded far beyond patch management. Panorays, which we offer as part of our third-party risk practice, approaches this as a continuous monitoring challenge rather than an annual audit exercise. The threat surface changes as geopolitical conditions change, and static assessments leave organisations exposed between review cycles. The technology stack your organisation runs is now a strategic decision, not just a procurement one.
What Does a State-Grade Cyber Attack Actually Look Like?
State-sponsored attacks differ from opportunistic cybercrime in several ways that matter to defenders. Understanding those differences changes how you prioritise your defences.

Criminal ransomware groups move fast and noisily — they want payment within days. State actors are patient. The average dwell time for state-sponsored intrusions in 2023 was 16 days according to Mandiant's M-Trends 2024 report, but some campaigns maintained persistent access for months before triggering any visible activity. The goal is often not immediate disruption but persistent access: intelligence collection, data theft, or pre-positioned capability for future use.

State actors also invest in initial access methods that evade standard detection. Spear phishing remains a primary vector, but living-off-the-land techniques — using legitimate system tools to move laterally so that activity blends with normal network traffic — are now a signature of advanced campaigns. These techniques specifically defeat endpoint detection tools that rely on known malware signatures.

What this means in practice: conventional perimeter security is insufficient. Organisations need continuous visibility across their attack surface, not periodic scanning. Hadrian's continuous attack surface management approach addresses this directly — mapping your exposed assets as an attacker would see them, in real time, rather than providing a point-in-time snapshot that ages the moment it is produced.
- State actors maintain average dwell times measured in weeks, not hours — standard alerting often misses them entirely
- Living-off-the-land techniques use legitimate Windows and Linux tools, bypassing signature-based detection
- Supply chain compromise allows attackers to reach targets through trusted software update mechanisms
- Data exfiltration often precedes any ransomware deployment — by the time encryption triggers, the breach is already complete
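Signature-based tooling has nothing to match when the "malware" is powershell.exe or bash, so detection has to come from context: which tool, launched by what, with which arguments. The following Python is an added illustration of that behavioural approach; it is not code from the page or from any vendor the page mentions. The event fields, the tool and parent lists, the weights and the four sample events are all constructed for the example.

```python
"""Behavioural triage of process-creation events for living-off-the-land activity.

Added example; not code from the page or from any vendor it mentions. The event
fields, tool lists, weights and sample events below are all constructed.
"""
import re
from dataclasses import dataclass

# Built-in tools attackers reuse so that no malware binary ever touches disk
# (constructed subset; the public LOLBAS and GTFOBins projects list far more).
LOLBINS = {
    "windows": {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe",
                "rundll32.exe", "mshta.exe", "regsvr32.exe", "bitsadmin.exe"},
    "linux": {"bash", "sh", "curl", "wget", "python3", "nc", "base64"},
}

# Parents that have no legitimate reason to spawn a shell or interpreter.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe",
                   "w3wp.exe", "apache2", "nginx", "httpd"}

# Command-line traits typical of hands-on-keyboard use of built-in tools.
ARG_PATTERNS = [
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
     "encoded PowerShell command"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b|-nop\b", re.I),
     "hidden or no-profile PowerShell"),
    (re.compile(r"\b(urlcache|downloadstring|invoke-webrequest)\b", re.I),
     "download via built-in tool"),
]


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    os: str        # "windows" or "linux"
    user: str
    parent: str    # image name of the parent process
    image: str     # image name of the created process
    cmdline: str


def score_event(ev):
    """Return (score, reasons). A built-in tool on its own is worth little,
    because administrators use them all day; the score comes from combining
    the tool with an unusual parent and suspicious command-line traits."""
    score, reasons = 0, []
    if ev.image.lower() in LOLBINS.get(ev.os, set()):
        score += 1
        reasons.append(f"built-in tool {ev.image}")
    if ev.parent.lower() in UNUSUAL_PARENTS:
        score += 2
        reasons.append(f"launched by {ev.parent}")
    for pattern, label in ARG_PATTERNS:
        if pattern.search(ev.cmdline):
            score += 2
            reasons.append(label)
    return score, reasons


def triage(events, threshold=3):
    """Return (event, score, reasons) for every event scoring at or above threshold."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev, score, reasons))
    return flagged


# Constructed events: one routine admin command, one Office-spawned encoded
# PowerShell launch, one shell spawned by a web server, one cron job.
SAMPLE_EVENTS = [
    ProcessEvent("ws-101", "windows", "j.smith", "explorer.exe", "powershell.exe",
                 "powershell.exe Get-ChildItem C:\\Users\\j.smith\\Documents"),
    ProcessEvent("ws-102", "windows", "a.jones", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + "A" * 40),
    ProcessEvent("web-01", "linux", "www-data", "apache2", "bash",
                 "bash -c 'id; uname -a'"),
    ProcessEvent("build-02", "linux", "ci", "cron", "bash", "bash /opt/ci/nightly.sh"),
]

if __name__ == "__main__":
    for ev, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{ev.host}: score {score}, {ev.parent} -> {ev.image}: {', '.join(reasons)}")
```

The routine admin command and the cron job each score 1 and stay below the threshold; the Word-spawned encoded PowerShell launch and the shell spawned under apache2 are flagged. The point is the scoring shape rather than the specific lists: every weight here is a placeholder to tune against your own telemetry, and the parent-process and command-line signals are what remain when the binary itself is legitimate.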
Why Data Exfiltration Is the Threat Ransomware Headlines Miss
When ransomware makes the news, the coverage focuses on encryption and recovery time. That framing misses the more serious harm: in the majority of modern ransomware incidents, data is exfiltrated before encryption begins. According to Palo Alto Networks' Unit 42 Ransomware and Extortion Report 2024, data theft was involved in over 70% of ransomware cases they investigated. Attackers steal the data first, encrypt second, and threaten publication as leverage. For state-sponsored actors, the encryption may not even happen — the objective is the data itself.

This changes the defence calculus. Blocking the encryption event — which traditional endpoint protection focuses on — does not prevent the breach. You need to stop the data leaving the network in the first place. BlackFog's anti data exfiltration technology works at the point of egress, blocking unauthorised data transfers before they complete, regardless of whether malware is involved. In a state-sponsored intrusion scenario where the attacker is using legitimate tools and has valid credentials, that egress-layer control is often the last line of meaningful defence.

For organisations in regulated sectors — financial services, healthcare, legal, defence supply chain — the regulatory consequences of exfiltration are severe whether or not encryption occurs. The ICO does not distinguish between a breach caused by ransomware and one caused by a state actor. The data was lost. The notification obligation and potential fine apply either way.
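What an egress-layer control can see that endpoint protection cannot is the data movement itself, which is visible in flow records whether or not any malware is present. The Python below is an added example of that idea (not the page's code and not the logic of BlackFog or any other product named here): it baselines each host's outbound volume to external destinations from a week of flow records, then flags a host whose egress on the day under review departs from its own history. The flow format, internal-range list, thresholds and sample flows are constructed; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for public IPs.

```python
"""Egress baselining over flow records, independent of any malware signature.

Added example; not the page's code and not any vendor's product logic. The
flow format, internal ranges, thresholds and sample flows are all constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

MB = 1024 * 1024

# Ranges that count as "inside" for this example; a real deployment would use
# the organisation's own address plan. Documentation ranges (203.0.113.0/24,
# 198.51.100.0/24) stand in for public addresses in the sample data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Flow:
    day: int        # day index; real records would carry timestamps
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int  # bytes sent from src_host to the destination


def is_external(ip):
    """True when the destination lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_exfil(flows, eval_day, baseline_days, volume_factor=5.0,
                 volume_floor=100 * MB, new_dest_min=50 * MB):
    """Flag hosts whose external egress on eval_day departs from their own history.

    Two signals: total volume far above the host's median daily egress, and a
    large transfer to a destination the host never contacted during the baseline.
    """
    by_host = defaultdict(list)
    for f in flows:
        if is_external(f.dst_ip):
            by_host[f.src_host].append(f)

    alerts = []
    for host, host_flows in by_host.items():
        daily = defaultdict(int)
        known_dests = set()
        for f in host_flows:
            if f.day in baseline_days:
                daily[f.day] += f.bytes_out
                known_dests.add((f.dst_ip, f.dst_port))
        # Days with no external traffic count as zero so quiet hosts keep a low baseline.
        baseline = median(daily.get(d, 0) for d in baseline_days)

        today = [f for f in host_flows if f.day == eval_day]
        today_total = sum(f.bytes_out for f in today)
        reasons = []
        if today_total > max(volume_factor * baseline, volume_floor):
            reasons.append(f"{today_total // MB} MB egress vs median {int(baseline) // MB} MB/day")

        new_dest_bytes = defaultdict(int)
        for f in today:
            if (f.dst_ip, f.dst_port) not in known_dests:
                new_dest_bytes[(f.dst_ip, f.dst_port)] += f.bytes_out
        for (ip, port), sent in new_dest_bytes.items():
            if sent >= new_dest_min:
                reasons.append(f"{sent // MB} MB to previously unseen {ip}:{port}")

        if reasons:
            alerts.append((host, today_total, reasons))
    return alerts


BASELINE_DAYS = range(1, 8)
# Constructed flows: a week of normal traffic, then on day 8 a workstation
# pushes 900 MB to a host it has never spoken to.
SAMPLE_FLOWS = (
    [Flow(d, "ws-201", "203.0.113.10", 443, 5 * MB) for d in BASELINE_DAYS]
    + [Flow(d, "ws-201", "10.0.0.5", 445, 500 * MB) for d in BASELINE_DAYS]  # internal file server, ignored
    + [Flow(d, "srv-files", "203.0.113.20", 443, 30 * MB) for d in BASELINE_DAYS]
    + [
        Flow(8, "ws-201", "203.0.113.10", 443, 4 * MB),
        Flow(8, "ws-201", "198.51.100.25", 443, 900 * MB),
        Flow(8, "srv-files", "203.0.113.20", 443, 28 * MB),
        Flow(8, "srv-files", "10.0.0.5", 445, 2000 * MB),
    ]
)

if __name__ == "__main__":
    for host, total, reasons in detect_exfil(SAMPLE_FLOWS, 8, BASELINE_DAYS):
        print(f"{host}: {total // MB} MB external egress; " + "; ".join(reasons))
```

Only ws-201 is raised on day 8, for both reasons: its 904 MB of external egress is far above its 5 MB/day median, and 900 MB of it went to a destination never seen in the baseline week. The heavy internal transfers to the file server are ignored by design, and srv-files, which legitimately sends 30 MB a day, stays quiet. A per-host baseline is what makes this workable: a fixed organisation-wide threshold would either miss the workstation or page on every backup server.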
How UK and NZ Organisations Should Respond to Geopolitical Cyber Risk
Framing geopolitical cyber risk as someone else's problem is no longer defensible. The question for security and business leaders is not whether this threat class applies to them, but whether their current controls are calibrated for it. Several practical steps follow from the analysis above.

First, map your attack surface from the outside in. You cannot defend what you cannot see. Most organisations have a poor understanding of their internet-exposed assets, particularly legacy systems, unmanaged cloud deployments, and third-party integrations. Hadrian's continuous pen testing and attack surface management provides that external visibility on an ongoing basis — the kind of persistent monitoring that matches how state actors conduct reconnaissance.

Second, treat your supply chain as an extension of your own network. The Volt Typhoon campaign is instructive here: the target was not the contractor, it was whoever the contractor connected to. Panorays provides continuous third-party risk monitoring that flags changes in supplier security posture in real time, rather than relying on annual questionnaires that cannot keep pace with active threat campaigns.

Third, add egress controls. If an attacker is already inside your network with legitimate credentials, your endpoint protection alone will not stop data theft. BlackFog operates independently of whether malware is detected — it monitors and blocks the data movement itself.

Fourth, ensure your endpoint and email security is tuned for advanced threats, not just commodity malware. For UK organisations, Coro provides unified endpoint, email, and cloud security in a single platform designed to reduce the gaps that state actors exploit. For organisations operating across New Zealand and Australasia, ESET's enterprise endpoint protection offers the detection depth needed for advanced persistent threat scenarios.

Finally, treat this as a board-level conversation, not an IT one. Geopolitical cyber risk affects business continuity, regulatory standing, and shareholder value. The organisations that will manage it well are those where the board asks the same questions about cyber resilience that they ask about financial or operational risk.
The Honest Assessment: Most Organisations Are Not Ready
The NCSC's Cyber Security Breaches Survey 2024 found that only 31% of UK businesses had a formal incident response plan in place. Fewer than 20% had conducted a cyber security risk assessment in the previous 12 months. These are the baseline capabilities — the minimum threshold before any conversation about defending against state-grade threats becomes meaningful.

Geopolitical cyber operations do not require organisations to be specifically targeted. Opportunistic campaigns sweep for known vulnerabilities at scale. Collateral damage from state-on-state conflict hits whatever sits in the network path. The NotPetya attack of 2017, attributed to Russian military intelligence by the UK government, caused an estimated $10 billion in global damages — the majority of which hit commercial organisations that were not the intended targets. Shipping giant Maersk lost an estimated $300 million in that single incident.

The threat is not theoretical. The exposure for unprepared organisations is quantifiable. And the controls that close the most significant gaps are available and deployable now. Kyanite Blue Labs publishes ongoing threat intelligence analysis to help organisations understand the threat landscape they are actually operating in. If you want to understand your current exposure or discuss how to close specific gaps in your security programme, our team is ready to help.
Frequently Asked Questions
Are UK businesses at risk from state-sponsored cyber attacks?
Yes. The NCSC has identified Russian, Chinese, Iranian, and North Korean state actors as active threats to UK organisations. State-sponsored campaigns target businesses to steal intellectual property, access government-connected networks through supply chains, and pre-position for future disruption. Commercial organisations are targeted alongside government systems.
How do state-sponsored cyber attacks differ from ransomware?
State-sponsored attacks prioritise stealth and persistence over speed. Average dwell times run to weeks rather than hours. Attackers use legitimate system tools to avoid detection, steal data before triggering any visible payload, and often have no interest in financial extortion. The goal is intelligence collection, IP theft, or persistent network access for future use.
What security controls best defend against geopolitical cyber threats?
Effective defence requires continuous attack surface monitoring to identify exposed assets before attackers do, third-party supply chain risk management to prevent lateral entry through suppliers, anti data exfiltration controls to block unauthorised data transfers, and enterprise endpoint protection tuned for advanced persistent threats rather than commodity malware.