Resilience over retaliation: How to respond to state-backed cyber attacks
Global volatility is rising, and companies everywhere are paying close attention. “State-based armed conflict” was considered by business leaders to be the risk most likely to present a “material” crisis in 2025, according to the World Economic Forum (WEF). But conflicts have changed and are as likely today to be fought online as on the battlefield. This increases the risk of ordinary businesses being singled out as targets, or else ending up as collateral damage.
An overwhelming 88% of British and American cybersecurity professionals told us that they’re now concerned about state-sponsored attacks. The most effective response may not lie with head-turning investments in flashy cyber tools - but in the nitty-gritty of compliance programmes and organisational risk management.
CRINK attacks are cranking up
A digital period of heightened geopolitical friction is in many ways already here. Emboldened threat actors from China, Russia, Iran and North Korea each pose a different threat, according to the National Cyber Security Centre (NCSC). According to the NCSC’s recent annual report, China is the most sophisticated and well resourced. It boasts a large number of government-employed hackers and taps private “contractors” for plausible deniability when necessary - combining large-scale cyber-espionage operations with “pre-positioning” in critical infrastructure (CNI) networks.
The NCSC’s report also says that Russia is prolific - having launched espionage as well as destructive campaigns designed to weaken its perceived enemies. It also has an ace up its sleeve - a huge cybercrime underground of professional hackers who are allowed to go about their business as long as their financially motivated attacks are turned against Ukraine and NATO countries.
Iran and North Korea round out this “CRINK” quartet. Although less skilled, they’re still able to inflict damage in more targeted attacks. Geopolitically motivated data theft, sabotage and hacktivism are the most likely end goals for Tehran-based hackers. Their counterparts in East Asia are more often financially motivated - striking crypto organisations repeatedly in search of money to “improve their internal security and military capabilities”, according to the NCSC.
Defence and government organisations have long (correctly) assumed they are a target for CRINK actors. But increasingly, CNI is becoming a popular target for state-backed hackers and associated groups - and for obvious reasons. These organisations often hold geopolitically sensitive information, they have a low tolerance for outages (exposing them to extortion), and are prime candidates for sabotage or pre-positioning in the event of a kinetic conflict.
However, the threat continues to evolve. Business leaders are right to fret about the implications for their organisation. They may be singled out as a high-value target in their own right - for their IP or crypto. They might be targeted in a “stepping stone” attack because they have access to or store data on a more significant partner or customer. Or they may be taken out in order to cause a cascading domino effect in a particular sector. Nobody had heard of pathology service provider Synnovis until a June 2024 ransomware incident led to blood shortages and the cancellation of thousands of NHS appointments and operations.
Concerns on all fronts
Against this backdrop, it’s perhaps not a surprise that so many businesses are concerned about the threat from hostile countries. Nearly a quarter (23%) of respondents to our survey claimed their biggest concern for the year ahead is a lack of preparedness for “geopolitical escalation or wartime cyber operations”. Over a third (36%) said they’re concerned about the impact of these threats on CNI, and 33% argued that their government isn’t doing enough to support them.
They’re right to be concerned. MI5 recently revealed a 35% increase in the number of individuals it is investigating for involvement in China-linked “state threat activity”. The NCSC claims it dealt with 204 “nationally significant” cyber attacks against the UK in the 12 months to August 2025 – amounting to four per week, and a sharp rise from 89 in the previous year.
On the road to resilience
Many business leaders may prefer to tackle these challenges by investing in high-profile technology solutions. There’s certainly no shortage of flashy products on the market today. But while tech has its place, it’s the less sexy business of risk management where the hard work needs to focus.
What businesses should be aiming for is resilience - the ability to anticipate, withstand, respond to, and recover from attacks and breaches, while maintaining business as usual. The sheer size of the typical cyber-attack surface makes intrusions almost inevitable. It might stretch from office-based workstations to cloud apps and infrastructure, home working laptops and APIs. The focus must therefore be on minimising the number of security breaches in the first instance, and then having the people, process and technology in place to rapidly detect and contain the threat if it escalates.
It’s not easy to achieve this kind of security-first culture, which also demands continuous training and awareness for all employees. But a good place to start is ISO 27001, an internationally recognised standard for information security. It provides a blueprint for identifying risks, protecting critical assets and ensuring security evolves alongside the threat landscape.
ISO 27001 forces organisations to methodically assess and document where their most sensitive data is, and identify critical threats, vulnerabilities and business impact. Then they must select and implement the relevant controls to mitigate these risks. A “Plan-Do-Check-Act” (PDCA) approach ensures they don’t treat compliance as a “one-and-done” exercise each year, but instead are focused on continuous improvement and adaptation, to keep pace with threat levels.
Even better, compliance with standards like ISO 27001 will make it much easier to align with mandated regulations like GDPR and the forthcoming Cyber Security and Resilience Bill. Conflict is bad for business, and in the current era of continuous digital instability, every organisation is in the crosshairs. But cyber resilience is not just important for your business. It’s a matter of national security.