The implications for boards are immediate. Firms need to rethink how they assess cyber risk. Getty Images

Iran war fallout is no longer confined to states - it now runs through companies



The Iran war is already spilling into corporate systems. Hackers are targeting infrastructure, banks, logistics and energy systems – sectors that underpin day-to-day business operations. For many companies, this is no longer just a technical risk. It affects their ability to keep operating.

Recently, an Iran-linked cyber attack on US-listed medical group Stryker, carried out in retaliation for a school bombing, disrupted internal systems for thousands of employees and knocked its share price.

It is a reminder that companies – even those thousands of miles away – are being pulled directly into the conflict. Geography offers little protection when systems are interconnected.

Much of this activity is only visible with hindsight: cyber conflict is difficult to track in real time. Lots of state-linked attacks only become apparent after the fact, meaning incidents like Stryker’s that make headlines are just a fraction of what is actually happening.

Others go undetected or are never publicly disclosed, meaning companies are underestimating the scale of the risk because they can’t see it. The risk is not just what is known, but what is not.

That risk is pushing companies round the world to ready themselves for cyber attacks that come from state actors rather than criminal groups, where economic disruption – not financial gain – is often a primary objective.

The implications for boards are immediate. Firms need to rethink how they assess cyber risk. The traditional focus – what assets or data do we have, and who might want to steal them – is no longer sufficient. They need to ask how their operations could fail under attack, and how their systems could be used to cause wider disruption.

In modern conflict, companies can be targeted directly – or caught in the spillover. Some sectors are more likely to be hit, including energy, financial services and other systems underpinning daily life. If a state actor wants to create disruption or send a signal, these are the sectors they will target first.

But the effects do not stay contained there. Disruption in these sectors cascades across the wider economy. And many companies are overestimating how protected they are.

One major blind spot is insurance. Many policies exclude acts of war, but cyber attacks are creating a grey area for coverage. After the 2017 NotPetya malware attack, widely attributed to Russia and causing more than $10 billion in damage, insurers sought to classify it as an act of war, placing it outside standard coverage and leaving firms on the hook for losses.

In practice, coverage can disappear precisely when it is most needed.

Visibility is often delayed, too. Companies should not rely solely on government threat reports – alerts from national cyber agencies about known threats and vulnerabilities – because they are often too slow to support real-time decisions.

Instead, they should use more timely information and share what they are seeing, even where it may feel commercially sensitive, including through groups such as the Cyber Threat Alliance.

Another issue is governance. In many companies, the chief information security officer still reports through IT rather than directly to the board, which limits their influence. This reflects an outdated view of security as a technical problem, instead of a business risk.

One example of that risk: companies have spent years cutting buffers such as inventory and spare capacity, and running systems in real time to boost efficiency. That leaves little room to absorb disruption when something goes wrong. Some redundancy is necessary in this environment.

Resilience now requires accepting some inefficiency. Many boards have not caught up yet, often misunderstanding cyber resilience. It should not just be about preventing attacks or restoring systems quickly, but about keeping core operations running while systems are down. When disruption hits, can you degrade gracefully?

That requires prioritising what must continue and accepting that some systems will fail.

For now, the immediate priority is action. CEOs should be stress testing their systems today. That means running scenarios based on current geopolitical risks and assuming the company is not the target, but collateral damage. The focus should not be on data theft alone, but on whether core services can continue.

Too often, testing is treated as a cost or a compliance exercise rather than a priority. It should be treated as core to business continuity.

That said, the direction of travel is clear. This is not just a cyber issue. It is about whether the business can keep operating. And the key question is no longer whether companies will be attacked, but whether they can keep running when they are.

Öykü Işık is professor of Digital Strategy and Cyber security at IMD

Updated: March 26, 2026, 3:04 AM