Home » Managing » Cyber Security » State-backed cyberattacks are no longer a government problem – they’re now a boardroom priority

State-backed cyberattacks are no longer a government problem – they’re now a boardroom priority

Business leaders are worried about being targeted

Avatar photoby Sam Peters

Building resilience can help you maintain business operations in the face of state-backed cyberattacks, especially if you're a small supplier

  • State-backed cyberattacks are being geared at smaller suppliers and third-party vendors
  • The National Cyber Security Centre said that last year, it handled 204 ‘nationally significant’ cyber incidents in the 12 months to August 2025 – up from just 89 the year before – equating to around four serious attacks every week.
  • Smaller suppliers often lack the security level of the organisations they serve, making them ideal backdoors into more valuable targets for state-backed threat actors.
  • It can be tempting to focus on high-profile technology investments or offensive capabilities. While advanced tools have their place, they are not a silver bullet.
  • Aim for resilience instead – the ability to anticipate, withstand, respond to and recover from cyber incidents while maintaining business operations. This requires more than technology. It demands strong governance, clear processes, trained people and a culture that treats security as a shared responsibility.
  • One of the most practical starting points is ISO 27001, the internationally recognised standard for information security management.

Global instability is no longer confined to distant battlefields. Today’s conflicts are just as likely to be fought in cyberspace as on land or sea. The result is a new reality in which private organisations, often unknowingly, find themselves on the front line of geopolitical confrontation.

State-backed actors and organised cybercriminal groups no longer focus solely on governments and defence bodies. They exploit supply chains, compromise third-party vendors, and probe weaknesses in commercial systems that are often less protected but just as strategically valuable.

This shift has not gone unnoticed. Our research revealed an overwhelming 88 per cent of British and American cybersecurity professionals say they are concerned about state-sponsored cyberattacks. The UK National Cyber Security Centre (NCSC) has been explicit about the scale of the threat. Last year, it revealed it handled 204 ‘nationally significant’ cyber incidents in the 12 months to August 2025 – up from just 89 the year before – equating to around four serious attacks every week. Many were linked to nation-state actors or highly capable criminal groups.

The rise of CRINK and the expanding target list

The NCSC identifies China, Russia, Iran and North Korea – often referred to collectively as ‘CRINK’ – as the most persistent state-backed cyber threats. Each poses a distinct risk. China is widely viewed as the most sophisticated and well-resourced, targeting a wide range of sectors and institutions across the globe. According to the NCSC, “Russia’s invasion of Ukraine and the ongoing Israel-Gaza conflict have also inspired a growing number of Pro-Russia hacktivist groups seeking to target the UK, Europe, US, and other NATO countries in retaliation for what they perceive as the west’s support for Ukraine and Israel.” 

According to the NCSC, Iran and North Korea, while generally less technically advanced, are still capable of highly disruptive attacks. The NCSC states the ‘need for increased vigilance for potential cyber activity by Iranian state-sponsored or affiliated threat actors against US critical infrastructure and other US entities. The NCSC assesses this threat highly likely extends to UK entities.’ While North Korean actors, according to the NCSC, are often financially motivated, targeting cryptocurrency and financial services to fund state priorities.

Historically, defence and government bodies assumed they would be the primary targets of such activity. Increasingly, however, CNI operators and private businesses are in the crosshairs. These organisations hold sensitive data, have little tolerance for downtime, and can be exploited for extortion or sabotage.

Crucially, companies do not need to be geopolitically or strategically important in their own right to be targeted. They may be attacked because they hold valuable intellectual property or crypto assets, because they provide a stepping stone into a larger partner’s network, or because disrupting them could trigger cascading failures across an entire sector.

Supply chains: the weakest link

Supply chains have become one of the most attractive attack vectors. According to our State of Information Security report , 61 per cent of organisations were impacted by a cybersecurity or information security incident caused by a third-party vendor or supply chain partner in the past year. Smaller suppliers often lack the security maturity of the organisations they serve, making them ideal backdoors into more valuable targets for state-backed threat actors.

Business leaders are acutely aware of the danger. Nearly a quarter of security professionals say their biggest concern for the year ahead is a lack of preparedness for geopolitical escalation or wartime cyber operations. Over a third worry about the impact on CNI, while many believe governments are not doing enough to support them – even as national security agencies warn that hostile cyber activity is increasing in frequency, sophistication and intensity.

Why resilience matters

In response, it can be tempting to focus on high-profile technology investments or offensive capabilities. While advanced tools have their place, they are not a silver bullet. The reality is that modern attack surfaces are vast – spanning office workstations, cloud infrastructure, home-working devices, APIs and third-party integrations. Intrusions are increasingly inevitable.

What organisations should be aiming for instead is resilience – the ability to anticipate, withstand, respond to and recover from cyber incidents while maintaining business operations. This requires more than technology. It demands strong governance, clear processes, trained people and a culture that treats security as a shared responsibility.

Encouragingly, 74 per cent of cybersecurity and information security leaders say they are already building resilience against nation-state-linked threats, with a further 21 per cent planning to do so within the next year. The challenge now is ensuring that ambition is realised in a structured, effective way.

ISO 27001 as a foundation for cyber resilience

One of the most practical starting points is ISO 27001, the internationally recognised standard for information security management. Far from being a box-ticking exercise, ISO 27001 provides a disciplined framework for identifying critical data, assessing risks, understanding business impact and implementing proportionate controls.

Its “Plan-Do-Check-Act” approach encourages continuous improvement rather than annual compliance checks, ensuring that security practices evolve alongside the threat landscape. Importantly, the standard also addresses incident response planning and supply chain risk, requiring due diligence, clear contractual expectations and ongoing monitoring of third parties.

Aligning with ISO 27001 also makes it easier to meet regulatory obligations such as GDPR and forthcoming legislation like the UK’s Cyber Security and Resilience Bill.

We are already living through a period of silent cyber conflict. In this environment, resilience, not retaliation, will be the true measure of both corporate and national defence. Every organisation, whether part of critical infrastructure or not, is now part of the defence. With the right preparation, collaboration and commitment to robust risk management, businesses can avoid becoming collateral damage and instead play their part in strengthening the UK’s overall security posture.

Sam Peters is chief product officer at IO.

Read more

ISO 27001: the cyber security standard that organisations should strive for – The current cybersecurity landscape is one of confusion, but also one of recognition that things need to change

The Cyber Security and Resilience Bill – what’s next for SMEs? – The government’s Cyber Security and Resilience Bill was announced in April. Here’s what your business can do to prepare for what’s ahead

12 cybersecurity questions every VC should ask – VC portfolio companies can suffer a one-third drop in enterprise value if they’ve been crippled by a cyber attack. Ian Shelby says there are a dozen questions VC investors need to ask potential investments

Related Stories

Cyber Security

The Cyber Security and Resilience Bill – what’s next for SMEs?

The government's Cyber Security and Resilience Bill was announced in April. Here's what your business can do to prepare for what's ahead

Cyber Security

12 cybersecurity questions every VC should ask

VC portfolio companies can suffer a one-third drop in enterprise value if they’ve been crippled by a cyber attack. Ian Shelby says there are a dozen questions VC investors need to ask potential investments

Cyber Security

Five ways to boost SMB cyber defence so you can focus on growth

Want to boost your cybersecurity? Check out these five ways to strengthen your defences against attacks

Cyber Security

Cloud security posture management (CSPM): A must-have for modern businesses

Here, we talk about what cloud security posture management (CSPM) is and why you need it for your business

Related Topics

Cybersecurity