When the Iran conflict escalated the way it did, most businesses had no playbook for it. The disruption didn’t stay in the region. It showed up in energy supplies, financial systems, hospitals, and communication networks, touching organisations that had simply been going about their day. No warning, no preparation, just a sudden wave of uncertainty about what was happening and what it meant for them. That lack of readiness tends to get lost in conversations about cyber warfare, and it’s exactly what we wanted to address.
James Blake is VP of Global Cyber Resiliency Strategy at Cohesity. He has handled hundreds of ransomware and wiper incidents, advised boards on recovery priorities, and spent the better part of three decades thinking about what it takes for an organisation to survive a serious cyber attack. We spoke with him against the backdrop of the Iran conflict, and what it exposes about the state of business preparedness.
James, from where you sit, how are businesses actually handling this right now, and what are the real struggles you’re seeing?
I’m going to say something that probably sounds strange: ransomware was already a massive problem, already a board-level conversation, and businesses still haven’t managed to build resilience to it. The headlines confirm that every week. So when you add geopolitical threats on top of unresolved criminal threats, you’re asking companies to solve a harder problem when they haven’t solved the easier one.
What I see in practice is boards issuing edicts without understanding what they’re actually asking for. Real resilience requires a genuine business conversation: what do we recover first, what can wait, what can we accept losing temporarily? Those are hard conversations, and most companies are not having them. As I keep saying, “It’s not a technology problem. Technology helps. This is a business problem.” Until boards internalise that, the gap between perceived resilience and actual resilience stays wide.
Wiper attacks are less well understood than ransomware. What makes them different, and why are they the tool of choice in state-sponsored attacks?
They’re just another tool of statecraft, sitting alongside sanctions, diplomacy, and conventional military action. Regardless of where you stand politically on the countries using them, states use everything at their disposal for their own advantage. And as some become more isolated and contained internationally, they tend to reach for more destructive options. Wiper attacks fit that pattern.
What people often miss is that this isn’t new. I’ve dealt personally with the Shamoon attacks on Saudi Arabia. That methodology is over ten years old. After the invasion of Ukraine there was a massive jump in the number of distinct wiper strains being deployed. We’ve been talking about cyber warfare for forty years as though it were going to be some kind of nuclear-scale escalation moment. What actually happened is far more gradual: it became background noise. The problem is it’s not background noise to the organisations that get hit.
NotPetya is the clearest illustration of why that matters. That was a wiper attack dressed up as ransomware, a false flag that let someone say “not me, nothing to see here,” while the damage spread globally, hitting companies that had nothing to do with the underlying conflict. Unless you target a wiper attack very precisely, collateral damage is real and wide.
And that spread is often deliberate. States aren’t just trying to harm a government anymore. They want to damage a whole economy. If people stop trusting their bank, their hospital, their transport system, their utilities, panic sets in. That’s the same logic behind disinformation campaigns. Wiper attacks are the infrastructure version of the same strategy, and for a state trying to gain advantage, triggering that kind of civilian panic is frequently the whole point.
What does good security preparedness actually look like in practice, and what separates organisations that handle incidents well from ones that don’t?
The biggest gap is almost always human, and not in the way most people expect. When companies talk about the human element they usually mean phishing awareness training. That’s not what I mean.
What I mean is this: a major cyber incident is one of the most stressful situations a professional will ever face. No phones, no email, no playbooks accessible, regulators calling, executives calling, and usually years of deferred security recommendations suddenly mattering all at once. I’ve seen people quit in the middle of incidents. Not afterwards. During. And when that happens, you discover that your entire response capability was built on tacit knowledge sitting in one person’s head, and it just walked out the door.
The organisations that handle this well have codified their processes: the decision gates from investigation to remediation to recovery, the handoff points between teams, who has authority at each stage. They’ve also run real drills, not tabletop exercises. Tabletops are theoretical, involve mainly senior executives, and don’t build muscle memory. A real drill involves operational teams working through a simulated incident together, the messy handoffs and the communication failures included. That’s what creates actual resilience.
The psychological dimension runs deeper than most people account for, too. In some incidents I’ve dealt with, attackers who’ve stolen data threaten to expose personal information about executives or their families. I’ve seen cases where children were threatened with kidnapping. That pressure, on top of an already chaotic situation, can make an organisation completely dysfunctional. Preparing people emotionally for what a serious incident actually feels like is part of resilience, and almost nobody does it.
And then there’s the persistence problem, which catches almost everyone out. Ransomware-as-a-service actors typically dwell inside a network for one to five days. Targeted criminal groups: sixty to a hundred days. Nation state actors I’ve dealt with? Hundreds of days. Sometimes years. By the time they strike, their persistence mechanisms run all the way back through your backup history. “Persistence is a keyword in advanced persistent threat.” If you recover a vulnerable system, it gets attacked again. If you restore a malicious account or a compromised configuration, you’ve recovered the attack itself. Most organisations don’t have a structure for rebuilding trust from the ground up, across identities, network layers, configurations, and operating systems. They miss something, recover, and get hit again.
What practical guidance would you give organisations trying to build resilience right now?
Start with backups, because if they’re gone, all bets are off. Both criminal actors and nation state attackers target backup infrastructure specifically because they know it’s your last line of defence. Vault it, make it immutable once written, enforce separation of duties and strong authentication. If your backups are compromised, you have no resilience. That’s the fundamental.
The next thing people often collapse together is business continuity and cyber resilience, and they’re not the same thing. A lot of organisations have the same people leading cyber recovery as they do for flood, fire, or power loss scenarios. Disaster recovery is about restoring data. Cyber resilience is about restoring trust. Those require different approaches and different environments. You need an isolated clean room that lets you either rebuild systems to a trusted state, or recover from snapshots that don’t carry forward whatever persistence the attacker left behind. A third of the attacks we see come through vulnerabilities. Restore a malicious account, a Trojanised binary, a compromised GPO object in Active Directory, and you’ve just recovered the attack along with it.
Then there’s the question of who owns recovery decisions. Security teams often get stuck in what I’d call perfection paralysis, trying to eliminate every possible risk before declaring a system clean. That causes damage to the business because you can’t deliver your products, your services, your mission. The better model is a shared responsibility structure: security investigates and scopes the threat, IT remediates specific issues, and line-of-business owners make the call on when to bring systems back online, weighing security risk against operational impact. If those relationships and decision boundaries are set up in advance, recovery moves fast and without internal conflict.
And above all of that: muscle memory. Your staff need to know exactly what the handoff points are, who communicates what and to whom, without having to think about it under pressure. The organisations that handle attacks well are the ones that have drilled properly, not theoretical tabletop exercises involving only senior executives, but actual tests of people, process, and technology working together. When the attack comes, and it will come, you handle it calmly, consistently, and effectively. That familiarity is what resilience actually looks like when it counts.
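An added example, not code from the interview or from Cohesity, of the pre-restore trust check the persistence and clean-room points above call for: given the earliest evidence-of-compromise date from the investigation, a trusted baseline manifest (assumed to come from a golden image or build system, never from the backups themselves), and per-snapshot inventories of identities, configuration and binaries, it picks the newest snapshot that predates the intrusion and matches the baseline, and reports what restoring any later snapshot would reintroduce. All object names, hashes and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Snapshot:
    taken: date
    objects: dict  # identity / config / binary name -> content hash (constructed)

def drift(objects, baseline):
    """Names a restore would add, or change, relative to the trusted baseline."""
    added = sorted(n for n in objects if n not in baseline)
    changed = sorted(n for n, h in objects.items() if n in baseline and baseline[n] != h)
    return added, changed

def assess(snapshots, baseline, compromise_date):
    """Return (restore_point, findings): the newest clean pre-compromise snapshot
    (ISO date or None) and, per drifting snapshot, what it would reintroduce.
    A snapshot that predates the compromise date but still drifts is rejected,
    since it means persistence is older than the evidence. A post-compromise
    snapshot is not trusted even when its inventory matches, because the
    inventory only covers what we thought to check."""
    findings, restore_point = {}, None
    for snap in sorted(snapshots, key=lambda s: s.taken):
        added, changed = drift(snap.objects, baseline)
        if added or changed:
            findings[snap.taken.isoformat()] = {"added": added, "changed": changed}
        elif snap.taken < compromise_date:
            restore_point = snap.taken.isoformat()
    return restore_point, findings

# Constructed sample data: a golden-image manifest, the investigation's earliest
# evidence of compromise, and three backup inventories spanning the dwell time.
BASELINE = {
    "ad:user:svc_backup": "a1",
    "ad:gpo:Default Domain Policy": "b2",
    "bin:/usr/sbin/sshd": "c3",
}
COMPROMISE = date(2024, 1, 20)
SNAPSHOTS = [
    Snapshot(date(2024, 1, 5), dict(BASELINE)),                      # pre-intrusion, clean
    Snapshot(date(2024, 2, 10), {**BASELINE, "ad:user:helpdesk2": "d4",   # new account
                                 "ad:gpo:Default Domain Policy": "e5"}),  # modified GPO
    Snapshot(date(2024, 3, 1), {**BASELINE, "ad:user:helpdesk2": "d4",
                                "ad:gpo:Default Domain Policy": "e5",
                                "bin:/usr/sbin/sshd": "f6"}),             # trojanised binary
]

def demo():
    return assess(SNAPSHOTS, BASELINE, COMPROMISE)

if __name__ == "__main__":
    point, findings = demo()
    print("restore from:", point)
    for when, what in findings.items():
        print(when, "would reintroduce:", what)
```

If no snapshot qualifies, the answer is a rebuild to a trusted state in the clean room rather than a restore, which is the second path the answer above describes.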
How much has AI shifted the balance between attacker and defender, and are businesses keeping up?
AI has genuinely improved analyst effectiveness inside security operations. Classification, pattern recognition, multi-vector models. My university degree is in machine learning from 1990. We just called it statistics back then. The defensive capability is meaningfully better than it was.
But on the offensive side, my considered view is that AI hasn’t created new categories of attack. What it’s done is increase the speed and efficiency of existing ones. Attackers can move faster, scan more, exploit vulnerabilities in a shorter window. The attack types aren’t new. The pace is.
Cyber warfare used to feel abstract. The Iran conflict suggests it isn’t anymore. Where is this all heading?
Governments and militaries have been trying to establish a governing doctrine for cyber warfare for over a decade. There are books on my shelf from fifteen years ago wrestling with where it’s applicable, what proportionate looks like, whether a UN convention is possible. The short answer is: no such doctrine exists, and even if it did, the countries most likely to use these tools aggressively are the least likely to observe the rules. We already have conventions on conventional warfare that certain parties ignore openly.
What has changed is our dependence on IT, and that’s what makes the impacts so much greater now. It doesn’t matter what kind of business you are. Every organisation, in every sector, runs on interconnected systems, and that interconnection is exactly what makes supply chain attacks so effective. Attack one common provider and you hit hundreds of downstream organisations at once.
So the context organisations need to understand is this: even if you have no connection to a defence contractor or a government, you can still become collateral damage. Cyber warfare is just the reality. The good news is that resilience to ransomware and resilience to state-sponsored attacks are the same capability. You don’t have to go from zero to perfect. Every step you take reduces the impact when an attack comes, and the sooner you start that journey, the better placed you’ll be.
Any final thoughts?
The Stoics had a wise saying: “Don’t try and change everyone else. Change the things that are in your power to change.” That’s genuinely where I land on this. You can’t control geopolitics. You can control your own defensive space. You own the battlefield because it’s your company.
What I see in organisations that end up with weeks or months of impact is that they skipped the hard things. They didn’t have the difficult conversation with line-of-business owners about what actually gets recovered first. They avoided asset management because it’s tedious. They didn’t map the interdependencies between their applications and the identity and network layers underneath. And so when an attack came, the applications they tried to recover were built on sand.
The customers I see who end up with weeks or months of impact are the ones who avoided the difficult conversations. “I can’t recover all of your applications immediately” is not a technology conversation or a security conversation. It’s a business conversation, and it’s often the one that never gets had. Do the hard things once, and they’re done. Start there.
Find the full conversation from this interview on YouTube.
Dilki Rathnayake is a cybersecurity content writer and the Managing Editor at Information Security Buzz, with a BSc in Cybersecurity and Digital Forensics. She is skilled in computer network security and Linux system administration. Dilki has also led awareness programs and volunteered for communities promoting best practices for online safety.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.