Somewhere in your organization, a well-meaning colleague has forwarded a news article about Iranian cyber attacks on American infrastructure with a single-word subject line, “Concerned”.
It is a fair concern. With U.S. and Israeli military operations against Iran intensifying since late February 2026, organizations across every sector are asking the same thing. Does the war in the Middle East change our cybersecurity risk profile, and if so, what should we do about it?
The answer, like most things in security, depends on who you ask.
The Case for Elevated Risk
There is a credible, well-documented argument that the current conflict has materially increased cyber risk for U.S. and allied organizations. It does not require speculation. The evidence is in government advisories, threat intelligence reports, and the operational history of Iranian state-sponsored actors.
The advisories are real.
CISA, the FBI, and NSA have issued multiple joint advisories over the past two years warning of Iranian cyber actors targeting critical infrastructure. In October 2024, a joint advisory documented Iranian actors using brute-force password spraying and MFA push-bombing to compromise organizations across healthcare, government, IT, engineering, and energy sectors. In August 2024, the FBI and CISA warned that Iran-based actors were obtaining network access and then collaborating with ransomware affiliates to extort U.S. organizations. These are not theoretical warnings. They describe observed, confirmed activity.
The attacks have already happened.
In late 2023, IRGC-affiliated hackers compromised programmable logic controllers (PLCs) at a water treatment facility outside Pittsburgh, forcing the plant to operate manually. CISA updated that advisory as recently as December 2024 with new TTPs. Hospitals, water systems, and industrial facilities have been confirmed targets, not hypothetical ones.
The numbers support the concern.
The World Economic Forum’s Global Cybersecurity Outlook 2025 reported that nearly 60% of organizations say geopolitical tensions have directly affected their cybersecurity strategy. Seventy-two percent of respondents reported an increase in organizational cyber risk over the prior year, with ransomware remaining a top concern. When IBM published its 2024 Cost of a Data Breach Report, the global average cost had risen to $4.88 million, a 10% year-over-year increase and the largest jump since the pandemic. For healthcare, the figure reached $9.77 million, marking the fourteenth consecutive year as the most expensive sector for breaches.
If you operate in critical infrastructure, energy, water utilities, healthcare, financial services, or defense, the argument for elevated risk is not theoretical. It is documented, advised upon by the U.S. government, and supported by recent operational history. The question is not whether Iranian threat actors have the capability and intent to target these sectors. They have demonstrated both.
Allied governments have reached the same conclusion. The UK’s National Cyber Security Centre issued its own advisory warning of heightened indirect cyber risk, particularly for organizations with regional supply chains or operations.
The Case for Calm
And yet.
There is a credible counterargument that deserves equal consideration, one that is harder to make in the current news cycle but no less grounded in evidence. It goes something like this. Organizations with mature security programs are not facing a fundamentally different risk environment than they were a week ago.
Consider what has happened since U.S. and Israeli strikes escalated in late February 2026. Iran’s available internet connectivity dropped to between 1% and 4%, according to multiple network monitoring services. State-aligned threat actors depend on that connectivity to coordinate operations, communicate with command infrastructure, and execute sophisticated campaigns. With significant degradation of Iranian leadership and command structures, the ability of state-sponsored APT groups to launch coordinated cyber offensives has been materially diminished, at least in the near term.
Threat intelligence firms have noted a ‘noticeable lull’ in outbound Iranian state-sponsored cyber operations since the strikes began. The activity that has increased is primarily unsophisticated hacktivist operations: website defacements, DDoS attempts, and loud social media claims from proxy groups located outside Iran. Sophos X-Ops observed a surge in hacktivist chatter but assessed it as noise, not signal, noting that for most businesses, the risk is functionally the same as it was a week prior.
This is an important distinction that often gets lost in the cycle of threat advisories and vendor alerts. There is a difference between an increase in threat actor chatter and an increase in actual organizational risk. A hacktivist group claiming to have defaced a website is not the same as an APT group with IRGC backing establishing persistent access to your Active Directory. The former makes headlines. The latter makes the CISA advisory.
Some security leaders will quietly acknowledge an uncomfortable truth. If your organization has…
- unpatched internet-facing systems
- no MFA on critical accounts
- flat network architecture
- an untested incident response plan
…you were already at elevated risk before the first missile was launched.
The war did not create those gaps. It may have focused attention on them, which is not the worst outcome, but the risk was already there.
The Industry Divide
Perhaps the most honest answer to the question of elevated risk is, it depends on your industry.
High Risk
- Energy and utilities
- Water and wastewater
- Healthcare
- Financial services
- Defense contracting
- Telecommunications
Iranian state-sponsored groups have established track records of targeting these sectors, including:
- APT33
- APT35 (Charming Kitten)
- MuddyWater
- Cotton Sandstorm
Lower Risk
- Regional accounting firms
- Restaurant chains
- Mid-market SaaS companies
Note: The risk to lower-exposure organizations is not zero. Ransomware affiliates with Iranian connections operate opportunistically, but the threat model of a lower-exposure organization has not materially changed since before the conflict. It is still dominated by the same actors it was before:
- Financially motivated ransomware groups
- Business email compromise operators
- Credential-stuffing campaigns fueled by previous data breaches
This is where the security community sometimes does itself a disservice. When every conflict triggers a wave of vendor alerts and ‘heightened threat’ notices, it becomes difficult for organizations to distinguish between genuine, actionable intelligence and marketing dressed up as threat analysis.
If your threat advisory reads the same for a 50-person marketing agency as it does for a water utility, it is not a threat advisory. It is a press release.
Business Continuity and Regulatory Compliance: The Overlooked Dimensions
While much of the discussion focuses on direct cyber attacks, the Middle East conflict creates second and third-order effects that business continuity and compliance teams should consider regardless of whether they believe their organization is a direct target.
Vendor Risk
Supply chain disruption is the most tangible. Organizations with technology vendors, cloud providers, or managed service providers that have operations in or dependencies on the affected region face potential service disruptions. A business continuity plan that does not account for the loss of a critical SaaS provider, or for a supply chain partner facing its own cyber incident, is incomplete, and that was true before the conflict.
Compliance Exposure
The SEC’s cybersecurity disclosure rules require public companies to assess the materiality of cyber incidents and disclose them within four business days. The EU’s NIS2 Directive and DORA regulation impose incident reporting requirements and board-level oversight obligations on a broad range of organizations. The question facing compliance teams is not only “Has our risk increased?” but “Can we demonstrate that we have assessed whether our risk has increased?” The regulators will ask, and “We didn’t think it was relevant to us” is not a defensible answer.
Policy Gaps
Cyber insurance implications are also real. Insurers are paying close attention to geopolitical conflict. War exclusion clauses, which gained prominence after the NotPetya litigation, are being scrutinized. Organizations should review their policies now to understand what is and is not covered in a scenario involving state-sponsored or state-affiliated cyber operations.
So What Should You Actually Do?
Rather than debating whether the risk has increased by 10% or 50% or not at all, the more productive question for most organizations is: Are we doing the fundamentals well enough to withstand the threats we already face?
Because here is the uncomfortable reality: the techniques Iranian actors are using are not exotic. Password spraying. MFA fatigue attacks. Exploitation of unpatched VPN appliances. Compromising internet-facing PLCs with default credentials. These are not zero-days. These are known gaps that organizations have been advised to close for years.
This is not a theoretical gap. As of early March 2026, CISA is operating under a partial government shutdown, has lost roughly a third of its staff, and its acting director was reassigned days after the conflict began.
If the current moment of heightened awareness motivates your organization to finally address the items that have been sitting in the “accepted risk” column of your risk register, the war will have done your security program a favor.
For organizations in targeted sectors, the actions are specific and well-documented.
- Review CISA’s current Iran threat advisories and map findings to your environment
- Enforce MFA on all remote access and privileged accounts: universally, not selectively
- Patch internet-facing systems now: VPN concentrators, firewalls, and OT/ICS devices first
- Run a tabletop exercise with actual decision-makers in the room, not a theoretical review
- Validate that your SOC has detection coverage for the TTPs in current advisories
For organizations not in directly targeted sectors, the playbook is simpler. Keep doing what you should have been doing.
- Patch what needs patching
- Enforce MFA
- Segment your network
- Monitor for anomalies
- Review your business continuity plan
- Update your cyber insurance policy
- Resist the urge to spin up a ‘Middle East threat task force’ if the basics aren’t covered
A threat intelligence feed does not help you if your domain admin password is Admin2026.
The Bottom Line
The war in the Middle East has created a genuinely elevated cyber threat environment for specific industries and specific types of organizations. For critical infrastructure operators, the threat is real, documented, and demands immediate attention. For the broader business community, the threat is a reminder, and an urgent one, that the gaps in your security program are the same gaps that were there before the conflict began.
The most dangerous outcome is not an Iranian APT compromising your network. It is the complacency that returns six weeks from now when the headlines move on and the ‘heightened alert’ notices stop arriving. The organizations that will be best positioned, regardless of the geopolitical climate, are the ones that treat cybersecurity as a continuous program rather than a crisis response.
The fundamentals do not change because a war started. They also do not become optional because the war stops.
About Armor
Armor is a global leader in cloud-native managed detection and response. Trusted by over 1,700 organizations across 40 countries, Armor delivers cybersecurity, compliance consulting, and 24/7 managed defense built for transparency, speed, and results. By combining human expertise with AI-driven precision, Armor safeguards critical environments to outpace evolving threats and build lasting resilience. For more information visit our website, follow us on LinkedIn, or request a free Cyber Resilience assessment.