Operating in an Age of Permanent Instability: Keeping Organisations Running in Conflict Zones and Crisis Conditions

How to build a resilient business continuity plan for modern threats

Start by carrying out a thorough risk assessment every year, treating geopolitical instability and hybrid threats as baseline conditions. Build risk scenarios that show how modern conflicts really happen, including hybrid warfare, cyber operations, economic coercion, and information warfare. These scenarios should match the realities of today’s conflicts, not just rely on past experience or best practices.

Once identified, these risks must be translated into actionable continuity and operational resilience plans, ensuring that organisations are prepared to sustain critical business operations under conditions of heightened instability or armed conflict.

Ukraine's IT sector, which comprised over 5,000 companies before the invasion, saw only 2% of firms cease operations entirely as a result of the war. This was not luck. It was the product of organisations that had treated continuity planning as a strategic function, not a bureaucratic obligation.

Effective business continuity management must cover several critical dimensions.

• Stress-testing business models against scenarios involving economic sanctions, border closures, regulatory unpredictability, mobilisation, and critical infrastructure disruptions should become a recurring discipline, not a one-off exercise.
• When planning recovery strategies, look closely at any reliance on single countries, suppliers, or transit routes, and consider how utility outages could affect your business. Make sure your continuity and recovery plans address the possibility of disruptions lasting more than a month.
• Business plans should also be designed to support fast and effective decision-making, including simplified approval and escalation processes that can operate under crisis conditions.
• Given the increasing volume and sophistication of information and influence operations targeting organisations, it is equally important to monitor the external information environment for narratives that may affect the organisation. This should be supported by prepared rapid-response communication plans to address reputational or informational risks.
• Business continuity strategies should build a culture of preparedness and organisational resilience, not fear. Make sure your employees know the risks, their roles, and how to respond, so they feel confident the organisation can keep running even in tough situations.

Blog post

Explore how to strengthen resilience in national electricity grids

Read more

How to protect and prepare your workforce

No continuity plan survives contact with reality if the people who execute it are unavailable, unreachable, or unable to work. The ability to retain key employees during periods of instability is one of the strongest predictors of whether an organisation will sustain operations or collapse under pressure.

Ensuring employee safety, along with proactive planning to address key-person dependencies, should therefore be considered a core element of organisational preparedness. This includes identifying critical roles, defining succession and backup arrangements, and ensuring that essential knowledge and decision-making authority are not concentrated in a single individual.

It is just as important to keep a strong management team that can keep making decisions when things get tough. Having steady leadership helps organisations adapt and stay resilient when situations change quickly.

Now, let’s look at some general tips for keeping employees safe and preparing your organisation for crisis conditions.

These recommendations are not just theoretical. They come from the real experiences of tens of thousands of Ukrainians who kept delivering software, managing logistics, and maintaining services even as their cities were being bombed.

Facilities and utilities: how to prepare for physical disruptions

The physical dimension of organisational resilience is often underestimated in strategic planning. Yet Ukrainian experience offers an unambiguous lesson: any plan that assumes continuous access to a specific building, data centre, or utility connection is a plan that will fail under conflict conditions. Facilities may be damaged, destroyed, or rendered inaccessible; critical utilities may be disrupted for weeks or months.

As noted in the employee safety section, operations should be distributed and designed for remote execution wherever possible to ensure continuity and resilience. Concentrating large numbers of employees in a single facility should be avoided. Civilian buildings are increasingly targeted in modern conflicts, and the risk is compounded by the fact that air raid warnings do not always provide sufficient advance notice, particularly in the case of high-speed weapons such as hypersonic missiles.

Pillars of resilient facilities and operations continuity

How to strengthen your organisation against cyber threats

Of all the risks examined in this article, cyberattack is the most immediate, the most broadly applicable, and the one most likely to affect organisations regardless of their physical proximity to a conflict zone. Ukrainian organisations and government bodies have faced a high volume and intensity of cyberattacks throughout the war. Critically, many of these campaigns began well before open military hostilities, as part of hybrid warfare operations designed to weaken state and organisational resilience.

The following are general cybersecurity focus areas and recommendations that should be strengthened.

Vulnerability management

A strong vulnerability management process is key to cyber resilience. This involves continuous monitoring of vulnerabilities from software and hardware vendors, following updates from security researchers and feeds, and conducting regular vulnerability scans of both internal and external systems. Aim to scan at least once a month, but daily scanning is even better.

Plan to run penetration tests on your external networks and Active Directory environments once or twice a year.

Remediation timelines (SLAs) should follow best practices:

• Critical vulnerabilities: within 1-2 weeks
• High severity: within 1 month
• Medium severity: within 2 months
• Low severity: within 3 months

If remediation is not immediately possible, compensating controls must be implemented. Do not rely only on network isolation or hiding systems; make sure to patch regularly, depending on the criticality of each issue.

Asset management

Effective defence is impossible without a clear, complete inventory of what is being defended. Companies should maintain a clear and complete inventory of:

• IT assets
• Network devices
• Hardware and software
• Cloud resources

Poor asset management creates shadow IT, systems that exist outside the security perimeter, unpatched and unmonitored, and undermines every other security capability, from vulnerability management to incident response.

Network security

Network defences should include:

• Properly configured Next-Generation Firewalls (NGFWs)
• Deployment of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
• Enabling network-based malware detection (NBMD)
• Use of packet inspection to improve data leakage prevention and malware detection

Strict network segmentation is essential, particularly between administrative and operational technology environments to protect industrial control systems (ICS), such as Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS) and Programmable Logic Controllers (PLC)-based control systems.

Endpoint security

Endpoint security demands deployment of Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) solutions across all devices, combined with full disk encryption, restricted USB ports, elimination of local administrator accounts, enforced multi-factor authentication, strong password policies, and conditional access with VPN for remote connections.

Agent-based Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solutions provide extra protection against data loss.

Equipment security

During wartime, it must be assumed that devices containing confidential information may be lost, seized, or captured by hostile forces. Because of these risks, companies need to make sure they take the following steps:

• Use full disk encryption on every device, including servers.
• Set up remote wipe and device disablement features.
• Have clear procedures for reporting and responding to lost or compromised equipment.

Configuration management

Baseline secure configurations should be established and maintained across systems. Frameworks such as CIS Benchmarks can be used as a foundation. Where possible:

• Configurations should be continuously monitored.
• Critical configurations should be immutable or protected against unauthorised changes.

Log collection and security monitoring

Effective log collection and analysis are essential. Organisations should operate a Security Operations Centre (SOC), internal or outsourced, with coverage of at least five days a week and eight hours a day, and ideally around the clock. Logs from all critical systems must be collected, correlated, and analysed to detect incidents and enable rapid investigation.

If SOC services are outsourced, organisations must actively monitor service quality and maintain contingency plans, including backup providers and limited internal monitoring capabilities.

Training and awareness

The human element remains one of the most exploited attack vectors. Regular cybersecurity training with a strong emphasis on phishing awareness and guidance on appropriate response and reporting, as credential compromise continues to be among the most common initial access methods. These efforts directly support organisational resilience by reducing potential risks from social engineering.

Quarterly simulated phishing campaigns help maintain vigilance and provide measurable data on organisational readiness.

Since information warfare is common in today’s conflicts, training should also help employees spot and respond to propaganda and disinformation. These skills support both cybersecurity and the overall strength of the organisation.

Conclusions

The erosion of international norms has reintroduced force, coercion, and intimidation as increasingly accepted tools of influence. Legal frameworks and moral constraints are giving way to raw power dynamics, while economic interdependence itself is being weaponised.

At the same time, rapid technological change has undermined many traditional assumptions about security and defence. Low-cost, asymmetric tools, including cyber intrusions, drones, disinformation campaigns, and sabotage, can now inflict disproportionate damage on both private companies and public institutions. Concentrated assets, whether physical facilities, data centres, digital infrastructure, or key personnel, have become high-value targets in efforts to maximise economic and societal disruption.

In this constantly evolving environment, adaptability has emerged as the decisive advantage. Success depends less on pre-existing strength and more on the ability of organisations to learn quickly, adjust operations, and deploy new defensive measures under pressure.

At the same time, effective preparation and proactive risk identification provide critical time and flexibility. Together with adaptability, they form the foundation of truly resilient organisations. Companies must systematically identify relevant risks, regularly update recovery plans and procedures, implement corrective actions, and prepare for scenarios that were once considered unthinkable.

In today’s environment, resilience is not a defensive cost. It is a strategic capability and an increasingly decisive source of competitive advantage.