Cyber threats are increasingly discussed in the language of warfare, yet they rarely resemble the dramatic scenarios often imagined. There are no declarations, no clear beginnings or ends. Instead, modern cyber activity operates in what policymakers describe as the grey zone: the space between peace and armed conflict, where hostile actors pursue strategic advantage without triggering overt military response.

While governments remain primary targets, it is the private sector, often unknowingly, that provides the terrain on which these campaigns play out. Businesses of all sizes and across all sectors now sit on the front line of geopolitical competition, not because they are adversaries themselves, but because their systems, data and supply chains are deeply interconnected with those that matter most.

To manage risk in an increasingly contested environment, it’s essential for you to understand how cyber operations have evolved and why they’re used in this way. In this article, we explain what grey zone cyber activity is and how you can protect your organisation.

The evolution of cyber conflict

Early cyber incidents were typically visible and disruptive: denial‑of‑service attacks, ransomware or high‑profile data breaches. Over time, state‑linked cyber activity has evolved into something quieter, more patient and strategically purposeful.

Rather than seeking immediate disruption, many modern campaigns aim to establish long‑term access to your systems. Systems are compromised not to break them, but to observe, map your dependencies, extract sensitive information and retain the option to act later. Access itself becomes an asset.

This shift reflects the strategic advantages cyber offers as a tool of grey zone competition: operations can be plausibly denied, calibrated in intensity, and sustained over long periods without crossing legally or politically defined thresholds of conflict. And that fundamentally changes how you need to think about risk.

Why your business is part of the risk landscape

If you think you’re “too small” or “not a target”, you need to reassess.

Grey zone cyber activity exploits connectivity and your organisation is part of a much wider network of suppliers, service providers, technology platforms and professional advisers. That complexity creates opportunity for attackers.

You’re particularly exposed if you:

• provide software or managed services
• operate in logistics, manufacturing or infrastructure
• advise clients on financial, legal or technical matters
• sit anywhere within the supply chain of a larger organisation

You’re not being targeted because of who you are, you’re being targeted because of what you can access.

If an attacker can reach your systems, they may also be able to reach your clients, partners or critical services. That makes your organisation a potential entry point into something much bigger.

Your supply chain is your biggest vulnerability

You can no longer treat cyber risk as something confined to your own systems.

One of the defining features of grey zone cyber activity is the focus on indirect compromise. Rather than attacking a well‑defended target head‑on, hostile actors exploit weaker points in the ecosystem around it.

You should assume that risk exists across your ecosystem, especially where:

• you rely on multiple suppliers across jurisdictions and regulatory regimes
• cyber maturity varies significantly between partners
• access has been extended for operational efficiency
• you have limited visibility beyond your tier one suppliers

A compromise several steps removed from a critical asset may still provide valuable intelligence, operational leverage or future disruption capability.

This reframes cyber risk from an internal issue to a shared, systemic exposure, one that you can’t manage in isolation.

What this means for you

Against this backdrop, you should be asking different questions about cyber risk.

Not simply:

• Are our systems secure?

But:

• Where do we sit in other organisations’ supply chains?
• What access do third parties have to our systems, and vice versa?
• How would a persistent, low‑level compromise change our risk profile over time?
• Are cyber issues considered in procurement, contracting and M&A decisions?

Grey zone cyber activity challenges the assumption that risk can be neatly categorised as operational, legal or strategic. In reality, it increasingly sits across all three.

What you should do next

This shift isn’t theoretical, you need to respond now.

You should:

• Map your supply chain risk: understand who you rely on and where your exposure sits
• Review and limit third-party access: ensure access is proportionate and actively managed
• Plan for persistent threats: assume that compromise may be ongoing, not one-off

Cyber awareness as a core business competence

Grey zone cyber operations are unlikely to recede. They offer hostile actors a low‑cost, high‑impact means of shaping competitive environments in ways that are difficult to attribute and harder to counter.

The implication is clear: cyber resilience is no longer just about protecting your business from crime or technical failure. It is about understanding how interconnected systems can be exploited in pursuit of strategic objectives and how those risks translate into commercial, legal and reputational exposure.

If you recognise this shift early and respond through governance, supply‑chain engagement and strategic planning, you’ll be better placed to operate with confidence in an environment where cyber risk is no longer exceptional, but structural.

For further information, please contact Nick Stubbs or Della Heptinstall.