When at­tacks be­come hy­brid: why Dan­ish com­pan­ies must re­think se­cur­ity from the ground up

Ole Willers, postdoc at CBS, puts it clearly:

“Hybrid threats are the methods and capabilities that foreign states use to achieve strategic outcomes without employing conventional military force. Cyber attacks, sabotage and disinformation function together as a point of pressure against society.”

This is not a future scenario. Sabotage of European infrastructure – railways, energy supply and undersea data cables – has already occurred. Denmark is particularly exposed because it is a digital hub in Northern Europe. According to the International Institute for Strategic Studies, Europe’s critical infrastructure has been weakened by decades of underinvestment and neglect. This means attackers do not need to hit hard – they just need to hit accurately.
 

Companies are the first targets

Danish companies face thousands of attacks every week. Ransomware and supply-chain attacks are no longer exceptions, but standard tools. At the same time, the attacks have become more destructive.

The attack on the water company in Køge marked a shift. It was not an attempt at extortion, but an attempt at physical damage.

For companies, this fundamentally changes the risk landscape. Risk is no longer linear but systemic. A single compromised system can trigger chain reactions across supply chains already vulnerable to geopolitics, trade conflicts, and supply disruptions. At the same time, the line between state and criminal actors has become blurred. Hackers operate in grey zones where states turn a blind eye – or actively exploit their activities.

Disinformation: a potential but still uncertain business risk

Research indicates that false information can spread faster than factual content on digital platforms, partly due to algorithmic amplification and increased use of automated tools. Studies in information dissemination and political communication also show that the effects are complex and difficult to isolate.

For businesses, the picture is less clear. There are still relatively few well-documented cases of companies suffering direct, measurable financial damage from state-orchestrated disinformation. Uncertainty is high, and causal links are hard to establish.

Nevertheless, several analyses suggest the risk should not be dismissed. As states increasingly use information operations as a geopolitical tool, companies – particularly those with strategic significance, national ties, or politically sensitive products – could in principle become indirect targets. Not necessarily through direct attacks, but via narratives that influence regulatory behaviour, consumer trust, or market access.

In short: disinformation is not yet a well-documented, systematic business threat – but it is a plausible future risk that companies should approach analytically and pragmatically, not alarmistically.

The real vulnerability is organisational

Most companies now understand that the threat landscape is serious. The problem is not awareness, but incentives.

Ole Willers highlights a fundamental market failure:

“Companies rarely bear the full cost of an attack. When a small supplier is compromised, it is often used as an entry point into larger customers’ systems. At the same time, security is hard to measure, and customers rarely pay for what they cannot see.”

The result is familiar: everyone knows security is necessary. No one wants to invest first. SMEs have the least capacity and the greatest risk, but large companies are not immune either. Complex organisation, unclear responsibilities, and short-term business goals make security a secondary concern.

The crucial shift is managerial. Cybersecurity cannot be just an IT issue.

“Only when security is a C-level responsibility can efforts be coordinated across IT, legal, supply chain, and external partners,” says Ole Willers.

It is about moving from compliance to risk management. From firefighting to resilience. From isolated cybersecurity to integrated business security.

The state and business: voluntarism is not enough

Companies cannot solve the problem alone. Structural market failures require political intervention. In Denmark, there is still too much reliance on voluntary compliance.

Public-private cooperation is necessary, but it must be functional. Too many partnerships end up as discussion forums without real decision-making. The state must create frameworks where security becomes a rational investment—not an idealistic choice.

This requires:

• consistent enforcement of existing regulations
• support schemes that work in practice
• clear and realistic requirements
• a clear recognition that certain tasks are critical to society—not just to business

In a world of hybrid threats, security is not a safeguard. It is a prerequisite for remaining competitive.