DIGITALISATION

When attacks become hybrid: why Danish companies must rethink security from the ground up

Hybrid threats are not a security issue – they are the reality of business. Cyber attacks are no longer isolated incidents. They have become part of a broader strategic toolkit in which states and criminal actors combine digital attacks, physical sabotage and information influence operations. The objective is rarely purely financial gain. It is about pressure, destabilisation and strategic advantage.

By CBS Executive Education

Ole Willers, postdoc at CBS, puts it clearly:

“Hybrid threats are the methods and capabilities that foreign states use to achieve strategic outcomes without employing conventional military force. Cyber attacks, sabotage and disinformation function together as a point of pressure against society.”

This is not a future scenario. Sabotage of European infrastructure – railways, energy supply and undersea data cables – has already occurred. Denmark is particularly exposed because it is a digital hub in Northern Europe. According to the International Institute for Strategic Studies, Europe’s critical infrastructure has been weakened by decades of underinvestment and neglect. This means attackers do not need to hit hard – they just need to hit accurately.

Companies are the first targets

Danish companies face thousands of attacks every week. Ransomware and supply-chain attacks are no longer exceptions, but standard tools. At the same time, the attacks have become more destructive.

The attack on the water company in Køge marked a shift. It was not an attempt at extortion, but an attempt at physical damage.

Danish companies don't know where to start

In this interview, CBS Assistant Professor Jan Lemnitzer and Senior Political Consultant at Dansk Erhverv Joen Magieres speaks on the threat landscape in Denmark and what challenges Danish companies are facing when implementing the NIS2-directive from the EU on cybersecurity.

For companies, this fundamentally changes the risk landscape. Risk is no longer linear but systemic. A single compromised system can trigger chain reactions across supply chains already vulnerable to geopolitics, trade conflicts, and supply disruptions. At the same time, the line between state and criminal actors has become blurred. Hackers operate in grey zones where states turn a blind eye – or actively exploit their activities.

Disinformation: a potential but still uncertain business risk

Research indicates that false information can spread faster than factual content on digital platforms, partly due to algorithmic amplification and increased use of automated tools. Studies in information dissemination and political communication also show that the effects are complex and difficult to isolate.

For businesses, the picture is less clear. There are still relatively few well-documented cases of companies suffering direct, measurable financial damage from state-orchestrated disinformation. Uncertainty is high, and causal links are hard to establish.

Nevertheless, several analyses suggest the risk should not be dismissed. As states increasingly use information operations as a geopolitical tool, companies – particularly those with strategic significance, national ties, or politically sensitive products – could in principle become indirect targets. Not necessarily through direct attacks, but via narratives that influence regulatory behaviour, consumer trust, or market access.

In short: disinformation is not yet a well-documented, systematic business threat – but it is a plausible future risk that companies should approach analytically and pragmatically, not alarmistically.

The real vulnerability is organisational

Most companies now understand that the threat landscape is serious. The problem is not awareness, but incentives.

Ole Willers highlights a fundamental market failure:

“Companies rarely bear the full cost of an attack. When a small supplier is compromised, it is often used as an entry point into larger customers’ systems. At the same time, security is hard to measure, and customers rarely pay for what they cannot see.”

The result is familiar: everyone knows security is necessary. No one wants to invest first. SMEs have the least capacity and the greatest risk, but large companies are not immune either. Complex organisation, unclear responsibilities, and short-term business goals make security a secondary concern.

The crucial shift is managerial. Cybersecurity cannot be just an IT issue.

“Only when security is a C-level responsibility can efforts be coordinated across IT, legal, supply chain, and external partners,” says Ole Willers.

It is about moving from compliance to risk management. From firefighting to resilience. From isolated cybersecurity to integrated business security.

The state and business: voluntarism is not enough

Companies cannot solve the problem alone. Structural market failures require political intervention. In Denmark, there is still too much reliance on voluntary compliance.

"We need a public sector that both defines responsibilities, supports implementation – especially in SMEs – and actually enforces the rules. Many executives delay investments because they do not anticipate consequences."

Ole Willers, postdoc at CBS

Public-private cooperation is necessary, but it must be functional. Too many partnerships end up as discussion forums without real decision-making. The state must create frameworks where security becomes a rational investment—not an idealistic choice.

This requires:

consistent enforcement of existing regulations
support schemes that work in practice
clear and realistic requirements
a clear recognition that certain tasks are critical to society—not just to business

In a world of hybrid threats, security is not a safeguard. It is a prerequisite for remaining competitive.

Cyberwar in Ukraine and critical infrastructure protection: what NIS2 means for you

EU Cybersecurity Regulations: leaders have had a year to get ready

Denmark is not ready for EU's new cyber security rules

Did you find this content interesting? Sign up for our newsletter and gain access to more of our research findings and events.

With the world’s grand challenges awaiting us, we need to continuously evolve, gain new knowledge and insights, and upskill.

Dive into a world of knowledge by signing up below. You will get:

Personal event invitations
Pertinent research-based insights on business and society
Information about the next intakes of our Executive Education programmes and courses

Future Tech for Business

Gain insights into future technologies like artificial intelligence, blockchain, and quantum computing to future-proof your organisation and optimise business operations.

Go to course

Digital Business

The course focuses on the development and implementation of digital business solutions and on evaluating digital business models in relation to practical situations.

Go to course

Master of Business Development

The programme is for those passionate about creating new, innovative solutions and eager to take responsibility for advancing and developing the business—for those who want more.

Go to programme

When attacks become hybrid: why Danish companies must rethink security from the ground up

Danish companies don't know where to start

"We need a public sector that both defines responsibilities, supports implementation – especially in SMEs – and actually enforces the rules. Many executives delay investments because they do not anticipate consequences."

Keep reading

Your gateway to more knowledge

Learn more