Operation Epic Fury — the US administration’s sustained kinetic pressure on core Iranian regime assets — introduces a new layer of operational risk for every multinational with people, assets, or dependencies in the Middle East region and beyond.
The immediate briefings from Washington — early damage assessments, stated intent, geopolitical framing, and situational updates and reporting — are useful for understanding what is transpiring, but they do not account for the operational exposure that surfaces the moment hostilities begin.
Decades of watching similar events, most recently in Ukraine, show a consistent pattern: Enterprises often experience the operational impact of such actions before governments complete their assessments. CISOs, CSOs, and chief risk officers now own that expanded risk surface across personnel, infrastructure, travel, and digital posture.
Enterprise emergency action groups should already be validating assumptions and aligning organizational plans as conditions evolve. Today, however, that work becomes mandatory. This is a posture-adjustment moment for all organizations that could be affected by Operation Epic Fury and Iran’s response, not a wait-and-see moment.
Iran’s retaliatory toolkit
Iran retains a broad and durable set of tools it can use to impose cost on US and Western interests. These capabilities are not theoretical. They are active, distributed, and proven across multiple regions and time periods. Enterprise risk and security teams need to understand that these capabilities span several domains:
- Physical attacks on US-linked locations through direct action or partner groups. We are already seeing Iranian missile launches into a variety of nations in the region.
- Cyber operations that include disruptive activity, targeted intrusions, credential and access harvesting, destructive malware deployment, and the use of compromised infrastructure to support broader influence or operational objectives.
- Proxy networks across the Middle East that provide reach, deniability, and flexibility. These extend beyond militias to organizations such as Hezbollah.
- Targeted attacks and assassination plots conducted selectively to create political or psychological pressure.
- Misinformation, disinformation, and influence activity designed to shape narratives or create friction.
- A global diaspora that, while overwhelmingly uninvolved, includes individuals who may be more susceptible to pressure or outreach from Iranian services.
These capabilities translate directly into enterprise‑level exposure across personnel, infrastructure, travel, and digital posture. This is the baseline. It is the capability set that informs every section that follows. The question for the enterprise is not whether Iran can retaliate, but which combination of these tools it chooses to employ and where these actions will surface first.
Cyber and risk leaders’ immediate next steps
Here are some guidelines on how CISOs, CSOs, and chief risk officers should respond to the new layer of risks introduced by Operation Epic Fury across the following key domains:
Personnel: Experience in conflict‑adjacent environments taught me that employees under stress behave according to circumstance, not policy. Once the conflict involves the region or country where your personnel are located, your workforce becomes part of the risk surface.
Confirmed reports from Bahrain, for example, show apartment buildings being damaged by Iranian drones, an illustration of how quickly civilian areas can become affected. Generic safety or travel briefings are no longer adequate. If you have employees and families in the area of conflict, you must have evacuation triggers and structured wellness checks for all staff and travelers. Those most likely to be affected must be included in the planning phase, because on‑the‑ground reality is indispensable. Resilience comes from preparation, not optimism.
Essential services: Water, power, fuel, and other critical lifeline infrastructure are attractive targets for groups seeking to disrupt regional stability. The daily resilience demonstrated in Ukraine shows a clear pattern: The organizations that remained operational were the ones able to source material to repair or replace what failed.
The question is simple. If your personnel lose water, power, or communications for two weeks, what is your plan, and who owns execution? The same logic applies to mobility and movement.
Travel: Travel is one of the earliest indicators of rising operational risk, and it becomes a liability long before leadership labels it as such. Years of intelligence assessments and Iran’s demonstrated capability require a different lens on all authorized international travel.
In post‑incident reviews, the pattern is consistent: Once tensions rise or conflict begins, civil aviation and maritime logistics become targeted, high‑impact levers for creating economic and political pressure. They are symbolic, visible, and deeply tied to global business operations. Any itinerary that transits the Gulf or relies on regional airspace or shipping lanes carries elevated risk.
Interference events, diversions, seizures, and delays do not need to be widespread to create operational disruption. Clear thresholds for pausing travel or adjusting operations must be in place. This is the moment to validate assumptions, confirm who owns the call, and ensure travel policies match the conditions that actually exist. The digital domain follows the same pattern, often with even less warning.
Cybersecurity: Iran’s cyber capability is not speculative; it is documented across years of joint advisories from CISA, FBI, NSA, and their international partners. Iranian state‑aligned actors routinely target poorly secured networks, internet‑connected devices, and critical infrastructure, often exploiting edge appliances, outdated software, and weak credentials. They have conducted disruptive operations against operational technology (OT) devices and have collaborated with ransomware affiliates to turn initial access into revenue or leverage.
Their pattern is consistent with what I have written for years: They favor targets of opportunity, they blend symbolic disruption with credential harvesting and access development, and they use compromised infrastructure to support broader influence or operational objectives. They also work social networks to compromise or recruit insiders, often under a false flag. And when required, they take the time to target, assess, and execute with patience and intent. Iran is a patient adversary.
The practical point is simple: Iran’s cyber activity accelerates during periods of geopolitical tension, and enterprises with exposed services, unpatched infrastructure, or unmanaged edge devices become part of the accessible attack surface.
Preparation is key
This is a period for disciplined preparation, not alarm. The organizations that fare best are the ones that adjust early and execute with clarity.