Getty Images/iStockphoto
Geopolitics reshapes data protection plans
Business and technology leaders are revising their data protection plans as global conflicts challenge current resilience and risk management plans.
Geopolitical conflict is expanding the enterprise threat model beyond cyberattacks, pushing IT and data leaders to rethink security and data management strategies.
A World Economic Forum report released in January underscores this shift: 64% of executives surveyed identified geopolitics as their top cyber risk concern. Cybersecurity isn't the only issue, however. Physical threats against data centers and cloud infrastructure have escalated in recent months. Iranian drone attacks in March 2026, for instance, damaged AWS data centers in Bahrain and the United Arab Emirates in the opening salvoes of the Middle East conflict.
For CIOs, CISOs and CDOs, the issue extends beyond cybersecurity to data residency, infrastructure exposure and operational resilience. The result is a broader approach to data protection that accounts for state-backed threats, supply chain dependencies and regional instability.
"The future of data protection isn't about just security or privacy," said James Turgal, vice president of cyber risk, strategy and board relation at cybersecurity services provider Optiv Security. "We have to think bigger -- about sovereignty, resilience and strategic risk management."
Rethinking data strategy amid geopolitical risk
Geopolitical concerns intensified after Russia's invasion of Ukraine and have gained new urgency as conflict in the Middle East affects infrastructure, cloud availability and data operations across borders.
Turgal, who meets regularly with corporate boards, said he has discussed establishing crisis response teams with clients considering the recent data center attacks. He said these incidents should push organizations to classify their data assets -- especially the ones most critical to operations, compliance and recovery planning.
"You have to change your mindset about data," he said. "You have to think of data as a commodity, and it has to be an integral part of your supply chain."
Now more than ever, organizations treat data as a strategic asset and are reassessing how it's stored, analyzed and transferred across jurisdictions, said Mir Kashifuddin, partner and data risk and privacy practice leader at PwC. AI adoption has raised the stakes and has influenced several data measures, he added.
"We're seeing greater focus on data governance, modern data and AI platform adoption, and building flexibility into data security architectures, so companies can adapt quickly to changing geopolitical and regulatory requirements," Kashifuddin said.
Evaluating data residency and hosting
Data residency has emerged as a pivotal area as geopolitical risk and regulatory requirements shape where organizations store, process and move data.
"Geopolitical considerations are playing a larger role in hosting decisions," Kashifuddin said. "Many organizations are diversifying cloud providers and regions."
After enterprises identify their strategic data, they can assess whether they need a multi-region or multi-cloud strategy, Turgal said. The specific approach will vary.
"There's no silver bullet," he said. "It absolutely depends on the type of organization that you have."
Factors to consider include data type, where it moves, the regions where the organization operates and the supply chain locations, Turgal said. Depending on those factors, an enterprise might need a primary and secondary hosting region, he added.
Data replication supports resilience by providing copies of critical data in multiple regions for failover or disaster recovery. But Turgal cautioned that organizations should weigh geopolitical developments before deciding on data transport and replication.
Preparing for AI-enhanced attacks and drone threats
State-sanctioned attacks, amplified with AI, are another concern for C-level executives.
"Organizations recognize that AI can increase the speed and sophistication of state-sponsored activity," Kashifuddin said.
AI can make attackers more efficient by accelerating tasks that once required significant expertise and time, including reconnaissance, phishing campaigns, vulnerability research, content generation and social engineering, said Avitesh Kesharwani, an enterprise AI and cloud architect and AI governance consultant.
The response to such AI threats is multifaceted. Enterprises are strengthening protections for sensitive data, intellectual property and AI systems, while also using AI to bolster threat detection, monitoring and response capabilities, Kashifuddin said.
Enterprises also need to coordinate efforts with technology partners and government entities to address the challenge, he noted. Geopolitical risk requires organizations to strengthen physical security in tandem with cybersecurity. Recent drone attacks have boosted funding for counter measures.
Anti-drone technology is moving beyond military use, said Daiva Rakauskaitė, managing partner at Aneli Capital, a venture capital fund management firm based in Vilnius, Lithuania. She said energy companies in Lithuania are buying anti-drone systems to protect their facilities.
"Russia's invasion of Ukraine has already accelerated investment in anti-drone technologies," said Rakauskaitė. "The Iran war, as well as drone incursions from Russia and Belarus along NATO's eastern flank, will no doubt accelerate investment in anti-drone technologies further."
Developing a geopolitical risk response plan
Resilience is the new watchword for enterprises revising data protection plans in unstable geopolitical environments. Conversations that once focused on security now include resilience in many organizations, Kesharwani said.
"The question isn't simply whether your data is protected," he said. "It's whether your business can continue operating, serving customers, and making decisions when the unexpected happens."
Kashifuddin said PwC advises clients to take a resilience-focused approach to data protection.
"That includes reviewing data residency requirements, strengthening third-party oversight, and improving visibility into critical data, AI assets, and technology dependencies across the organization," he said.
Turgal said organizations can combine technology dependencies with threat intelligence to identify threats to their digital operations. More mature enterprises are expanding their threat intelligence feeds to track regional conflicts, trade disputes and countries under sanctions, he added.
With the threat map in place, organizations should inventory every cloud, SaaS and telecom provider along with hardware and semiconductor dependencies, Turgal said. Planners can then overlay the geopolitical risk map with the technology dependency inventory to find potential trouble spots. Flagging these critical intersections helps teams with contingency planning, he said.
The analysis might lead an organization to host critical data in a second or third region if the primary site is in a particularly volatile area, Turgal said. Some clients are considering how to integrate geographic dependency plans into their incident response plans, he added.
State-sanctioned incidents, meanwhile, are expected to continue.
"You've got these highly geopolitically motivated organizations now trying to attack," Turgal said. "They understand the value of that data."
John Moore is a freelance writer who has covered business and technology topics for 40 years. He focuses on enterprise IT strategy, AI adoption, data management and partner ecosystems.
