In an exclusive interview with The Cyber Express, Dr. Amit Chaubey, Managing Director and Board Chair of Chakra-X, provides new insight into what he calls the “2026 Business Blast Radius”, a rapidly expanding risk landscape where cyber incidents spill far beyond IT and into national, economic, and societal consequences.
Based in Sydney, Australia, Dr. Chaubey is one of the region’s most respected cybersecurity leaders. He is a co-founder of Chakra-X, an organization focused on cyber resilience, sovereign capability, and the protection of critical infrastructure. His work centers on cyber risk, compliance, and governance, with a strong emphasis on national security and digital resilience.
Over the course of his career, Dr. Chaubey has held influential leadership roles across government and industry. These include Chair of the AISA NSW branch, National Cybersecurity Advisor for the Australia India Business Council (AIBC), and Cyber Ambassador for Investment NSW.
The Expanding Blast Radius in 2026
According to Dr. Amit Chaubey, the most dangerous cyber events facing large organizations in 2026 will not necessarily originate inside corporate networks. Instead, the greatest risk comes from outside dependencies failing simultaneously, such as power, connectivity, cloud platforms, identity systems, and core suppliers, forcing organizations to operate with reduced visibility, coordination, and control.
This is the new “business blast radius”: a disruption that may begin as a cyber incident or geopolitical shock but rapidly becomes a continuity, safety, legal, and trust crisis. Dr. Chaubey describes it as a sovereign resilience challenge, one that can escalate into national consequences across critical infrastructure and essential services. Crucially, this blast radius is expanding faster than most boards and executives realize.
When “the lights go out,” whether due to a cyberattack, cascading technology failure, or deliberate containment action, organizations don’t just lose IT systems. They lose coordination itself: approvals, communications, trusted records, customer service, logistics, payroll, and the ability to make confident decisions.

Threat Activity Accelerating in 2025
This expanding risk is reinforced by threat intelligence. According to Cyble’s Global Cybersecurity Report 2025, new data highlights a sharp escalation in cyber activity across sectors and regions:
- Ransomware attacks increased by 50% year over year, with telecom, government, and financial services among the hardest hit.
- Over 6,000 data breaches were observed, with government (16.5%) and BFSI (10.5%) sectors the most frequently targeted.
- Dark web activity surged nearly 30%, including sales of stolen data, initial access, and discussions of zero-day exploits.
- Top targets remain government, banking and finance (BFSI), and IT/technology organisations due to the value and leverage of their data.
- Most impacted geographies include the United States, India, Indonesia, Brazil, and the United Kingdom.
Threat actors are expanding their use of social engineering, zero-day vulnerabilities, and underground forums for extortion. Ransomware groups such as Qilin, Akira, and Play continue to dominate, while access brokers and infostealer operators fuel a growing underground economy designed for both financial gain and strategic advantage.
Dr. Amit Chaubey Speaks with The Cyber Express
TCE: How should enterprises and boards rethink the ‘blast radius’ of a cyberattack in 2026, considering operational, reputational, and regulatory impacts, and how do common misconceptions about cyber resilience expand that risk?
Given today’s geopolitical volatility, the rapid adoption of AI, and an expanding external attack surface driven by heavy reliance on third parties, managing security and resilience is becoming increasingly complex. Organizations and leadership teams need to recognize that these factors make cyber risk a shared problem – one that can’t be managed internally alone. To reduce exposure and strengthen resilience, they must work in close partnership with both internal stakeholders and external providers, aligning controls, responsibilities, and response plans across the broader ecosystem.
TCE: In the first critical hour of a cyberattack that shuts down core systems, what do executives most often underestimate about keeping the business running?
In the first critical hour of a cyberattack, executives often underestimate how quickly the organization loses operational certainty – and how hard it becomes to keep the business moving when the digital foundations disappear. Core systems don’t fail neatly; they fail in unexpected, interdependent ways. Teams can’t immediately tell whether they’re dealing with a simple outage, an active compromise, or deliberate containment shutdowns, so decision-making slows while pressure rises.
In that vacuum, people default to improvisation – switching to personal devices, using unofficial channels, bypassing controls, or actioning requests without verification. This is the moment when consequence management becomes essential. While technical teams work to understand what has failed, executives must immediately stabilize the organization – protecting people, operations, safety, regulatory obligations, and public trust before the technical diagnosis is complete. In modern incidents, the first hour is not just about containment; it’s about preventing cascading consequences.
That’s where business impact multiplies, not because teams are incompetent, but because the organization hasn’t rehearsed how to operate safely and compliantly without the digital scaffolding that it normally depends on.
TCE: If digital systems are unavailable for days, which non-technical capabilities, people, processes, and decision-making structures truly determine whether a business survives?
If systems are down for days, survival depends less on cyber tools and more on strong leadership and command structure. It begins with a clear crisis operating model: one accountable incident leader supported by empowered deputies across critical functions.
A disciplined decision cadence keeps everyone aligned, reduces confusion, and prevents competing priorities. The business must also be ready to run in degraded mode, with minimum viable operations clearly defined and rehearsed manual or offline workarounds available – rather than relying on ad hoc fixes.
The next determinant is people’s readiness and role clarity; in prolonged disruption, fatigue, uncertainty, and fear become operational risks that must be actively managed through shifts, support, and clear escalation paths. Finally, trust is sustained through communication discipline – consistent, verified updates internally and externally – so the organization maintains credibility while it stabilizes, recovers, and meets its obligations.
TCE: Beyond ransomware, which newer cyber threats do you see as the most dangerous for 2026, and why are most organizations unprepared for them?
While ransomware remains a key threat, the other cyber threats in 2026 are those that don’t need to encrypt anything to cause maximum business impact. AI-enabled identity attacks are accelerating – phishing, vishing, and executive impersonation are becoming more convincing and scalable, while infostealers and token theft let attackers walk in using legitimate sessions rather than “breaking” in.
By 2026, this evolves further into Agentic AI – autonomous systems capable of navigating identity and cloud control planes at machine speed, compressing the time between compromise and consequence. At the same time, rapid exploitation of internet-facing edge systems is shrinking the window between vulnerability discovery and compromise, and cloud/SaaS control-plane attacks can create enterprise-wide blast radius by disabling logging, creating new identities, or changing critical configurations.
Add to this a rise in disruptive campaigns – wipers, sabotage, and denial-of-service used for pressure rather than profit – and the real pattern emerges that attackers are targeting high-leverage layers like identity, access, and shared services. Most organizations are unprepared because they still plan for technical recovery, not sustained “degraded mode” operations; they lack continuous visibility into identity and cloud admin behavior, and third-party concentration risk means a single provider compromise or outage can cascade straight into their own business.
TCE: How should executives approach personal accountability and regulatory obligations when a cyber event disrupts operations or public services?
Executives should treat a disruptive cyber event as a personal governance obligation, not something to hand off to IT. Leaders must still make timely risk decisions and ensure everything is documented – timelines, approvals, and rationale – from the first hour for audit and review.
At the same time, they need to identify which regulatory regimes apply and meet notification obligations early where required, updating as facts are confirmed. Success depends on tight alignment across security, legal, risk, comms, and operations to keep actions and messaging accurate and consistent, while enforcing verification controls to prevent secondary fraud, unsafe workarounds, and further compliance exposure.
TCE: In your experience, what’s the most surprising source of operational failure during a major cyberattack, something leaders never see coming until it hits?
A surprisingly common operational failure is that many organizations don’t plan the restoration sequence – they simply assume that “backups exist” and everything will come back quickly. In reality, recovery is a dependency puzzle, not a restore button: you need to know which foundations come first (identity/AD, DNS, certificates, networking, core storage, virtualization, endpoint management), then which platforms (databases, middleware, messaging), and only then the business applications that sit on top. If that order isn’t mapped and tested, teams burn precious hours restoring systems that can’t function because their upstream services aren’t online yet, or because integrations and service accounts can’t authenticate.
Without current architecture diagrams, CMDB accuracy, and integration maps, leaders often discover mid-crisis that “critical” systems rely on hidden components – SaaS connectors, API gateways, license servers, time synchronization, hinting services, or a single shared database instance. Recovery then stalls while teams scramble to identify missing dependencies, rebuild configurations, or recreate secrets and certificates. Even worse, cyber containment can deliberately break the very pathways you need to restore – segmentation blocks, disabled admin accounts, frozen IAM policies, or quarantined management networks – so recovery requires not just restoring data but re-establishing clean administrative control.
The real twist is that even when backups are available, recovery can still fail if the backup environment isn’t usable. Access keys may be locked out, encryption keys may be unavailable, backup consoles may sit behind the same identity system that’s down, or the backup storage may be reachable only through networks you’ve isolated. In some cases, the backup platform itself is impacted – corrupted catalogues, compromised backup credentials, or insufficient compute to rehydrate at scale. That’s when leaders learn the hard lesson: “we have backups” doesn’t equal “we can restore,” and outages stretch far longer than expected unless restoration sequencing, access pathways, and recovery infrastructure have been designed, documented, and exercised in advance.
Lastly, if you’re serious about managing cyber risk, you need a disciplined approach to “controls hygiene.” My parting message is to focus on three fundamentals: people, identity/authentication, and vulnerability management. Most attacks start with people – through deception that steals credentials – then use those identities to authenticate as if they’re legitimate, and finally exploit exposed or unpatched vulnerabilities to get into your “HOUSE” and move around undetected.
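
The restoration sequencing described in the answer above (foundations, then platforms, then business applications) can be checked mechanically before an incident. The following is an added example, not part of the interview or any Chakra-X material: component names follow those mentioned in the answer, while the dependency edges and the `payroll-app` entry are constructed assumptions. It groups components into restore waves and reports dependencies that were never inventoried.

```python
# Constructed dependency map: component -> services that must be up first.
# The edges are illustrative assumptions, not taken from the interview.
DEPENDS_ON = {
    "networking": [],
    "core-storage": ["networking"],
    "time-sync": ["networking"],
    "dns": ["networking"],
    "certificates": ["dns", "time-sync"],
    "identity-ad": ["dns", "time-sync", "core-storage"],
    "virtualization": ["core-storage", "identity-ad"],
    "database": ["virtualization", "identity-ad", "certificates"],
    "messaging": ["virtualization", "identity-ad"],
    "payroll-app": ["database", "messaging", "license-server"],
}


def plan_restore(depends_on):
    """Return (waves, unmapped, blocked).

    waves    - lists of components that can be restored in parallel, in order
    unmapped - dependencies referenced but never inventoried (hidden components)
    blocked  - components that cannot be scheduled (unmapped or circular deps)
    """
    known = set(depends_on)
    unmapped = sorted({d for deps in depends_on.values() for d in deps} - known)
    restored, waves = set(), []
    remaining = dict(depends_on)
    while remaining:
        # A component is ready once every dependency is already restored.
        ready = sorted(c for c, deps in remaining.items()
                       if all(d in restored for d in deps))
        if not ready:
            break  # everything left waits on an unmapped or circular dependency
        waves.append(ready)
        restored.update(ready)
        for c in ready:
            del remaining[c]
    return waves, unmapped, sorted(remaining)


if __name__ == "__main__":
    waves, unmapped, blocked = plan_restore(DEPENDS_ON)
    for i, wave in enumerate(waves, 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("unmapped dependencies:", unmapped)
    print("blocked:", blocked)
```

With the sample map, `payroll-app` is reported as blocked because `license-server` was never inventoried, which is the hidden-component failure the answer describes.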
