The UK Government is consulting on whether to ban public organisations from paying ransomware demands in an effort to strike a “significant blow” to cybercriminal operating models. This follows a global crackdown in 2023, where a coalition of 40 nations signed an agreement aimed at stopping digital extortion. However, the best way to respond to ransomware is to prevent being impacted in the first place, writes Jonathan Lee, UK Cybersecurity Director at the cyber firm Trend Micro.
The government’s goal is to make the UK and its critical national infrastructure less attractive to ransomware threat actors. While this is commendable, the reality is more complex. Years of under-investment in cybersecurity have created a significant technology debt, and while digital maturity has increased, cybersecurity capabilities have not kept pace. Rather than just banning ransom payments, the national priority should be to build resilience against cyber threats. Preventing ransomware attacks from succeeding is far more effective than debating whether to pay a ransom after a breach has occurred.
Real cost of ransomware
If cybercrime were a country, it would have the third-largest GDP in the world, rivalling the economies of the UK and Germany combined. Ransomware plays a significant role in this economy, making it no surprise that the UK is keen to act. However, the financial aspect is only part of the story. The human impact of ransomware attacks cannot be ignored. The Synnovis ransomware attack, which resulted in thousands of cancelled and delayed NHS blood tests, is a stark reminder that cyber incidents have real-world consequences, including clinical harm. Simply banning ransom payments will not eliminate this human impact. Instead, preventing breaches and ensuring a swift recovery through robust business continuity and resilience planning is critical.
Many organisations take a reactive approach to cybersecurity-waiting until an attack occurs before investing in defences. This is akin to installing an alarm system only after a burglary. Instead, we believe that companies should focus on resilience before an incident occurs, not as a knee-jerk reaction after a breach. However, despite the growing sophistication of cybercriminals, many organisations remain under-prepared. A lack of investment in cybersecurity, over-burdened IT teams, legacy systems, and third-party security risks make ransomware an ongoing problem. Threat actors, meanwhile, have evolved into highly organised, corporate-style entities.
Right strategy
Building ransomware resilience is possible even for organisations with limited cybersecurity resources. A top-down, whole-organisation approach is required, with cybersecurity governance introduced at the board level. A breach’s financial and operational repercussions make this a business-wide concern, not just an IT issue.
Preparation is key. Organisations should assume that a ransomware attack is inevitable and take proactive measures to reduce the risk of a successful breach. Many of these measures, such as regular patching, staff training, and incident response planning, require little investment but can make a significant difference. The National Cyber Security Centre (NCSC) provides useful guide-lines, including its ‘Exercise in a Box’ tool, which helps organisations identify security gaps. An effective ransomware resilience strategy should also include a robust internal and external communications plan in case of an incident. This will help maintain trust and transparency while ensuring lessons are learned to improve future resilience.
Ransomware inevitable, your downtime doesn’t have to be
If ransomware does strike, reducing downtime is crucial for maintaining customer and stakeholder confidence. However, cyber insurance alone will not resolve the problem. While a policy may cover remediation costs, it will not restore systems any faster. To build resilience, organisations must focus on prevention and recovery through a multi-layered security strategy. Key measures include:
• Robust Network Security: Implement strong security controls across firewalls, servers, endpoints, and mobile devices. Regular penetration testing and vulnerability assessments ensure defences remain effective.
• Proactive Threat Detection: Move beyond passive security measures by actively hunting for vulnerabilities before they are exploited.
• Vulnerability Management: Keep software up to date, secure all devices, and leverage Extended Detection and Response (XDR) solutions to enhance visibility.
• Incident Response Planning: Develop and test an incident response plan that outlines how to identify, contain, eradicate, and recover from ransomware attacks.
• Data Backup and Recovery: Maintain regular backups, including offline copies, and test restoration procedures to ensure rapid recovery.
• Multi-Factor Authentication (MFA): Enforce MFA to add an additional layer of protection against compromised credentials.
• Strong Password Policies: Encourage the use of complex passwords and reputable pass-word managers to reduce the risk of credential theft.
• Principle of Least Privilege: Limit user access rights to only what is necessary for their roles, reducing the potential impact of a compromised account.
Resilience, not reaction
Regardless of the outcome of the government consultation, now is the time for organisations to enhance their ransomware resilience. Ransomware thrives on vulnerabilities and weak security postures. Organisations must continuously identify weaknesses, prioritise risks, and implement proactive countermeasures to reduce their attack surface.
Ensuring business continuity and minimising downtime is paramount. Security Operations Centres (SOCs) and Network Operations Centres (NOCs) are familiar concepts, but organisations must now consider Resilience Operation Centres (ROCs). The ROC goes beyond traditional security and network monitoring by integrating strategic risk management, business continuity, and operational resilience. Cyber risk exposure management plays a crucial role in understanding security vulnerabilities, and dynamic, continuous risk management is essential in fortifying defences against threat actors.
Ransomware is not going away, but businesses can significantly reduce their risk through a proactive and resilient security approach. Whether or not a ransomware payment ban is enforced, the real focus should be on preventing attacks from succeeding in the first place. Organisations that take cybersecurity seriously, invest in resilience, and embed security into their culture will be the ones best positioned to withstand the evolving cyber threat landscape.
