Unpreparedness invites ransomware chaos, says Chris Gunner, Virtual Chief Information Security Officer, at the tech firm Thrive.
With the UK government preparing to ban ransomware payments, and a broader move across Europe possible, the security landscape is entering a pivotal phase. This policy shift signals a new era where ransomware is treated not just as a corporate issue but as a national security threat, forcing both public and private sectors to re-evaluate their cyber readiness.
It is a move that, in part, reflects the need to counter the cybercriminals’ ever-evolving methods of working. Over the past five years or so, ransomware has shifted from custom, installed software created by underground groups into software-as-a-service, whereby relatively unsophisticated criminal organisations can partner with ransomware providers to run attacks – frequently working on a commission basis.
As the attacks evolve, so do the tactics. Today’s attackers exfiltrate data and engage in public extortion. They threaten to release employee and client information, patents and other confidential assets, which erodes stakeholder trust. The resulting damage goes well beyond the IT department, impacting legal, financial and reputational standing. Yet, too many businesses still focus on containment rather than addressing root-cause prevention.
Failure to prepare
Recent high-profile incidents have highlighted how many organisations remain unprepared. One key problem is that backups are often incomplete or improperly stored. That is a significant issue: if data has been lost and the company has no backup of it, there is nothing to recover to.
Granted, lots of organisations now have cloud backups with Amazon, Google or Microsoft, but a separate backup of that cloud data with a specialist third party can provide added peace of mind. This can bring critical applications back online as soon as possible after a cyber incident. More broadly, administrative practices are frequently lacking. A single Active Directory domain for all locations and functions lets an intruder move freely. Backups kept inside that same domain can be found and destroyed.
Built-in protections on hardware and services remain off, including secure boot, disk encryption, application allow-listing, multi-factor authentication (MFA) for administrator actions, and logging with alerting. Updates and patches lag after new security flaws are disclosed, leaving known holes. Access stays too broad and too permanent, so one stolen credential opens far more than it should.
Coupled with this, many firms don’t conduct sufficient cybersecurity training. This needs to move to the top of the C-suite agenda because humans remain the weakest link in any cybersecurity plan. The good news is that more advanced programmes are starting to be orchestrated, which train staff to identify emerging threats such as deepfakes, phishing attacks and compromised credentials, and to prevent a potential event from escalating. Detection technologies are also in place to spot the real threats amongst the noise of the internet.
The problems continue when it comes to responding to an attack. Many organisations lack a rehearsed incident response plan, and clear roles and responsibilities around cybersecurity are often undefined. People don’t know who to call or who is in charge, leaving firms and their employees scrambling to make an effective and fast response when an attack is already under way.
A way forward
Against that backdrop, progress tends to come from clarity of responsibility and a balanced mix of people, process and technology. Organisations often find that naming an accountable security lead, whether in-house or as a vCISO, helps the C-suite align IT, legal, finance and communications. The value lies less in the title and more in the ability to set expectations, test assumptions and maintain good practices week by week.
Ensuring consistent adherence to the right processes and procedures is critically important here. Outcomes improve when default credentials are replaced promptly, patches are applied without delay, updates follow a routine cadence, and backups are both segregated and tested on a schedule. Keeping backups outside the primary directory domain, or in a separate cloud tenancy with independent credentials, reduces the chance of simultaneous compromise. Built-in protections such as secure boot, disk encryption, application allow-listing, MFA for privileged actions and logging with alerting tend to pay off most when they are enabled consistently and monitored with care.
With all these detailed processes and procedures in place, there is a clearer chain of command and fewer false positives to manage. As a result, security teams spend less time ‘chasing noise’ and more time addressing real risks. Just as important is the need to have a good understanding of inventory. Teams should maintain documentation that lists domains, cloud accounts, data stores, network segments and devices, and that maps critical dependencies.
The people dimension is key. Organisations should give relevant employees a shared view of all this equipment, while applying role-based access and relevant operating system control. But they also need to provide practical training to all staff on everything from deepfakes to phishing and credential theft. All these measures will help to build an environment that is resilient to ransomware, but organisations also need to be able to react in an effective way when the worst happens.
Responding to ransomware
When an attack occurs, ownership is clearer when a named executive, typically the CTO or equivalent, chairs the response with legal, communications and operations alongside. Early priorities usually include preserving evidence, containing further spread, validating backup integrity and restoring critical services in a controlled sequence.
Communication matters as much as containment in these situations. Employees, customers, suppliers and regulators respond best to timely, accurate updates that focus on continuity and practical next steps, with decisions on notifications and engagement with authorities taken alongside legal advice and in line with evolving policy.
Staying resilient
Ransomware is not going away. In fact, it continues to grow, with threat intelligence provider Flashpoint reporting that ransomware activity in the first half of 2025 rose 179% year-on-year, nearly tripling the volume seen in H1 2024. As we look to the future, ransomware will continue to test organisations. Best practice for businesses is to treat it as a board-level risk with clear ownership, disciplined system upkeep, current documentation and practical, regular training.
A proactive starting point for a business would be to conduct a cybersecurity assessment. This involves a thorough analysis of the infrastructure currently in place and identification of potential vulnerabilities that need to be addressed. From there, controls can be incorporated to manage risk, and a comprehensive incident response and remediation plan can be built out.
With a detailed plan in place, signals stay clear and recovery follows a known path. Employees and customers face less disruption, regulators receive timely updates, and the business returns to normal more quickly. Incidents stay smaller and services keep running, while the business itself can protect revenue and reputation, meet its obligations and move forward positively with renewed confidence.