If ransomware payments become illegal, how can your business prepare?


Earlier this year, the UK government opened a consultation on a set of proposals intended to protect businesses against ransomware threats.

The proposals would make it illegal for public sector organisations to make ransomware payments and increase reporting requirements for all victims.

The goal is to undermine the ransomware business model, making UK organisations less profitable targets for cybercriminals. At the same time, the reporting requirements are designed to improve the government's intelligence on evolving ransomware practices and to inform future interventions.

There is no guarantee that the proposals will become law, nor any certainty about how long implementation would take. Nonetheless, they are a clear signal that all businesses must strengthen their ransomware defences. Taking proactive steps to prevent attacks, and so avoiding the difficult decision of whether to pay a ransom, is in every business's interest regardless of any legislation. So how can businesses prepare and bolster their own resilience?

Understanding the scale of the ransomware problem

First, it is important to understand how pervasive the threat has become. Ransomware attacks reached an all-time high in 2024, and the average cost of a data breach (ransomware included) rose to $4.88 million, a 10% increase over 2023. Attacks are not only costing more each year but are also becoming more common: one frequently cited estimate puts the rate at one attack every 39 seconds. It is therefore unsurprising that the government is keen to make such attacks less lucrative for cybercriminals.

The tactics, techniques and technologies used by threat actors are also constantly evolving. For most businesses it is difficult to keep up with what to look out for and how attacks can be prevented, especially without a dedicated cybersecurity team. Businesses must therefore adopt an "always-on" approach to ransomware rather than treating it as a one-off project.

A fundamental shift is needed

The starting point is to change how businesses think about ransomware, and there are two elements to this. The first is to let go of the assumption that only specific sectors, or organisations above a certain size, are targeted. Public sector organisations are targeted frequently because of the sensitivity of the data they hold, but any organisation holding customer data, intellectual property or employee records is a similarly lucrative target.

Secondly, businesses must treat ransomware as a question of when, not if. This mindset emphasises proactivity and resilience, which helps to mitigate attacks or prevent them altogether. If you assume your business will suffer a ransomware attack, you are more likely to consider factors such as the recoverability of your data, how frequently backups are taken, and how quickly those backups could be restored so that the business can resume operations.

The result is a security-first culture within the organisation. That culture is also instrumental in tackling the root of most ransomware incidents: insider threats. This is not to say that employees are engaging in ransomware operations themselves, but that human error, rather than malicious intent, is behind most incidents.

That is why reducing the likelihood of employees accidentally clicking on a phishing email, or falling for a social engineering attack, is one of the most effective ways of preventing ransomware attacks. And ultimately, preventing ransomware attacks is the most effective way of complying with any future legislation that may outlaw these payments.

Turning theory into action

There are a number of practical things businesses can do to boost their cybersecurity. Creating and implementing a data management strategy is the foundation. The strategy must include a framework for regular data backups, ensuring that they are tested regularly and stored securely, ideally offline or in immutable storage that cannot be altered or deleted by a compromised account.

This ensures recoverability without resorting to ransom payments. It also requires organisations to understand where their critical data resides and who has access to it, and to implement strict access controls accordingly. The strategy should set out provisions to audit and update those controls regularly to reflect changes in personnel and data sensitivity. This proactive stance ensures that, should an attack occur, the ability to restore operations lies firmly within the business's control, negating the perceived necessity of engaging with cybercriminals.
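The following is an added example, written for this page and not NetApp's code, of what "tested, immutable backups" looks like as logic rather than policy. It models a write-once backup store with a retention lock, a hashed manifest taken at backup time, and a restore test that compares what comes back against that manifest. The store, file contents, timestamps and retention period are all constructed for the example; a real deployment would use the object-lock or snapshot-lock feature of the storage platform in use.

```python
"""Backup integrity and immutability checks (added example, not NetApp code).

Models three controls: a hashed manifest taken at backup time, a retention
lock that refuses deletion or overwrite until it expires, and a restore test
that compares restored files against the manifest. All data is constructed.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each backed-up path to the SHA-256 of its contents."""
    return {path: sha256_hex(data) for path, data in files.items()}


class RetentionLocked(Exception):
    """Raised when a write would violate an object's retention lock."""


@dataclass
class LockedObject:
    data: bytes
    retain_until: datetime


@dataclass
class ImmutableBackupStore:
    """Write-once store: objects cannot be changed or removed before retain_until."""
    objects: dict[str, LockedObject] = field(default_factory=dict)

    def put(self, key: str, data: bytes, now: datetime, retention: timedelta) -> None:
        existing = self.objects.get(key)
        if existing is not None and now < existing.retain_until:
            raise RetentionLocked(f"{key} is locked until {existing.retain_until.isoformat()}")
        self.objects[key] = LockedObject(data, now + retention)

    def delete(self, key: str, now: datetime) -> None:
        obj = self.objects[key]
        if now < obj.retain_until:
            raise RetentionLocked(f"{key} is locked until {obj.retain_until.isoformat()}")
        del self.objects[key]

    def restore(self) -> dict[str, bytes]:
        return {key: obj.data for key, obj in self.objects.items()}


def verify_restore(manifest: dict[str, str], restored: dict[str, bytes]) -> list[str]:
    """Return the paths whose restored contents are missing or differ from the manifest."""
    problems = []
    for path, expected in manifest.items():
        data = restored.get(path)
        if data is None or sha256_hex(data) != expected:
            problems.append(path)
    return sorted(problems)


def demo() -> tuple[list[str], bool]:
    """Back up constructed files, simulate an attacker, then run the restore test."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    files = {"finance/ledger.csv": b"id,amount\n1,100\n", "hr/staff.json": b'{"staff": []}'}
    manifest = build_manifest(files)

    store = ImmutableBackupStore()
    for path, data in files.items():
        store.put(path, data, now=t0, retention=timedelta(days=30))

    # An attacker holding stolen backup credentials tries to destroy the backups a day later.
    blocked = False
    try:
        store.delete("finance/ledger.csv", now=t0 + timedelta(days=1))
    except RetentionLocked:
        blocked = True
    try:
        store.put("hr/staff.json", b"ENCRYPTED", now=t0 + timedelta(days=1),
                  retention=timedelta(days=1))
    except RetentionLocked:
        pass

    # The scheduled restore test compares what comes back with the manifest.
    problems = verify_restore(manifest, store.restore())
    return problems, blocked


if __name__ == "__main__":
    print(demo())  # ([], True): restore matches the manifest, destructive actions refused
```

The point of the restore test is that it runs on a schedule, not only after an incident: a manifest mismatch found during a routine test is a warning that a backup is incomplete or has been tampered with, while the same finding during an emergency restore is the moment a business starts thinking about paying.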

The strategy can also address insider threats. Implementing multi-factor authentication across all critical systems adds an essential layer of defence against compromised credentials. Businesses should go further and introduce multi-admin verification for sensitive actions, requiring multiple authorised individuals to approve changes such as the deletion of sensitive files or backups. This removes a single point of failure and significantly reduces the risk posed by compromised accounts or malicious internal activity.
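As an added example of the multi-admin verification described above (written for this page, not NetApp's implementation of the feature), the following models a gate that holds a destructive request until a quorum of other administrators, each with an MFA-verified session, approve it within a time window. The admin names, the quorum of two, the four-hour window and the session model are all assumptions made for the example.

```python
"""Multi-admin verification for destructive actions (added example, not NetApp code).

A destructive request (here: deleting a backup snapshot) is not executed when it
is submitted. It is held until `required` other administrators, each with an
MFA-verified session, approve it within `window`. The requester cannot approve
their own request and no admin counts twice.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ApprovalError(Exception):
    """Raised when a request or approval is rejected by policy."""


@dataclass
class Session:
    admin: str
    mfa_verified: bool


@dataclass
class PendingRequest:
    action: str
    target: str
    requester: str
    created: datetime
    approvals: set[str] = field(default_factory=set)
    executed: bool = False


@dataclass
class MultiAdminGate:
    admins: frozenset[str]            # accounts allowed to request and approve
    required: int = 2                 # approvals needed, excluding the requester
    window: timedelta = timedelta(hours=4)
    requests: dict[int, PendingRequest] = field(default_factory=dict)
    executed_log: list[str] = field(default_factory=list)

    def request(self, action: str, target: str, session: Session, now: datetime) -> int:
        if session.admin not in self.admins or not session.mfa_verified:
            raise ApprovalError("requester must be an MFA-verified admin")
        rid = len(self.requests) + 1
        self.requests[rid] = PendingRequest(action, target, session.admin, now)
        return rid

    def approve(self, rid: int, session: Session, now: datetime) -> bool:
        """Record one approval; execute when the quorum is reached. Returns True if executed."""
        req = self.requests[rid]
        if req.executed:
            raise ApprovalError("request already executed")
        if now - req.created > self.window:
            raise ApprovalError("request expired; submit a new one")
        if session.admin not in self.admins or not session.mfa_verified:
            raise ApprovalError("approver must be an MFA-verified admin")
        if session.admin == req.requester:
            raise ApprovalError("requester cannot approve their own request")
        if session.admin in req.approvals:
            raise ApprovalError("each admin counts once")
        req.approvals.add(session.admin)
        if len(req.approvals) >= self.required:
            req.executed = True
            self.executed_log.append(f"{req.action}:{req.target}")
            return True
        return False


def demo() -> list[str]:
    """A single compromised admin account cannot delete the snapshot on its own."""
    t0 = datetime(2025, 1, 1, 9, tzinfo=timezone.utc)
    gate = MultiAdminGate(admins=frozenset({"alice", "bob", "carol"}))
    attacker = Session("alice", mfa_verified=True)   # stolen but fully authenticated session
    rid = gate.request("delete_snapshot", "backups/2025-01-01", attacker, t0)
    outcomes = []
    attempts = [
        (attacker, timedelta(minutes=1)),                     # self-approval
        (Session("bob", mfa_verified=False), timedelta(minutes=2)),  # no MFA
        (Session("bob", mfa_verified=True), timedelta(minutes=3)),   # first real approval
        (Session("bob", mfa_verified=True), timedelta(minutes=4)),   # same admin again
        (Session("carol", mfa_verified=True), timedelta(minutes=5)), # quorum reached
    ]
    for sess, delta in attempts:
        try:
            executed = gate.approve(rid, sess, t0 + delta)
            outcomes.append(f"{sess.admin}: approved, executed={executed}")
        except ApprovalError as exc:
            outcomes.append(f"{sess.admin}: rejected ({exc})")
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The useful property is in the last two checks of `approve`: an attacker who has taken over one admin account, even with its MFA session, can neither approve their own request nor stack approvals from the same account, so deleting backups requires compromising at least `required` independent people.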

Another tactic that should not be overlooked is investing in comprehensive and ongoing employee education and awareness programmes. These equip employees to spot and resist the common entry points for ransomware, such as phishing and social engineering, creating a human firewall that complements the technical safeguards.

Towards ransomware resilience

So, even with the UK government considering making ransomware payments illegal, the smart move for businesses is clear: bolster cyber defences, plan carefully for swift recovery, and foster a security-first culture. By taking these proactive steps now, organisations not only significantly reduce their risk of falling victim to these damaging attacks, but also ensure they are well placed to meet the demands of any future regulation designed to dismantle the ransomware business model.


About the Author

Chris McKean is Technical Solutions Specialist at NetApp.


