More than eight out of 10 UK public sector organisations paid a ransom to cybercriminals in the past 12 months, according to new research.
The study by Semperis found that 83 percent of UK government and public sector organisations paid out to attackers – a far higher figure than the 69 percent of companies that did the same across the private sector.
The research coincides with the UK government proposing a ban on ransom payments by public sector organisations and operators of critical national infrastructure (CNI), including schools, NHS trusts, local authorities, and transport, energy, and telecoms providers. All other businesses, including the private sector not covered by the ban, would be required to notify the government of any intent to pay a ransom.
However, separate research from Commvault has revealed a sharp divide between principle and practice around the ban.
While 96 percent of surveyed UK business leaders from £100 million+ companies believe payments should be banned across both public and private sectors, 75 percent admit that if a ban were extended to the private sector, they would still pay a ransom if it were the only way to save their organisation – regardless of whether civil or criminal penalties applied.
Ninety-four percent of respondents support limiting ransom payments for public entities and 99 percent for private organisations. However, the survey found that in real-world situations within the private sector, if a ban were to take hold, only 10 percent said they would comply if they were attacked. A further 15 percent said they would be neither likely nor unlikely to comply. This suggests that while respondents think the ban is a good idea on paper and makes sense for government agencies, if their own company’s survival is at stake, all bets are off.
Of those who support a proposed payment ban, more than a third (34 percent) believe it would lead to increased government support and intervention to safeguard cyber resilience. Another third (33 percent) believe that it would decrease the prevalence of attacks by reducing the incentive for attackers.
“Paying a ransom rarely guarantees recovery and often increases the likelihood of being targeted again,” said Darren Thomson, field CTO EMEAI, Commvault. “A well-enforced ban could help take the profit out of ransomware, but it must be matched by greater investment in prevention, detection, and recovery-testing. Without that, more organisations could find themselves exposed at the worst possible moment, with no viable path to recovery.”
Ransomware ban – a disaster in practice?
However, not everyone thinks the ban is viable in practice. Some IT service providers believe it would be more effective to mandate stricter security measures.
Forrester’s principal analyst Allie Mellen also doesn’t think banning ransomware payments is a good strategy.
“While banning organisations from providing ransomware payouts sounds good in theory, it is a disaster in practice,” she said.
“If an organisation is paying a ransom, it is because they have no other option, not because they want to. While it’s unfortunate that ransomware payouts happen, the better effort should be spent on supporting organisations in protecting against these kinds of attacks. We absolutely recommend discouraging paying the ransom, but to ban it outright is unrealistic and detrimental to the organisations they look to protect.”