Last year, the UK government said it wanted to take a more proactive stance in the fight against ransomware by introducing a targeted ban on ransomware payments.
Under the proposed measures, all government-funded agencies and critical national infrastructure (CNI) providers, including the NHS, schools and local authorities, would be banned from paying ransoms.
At the same time, the government plans to introduce a mandatory ransomware pre-notification system, which will introduce new reporting obligations for private companies. As long as companies remain legally solvent, they must notify the government of their intention to pay.
The government’s proposal to ban ransomware payments aims to “strike at the heart of the cybercrime business model” and make UK public services a less attractive target for cybercriminals by removing all financial incentives.
However, there is growing concern that the ban and the new reporting system could have unintended consequences for private sector companies.
The conundrum of compliance
As public entities become less attractive targets, there are concerns that attackers may shift their efforts to private sector companies. If this happens, SMEs, retailers, manufacturers and non-profit organizations will find themselves in the cybercriminals’ crosshairs.
At the same time, the advance payment notification system has significant implications for private sector companies, which will need to contact the authorities and notify them of their intention to pay the ransom.
Businesses affected by ransomware face a real dilemma if the government decides to exercise its blocking powers and penalise payments made regardless.
While no company wants to pay a ransom, many may feel they have no choice but to pay and risk criminal charges if the company’s survival is at stake. There is also the risk of covert ransomware payments, with companies choosing to pay quietly rather than risk bankruptcy.
Our latest research highlights the dilemma that private companies currently face. While 94% of UK business leaders say they support a ban on public sector payments in principle, they are more ambivalent about enforcing it.
A significant 75% admitted that if the ban were extended to the private sector, they would still pay a ransom if it was the only way to save their organization, regardless of whether civil or criminal penalties were imposed. Only 10% can say with certainty that they would comply in the event of an attack.
The implications of these findings cast doubt on the likelihood of full compliance with the government’s proposed reporting system. If companies were required to obtain prior government approval for ransomware payments, they could choose to quietly pay the attackers and resolve the incident without notifying regulators.
Given the increasing likelihood of an attack and the fact that payment decisions for ransomware attacks pose a variety of ethical, legal and practical challenges for organizations, private sector companies should take steps to strengthen their cyber resilience and reduce their reliance on paying ransom in the event of an attack.
Take a business-oriented approach: implement the Minimum Viable Company model
The Minimum Viable Company (MVC) concept offers companies a pragmatic, business-oriented approach to maintaining critical services during a cyber attack.
For many organizations, the ability to continue operating at a reduced level is essential to minimize disruption until full recovery is possible.
The primary goal of the MVC approach is to recover critical services first, so that core operations continue and downtime is reduced. By focusing initially only on the services required to maintain core functionality, businesses gain the time needed for full recovery.
To create an effective MVC framework, companies must:
1. Identify critical applications and services that must remain secure and functional. These typically include authentication and identity management, communication platforms such as messaging and collaboration tools, financial and customer-facing applications, and basic operational workflows.
2. Invest in advanced data protection mechanisms, such as isolated, immutable backups that cannot be altered or deleted by malicious actors. This ensures that the company’s most valuable information remains intact and can be recovered.
In this case, it is critical to perform regular recovery point validation to confirm that your organization can truly ensure that clean data is available for recovery.
3. Clearly define the roles and responsibilities of key stakeholders so that the organization can achieve its recovery goals. Regularly conducting scenario-based recovery exercises ensures that everyone is prepared for a faster and more effective recovery to a minimum viable condition.
The goal is to test the organization’s preparedness and ability to recover from an attack and continuously improve its processes and operations.
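One way to put step 2’s recovery point validation into practice, as an added Python example that is not from the article (all service and object names are hypothetical): each critical MVC service is mapped to the backup objects it needs, and a manifest of SHA-256 hashes held on immutable storage is used to check that those objects are present and unaltered before a restore is attempted.

```python
import hashlib

# Constructed example (not from the article). A backup set is object-name -> bytes;
# the manifest (object-name -> SHA-256) is written once, at backup time, to immutable
# storage, so an intruder who alters or deletes backup objects cannot rewrite it too.
# Hypothetical service/object names: what each critical MVC service needs to restore.
MVC_SERVICES: dict[str, list[str]] = {
    "identity": ["identity/directory.bak", "identity/mfa-config.json"],
    "comms": ["comms/mail-store.bak"],
    "finance": ["finance/ledger.db"],
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(objects: dict[str, bytes]) -> dict[str, str]:
    """Run at backup time; the result is the trusted reference for later checks."""
    return {name: sha256_hex(data) for name, data in objects.items()}

def validate_recovery_point(manifest, objects, services=MVC_SERVICES) -> dict[str, list[str]]:
    """Per critical service, list what blocks a restore (empty list = restorable)."""
    findings = {}
    for service, needed in services.items():
        problems = []
        for name in needed:
            if name not in manifest:
                problems.append(f"{name}: not covered by the recovery point")
            elif name not in objects:
                problems.append(f"{name}: listed in manifest but object missing")
            elif sha256_hex(objects[name]) != manifest[name]:
                problems.append(f"{name}: hash mismatch (altered after backup)")
        findings[service] = problems
    return findings

def restorable_services(findings: dict[str, list[str]]) -> list[str]:
    return sorted(s for s, p in findings.items() if not p)

# Constructed sample backup and the manifest captured when it was taken.
GOOD_BACKUP = {
    "identity/directory.bak": b"dn: cn=admin,dc=example,dc=org",
    "identity/mfa-config.json": b'{"mfa": "required"}',
    "comms/mail-store.bak": b"mailbox data",
    "finance/ledger.db": b"ledger rows",
}
TRUSTED_MANIFEST = build_manifest(GOOD_BACKUP)
TAMPERED_BACKUP = dict(GOOD_BACKUP)  # damage to the backup copy only; manifest intact
TAMPERED_BACKUP["finance/ledger.db"] = b"\x00encrypted-by-intruder"
del TAMPERED_BACKUP["comms/mail-store.bak"]

if __name__ == "__main__":
    for label, backup in (("clean", GOOD_BACKUP), ("tampered", TAMPERED_BACKUP)):
        f = validate_recovery_point(TRUSTED_MANIFEST, backup)
        print(f"{label}: restorable={restorable_services(f)} problems={f}")
```

Run against the clean set every service is restorable; against the tampered set only “identity” is, and the findings name exactly which objects block the others.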
Build a sustainable organization
Once the government has formalized the proposed payment ban and the new mandatory reporting requirements, UK businesses will need to prepare for the next step.
Until then, public and private sector organizations must have a clear and actionable plan for recovering critical systems, data and processes after an attack, especially since paying a ransom rarely guarantees recovery and can often increase the likelihood of another attack.
By integrating Minimum Viable Company principles into resilience planning and recovery strategies, organizations can minimize the risk of complete operational failure in the event of an attack.