Over the past few years, the UK has seen a clear rise in both the frequency and impact of cyber extortion attempts. As the Government moves towards tighter rules on ransom payments, boards and IT leaders need to ask themselves a difficult question: could we recover if paying a ransom was no longer an option? It is important to remember that these are criminals, and there is no guarantee that you will get your data back or that it will not be shared on public forums. That is before you even consider the often significant financial and reputational costs involved.
The policy shift that changes everything
The UK Government’s proposal to limit ransom payments, particularly across the public sector, is set to change the way incidents are handled throughout supply chains. Organisations that may have relied on the ability to “buy back” their data could soon face a difficult reality. To stay resilient, they must be able to continue operating, communicating and restoring services without entering into negotiation.
For boards and IT leaders, this means resilience can no longer depend on the option to pay. Recovery needs to be built into the organisation’s everyday operations, underpinned by tested technical and executive procedures.
Why traditional plans fail
When incident response plans sit untouched until they are suddenly needed, they tend to fail at the first real test. If they have never been rehearsed, the situation quickly becomes unfamiliar territory: communication breaks down, responsibilities blur, and team members are left scrambling.
True readiness is not about having a policy on paper; it is about having a tested process that holds up under pressure.
Three critical steps to take now
1. Rehearse your incident playbook.
Run a Cyber Incident Exercise that simulates a live attack. This will expose blind spots and build confidence across both technical teams and leadership.
2. Clarify decision ownership.
Define who is responsible for authorising containment, recovery, and external communications, and record that decision before an incident rather than during one. Establish out-of-band communication routes (for example a pre-agreed phone bridge or a messaging service that does not depend on your corporate identity provider) in case your email or collaboration tools are compromised.
3. Secure what matters most.
Review privileged accounts, backup processes and administrative access. Work on the assumption that at least one of these areas will be targeted during an incident. Apply the principle of least privilege – only those who genuinely need elevated access for their role should have it, and these permissions should be removed as soon as they are no longer required.
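The following is an added illustration of the third step, not code from Prism Infosec or from this article. It shows two checks a practitioner would run during such a review: a least-privilege audit that compares privileged group membership against a role entitlement map and flags access that is not required for the role, has never been used, or has gone stale; and a backup restore verification that compares restored files against a recorded SHA-256 manifest. The role map, the membership export and the backup contents are all constructed sample data, and the 90-day staleness threshold is an assumed policy value.

```python
"""Added example (not the article's own code): a least-privilege review over a
constructed privileged-group export, plus a hash-based restore check against a
constructed backup manifest. All data below is made up for illustration."""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical role-to-entitlement map: the privileged groups each role
# legitimately needs. Anything outside this set is excess privilege.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "domain-admin": {"Domain Admins", "Backup Operators"},
    "backup-engineer": {"Backup Operators"},
    "helpdesk": set(),
}

# Constructed export of privileged group members (shape assumed; a real
# export would come from your directory or IAM tooling).
MEMBERS = [
    {"account": "alice", "role": "domain-admin", "group": "Domain Admins",
     "last_used": "2025-01-10T09:00:00Z"},
    {"account": "bob", "role": "helpdesk", "group": "Domain Admins",
     "last_used": "2024-06-01T12:00:00Z"},
    {"account": "carol", "role": "backup-engineer", "group": "Backup Operators",
     "last_used": "2024-03-15T08:30:00Z"},
    {"account": "svc-legacy", "role": "domain-admin", "group": "Domain Admins",
     "last_used": None},
]

REVIEW_DATE = datetime(2025, 1, 15, tzinfo=timezone.utc)


def review_privileged_access(members, now, stale_after_days=90):
    """Return (account, group, reason) for every membership that violates
    least privilege: not entitled by role, never used, or unused for longer
    than stale_after_days (assumed policy threshold)."""
    findings = []
    for m in members:
        allowed = ROLE_ENTITLEMENTS.get(m["role"], set())
        if m["group"] not in allowed:
            findings.append((m["account"], m["group"], "not required for role"))
            continue
        if m["last_used"] is None:
            findings.append((m["account"], m["group"], "never used"))
            continue
        last = datetime.fromisoformat(m["last_used"].replace("Z", "+00:00"))
        if now - last > timedelta(days=stale_after_days):
            findings.append((m["account"], m["group"], "stale"))
    return findings


# Constructed backup set: path -> bytes, with a manifest recorded at backup time.
ORIGINAL_FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');\n",
    "config/app.yaml": b"db_host: db.internal\nlog_level: info\n",
}
# Constructed restore where one file came back altered.
RESTORED_FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');\n",
    "config/app.yaml": b"db_host: db.internal\nlog_level: debug\n",
}


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record SHA-256 of every file; store this separately from the backup."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_restore(manifest: dict[str, str], restored: dict[str, bytes]):
    """Return (path, problem) for files missing from the restore or whose
    content no longer matches the manifest. An empty list means the restore
    test passed."""
    problems = []
    for path, digest in manifest.items():
        data = restored.get(path)
        if data is None:
            problems.append((path, "missing"))
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append((path, "hash mismatch"))
    return problems


if __name__ == "__main__":
    for account, group, reason in review_privileged_access(MEMBERS, REVIEW_DATE):
        print(f"REMOVE {account} from {group}: {reason}")
    manifest = build_manifest(ORIGINAL_FILES)
    for path, problem in verify_restore(manifest, RESTORED_FILES):
        print(f"RESTORE FAILED {path}: {problem}")
```

On the constructed data the review flags bob (a helpdesk role holding Domain Admins), carol (backup access unused for more than 90 days) and svc-legacy (elevated access never exercised), while alice's recent, role-appropriate membership passes. The restore check reports config/app.yaml because its content differs from what was recorded at backup time. The point of keeping the manifest apart from the backup itself is that an attacker who can tamper with the backup should not be able to silently update the record you verify against.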
The new benchmark for 2025
Within the next 12 months, insurers, regulators and procurement frameworks are likely to expect evidence that organisations can recover without paying attackers. Proving that capability will separate those who are resilient and forward thinking from those who are simply reactive.
Cyber Incident Exercise
Book a Cyber Incident Exercise with Prism Infosec today. Our experienced technical team can simulate a realistic ransomware breach, assess your response capability, and give you a clear improvement plan tracked within Luxis AI.