
With the UK government mulling a ban on ransom payments, market observers are debating what such restrictions would mean for businesses and public services. Darren Thomson, field CTO EMEAI at Commvault, discusses the current ransomware landscape and argues that building true cyber resilience is the only way forward.
To set the scene, where do we stand with ransomware in 2025?
If you ask information and security chiefs what keeps them up at night, ransomware is consistently number one on the list. Attacks have been growing for more than a decade, both in frequency and sophistication. We’re now seeing attackers use automation and AI to launch more accurate and convincing campaigns. Phishing emails, for instance, are now generated with AI to look frighteningly authentic. Criminals are scaling up their operations, and defenders are struggling to keep up.
Are organisations paying ransoms more often?
It’s difficult to say, because few admit to paying. What’s clear is that many businesses don’t have a robust alternative. There’s now a widespread acceptance that breaches are inevitable. Executives understand that perimeter defences alone won’t save them.
The missing piece is recovery. If you look at the National Institute of Standards and Technology framework, most organisations pour resources into ‘protect’ and ‘detect’. Much less has gone into ‘respond’ and ‘recover’. That’s where resilience comes in. Cyber resilience is about not just defending but being able to bounce back when, not if, an attack succeeds.
The government argues that banning ransom payments will reduce criminals’ incentives. Do you agree?
In principle, yes – it makes sense to cut off their revenue stream. But the reality is more complex. Commvault research shows that while most organisations support a ban in theory, around 75% would probably pay anyway if their backs were against the wall. Why? Because they don’t have a cyber-recovery plan.
If you take away the option to pay without ensuring organisations can recover, you risk putting them out of business. That’s especially true in the public sector, where budgets are often stretched thin.
You mentioned many organisations confuse disaster recovery with cyber recovery. What’s the difference?
Disaster recovery was designed for physical catastrophes – fires, floods, terrorist attacks. It works by replicating data to a secondary site. But in a ransomware attack, what happens? The malware is simply replicated too.
Cyber recovery, by contrast, is about identifying clean data, isolating it and restoring critical operations safely. It’s a different discipline and requires different tools, processes and testing. Too many organisations only discover the gap after an attack.
So how can organisations realistically build resilience?
Start by defining your ‘minimal viable company’. In a worst-case scenario, what absolutely must function for your organisation to survive? For a bank, it might be core payment systems. For a retailer, supply chain and POS systems. Not everything needs to come back instantly – but those essentials do.
Then, invest in people, processes and technology that enable you to recover those critical functions quickly. Test the plan. Refine it. Recovery planning is not hypothetical; it has to be drilled.
Looking ahead, what’s the bigger message for the private sector?
Whether or not a ban comes into force, resilience is key. Regulators are already shifting in this direction. The EU’s Digital Operational Resilience Act, for example, focuses squarely on resilience, not just security.
We’re moving into a world where assuming you can prevent every breach is no longer realistic. The organisations that thrive will be the ones that can absorb an attack, contain the damage and bounce back. In that world, whether ransom payments are legal or not becomes almost irrelevant – because you don’t need to pay.
But away from the ransom-payment ban, the real priority for every board should be investing in tested, reliable cyber recovery. That’s how we shift the balance of power away from criminals and back to businesses.
For more information, visit commvault.com