A ransomware payment ban will focus minds, but will it fix the problem?
The UK Government has recently stated it intends to advance a proposal that would prohibit ransomware payments by public sector organisations and operators of critical national infrastructure (CNI). This would apply to a host of organisations including schools, NHS trusts, local authorities, and providers across the transport, energy, and telecommunications sectors.
Designed to “crack down on cyber criminals and safeguard the public”, the ban would “target the business model that fuels cyber criminals’ activities and makes the vital services the public rely on a less attractive target for ransomware groups.”
Under the proposed measures, other organisations not covered by the ban, including many thousands in the private sector, would be required to notify the government of any intention to make a payment, a move which would also equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities.
The payment dilemma
A ban has long been advocated by voices across the cybersecurity industry and beyond, and if all goes according to plan, the UK will be one of the first countries to introduce one.
Viewpoints within the private sector in the UK underline the challenges involved and make clear the concerns around ‘unintended consequences’ of the ban, including the conundrum of practicality vs reality. Recent industry research among 1,000 UK business leaders from companies with annual revenues exceeding £100 million found that 94% support the ban in the public sector and 99% believe it should also apply to private organisations.
The problem, however, is that there is a significant gap between support for the principle of a ransomware ban and the likelihood of complying with it in practice. If a private sector ban were in place and an attack left payment as the only means of ensuring business survival, 75% of respondents said they would still pay, even if both civil and criminal penalties applied. Only 10% confirmed they would actually comply with the ban under such circumstances.
The risks on both sides of the argument are significant. If implemented effectively, a ransomware payment ban could indeed reduce the financial incentive for attackers, as intended. But for those organisations without a solid cyber recovery plan or the time and resources to recover from an attack, banning payments brings the potential for existential risk.
Clearly, something needs to change. The recent and devastating experience of KNP, a 158-year-old UK logistics company that employed nearly 700 people, shows just how quickly ransomware can move beyond operational disruption to complete business closure when recovery is not possible. In this instance the ransom demanded, estimated by some to be in the millions, was a sum that KNP simply could not afford, and the company did not survive.
The Minimum Viable Company model
Irrespective of where each organisation stands on the value and practicalities of a payment ban, what is absolutely clear is the near inescapable requirement to improve protection and recovery capabilities.
One approach gaining wider recognition is the Minimum Viable Company (MVC) concept, a strategy focused on protecting the systems, assets, processes, and people needed to maintain essential services during a cyberattack. If an attack occurs, the objective is to recover core operations as an absolute priority so that the business can operate in a fundamental way until full recovery is achieved, minimising disruption and protecting long-term viability.
An effective MVC strategy should be based on identifying the applications and services that must remain secure and operational at all times. This often includes authentication and identity management, communication platforms such as email and collaboration tools, financial and customer-facing systems, and core operational workflows. Data integrity and availability are clearly important here, with immutable, air-gapped backups and regular recovery point validation playing a vital role in the availability of clean data for restoration.
Resilience also depends on people as much as technology. Clearly defining roles and responsibilities, embedding cybersecurity awareness training into continuous improvement processes, and running regular scenario-based recovery drills all contribute to faster and more effective restoration to a minimum viable state.
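As an added illustration (not code from the article or any vendor), the following script shows what the "regular recovery point validation" described above can look like for MVC-tier services: each service carries a recovery point objective (RPO), and a recovery point only counts if its recorded checksum still matches, it is immutable, it is air-gapped, and it is recent enough. The service names, RPOs and snapshots are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class MvcService:
    name: str
    rpo: timedelta  # maximum tolerable data loss for this service

@dataclass(frozen=True)
class RecoveryPoint:
    service: str
    taken_at: datetime
    immutable: bool       # write-once / object-locked copy
    air_gapped: bool      # held on isolated, offline media
    payload: bytes        # stand-in for the backup contents
    recorded_sha256: str  # digest recorded when the backup was written

def point_problems(rp: RecoveryPoint) -> list:
    """Why a recovery point is unusable; an empty list means it verified clean."""
    problems = []
    if hashlib.sha256(rp.payload).hexdigest() != rp.recorded_sha256:
        problems.append("checksum mismatch")  # corrupt or tampered copy
    if not rp.immutable:
        problems.append("mutable copy")       # an intruder could encrypt or delete it
    if not rp.air_gapped:
        problems.append("not air-gapped")
    return problems

def mvc_readiness(services, points, now) -> dict:
    """Per service: [] if a clean point exists within its RPO, else the reasons why not."""
    report = {}
    for svc in services:
        in_rpo = [p for p in points if p.service == svc.name and now - p.taken_at <= svc.rpo]
        if not in_rpo:
            report[svc.name] = ["no recovery point within RPO"]
        elif any(not point_problems(p) for p in in_rpo):
            report[svc.name] = []
        else:  # report the faults of the newest candidate
            report[svc.name] = point_problems(max(in_rpo, key=lambda p: p.taken_at))
    return report

# Constructed sample data: three MVC-tier services and their latest recovery points.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # assumed "current time"
SERVICES = [MvcService("identity", timedelta(hours=1)), MvcService("email", timedelta(hours=4)),
            MvcService("finance", timedelta(hours=24))]
def _rp(service, hours_ago, immutable, air_gapped, payload, tampered=False):
    data = payload + b"!" if tampered else payload  # a tampered copy no longer matches its digest
    return RecoveryPoint(service, NOW - timedelta(hours=hours_ago), immutable, air_gapped,
                         data, hashlib.sha256(payload).hexdigest())
POINTS = [_rp("identity", 0.5, True, True, b"idp-snapshot"),
          _rp("email", 3, False, True, b"mail-snapshot"),      # inside RPO but mutable
          _rp("email", 6, True, True, b"mail-snapshot-old"),   # clean but outside RPO
          _rp("finance", 20, True, True, b"ledger", tampered=True)]
```

Running `mvc_readiness(SERVICES, POINTS, NOW)` reports identity as ready, email as blocked by a mutable copy, and finance as blocked by a checksum mismatch, which is the kind of finding a recovery drill should surface before an incident rather than during one.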
If and when a ransomware payment ban arrives, businesses in the UK will face a more complex legal and business debate. But by embedding MVC principles into their resilience planning, they can significantly reduce the likelihood of catastrophic outcomes if (or more likely, when) an attack occurs. MVC is also an important approach to consider as organisations look to support ongoing compliance requirements.
In practice, a well-defined MVC strategy can help organisations remain in a state of continuous business, where core services can be recovered quickly and safely, brand reputations can be upheld, and a focus on delivering exceptional customer-focused outcomes can be maintained.