- Most UK business leaders admit they would break the law to keep their company alive after ransomware attacks
- Publicly supporting ransomware bans means little when private survival instincts take over during a breach
- Anti-ransomware policies face collapse as firms quietly admit they’ll still negotiate with attackers
UK business leaders appear united in principle behind the government's proposed extension of the ransomware payment ban to the private sector, but new survey data reveals a stark gap between public support and what they say they would actually do during an attack.
The Cyber Security Breaches Survey 2025 from Commvault found that while nearly all respondents backed a ban, three out of four admitted they would ignore it if paying a ransom were the only way to save their company.
This contradiction reveals the tension between policy ideals and the realities of surviving a cyberattack.
Principles clash with survival instincts in crisis scenarios
The report found that more than four in ten (43%) UK businesses experienced some form of cyber breach in the past year, with the risk cutting across company size and sector.
As a result, cybersecurity readiness is now seen as a critical business function, with 98% of respondents planning to prioritise it in their spending.
There is growing recognition that reactive payments do little to guarantee recovery, especially when attackers may not restore data even after receiving funds.
“Paying a ransom rarely guarantees recovery and often increases the likelihood of being targeted again,” said Darren Thomson, Field CTO EMEAI, Commvault.
“A well-enforced ban could help take the profit out of ransomware, but it must be matched by greater investment in prevention, detection, and recovery-testing…”
Many experts argue that the solution lies in resilience, not ransom: well-maintained endpoint protection platforms (EPP) alongside antivirus tooling, and ransomware protection built into enterprise backup and recovery systems so that restores are tested before an incident rather than discovered to fail during one.
These measures are becoming essential, as the average recovery time after an incident now stretches to 24 days.
For smaller firms, this duration can be catastrophic, and the pressure to recover quickly increases the temptation to pay.
Supporters of the proposed ban believe it could drive positive structural change – with a third of respondents saying the move would prompt greater government intervention and investment in cybersecurity infrastructure.
Another third suggest that removing the financial incentive for criminals could reduce the frequency of attacks.
However, even among those who support the idea, few are confident they would follow the rules if their business was on the line.
The government's proposal already extends the ban to public sector institutions such as NHS trusts and local councils.
Despite the clear intent behind the proposed legislation, compliance in practice remains doubtful, as only a tenth of surveyed leaders said they would fully comply with the ban in a crisis.
Most are unwilling to risk the collapse of their business, even if that means violating legal provisions.