Most UK firms pay ransomware demands, despite ‘do not pay’ policies
With ransomware attacks on the rise, organizations are paying up but still take weeks to recover


Most "do not pay" ransomware policies in the UK aren't worth the paper they're written on, according to a new report.
While 94% of UK organizations have a policy not to pay out in the event of a ransomware attack, 97% of those that have fallen victim in the past two years have paid out a ransom.
The research, from data security and management firm Cohesity, polled over 900 IT and security leaders in the UK, US and Australia. It found that three quarters of respondents said their company would be willing to pay over £2.4 million to recover data and restore business processes, with four in ten saying the figure would be more than £4 million.
"Many organizations said they would pay a ransom to reduce disruption. Paying the ransom almost certainly results in a loss of some of the data," said James Blake, Cohesity's global head of cyber resiliency GTM strategy.
"Not to mention we’ve seen the UK sanction ransomware operators; the last thing senior management need after dealing with a ransomware attack is the prospect of a huge fine or custodial sentence for breaching sanctions."
More than eight in ten (83%) respondents said they'd fallen victim to a cyber attack in the second half of last year and 95% believe that the threat of cyberattacks to their industry will increase this year, with seven in ten predicting it will increase by more than 50%.
Respondents are also pessimistic about their ability to deal with incidents, with only a quarter having full confidence in their company’s cyber resilience strategy and its ability to address today’s challenges and threats.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Everyone said they needed more than 24 hours to recover data and restore business processes, with only one in ten saying their company could recover data and restore business processes within three days.
RELATED RESOURCE
Discover the different ways your businesses can use AI
DOWNLOAD NOW
A third (34%) said they would need one to two weeks to recover, and almost a quarter (24%) said they would need more than three weeks to recover data and restore business processes.
"The figures in the survey show huge deficiencies in an organization’s ability to achieve the required recovery times to avoid significant disruption," said Blake.
Respondents were keen to see improvements in executive awareness and responsibility for data security, with only three in ten saying their senior and executive management fully understands the "serious risks and daily challenges of protecting, securing, managing, backing up, and recovering data".
Four in five said executive management and boards should share the responsibility for their company’s data security strategy, while 64% said their company’s CIO and CISO, in particular, could be better aligned.
In terms of the effects of a successful data breach or cyberattack, the biggest concerns were brand and reputational damage, long-term operational outcomes and projects, a direct hit to revenue, and a loss of stakeholder trust, all cited by around a third.
"Cyber resilience and data security should be a holistic organizational priority because the use of data and technology occurs in every function by every employee," said Cohesity CEO and president Sanjay Poonen.
"The severe impact of a successful cyberattack or data breach on business continuity, revenue, brand reputation, and trust is enough to keep all business, IT, and Security leaders awake at night."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
By Nicole Kobie
-
Simplifying Password Management eBook
Whitepaper
By ITPro
-
Living off the Land eBook
Whitepaper
By ITPro
-
The Public Sector's Guide to Privilege and Password Management
Whitepaper
By ITPro
-
Zero Standing Privilege: Automating Cybersecurity Without Disrupting Productivity
Whitepaper
By ITPro
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
News Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
By Ross Kelly
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
By Emma Woollacott
-
Cyber attacks against UK firms dropped by 10% last year, but experts say don't get complacent
News More than four-in-ten UK businesses were hit by a cyber attack last year, marking a decrease on the year prior – but security experts have warned enterprises to still remain vigilant.
By Emma Woollacott