75% of UK business leaders are willing to risk criminal penalties to pay ransoms

Ransomware criminal concept image showing hacker in a hooded top working on a laptop in a dark room.

(Image credit: Getty Images)

UK business leaders are overwhelmingly in favor of a ban on ransomware payments in the private sector - but would break such a ban themselves if they thought it was necessary.

The government is proposing a ban on the payment of ransoms by public sector bodies and operators of critical national infrastructure, including the NHS, local councils, and schools.

For the time being, the ban doesn’t extend to private firms. However, analysis from Commvault found that 96% of UK business leaders believe payments should be banned across both the public and private sectors.

In the event of a ban being imposed on private sector firms, three-quarters (75%) admitted they would still pay a ransom themselves if it were the only way to save their organization, regardless of whether civil or criminal penalties applied.

“Paying a ransom rarely guarantees recovery and often increases the likelihood of being targeted again,” said Darren Thomson, field CTO EMEAI at Commvault.

“A well-enforced ban could help take the profit out of ransomware, but it must be matched by greater investment in prevention, detection, and recovery-testing. Without that, more organizations could find themselves exposed at the worst possible moment, with no viable path to recovery.”

The survey found that 94% of business leaders support limiting ransom payments for public bodies, and 99% for private organizations.

However, in real-world situations within the private sector, only 10% said they would actually comply with any ban if they were attacked. A further 15% said they'd be neither likely nor unlikely to comply.

Of those who supported a proposed payment ban, 34% reckoned it would lead to increased government support and intervention to help build up cyber resilience.

Another third thought it would bring down the number of attacks by reducing the incentive for attackers.

Ransom payment bans are a tightrope for private firms

While the government's proposals so far only ban the payment of ransoms by public sector bodies and operators of critical national infrastructure, they do place certain constraints on private firms.

Businesses would be required to notify the government of any intent to pay a ransom - which would then tell them whether or not they'd be breaking the law by sending money to sanctioned cyber criminal groups, many of which are based in Russia. 

“Ransomware and cyber attacks will be a concern for a long time, as international cyber gangs make huge profits from them and use these resources to continually develop their attack tools," says Jane Frankland, CEO of security training firm Knewstart.

Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.

MORE FROM ITPRO

TOPICS

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.