Ransomware Rules and Realities: Why UK Businesses Say One Thing and Do Another

The Compliance Illusion at the Boardroom Table

A new Commvault survey reveals a striking contradiction inside UK organisations: three-quarters of leaders say they support a ban on ransomware payments in principle, yet most admit they’d break that rule if breached.


This isn’t just a moral dilemma. It’s a crisis of operational clarity. And it exposes a gap between how businesses talk about cyber resilience — and how they behave under pressure.

The Stats Behind the Split

  • 75% of UK organisations support a private-sector ransomware payment ban.
  • 62% say they would still pay, if needed, to recover quickly.
  • 43% have already experienced a ransomware attack.
  • 98% plan to increase cybersecurity spending in 2025.

What these numbers reflect isn’t a lack of ethics — it’s a lack of preparedness.

When Resilience Meets Reality

The board wants to appear compliant.
Legal wants to be protected.
Ops just wants payroll to run.

When ransomware hits, principles collide with panic. And unless your recovery plan has been designed to function under duress, decisions start being made outside the playbook — by whoever is loudest, not necessarily who is right.

The breach moment is rarely when a company gets hacked. It’s when the company realises it doesn’t actually have a clear recovery stance.

Paying Ransom = Losing Control

Even when companies say “we’ll never pay,” many haven’t accounted for:

  • Critical system downtime that outlasts backups
  • Data recovery gaps that affect regulatory reporting
  • Internal pressure from finance, HR, and communications
  • Supplier chains that can’t function without fast response

This isn’t a justification — it’s a visibility problem.

The Case for Ransom-Ready Recovery (Not Ransom-Centric Strategy)

ENHALO’s approach isn’t to shame organisations for what they might do under pressure. It’s to build structures that reduce the panic in the first place.

Because when companies rehearse ransomware scenarios, they don’t just test tech — they test leadership.

3 Signs Your Organisation Isn’t Ready

  1. You haven’t documented your no-pay stance across departments.
    If legal and comms weren’t in the war room during planning, they won’t follow the script during crisis.
  2. You treat backups as your only fallback.
    What if the backups are encrypted too? What if the window to restore is 36 hours, and you’ve got 12?
  3. You’ve never run a ransomware simulation with your exec team.
    If it’s only IT rehearsing scenarios, your business isn’t aligned to survive one.
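The second sign above comes down to two questions that can be answered with data rather than hope: does at least one backup copy survive an attacker who reaches the backup system, and does that same copy restore inside the recovery time objective (RTO)? The script below is an added illustration, not ENHALO’s or Commvault’s code; the data class, the 90-day test-age threshold and the sample fleet are constructed assumptions for the example.

```python
"""Readiness check for the 'backups are your only fallback' sign.

Added illustration, not code from the original article. The BackupCopy
fields, the 90-day restore-test limit and the sample fleet are assumptions
constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class BackupCopy:
    name: str
    isolated: bool                # immutable or offline: a compromised admin account cannot encrypt or delete it
    restore_hours: float          # measured (not estimated) time to bring critical systems back from this copy
    last_restore_test: datetime   # when a full restore from this copy was last rehearsed


def readiness_gaps(copies: List[BackupCopy], rto_hours: float, now: datetime,
                   max_test_age_days: int = 90) -> List[str]:
    """Return human-readable gaps; an empty list means the no-pay stance is backed by capability."""
    gaps = []
    isolated = [c for c in copies if c.isolated]
    if not isolated:
        gaps.append("no isolated copy: if the attacker reaches the backup system, nothing survives to restore")

    # The copy that survives the attack must also be the one that meets the RTO.
    # A fast copy that gets encrypted plus a slow copy that survives do not add up to readiness.
    survivable_in_time = [c for c in isolated if c.restore_hours <= rto_hours]
    if isolated and not survivable_in_time:
        fastest = min(c.restore_hours for c in isolated)
        gaps.append(f"no isolated copy restores within the {rto_hours:g}h RTO "
                    f"(fastest isolated copy: {fastest:g}h)")

    # A restore that has never been rehearsed recently is a claim, not a capability.
    for c in copies:
        age = now - c.last_restore_test
        if age > timedelta(days=max_test_age_days):
            gaps.append(f"{c.name}: last full restore test was {age.days} days ago "
                        f"(limit {max_test_age_days})")
    return gaps


# Constructed sample fleet: a fast but reachable snapshot and a slow but isolated tape set.
NOW = datetime(2025, 6, 1)
SAMPLE_COPIES = [
    BackupCopy("nightly-snapshot", isolated=False, restore_hours=8,
               last_restore_test=NOW - timedelta(days=20)),
    BackupCopy("offline-tape", isolated=True, restore_hours=36,
               last_restore_test=NOW - timedelta(days=200)),
]

if __name__ == "__main__":
    for gap in readiness_gaps(SAMPLE_COPIES, rto_hours=12, now=NOW):
        print("GAP:", gap)
```

Run as written, the sample fleet reports two gaps: the only isolated copy needs 36 hours against a 12-hour RTO, and its restore has not been rehearsed in 200 days. The design point is that the checks are joined, not independent: a fast copy that an attacker can encrypt and a slow copy that survives do not together satisfy the RTO.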

Compliance Is Not the Same as Capacity

Ransomware bans are coming. The private sector knows it, and many support it. But unless those policies are backed by true cyber resilience, they’re just empty promises waiting to be broken.

The Bottom Line

What will your board say when the ransom note arrives?

If your answer starts with “we’d never pay,” make sure your systems, people, and response strategy back that up.

Or don’t call it policy — call it hope.
