
Data loss can strike anyone, be it businesses, public sector bodies, or individuals. It's a strong reminder that regular backups, good cyber hygiene, and proactive planning aren't optional in today's threat landscape. As digital risks continue to rise, the need for action is ever present.
Protecting data should be at the top of every leadership agenda year-round. What makes this urgent is not just the growing sophistication of cyberattacks; it's also the fluctuating policy landscape. For example, the proposed ban on ransomware payments for the UK public sector is a well-intentioned step toward disrupting cybercriminals preying on vulnerable organisations. However, it highlights something we don't discuss enough: the importance of self-reliance. Even with government cyber taskforces and national security strategies in place, resilience begins at an organisational level. This means tailored disaster recovery plans that align with the risks, systems, and people involved, so that the response is swift when disruption strikes.
The real message behind the ban
There's a certain logic to banning ransomware payments. If attackers can't profit, perhaps the attacks will stop. In reality, it's rarely that simple. Underfunded public services and overstretched teams may not have the infrastructure to bounce back without external help. A ban removes the option to pay but doesn't automatically equip organisations with better recovery tools.
That's why this policy shift should be viewed as a wake-up call. It shows that reactive approaches alone are no longer viable in this fast-evolving cybersecurity landscape. Leadership teams should stop seeing cybersecurity as just an IT function and start embedding resilience into the core of their operations.
This isn't just about avoiding ransom payments. It's about ensuring that when something goes wrong, the organisation doesn't grind to a halt.
Resilience is a strategy, not a spend
Cyber preparedness is often equated with spending or the number of tools in place, but real resilience isn't about budget; it's about mindset. The most secure organisations are those thinking strategically and proactively about risk, not just those with the latest software. In fact, ransomware attacks don't succeed solely because attackers are sophisticated. They often result from fundamental organisational failures, like weak passwords, unpatched systems, poor access controls, and untested recovery plans.
Leadership teams should be thinking ahead and asking themselves practical, business-critical questions: "What happens if our systems go offline tomorrow?" "Can we restore them quickly?" If the answers are uncertain, more should be done to ensure the business's backups are genuinely secure and tested, and that access to systems is tightly controlled, so stakeholders can be confident in both.
Backups are a starting point, not the solution
Regular data backups remain a non-negotiable part of any resilience strategy. However, many organisations treat backup as a compliance tick-box rather than a process that could rescue a business from a catastrophic data breach.
It's not enough to back up once a week and store the copy on the same network – backups must be frequent, offsite, encrypted, and tested. An unreadable or compromised backup is just as useless as no backup. The gold standard is still the 3-2-1 rule: three copies of your data on two different media types, with one copy stored offsite or offline. But what matters most is not the configuration, it's the mindset. Leaders must ensure their teams are prepared to restore, not just store.
Imagine facing a ransomware attack with no legal option to pay. Recovery becomes your only path forward. In that moment, the strength of your preparation is key. Clean, accessible backups, clear recovery protocols, and a team that knows exactly what to do are vital, and they are the result of leadership that made resilience a priority long before a crisis hit.
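The 3-2-1 rule and the "restore, not just store" point above can be turned into a routine check rather than a slogan. The following is an added example, not code from the article or from any named product: it audits a backup inventory against the three criteria the text names (copy count, media diversity, an offsite or offline copy), flags copies older than the agreed recovery point, and recomputes each copy's checksum from what can actually be read back so that a "stored" copy that has silently rotted or been tampered with is reported as not restorable. The inventory, payloads and field names are all constructed for the example; a real team would read them from their backup tooling.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data: three copies of one dataset as a recovery team
# might record them. Nothing here comes from a real system. The "cloud-object"
# copy is deliberately both stale and corrupt to show what the audit catches.
PAYLOADS = {
    "disk-primary": b"customer-db-2024-06-01.dump",
    "tape-offsite": b"customer-db-2024-06-01.dump",
    "cloud-object": b"customer-db-2024-06-01.dump" + b"\x00",  # silently damaged copy
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GOOD_HASH = sha256_hex(PAYLOADS["disk-primary"])

# The manifest records the hash taken when each backup job completed.
INVENTORY = [
    {"copy": "disk-primary", "media": "disk", "offsite": False, "offline": False,
     "encrypted": True, "completed": "2024-06-01T23:00:00+00:00", "sha256": GOOD_HASH},
    {"copy": "tape-offsite", "media": "tape", "offsite": True, "offline": True,
     "encrypted": True, "completed": "2024-06-01T23:30:00+00:00", "sha256": GOOD_HASH},
    {"copy": "cloud-object", "media": "object-storage", "offsite": True, "offline": False,
     "encrypted": False, "completed": "2024-05-20T23:00:00+00:00", "sha256": GOOD_HASH},
]

# Constructed "current time" so the freshness check is deterministic.
NOW = datetime(2024, 6, 2, 0, 0, tzinfo=timezone.utc)


def check_3_2_1(inventory):
    """Return a list of findings; empty means the 3-2-1 rule is satisfied."""
    findings = []
    if len(inventory) < 3:
        findings.append(f"only {len(inventory)} copies (need 3)")
    media = {e["media"] for e in inventory}
    if len(media) < 2:
        findings.append(f"only {len(media)} media type(s) (need 2)")
    if not any(e["offsite"] or e["offline"] for e in inventory):
        findings.append("no offsite or offline copy")
    return findings


def check_encryption(inventory):
    """Copies stored in the clear, which the text lists as a requirement."""
    return [e["copy"] for e in inventory if not e["encrypted"]]


def check_freshness(inventory, now, max_age):
    """Copies whose last successful job is older than the agreed recovery point."""
    stale = []
    for e in inventory:
        completed = datetime.fromisoformat(e["completed"])
        if now - completed > max_age:
            stale.append(e["copy"])
    return stale


def verify_integrity(inventory, read_copy):
    """Recompute each copy's hash from the bytes that can actually be read back.

    read_copy(name) returns the stored bytes or None if the copy is unreadable.
    A mismatch means the copy exists in the manifest but cannot be trusted for
    restore, which is exactly the case a weekly 'backup succeeded' report hides.
    """
    bad = []
    for e in inventory:
        data = read_copy(e["copy"])
        if data is None or sha256_hex(data) != e["sha256"]:
            bad.append(e["copy"])
    return bad


def audit(inventory, payloads, now, max_age=timedelta(hours=24)):
    """Run all checks and return a report suitable for a recovery drill log."""
    return {
        "rule_321": check_3_2_1(inventory),
        "unencrypted": check_encryption(inventory),
        "stale": check_freshness(inventory, now, max_age),
        "unreadable_or_corrupt": verify_integrity(inventory, payloads.get),
    }


if __name__ == "__main__":
    print(json.dumps(audit(INVENTORY, PAYLOADS, NOW), indent=2))
```

Run as a script, the report shows the 3-2-1 layout is satisfied on paper while the cloud copy is unencrypted, twelve days stale and fails its checksum, leaving only two copies that would actually restore. The point of the integrity step is that it reads the backup back rather than trusting the job status; a scheduled restore into an isolated environment is the fuller version of the same idea.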
Rethinking identity and access
We also need to be honest about how cybercriminals are getting access. In most cases, they're not exploiting complex or unknown software vulnerabilities; instead, they log in with stolen or reused credentials. That puts identity security at the centre of any serious cybersecurity strategy.
Multi-factor authentication, strong password policies, and role-based access control are some of the most effective ways to safeguard sensitive systems, adding layers of defence that limit the blast radius of a breach and ensuring only the right people have access at the right time.
However, there's little value in investing heavily in network monitoring or endpoint protection if attackers can bypass it all by logging in as a legitimate user. Identity and access management is business-critical infrastructure, essential for protecting sensitive systems and maintaining operational integrity. It's down to leadership to reinforce this.
Resilience is reputation
Ransomware isn't just a cybersecurity issue; it's a leadership test. In a crisis, help rarely arrives fast enough, and with ransomware payments potentially off the table, the responsibility to respond and recover falls squarely on the organisation. That's why cyber resilience must be embedded into business continuity planning and treated as a strategic priority, not a technical afterthought.
The organisations that will thrive are those which invest in people as much as technology, view backups, access controls, and training as enablers, and understand that cyber risk is everyone's responsibility. Ultimately, resilience isn't just about staying online; it's about maintaining trust when it matters most.

