
Data loss can strike anyone, be it businesses, public sector bodies, or individuals. It’s a strong reminder that regular backups, good cyber hygiene, and proactive planning aren’t optional in today’s threat landscape. As digital risks continue to rise, the need for action is ever present.
Protecting data should be at the top of every leadership agenda year-round. What makes this urgent is not just the growing sophistication of cyberattacks; it’s also the shifting policy landscape. For example, the proposed ban on ransomware payments for the UK public sector is a well-intentioned step toward disrupting the business model of cybercriminals who prey on vulnerable organisations. However, it highlights something we don’t discuss enough: the importance of self-reliance. Even with government cyber taskforces and national security strategies in place, resilience begins at an organisational level. This means tailored disaster recovery plans that align with the risks, systems, and people involved, so that the response is swift when disruption strikes.
The real message behind the ban
There’s a certain logic to banning ransomware payments. If attackers can’t profit, perhaps the attacks will stop. In reality, it’s rarely that simple. Underfunded public services and overstretched teams may not have the infrastructure to bounce back without external help. A ban removes the option to pay but doesn’t automatically equip organisations with better recovery tools.
That’s why this policy shift should be viewed as a wake-up call. It shows that reactive approaches alone are no longer viable in this fast-evolving cybersecurity landscape. Leadership teams should stop seeing cybersecurity as just an IT function and start embedding resilience into the core of their operations.
This isn’t just about avoiding ransom payments. It’s about ensuring that when something goes wrong, the organisation doesn’t grind to a halt.
Resilience is a strategy, not a spend
Cyber preparedness is often equated with spending or the number of tools in place, but real resilience isn’t about budget; it’s about mindset. The most secure organisations are those thinking strategically and proactively about risk, not just those with the latest software. Ransomware attacks rarely succeed because the attackers are unusually sophisticated. More often they result from fundamental organisational failures: weak passwords, unpatched systems, poor access controls, and untested recovery plans.
Leadership teams should be thinking ahead and asking themselves practical, business-critical questions: “What happens if our systems go offline tomorrow?” “Can we restore them quickly, and how do we know?” If the answers are uncertain, the work is twofold: make sure the business’ backups are genuinely secure and regularly tested, and make sure access to systems is tightly controlled, so that stakeholders can have confidence in both.
Backups are a starting point, not the solution
Regular data backups remain a non-negotiable part of any resilience strategy. However, many organisations treat backup as a compliance tick-box rather than a process that could potentially rescue a business from a catastrophic data breach.
It’s not enough to back up once a week and store the copy on the same network – backups must be frequent, offsite, encrypted, and tested. An unreadable or compromised backup is just as useless as no backup, and a backup that the attacker could reach and encrypt alongside production data is no backup at all. The gold standard is still the 3-2-1 rule: three copies of your data, on two different media types, with one copy stored offsite and ideally offline or immutable. But what matters most is not the configuration, it’s the mindset. Leaders must ensure their teams are prepared to restore, not just store: a backup that has never been restored end to end is an assumption, not a plan.
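The “tested” part of that rule is the one most often skipped. The script below is an added example written for this article; it is not code from the article’s author or from any backup product. It shows the minimum check worth automating: at backup time, record a manifest of per-file SHA-256 hashes plus a hash of the archive itself; at test time, restore into a scratch directory and compare every file against the manifest. The sample source tree, file names and the three scenarios it runs (a clean backup, an archive with a flipped byte, and a manifest that no longer matches a restored file) are constructed for the demonstration. Encrypting the archive at rest and shipping the manifest to a separate, write-once location are assumed to happen around this check rather than shown in it.

```python
"""Backup integrity and restore check (illustrative example, not a product).

Assumes backups are tar.gz archives with a JSON manifest written at backup time.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest_dir: Path) -> Tuple[Path, Path]:
    """Archive `source` and write a manifest of per-file hashes plus the archive hash.

    The manifest is what later lets us tell a readable backup from a correct one.
    """
    files = {str(p.relative_to(source)): sha256_file(p)
             for p in sorted(source.rglob("*")) if p.is_file()}
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(source), arcname=".")
    manifest_path = dest_dir / "backup.manifest.json"
    # Archive hash is computed after the file is closed and fully flushed.
    manifest_path.write_text(json.dumps(
        {"files": files, "archive_sha256": sha256_file(archive)}))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path) -> Dict:
    """Restore into a scratch directory and compare every file against the manifest.

    Returns a report with an overall `ok` flag and lists of missing/corrupt files.
    """
    manifest = json.loads(manifest_path.read_text())
    report = {"ok": False, "archive_intact": False,
              "missing": [], "corrupt": [], "restored": 0}
    if sha256_file(archive) != manifest["archive_sha256"]:
        return report  # modified, truncated or bit-rotted after it was written
    report["archive_intact"] = True
    with tempfile.TemporaryDirectory() as scratch:
        scratch_dir = Path(scratch)
        # Use the 'data' extraction filter where the interpreter provides it,
        # so a crafted archive cannot write outside the scratch directory.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                tar.extractall(str(scratch_dir), **kwargs)
        except (tarfile.TarError, OSError, EOFError):
            return report  # archive hash matched but it is not a readable backup
        for rel, expected in manifest["files"].items():
            restored = scratch_dir / rel
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_file(restored) != expected:
                report["corrupt"].append(rel)
            else:
                report["restored"] += 1
    report["ok"] = not report["missing"] and not report["corrupt"]
    return report


def run_demo() -> Dict:
    """Constructed sample data: a tiny source tree, backed up and then checked
    (a) as written, (b) after one byte of the archive is flipped, and
    (c) with a manifest entry that no longer matches the restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, dest = root / "data", root / "backups"
        (source / "db").mkdir(parents=True)
        dest.mkdir()
        (source / "db" / "customers.sql").write_bytes(
            b"INSERT INTO customers VALUES (1, 'acme');\n" * 50)
        (source / "notes.txt").write_text("recovery runbook v3\n")

        archive, manifest = create_backup(source, dest)
        clean = verify_restore(archive, manifest)

        # (b) bit-rot or tampering on the stored copy
        raw = bytearray(archive.read_bytes())
        raw[len(raw) // 2] ^= 0xFF
        bad_archive = dest / "backup_damaged.tar.gz"
        bad_archive.write_bytes(bytes(raw))
        damaged = verify_restore(bad_archive, manifest)

        # (c) archive is intact but one file is not what the manifest says it should be
        stale_manifest = json.loads(manifest.read_text())
        stale_manifest["files"]["notes.txt"] = "0" * 64
        stale_path = dest / "stale.manifest.json"
        stale_path.write_text(json.dumps(stale_manifest))
        stale = verify_restore(archive, stale_path)

    return {"clean": clean, "damaged": damaged, "stale": stale}


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(name, rep)
```

Run it on a schedule against the most recent copy, and treat any report where `ok` is false exactly as you would treat a failed production deployment. The archive hash catches damage or tampering to the stored copy; the per-file comparison catches the quieter failure where the archive opens fine but does not contain what the manifest promised.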
Imagine facing a ransomware attack with no legal option to pay. Recovery becomes your only path forward. In that moment, the strength of your preparation is key. Clean, accessible backups, clear recovery protocols, and a team that knows exactly what to do are vital and the result of leadership that made resilience a priority long before a crisis hit.
Rethinking identity and access
We also need to be honest about how cybercriminals are getting access. In most cases, they’re not exploiting complex or unknown software vulnerabilities; instead, they log in with stolen or reused credentials. That puts identity security at the centre of any serious cybersecurity strategy.
Multi-factor authentication, strong password policies, and role-based access control are some of the most effective ways to safeguard sensitive systems. They add layers of defence that limit the blast radius of a breach and ensure that only the right people have access, to the right systems, at the right time.
Put bluntly, there’s little value in investing heavily in network monitoring or endpoint protection if attackers can bypass it all by logging in as a legitimate user. Identity and access management is business-critical infrastructure, essential for protecting sensitive systems and maintaining operational integrity. It’s down to leadership to reinforce this.
Resilience is reputation
Ransomware isn’t just a cybersecurity issue; it’s a leadership test. In a crisis, help rarely arrives fast enough, and with ransomware payments potentially off the table, the responsibility to respond and recover falls squarely on the organisation. That’s why cyber resilience must be embedded into business continuity planning and treated as a strategic priority, not a technical afterthought.
The organisations that will thrive are those which invest in people as much as technology, view backups, access controls, and training as enablers, and understand that cyber risk is everyone’s responsibility. Ultimately, resilience isn’t just about staying online; it’s about maintaining trust when it matters most.