The UK government is moving forward with proposals to ban public sector bodies and critical national infrastructure organisations from paying ransoms to cybercriminals. However, new research from cyber resilience firm Commvault highlights a stark contradiction: 75% of UK business leaders say they would risk breaking such a ban if it were extended to the private sector and their organisation's survival was on the line, even with the prospect of criminal or civil penalties.
The study, which surveyed leaders from companies with over £100 million in revenue, found that while 96% support a ban on ransomware payments across both public and private sectors, only 10% would actually comply if faced with a ransomware demand. Another 15% expressed ambivalence. These findings suggest that, in theory, executives endorse measures designed to curb ransomware, yet would prioritise their own company’s survival over public policy if pressed by an actual attack. The tension illustrates the real-world complexity of enforcing cybercrime regulations.
Government proposals include requiring most organisations to notify authorities within 72 hours before paying a ransom, with officials empowered to block payments connected to sanctions violations or terrorism. The government also considered imposing penalties for non-compliance. Supporters of the payment ban believe it could lead to greater government intervention in cybersecurity and decrease incentives for attackers, key goals of the policy. Yet the persistent threat is underscored by data from the latest Cyber Security Breaches Survey, which reported that 43% of UK businesses—over 600,000 companies—experienced a cyber-attack in the past year. Experts caution, however, that payment rarely guarantees data recovery and may simply increase the chances of repeat targeting. Others warn that overly tight restrictions could result in punishing victim organisations, while doing little to deter attackers motivated by reasons beyond money.
The findings reflect a growing recognition of the economic impact of ransomware. Experts including Commvault’s Darren Thomson advocate for a balanced approach: banning payments alone is not enough and must be accompanied by greater investment in cyber prevention, detection, and recovery capabilities. Legal specialists also point out the challenges of enforcing a payment ban and the need to avoid victim-blaming, especially as cyber-attacks are likely to continue regardless of legislation. Overall, the research reveals the high-stakes ethical and operational dilemmas UK businesses face in the era of escalating cybercrime.