Preparation for any eventuality as ransomware grows in sophistication

By being fully prepared, even the most well-crafted ransomware attacks can be stopped in their tracks or potential damage mitigated in the case of a breach.

In just the past five years or so, ransomware attacks have evolved from niche software created by underground groups into comprehensive software-as-a-service offerings that even the most unsophisticated threat actors can use. This availability to almost any nefarious group is pushing ransomware into national security threat territory, rather than being just a corporate issue.

It’s therefore little surprise that, according to the latest figures from the World Economic Forum’s Global Cybersecurity Outlook 2025, ransomware attacks concern businesses the most (45%), well ahead of any other type of threat, including cyber-enabled fraud and supply chain disruption.

Attackers themselves are also evolving their tactics, exfiltrating data and initiating public extortion. These approaches include threats to release employee and client data, alongside other confidential information such as patents. It’s a risk that threatens businesses across IT, legal, finance and reputation. But often, what goes wrong in the response to a ransomware event is a focus on containment rather than prevention.

Fail to prepare, prepare to fail 

Many organisations remain unprepared for the damage that ransomware can cause. This lack of preparation often includes a lack of backups, meaning there’s nothing to restore from if data is stolen or lost during a breach. Some have cloud backups with the major providers, but a separate backup with a third party can ensure that applications are brought back online quickly after an incident, reducing the downtime.

Additionally, organisations often lack the right administrative practices when it comes to backup storage. If only one Active Directory domain is in place for all functions, intruders can move more easily through the network and destroy any backups.

Moving through the network is even easier if provisions such as multi-factor authentication (MFA) aren’t deployed and patches aren’t applied regularly, leaving known holes open.

To add to the concern, many organisations fail to run sufficient cybersecurity training programmes, yet it’s the humans within a business who remain the weakest link. On the positive side, some training programmes are now advising people on how to spot emerging threats such as deepfakes, phishing attacks and compromised credentials.

Issues often persist where there’s no incident response plan in place detailing who exactly is responsible for what when protecting against potential attacks and responding to breaches. If an attack is underway, time is of the essence, and unclear responsibilities can lead to potentially damaging delays.

Addressing the threat 

With threats becoming ever more sophisticated, businesses must respond with a potent combination of technology, refined processes and people skills. 

A key first step is to define a person in charge of cybersecurity. This could be someone internal or a vCISO who helps the C-suite bring together the different organisational functions. They can ensure that good cyber practices are followed day to day. Other measures should include the prompt replacement of default credentials, regular application of new patches and updates, and regularly updated backups that are isolated from the rest of the network. MFA, alongside other protections such as disk encryption, application allow-listing and secure boot, can also protect the network and reduce the chance of false positives being flagged.

Documentation of data stores, cloud accounts, network segments, devices and domains enables organisations to have a clear picture of what makes up their infrastructure, and role-based access should be applied to individuals based on seniority.

All these provisions are vital to building resilience against ransomware attacks, but so is clear ownership in the event of an incident. CTOs or an equivalent staff member, alongside operations, legal and communications, should work together to collect evidence, check backups, prevent further spread and initiate restoration of critical services.

Responsibility must be taken for communications with not just employees, but suppliers, regulators and customers as well. Timely and informative updates that incorporate tangible next steps can help to mitigate reputational damage and provide stakeholders with peace of mind about the continuity of operations.

Resilience for the future 

Looking ahead, ransomware won’t be going away any time soon, and businesses need to reframe the risk as a board-level concern. Instead of paying ransoms, which are set to be outlawed in the UK and potentially in Europe as well, there needs to be transparent ownership of cybersecurity, regular system maintenance, updated documentation and training on a regular basis.

A key starting point for businesses is to undertake a cyber security assessment before they introduce other measures. This provides transparency as to the current makeup of the infrastructure in place and where any current weak points exist, so that new controls can be integrated to help manage those risks.

From here, organisations can devise their incident response and remediation plans to ensure minimal disruption, timely updates to regulators and a return to normality as fast as possible post-incident. By being fully prepared, even the most well-crafted ransomware attacks can be stopped in their tracks, or the potential damage mitigated in the case of a breach.

Chris Gunner, Virtual Chief Information Security Officer, Thrive

Chris Gunner is an Information Security professional, with experience ranging from serving as a CISO delivering firm-wide strategy to client-facing delivery as a cyber consultant in a variety of roles and industries. Gunner is currently Virtual Chief Information Security Officer at Thrive.