By Robbie Ross, cyber security lead, Converged Communication Solutions
It’s not if but when.
This is a phrase that has been echoed across the cyber security industry for several years, but when it comes to ransomware the message is still not penetrating widely enough.
The 2025 UK Government Cyber Breaches Survey highlighted that just 32% of organisations have adopted the technical controls required in all five key Cyber Essentials areas, and that only 27% of UK businesses have a board member explicitly responsible for cyber security. The same survey highlighted that as few as 19% of businesses overall reported conducting formal staff cyber training activities while a mere 23% of businesses have a documented incident response plan in place.
These statistics show that, despite the predicted inevitability of a cyber attack, many organisations are not prioritising their defences effectively.
However, if the warning statements aren’t enough to drive action, perhaps looking back at the largest attack of 2025 will be more impactful.
It’s hard to believe that an organisation as large as Jaguar Land Rover (JLR) is still suffering the consequences of the incident it faced last year, which is already estimated to have cost the company over £3 billion. While this attack has been well publicised, it remains one of the clearest illustrations of the scale of operational and financial damage ransomware can cause.
The incident brought JLR to an operational standstill, threatening the solvency of thousands of businesses across the automaker’s supply chain, while also leaving employees locked out of systems and unable to perform their jobs.
While most businesses don’t operate on the same scale as JLR, this does not mean the threat should be underestimated: loss is relative.
Instead, business leaders must be asking: if my business were unable to operate due to ransomware for an hour, how much would it cost? What about a day, a week, a month, or six?
When business leaders carry out this calculation, they often find that the cost of not preparing for an attack is much greater than the cost of preparing for one.
So, what steps should organisations adopt to ensure they can not only defend against ransomware but also survive it?
- Train staff to be the greatest line of defence
Ransomware exploits people, so organisations must treat staff as their most important line of defence.
Most attacks begin with phishing emails, social engineering or deceptive prompts designed to exploit human behaviour rather than technical vulnerabilities.
Despite this, many organisations still frame staff as the weakest link, while failing to invest properly in their education and training.
Training should not be a tick-box exercise designed to satisfy compliance requirements. Effective security awareness training should focus on behavioural change, not just knowledge transfer. Staff should understand:
- What phishing really looks like in the real world
- How attackers use urgency, authority and familiarity
- Why unexpected MFA prompts can be a warning sign
- What the early stages of a ransomware attack might look like
- Make reporting easy, safe and clear
Spotting suspicious activity is only half of the battle. Staff must feel confident and supported when reporting potential incidents.
If employees worry about blame, embarrassment or getting into trouble, they are less likely to speak up, and silence gives attackers more time to cause harm.
A strong security culture encourages reporting at the earliest possible moment, even if someone has already clicked a link or made a mistake. Clear reporting routes, simple guidance and visible support from leadership all reinforce the message that raising concerns is the right thing to do.
- Ensure security is adopted from the top down
Security awareness training cannot be limited to certain job levels; it must be adopted company-wide, from the top down.
Senior leaders should never be left out of training; they should be required to participate in it, just like every other employee in the organisation.
Furthermore, senior leaders are often priority targets for threat actors, placing them at higher risk than many other employees, and they frequently have the authority to approve large monetary transfers, which attackers will try to hijack.
This means that, when it comes to security, all senior leaders must be trained, and it is best to implement policies preventing any single employee, regardless of position, from carrying out a large monetary transfer on their own. All such transactions should be doubly verified, by a second approver, before being authorised.
- Prepare for ransomware attacks before they happen
One of the most common mistakes organisations make is assuming that ransomware is something they will “deal with if it happens”.
By the time an attack is underway, decision-making becomes harder, stress levels rise and mistakes are more likely.
Preparation significantly improves an organisation’s ability to respond calmly and effectively. Having an incident response plan in place is only useful if it can be accessed when systems are down.
If the plan lives solely on SharePoint or internal systems, it may be unavailable during a ransomware incident. For this reason, it must be accessible and physically available, and all employees included in the plan must be aware of the role they need to play.
The plan must also be updated regularly, especially to account for staff moves and new technology deployments, and it must lay out all the actions the organisation will take in the event of an incident, with the ultimate goal of minimising losses and disruption.
- Rehearse incident response
The time to discover that a plan does not work is not during a live ransomware attack.
Organisations must ensure plans don’t simply sit on shelves gathering dust; they must be rehearsed regularly so that gaps can be identified and remediated before the plan is put into action during a genuine incident.
No organisation can guarantee immunity from ransomware.
Those that invest in people, culture and planning are far more likely to contain incidents, recover quickly and protect their reputation.