Ban on ransom payments seen as start, not solution, to cyber risk
The UK government's latest move to ban public bodies from paying ransomware demands is being hailed as a significant, yet long overdue, measure in the ongoing fight against an increasingly sophisticated cyber threat landscape. However, industry experts warn that legislation alone is not enough and underline the need for broader, systemic improvements if the country is to achieve real resilience against ransomware.
James Moss, Director of Cyber Investigations at Addleshaw Goddard and former lead lawyer at the Information Commissioner's Office, describes the current situation as "endemic," with ransomware ranking among the most critical dangers faced by both businesses and public sector organisations. "I don't think the public realises just how widespread the issue really is. It's endemic," Moss said. He commended the government's willingness to act, noting, "Given that the current situation is unsustainable, the fact that government is attempting to do something is positive."
Ransomware attacks have plagued UK institutions with increasing regularity in recent years, affecting everything from health trusts to local authorities and, most recently, private enterprises such as the 158-year-old Northamptonshire transport company KNP Transport. The National Crime Agency and the National Cyber Security Centre have both previously warned of surges in such activities, with several high-profile incidents resulting in operational paralysis and sensitive data being seized by criminal gangs.
The UK government's new stance prohibits public sector organisations, including arm's-length bodies and other entities solely funded by central government, from using public funds to pay ransomware demands. While the policy is aimed at deterring both attacks and the business model that fuels them, Moss pointed out the challenges inherent in such a strategy. "For companies, paying a ransom often feels like the only way to avoid further disruption, and can be the least bad option. Given the reputational damage that can result from public awareness of an attack, and the government's stated position which frowns upon paying ransoms without currently banning the practice, many companies will pay quietly and not publicise the issue, especially when under pressure to get back online quickly."
Moss also highlighted that the proposed measures may introduce a new risk landscape. "There remains an asymmetry between what is best for any particular organisation and what is best for the economy as a whole. The proposed legislation will not change that and is in fact likely to throw it into starker relief by banning certain organisations and sectors from making payments whilst permitting others to do so. The risk is then that cyber criminals will simply tailor their approach to maximise their profits, as criminals of all types have always done."
Vivek Dodd, CEO and co-founder of compliance specialist Skillcast, described the announcement as a "bold move," but urged that it is only one part of a wider solution. "Banning public bodies from paying ransom payments is a watershed moment and sends a clear message to cybercriminals across the globe that the UK will not be coerced. But policy alone won't drive resilience." Dodd referenced the KNP Transport breach, stressing that it was human error - a single compromised password - that led to significant business loss. "You simply can't legislate your way to resilience; you have to build it from the inside out."
Both experts agreed that while banning ransom payments in the public sector is a critical step, it must be paired with deeper investment in cyber security and workforce training. Moss concluded, "Ultimately we need stronger law enforcement and serious investment in cyber security. But those aren't quick fixes - they'll take time to make a meaningful impact."
Dodd added that the new policy should act as a wake-up call. "Prevention is a fraction of the cost of response, yet too many enterprises are still chasing compliance in spreadsheets. This policy change is the wake-up call to invest in your defences, because the next breach won't wait for a policy update."
As the government attempts to stem the tide of ransomware attacks, the clear message from those on the cyber frontlines is that cohesive action - blending legislative measures with organisational preparedness and behaviour change - remains the UK's best hope against this evolving form of crime.