“A bold step I view with cautious optimism”

Paul Starr, Co-Founder and CEO, SEP2
The UK government’s ban on ransomware payments for public sector bodies and critical national infrastructure (CNI) presents a bold, perhaps drastic, step that I view with cautious optimism as a Managed Security Service Provider (MSSP). Conceptually, it’s a good idea if it acts as a catalyst for a much-needed cultural shift towards cyber security within these bodies.
Currently, too many of these compromised organisations discover a breach or attacker entry only after data is stolen and encrypted, often followed by the realisation that inadequate backup and recovery processes leave them no choice but to pay the ransom. This ban could be crippling if we don’t address these underlying issues. The ultimate goal must be a proactive shift towards prevention and detection, supported by robust processes and procedures for remediation.
This ban must be more than just a piece of legislation; it must be a line in the sand. It’s a declaration that as a nation, we are moving from a reactive to a proactive cybersecurity posture. For this to happen, the government’s crackdown must be accompanied by a massive push for improved cyber hygiene and resilience across the board.
As an MSSP, we’ve seen first-hand the difference between organisations that “do” cyber security and those that “are” cyber-secure. The former treats it as a box-ticking exercise, a compliance hurdle to be cleared. The latter embeds it into their company culture, from the top down. They invest in robust defences, they train their employees to be the first line of defence, and they have a well-rehearsed incident response plan.
This is the culture change that the UK needs. The ransomware payment ban, while a bitter pill to swallow for some, could be the very thing that forces organisations to finally take cybersecurity seriously. It’s a chance to move beyond the endless cycle of attack and response and build a truly resilient digital Britain.
So, do I agree with the government’s move? Yes, I do. But with a significant caveat. This ban must be the start of a new chapter, not the end of the story. It must be the spark that ignites a revolution in how we think about and approach cyber security. It’s time to stop feeding the beast and start building our fortress. And for that, we all have a role to play.