“In principle, this shift makes sense”

Paul Fleming, Chief Strategist, Public Sector, Softcat
The move to legislate against public sector organisations paying ransoms builds on long-standing guidance from central government and the NCSC.
In principle, this shift makes sense. Removing the financial incentive for attackers is critical, but the effectiveness will depend on how the legislation is phased, implemented, and supported. Government must also anticipate unintended consequences, such as attackers shifting toward less regulated, softer targets or increasingly damaging attacks focused purely on disruption.
The real focus should remain on reducing not just the frequency, but the impact of ransomware attacks. This requires increased government support, sustained investment in cyber resilience, and holistic risk management across the full technology stack, spanning data protection, compliance, supply chain exposure, and human factors.
Public sector organisations must embed cyber resilience into their wider business continuity and strategic planning to fully meet the intent of the proposed legislation.