- Most British business leaders admit they would break the law to keep their company alive after a ransomware attack
- Publicly supporting ransomware bans means little when private survival instincts take over during a breach
- Anti-ransomware policies face collapse as companies quietly admit that they would still negotiate with attackers
British business leaders appear united in principle behind the recent ban on ransomware payments for the private sector, but new data reveals a sharp contrast between public support and real-world intentions.
The Cyber Security Breaches Survey 2025 from Commvault found that, while almost all respondents supported a ban, three out of four admitted that they would ignore it if paying a ransom was the only way to save their company.
This contradiction reveals the tension between political ideals and the realities of surviving a cyber attack.
Principles collide with survival instincts in crisis scenarios
The report found that almost half (43%) of British companies have experienced some form of cyber breach in the past year, with the risk cutting across size and sector.
As a result, cyber security readiness is now seen as a critical business function, with 98% of respondents planning to prioritize it in their spending.
There is growing recognition that reactive payments do little to guarantee recovery, especially when attackers may not restore data even after receiving funds.
“Paying a ransom rarely guarantees improvement and often increases the likelihood of being targeted again,” said Darren Thomson, Field CTO EMEAI, Commvault.
“A well-enforced ban could help take the profits out of ransomware, but it must be matched with major investments in prevention, detection and recovery testing …”
Many experts claim that the solution lies in resilience, not ransom, and so there is a shift toward more robust use of antivirus tools, well-maintained endpoint protection platforms (EPP) and ransomware protection strategies built into enterprise recovery systems.
These measures become important as the average recovery time after an incident now extends to 24 days.
For smaller businesses, this duration can be disastrous and the pressure to recover quickly increases the temptation to pay.
Supporters of the proposed ban believe it could bring positive structural change, with one-third of respondents saying the move would encourage greater government intervention and investment in cyber security infrastructure.
Another third suggests that the removal of the economic incentive for criminals could reduce the frequency of attacks.
However, even among those who support the idea, few are sure they would follow the rules if their business was on the line.
The British government has already applied the ban to public sector institutions such as NHS Trusts and local councils.
Despite the clear intent behind the proposed legislation, compliance remains questionable in practice, as only one tenth of those surveyed said they would fully comply with the ban in a crisis.
Most are unwilling to risk their business, even if it means violating legal provisions.



