Balancing cyber response readiness against prevention can be a tricky task. Prevention is important but treating it as the whole strategy is where organisations run into trouble.
Ransomware actors are persistent and well-resourced; eventually something gets through. The organisations I've seen handle incidents well weren't necessarily the ones with the most tools. They were the ones that had actually practised their response, and while practice doesn't make the response perfect, it makes a real difference to how quickly the business gets up and running again after a breach.
Tabletop exercises, documented runbooks, pre-agreed escalation paths: these things sound administrative until you're in an active incident at 2am. Response readiness is consistently underfunded relative to prevention tooling, and that imbalance is where real risk lives.
By all means build the walls and the moat around them but know exactly what you're doing when someone climbs over them.
To pay or not to pay
When is the right time to have a policy on ransom payment? Nobody wishes to respond to this question directly, which is exactly why it needs to be answered before an incident, not during one.
Payment funds criminal operations and guarantees nothing. Moreover, it carries growing legal complexity. Those are real concerns; however, so is three weeks of operational downtime, or inaccessible client records. The principled "never pay" position is easy to hold until the business is on its knees. Then it’s another matter.
Gartner wisely counsels against paying ransomware attackers because it does not guarantee data recovery, with some estimates showing only 8% of data might be returned, while encouraging future attacks. Instead, companies are advised to prioritise robust, tested backups and focus on defensible recovery to avoid the risks of trusting criminals.
Every organisation with a meaningful risk profile should work through this decision in advance, factoring in backup integrity, data sensitivity, the threat actor involved, insurance conditions and legal obligations.
It is important to understand that arriving at an active incident without a payments policy is a governance failure. This is a responsibility that the board should own, not the IT team.
How is ransomware evolving and are defences keeping pace?
According to the same Gartner report, ransomware attacks are evolving, growing faster and more sophisticated than ever. The research house emphasises that one thing is certain: the pervasive threat of ransomware will continue to plague organisations into the future.
Whether these attacks come from established groups or the increasing number of ‘lone wolf’ threat actors, failing to prepare thoroughly can cost a business time and money, as well as trust among stakeholders.
The Veeam 2025 Risk to Resilience Report surveyed 1 300 organisations globally to gauge how chief information security officers, security professionals and IT leaders are recovering from cyber threats.
The field-tested strategies from companies that recovered faster from attacks reflect a set of best practices for cyber resilience that all organisations are recommended to consider implementing.
The report does contain some good news in that compared to the 2024 survey, the percentage of companies impacted by at least one ransomware attack resulting in encryption or data exfiltration declined slightly from 75% to 69%.
This decrease likely stems from businesses continuing to improve their preparation and resilience practices, as well as increased collaboration between IT and security teams.
So, it seems the “spray and pray” days are largely behind us. Ransomware now operates as an industry: ransomware-as-a-service platforms, specialist affiliates, professional negotiators. These are organised, incentivised groups, and many operate with effective geopolitical shelter.
The more important shift is double extortion. Encrypting data is almost incidental now; the real leverage is exfiltrated data and the credible threat of publication. That makes "we have backups" an incomplete answer. Attackers are also deliberately targeting backup infrastructure and using legitimate admin tools to avoid detection, which makes early identification genuinely difficult.
Defences have improved, particularly in detection and threat intelligence. But the asymmetry hasn't gone away: attackers need one success; defenders need consistent success. Mid-market and public sector organisations remain significantly exposed, and they know it.
What a mature ransomware resilience strategy contains
A mature strategy should look less like a technology deployment and more like an organisational discipline. The companies that have genuinely got this right share a few things: the board understands the risk and has approved a clear risk appetite; asset visibility is comprehensive, because you cannot protect what you don't know exists; backups are offline and immutable, and recovery has been tested under realistic conditions rather than merely documented; and network segmentation means a successful intrusion doesn't automatically become a catastrophe.
The most telling indicator of maturity, though, is how an organisation behaves under pressure. Do staff recognise phishing? Has the incident response team rehearsed? Is there a communications plan for regulators, customers and media? Resilience is a people and process capability as much as a technical one.
The bottom line is that the measure of the strategy isn't whether you have been or will be attacked; it's how quickly and cleanly you recovered, or are capable of recovering.