By Joseph Hedegaard Ganly, Solutions Architect at Halcyon
Ransomware is no longer just a cybersecurity issue; it's a business resilience challenge.
In a recent session, we explored the growing disconnect between what boards expect from cybersecurity investments and the reality of modern ransomware attacks. The discussion highlighted why resilience, not just protection, must be at the centre of every organisation’s cybersecurity strategy.
A Different Conversation
A few years ago, ransomware was largely viewed as an IT problem.
Security teams worried about malware. Infrastructure teams worried about backups. The board occasionally asked whether cyber insurance was in place and whether the business was protected.
Today, the conversation is very different.
Ransomware has evolved from being a technical security issue into a business resilience challenge that affects every part of an organisation. It impacts revenue, operations, reputation, customer confidence, shareholder trust and, increasingly, long-term business viability.
During a recent session hosted by Trust Systems, we discussed the growing disconnect between what boards expect from cybersecurity investments and the reality of a modern ransomware attack.
The truth is that most organisations are spending more than ever on cybersecurity, yet ransomware remains one of the most financially damaging threats facing businesses today.
The problem is not always a lack of investment. More often, it is a misunderstanding of what resilience actually looks like when an attack succeeds.
The Assumption Gap
Most board members understandably assume that significant investment in cybersecurity tools should result in significant protection.
After all, if an organisation has endpoint detection, network security, backups, cyber insurance and a documented incident response plan, it should be well positioned to withstand an attack.
Unfortunately, modern ransomware groups have adapted to these assumptions.
What we increasingly see is a gap between the confidence organisations place in their security stack and the reality of how attackers operate. Many boards still view ransomware through the lens of prevention, while attackers focus on disruption, extortion and business interruption.
Key Takeaway
The question has shifted from:
“Can we stop ransomware?”
to
“How quickly can we recover when something inevitably gets through?”
That distinction matters,.
Why Ransomware Is Now a Business Resilience Problem
One of the biggest misconceptions about ransomware is that it remains a malware problem.
Attackers are no longer interested solely in encrypting files. Modern ransomware operations are sophisticated criminal enterprises. Their objective is to create enough pressure that organisations feel compelled to pay, negotiate or endure prolonged disruption.
That means targeting operational dependency.
Attackers look for businesses where downtime translates directly into lost revenue, lost productivity or reputational damage. Retailers, manufacturers, professional services firms and construction companies have become attractive targets because every hour of disruption has measurable commercial consequences.
Many groups are also focused on stealing data before encryption takes place. Even if an organisation refuses to pay for decryption, attackers may still possess sensitive information that can be used for extortion or public disclosure.
This means recovery is no longer simply about restoring systems.
It is about managing a full-scale business crisis.
Attackers Are Becoming More Sophisticated
Phishing and vulnerability exploitation remain common routes into organisations.
However, the methods used by ransomware operators continue to evolve.
We are increasingly seeing attackers purchase valid credentials or gain access through third-party suppliers and service providers. In some cases, one criminal group gains access and then sells that access to another group specialising in ransomware deployment.
This trend presents a significant challenge.
A compromised administrator account often appears legitimate at first glance. Security teams can find it much harder to identify suspicious behaviour when valid credentials are being used.
The result is that organisations can no longer rely solely on keeping attackers out.
They must also prepare for the possibility that attackers gain access despite existing security controls.
Why Backups Alone Are Not Enough
Whenever ransomware is discussed, one response appears almost immediately:
“We have immutable backups.”
Immutable backups are essential. Every organisation should have them.
However, they are not a complete answer.
Attackers have adapted their tactics. Rather than trying to delete backups, many now focus on compromising surrounding systems, degrading the quality of data being backed up or creating uncertainty around whether recovered data can be trusted.
We have seen organisations discover during recovery that critical data was incomplete or unavailable when they needed it most.
Even when backups remain untouched, recovery itself introduces challenges.
Questions quickly arise:
- Which systems should be restored first?
- Which applications are critical to revenue generation?
- How do you verify the threat actor has been removed?
- Who makes recovery decisions?
- How long will validation take?
These challenges often become more significant than the backup technology itself.
The Recovery Exercise That Changed Expectations
During our session, I shared an example involving a large UK retailer that wanted to understand its true ransomware readiness.
Rather than conducting a traditional tabletop exercise, the organisation built a realistic test environment and engaged a red team to simulate a genuine ransomware attack against representative infrastructure.
Before testing began, the business believed recovery would take approximately six days.
The reality was very different.
Reality Check
Expected Recovery Time: 6 Days
Actual Recovery Time: Nearly 1 Month
Potential Financial Impact: More than £100 Million
The problem was not a lack of preparation.
The problem was that real-life incidents rarely follow the script.
The exercise uncovered missing data, unexpected dependencies, delayed decision making and recovery bottlenecks that had never surfaced during previous planning exercises.
Plans worked well on paper. Reality introduced a level of complexity that had not been fully appreciated.
This is exactly why realistic testing matters.
The goal is not simply to prove that a recovery plan exists.
The goal is to understand how that plan performs under pressure.
Communication Can Determine the Outcome
Technology alone does not determine whether an organisation recovers successfully.
Communication often proves just as important.
One of the recurring themes in major ransomware incidents is confusion around responsibility. When systems are unavailable and pressure is mounting, organisations need absolute clarity regarding who owns critical decisions.
Questions include:
- Who communicates with customers?
- Who engages legal teams?
- Who works with insurers?
- Who manages media relations?
- Who authorises key recovery decisions?
Without clear answers, valuable time is lost.
A ransomware attack tests more than technology.
It tests leadership, governance and organisational preparedness.
That is why boards must become active participants in resilience planning, rather than passive recipients of security updates.
Understanding the Minimum Viable Company
One of the most thought-provoking discussions during the session centred on a simple question:
How much of your organisation needs to function for the business to survive?
Many organisations know their recovery objectives.
Fewer understand their minimum viable operation.
The most resilient organisations identify:
- Their most critical systems
- Their essential suppliers
- Their primary revenue-generating services
- Their communication channels
- Their key decision makers
The objective is not necessarily restoring everything immediately.
The objective is restoring enough capability to continue serving customers and generating revenue while broader recovery activities continue.
As one attendee highlighted during the discussion, there is an important difference between surviving and thriving.
A business may technically remain operational for several days after a significant cyber incident, but customer trust, revenue and reputation may already be suffering.
Building True Resilience
True resilience does not come from a single technology purchase.
It comes from combining:
- Strong security controls
- Realistic testing
- Validated recovery procedures
- Executive engagement
- Proven incident response capabilities
The organisations best positioned to handle ransomware are not those that believe they are immune.
They are the organisations that assume an attack may eventually occur and prepare accordingly.
They test.
They refine.
They learn.
They recover.
Final Thoughts
Ransomware has fundamentally changed.
What began as a malware problem has evolved into a boardroom issue that affects every aspect of the business.
The organisations that succeed in this environment will not necessarily be the ones that spend the most on cybersecurity.
They will be the organisations that understand the difference between protection and resilience.
Because when ransomware strikes, customers do not judge you solely on whether you were attacked.
They judge you on:
- How quickly you recover
- How clearly you communicate
- How confidently you continue to operate
That is the real gap between what boards expect and what ransomware delivers.
Closing that gap should be a priority for every organisation today.
Ready to Strengthen Your Ransomware Resilience?
Ransomware isn’t going away, but your organisation can be better prepared.
Book a no-obligation discovery session with our security specialists to discuss your current approach, identify potential gaps and explore how a prevention-first strategy can strengthen your cyber resilience.