Why Ransomware Will Keep Winning Until Cybersecurity Becomes a Business Risk – Not a Tech Problem (Part 3/3)

The Cure

The Lie That’s Killing You

There’s a phrase still uttered in boardrooms across the UK, right before everything falls apart:

“Cybersecurity? That’s IT’s problem.”

It isn’t. It never was.

Ransomware is what happens when you spend five years ignoring reality, when governance is just a word on a strategy slide, and when security is buried in the ‘Ops’ section of the board agenda and discussed only after someone’s inbox gets popped.

What businesses survive ransomware? They don’t just buy tools. They lead. They plan. They take cyber risk seriously at the top. And they understand one fundamental truth:

Cybersecurity is a leadership issue.

From Symptoms to Systemic Change

If you’ve read Parts 1 and 2, you already know the anatomy of the breach: the click, the MSP failure, the misconfigured firewall, and the missing logs.

But that’s not what nearly killed the business. What did was the paralysis in the boardroom, the endless confusion about who was responsible, the untested incident plan that everyone assumed someone else had written, the backups no one knew how to restore, and the absence of an accountable decision maker when every second counted.

Most ransomware victims never truly recover—not because the tech can’t be fixed, but because the business was never designed to survive.

The CEO Who Finally Asked the Right Question

Three weeks after their business was hit, a managing director sat in a debrief with his leadership team. The IT partner was gone. The rebuild had begun. The costs were mounting. The room was still raw with shame and confusion.

He leaned forward and asked, “Why didn’t I know any of this?”

And the answer, unspoken but deafening, was this:

  • Because no one told you.

  • Because no one was made to.

  • Because no one owned it.

  • Because you assumed that IT would deal with it, that cyber was something that lived in server rooms, with acronyms and reports you never had to read.

But those days are over. The threat landscape changed. You didn’t.

Governance Isn’t Optional Anymore

Every business has governance. Some of it’s good. Most of it’s just structure and noise. But when it comes to cybersecurity, you need more than policies.

You need ownership.

Someone at board level must own the risk. That person must understand what Cyber Essentials requires. They must know whether the business has MFA. They must understand how the backups work, how the incident response plan is triggered, and who gets called when everything burns.

You wouldn’t accept financial governance that said, “We think our accounts are sort of accurate.”

So why is “we think IT has it covered” still acceptable?

What Real Cyber Resilience Looks Like

Resilient businesses don’t trust blindly. They verify.

They know their assets, have mapped out risk, rehearsed incident response, tested backups, not just run them, and locked down access. They log and monitor, and when something fails, they know who to call and what to do.

Their boards don’t wait to be told what’s wrong. They ask.

They challenge.

They own the problem.

And when a threat does hit, they don’t flail. They respond.

A Short, Sharp List of What Matters

You don’t need 47 tools. You don’t need AI.

You need to focus. Here’s what moves the needle:

  • You need visibility. You can’t secure what you can’t see.

  • You need MFA. Everywhere. Always.

  • You need patching. Not once a quarter. Every week. As a habit, not an event.

  • You need EDR with rollback. Antivirus isn’t enough. Not in 2025.

  • You need backups. Offline, tested, and separate from your production environment.

  • You need monitoring. Real eyes on real logs.

  • You need to know your RTO, RPO, and max downtime.

  • You need someone who’s actually in charge and fully empowered to act.

And you need to stop pretending that being small makes you safe.

Accountability Is the Cure

Any business’s most dangerous cybersecurity assumption is that “someone else has it sorted.”

No one will care more about protecting your company than you, and certainly not your MSP, vendor, or cyber insurance provider.

You are the one who has to lead.

You don’t need to know how to configure a firewall, but you damn well need to ask if one has been installed.

You don’t need to write PowerShell scripts. But you need to know what happens when a system goes offline.

You don’t need to fear ransomware.

But you must respect what enables it.

What Surviving Looks Like

Some businesses walk away from ransomware.

They recover in hours, not days. They don’t pay. They don’t panic. They lose data, but not reputation. They lose time, but not trust. They face regulators, but they’re prepared.

Why?

Because they rehearsed it.

They had a plan. They had leadership. They had oversight. They had buy-in from every department.

They had a culture where security wasn’t someone else’s problem.

And that’s the cure.

This Is the Part Where You Change

If you’ve made it to the end of this trilogy and still think ransomware is just about IT, I wish you luck.

But if you’ve realised that it’s about ownership, governance, and responsibility, you’re already ahead of most of your competitors.

Start now.

Bring cybersecurity into the boardroom.

Assign it. Fund it. Test it. Own it.

And next time a red screen tries to take your business offline, it won’t win.

Because you’ll already know what to do.
