Ransomware and cyber security: Why choose investing over damage control

What if operations in your organisation could continue running smoothly, even when you’re facing cyber attacks? With effective cyber security measures, you can ensure your data stays secure and your business runs without interruptions. 

By implementing proactive cyber security strategies, you can protect your organisation from ransomware attacks and prevent financial losses far beyond the initial investment. It doesn’t mean the attacks won’t happen, but you’ll be much better prepared to tackle them. 

We've talked to Caroline Wong, the Chief Strategy Officer at Cobalt, to gain insight into the threat of ransomware attacks and the difference between a reactive and proactive approach to cyber security, including how a certification like ISO 27001 can help.

Watch the full conversation with Caroline Wong: Video | What’s cheaper: paying the ransom or investing in cyber security? (dataguard.uk)

This article covers:


What makes ransomware so effective? 

In 2023, 72.2% of organisations worldwide were affected by ransomware attacks, the highest number ever reported. The healthcare and manufacturing industries are especially affected, leading to data loss, operational downtime, and recovery efforts. Besides the successful attacks, even more were attempted last year. Over 300 million ransomware attempts worldwide were reported, making it a growing concern for organisations of all industries. 

According to Caroline Wong, software's biggest value is allowing people to share information and connect with each other. Still, she states, “Software is created by humans. And software is inherently insecure.” 


It's always a security versus profit discussion  

Modern software offers many opportunities for bad actors. Therefore, it must be shaped so that it's resistant to exploitation. But what's standing in the way of doing that? 

Software developers often create software under time pressure. On their long list of software bugs, including security vulnerabilities, some remain unfixed by the time it goes live. “It's always a security versus profit discussion,” says Caroline Wong.  

Like any other budgeting decision, the question is how to spend the money available in an organisation. It can be spent on an engineer, a salesperson, a marketing campaign—or fixing a security bug. 

“That's a challenging decision to make, and this is risk management,” concludes Caroline Wong. The NIS2 policy will cover these considerations in the EU, obliging organisations operating in the EU of essential and important sectors to secure their assets by regulation.  

Watch video: How to prepare for NIS2   


How likely is it to be targeted by ransomware? 

Thinking that your company won’t be affected can lead to severe consequences. Today's cyber climate demands a realistic approach to the likelihood of ransomware attacks.  

Ransomware is a common threat  

As Caroline Wong states, “The most common belief, particularly amongst folks who may not be working in cyber security, is that hacks are uncommon and that they're rare.” In reality, people and organisations are getting hacked all the time. “Everyone's vulnerable, whether we are consumers or representatives of the organisations that we work with,” Wong adds.  

For the ones deploying the ransomware attacks, it's a business model. They calculate the probability that a share of their targets will be vulnerable to the attack and try to take advantage of this. 



Cyber threats have advanced over the years  

The Ransomware as a Service (RaaS) business model has existed for over a decade. This system includes hackers and affiliates. Hackers create ransomware models and sell them to affiliates, who then use these models to target victims independently. 

The hacker who designed the RaaS earns a fee for each ransom collected. In the first quarter of 2022, there were 31 Ransomware as a Service (RaaS) groups globally. This number is expected to be even higher now, showing the advanced tactics of cyber threats.  

You might also be interested: Don't take the email bait: How to identify and prevent phishing 


Is cyber insurance the answer to ransomware threats? 

Nowadays, significant controls must be in place instead of just providing insurance with a certificate or test report. Customers are struggling to renew their contracts and get coverage in case of an attack. At this point, the question is whether getting cyber insurance to protect your organisation from ransomware threats makes sense. 

Cyber insurance isn't enough 

The concept of insurance appears promising when navigating advanced cyber threats like ransomware attacks. Still, it isn't as simple as it might seem. 

“I do think that cyber insurance is an important control for organisations to have. I don't think, however, that it is reasonable to have cyber insurance and nothing else,” argues Caroline Wong. But why is that? 

Cyber insurance differs from other types of insurance 

Whether health insurance, car insurance or home insurance, most insurance types have something in common: questionnaires. The results of these questionnaires determine your rates. 

What makes cyber security different from these insurance types is that it's changing so quickly. “In 2023, the average ransomware payment was 400,000 dollars, and in the first half of 2024, the average was already 2 million dollars”, says Caroline Wong. Insurance providers must keep their own businesses profitable. This is why they strictly define the security controls and evidence that must be provided to ensure a claim is granted. 

View cyber insurance as a strategic partner 

You shouldn't view cyber insurance as something you buy for your organisation. Instead, view it as a strategic partnership. Know when insurance will and won't pay out. 

With this information in mind, you can make strategic decisions on what you need to cover yourself and take action. Protect your most valuable assets first. Find out what can harm your organisation most—and start there.   




Paying ransom fuels criminal activities  

What would you do if you fell victim to a ransomware attack? If an attacker urges you to pay ransom in exchange for your data or access to your systems, it might seem like a quick solution to the problem. But which consequences does this have? 

Ransomware as a Service 

One of the actors benefitting from the ransom payment is the person creating the ransom. With Ransomware as a Service, these people earn money by deploying the hacking tools. However, they aren't the only ones benefitting from individuals and organisations paying ransom.  

Ethics of other criminal activities  

Ransom payments also finance criminal activities on the dark web, terrorism, trafficking, and other criminal acts you and your organisation wouldn't otherwise want to be associated with. 

"We have choices in terms of where our money goes, and it is our responsibility to think about what happens to our money," says Caroline Wong, while recognising the ethical dilemma you can face if people's lives depend on your systems running.  

Engaging in this sort of transaction encourages more criminal behaviour. Also, nothing prevents an attack from happening again after paying the ransom. Knowing this, it’s never a good idea to pay the ransom. 


How can frameworks like ISO 27001 protect your organisation from ransomware attacks? 

ISO 27001 allows companies to manage risks and operationalise security within their organisation. Therefore, it can also be a puzzle piece in your efforts to protect your organisation from ransomware. 

A transparent starting point 

Your security team is busy and does its best to protect your organisation from threats. But how do you know that you’re focusing on the right topics? “This is one of the things about security that makes it so complicated. It seems as though there is an infinite and endless list of things to do,” explains Caroline Wong. 

Especially with a limited budget, it can be challenging to decide which priorities to focus on. Using a framework like ISO 27001 helps you explain to stakeholders why you chose certain investments and security controls. 

Focus on what's important 

When implementing the ISO 27001 guidelines, you should focus on what's most important to your organisation. Think about your most critical operations and assets first. If they were otherwise unavailable due to threats like a ransomware attack, they're the ones you should start thinking about. It's impossible to secure every asset in a day. So, look at the critical revenue streams and assets and focus on protecting them first.  

Security is more than a certification  

While the ISO 27001 certification is a comprehensive and straightforward starting point for operationalising your security efforts and showing your engagement to customers, it shouldn't be the end goal. 

The principles stated in the framework need to be deeply embedded into your company's culture and daily operations. To ensure your company's long-term success, you need to go beyond certifications. Securing your organisation is an ongoing task that protects your information assets against the latest threats. 



Frequently Asked Questions

Why is cyber insurance not enough? 

Cyber insurance doesn't prevent attacks. Attackers adapt quickly, making insurance a reactive measure. Without defences, insurance claims may fail. Use insurance as a strategic tool, not a sole solution. Invest in proactive security to protect critical assets and reduce reliance on insurance claims. 

Why shouldn't you pay the ransom? 

Paying ransom funds criminal activities and encourages further attacks. It doesn't guarantee data recovery or prevent future incidents. Avoid paying ransom, strengthen your security, and prepare for potential attacks using prevention strategies instead. 

Can ISO 27001 help prevent cyber attacks? 

Yes, ISO 27001 helps manage risks and implement security controls, providing a structured approach to protect your organisation against cyber attacks. It offers a clear starting point for security efforts, allowing you to focus on critical assets and explain security investments to stakeholders. Use it to build a strong security foundation. 

Why is ISO 27001 not enough for security? 

ISO 27001 provides a framework but isn't a complete solution. Security requires ongoing efforts and continuous improvement beyond certification. Embed security practices into your company's culture and daily operations to foster a proactive approach. Continuously adapt to new threats to ensure the long-term protection of your information assets. 

About the author

Kyle Tackley Kyle Tackley
Kyle Tackley

Senior Principal - Global Corporate - InfoSec

Kyle is a Senior Principal at DataGuard and talks all things Information and Cybersecurity. With over 12 years experience in IT, Privacy and Information Security roles, he has implemented and operated a multitude of Security frameworks across enterprise businesses. Ensuring world-class service delivery of DataGuard’s Hybrid Information Security and Privacy as a service solutions to customers, and building a dynamic and successful teams are some of Kyle’s top priorities.

Explore more articles

Contact Sales

See what DataGuard can do for you.

Find out how our Privacy, InfoSec and Compliance solutions can help you boost trust, reduce risks and drive revenue.

  • 100% success in ISO 27001 audits to date 
  • 40% total cost of ownership (TCO) reduction
  • A scalable easy-to-use web-based platform
  • Actionable business advice from in-house experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Continuous support on your journey towards the certifications on ISO 27001 and TISAX®️, as well as NIS2 Compliance.
  • Benefit from 1:1 consulting
  • Set up an easy-to-use ISMS with our Info-Sec platform
  • Automatically generate mandatory policies

100% success in ISO 27001 audits to date



TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Trusted by customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Burger King  Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk