It’s Cheaper to Be Defensive: Why Waiting for a Breach Is the Most Expensive Mistake You’ll Ever Make
“75 percent of UK businesses say they’d break the law to pay off a ransomware gang. Not because they’re desperate. Because they did nothing to prevent it.”
Let’s not pretend this is a surprise. That PR Newswire headline might sound shocking, but it’s just putting a spotlight on something that’s been festering in plain sight for years.
This is what happens when companies refuse to take security seriously. This is what happens when leadership prioritises marketing budgets over firewall upgrades, and when the board still sees cybersecurity as a nice-to-have line item rather than the foundation of survival.
Because here’s the hard truth. If three out of four businesses say they would rather pay off criminals than face the reality of their own failures, we are no longer talking about isolated bad luck. We’re talking about wilful negligence disguised as pragmatism.
The British Business Playbook: Ignore It Until It Explodes
Let’s picture the typical setup. You walk into the average UK business and you’re greeted by a half-dead printer, a tired old server humming in a dusty cupboard, and a Wi-Fi password taped to a filing cabinet in reception. The person in charge of IT is either the office manager, someone who used to be “good with computers,” or a third-party MSP that hasn't done a proper audit since Brexit was still theoretical.
There’s no MFA in sight. Passwords are reused more than tea bags in a student flat. Remote access? Still rocking basic RDP with no protection. And backups? You’ll be lucky if someone’s been rotating a USB stick that last worked properly in 2019.
Then the email lands. A fake invoice, a poisoned link, a cleverly disguised PDF. One click and the business is locked. Literally. Files encrypted, systems offline, and the team staring at a screen that says pay up or lose everything.
This is when panic sets in. When the CEO finally asks the questions they should have asked two years ago. When someone tries to call the MSP, only to find out they’re closed on Fridays. When the board meets to discuss how to quietly send a Bitcoin payment and hope the press doesn't find out.
That moment is not a tragedy. It’s a consequence.
"Three quarters of UK firms would break the law to fix what they could have prevented for under a grand."
The Research Is Brutal and It Should Be
According to Censuswide, the figures are dire. Eighty-two percent of UK business leaders would pay a ransom if they got hit. Seventy-five percent would pay even if it became illegal. Almost half wouldn’t tell the authorities at all.
This is not just poor risk management. It’s a complete abdication of responsibility.
And it gets worse. Nearly seventy percent of those leaders believe paying a ransom is cheaper than recovering without paying. That’s not just wrong. It’s financial nonsense. These are the same people who think cyber insurance will fix everything, until the claims team starts asking for the audit logs they never collected.
Let’s be honest. This isn’t about costs. It’s about cowardice. Because spending on prevention requires accountability. Paying the ransom is just writing a cheque to avoid embarrassment.
Paying the Ransom Isn’t a Solution. It’s a Signal
When you pay, you’re not fixing the problem. You’re advertising your vulnerability. You’re telling the entire cybercriminal ecosystem that your business is profitable, unprepared, and willing to deal.
The decryption key? It might work. It might not. It might restore ninety percent of your data and corrupt the rest. It might leave behind malware so they can come back next quarter. It might not arrive at all.
And the data? It’s gone. Whether you pay or not, your files are on some server in Eastern Europe being packaged up for sale. Client contracts. Payroll data. Emails. Credentials. Leaked. Ransomed again. Sold to the highest bidder. Pick your poison.
Meanwhile, you’re still offline. Your backups are either useless or infected. Your team is in chaos. Your insurance provider is asking difficult questions. And your clients are starting to ask whether they can trust you with their data ever again.
Still Think Cybersecurity Is Expensive?
No. What’s expensive is being down for two weeks. What’s expensive is losing contracts, dealing with regulators, and watching your brand get dragged through the news cycle. What’s expensive is rebuilding your systems from scratch because your backups were garbage.
Let’s put some numbers on it. Cyber Essentials, the UK government’s baseline standard for security, costs less than a grand. Decent backups cost less than your daily coffee habit. Proper endpoint protection with 24-hour monitoring is cheaper than the snack budget in most break rooms.
You’re not saving money by skipping security. You’re deferring cost.
"Cybersecurity is only expensive when you ignore it."
When the invoice finally lands, it won’t be optional. And it won’t be cheap.
Cybersecurity Isn’t an IT Problem. It’s a Business One
Stop passing the buck. If you’re a business leader, the responsibility for protecting the company rests with you. Not the helpdesk guy. Not the MSP’s junior engineer. You.
If you couldn’t operate your business tomorrow because of a ransomware attack, and your only plan is to pay criminals and pray, then you have failed as a leader. If your board has never asked about incident response, if you haven’t tested your backup strategy this year, and if you’re relying on hope instead of planning, you are gambling with your company’s future.
And make no mistake, the government is losing patience. There is growing pressure to outlaw ransomware payments entirely. That means that soon your only legal option will be the one you refused to invest in: prevention.
"If you're not budgeting for cybersecurity, you're budgeting for extortion."
So What Does Prevention Actually Mean?
It means having working, tested, offsite backups that can’t be tampered with. It means enforcing MFA across all your critical systems and admin accounts. It means deploying proper threat detection, not some outdated antivirus that hasn’t caught anything since 2016.
It means training your staff regularly because someone in your team will click the wrong thing eventually. It means having a written, rehearsed incident response plan that doesn’t start with "Google the ransom note."
It means knowing what’s on your network, who’s accessing it, and what’s normal. It means reviewing your logs, patching your systems, and having someone you trust who can guide you when something doesn’t look right.
And it means doing all of this now, not the day after the breach.
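One concrete piece of "reviewing your logs" and "knowing what's normal" from the list above, added here as an illustration rather than anything from the original post: a small detector that reads logon events and flags the exposed-RDP pattern the post describes. The log lines are constructed and use a simplified pipe-separated layout (not a real Windows export), keeping only the fields from the Security log's 4625 (failed logon) and 4624 (successful logon) events; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp|event_id|logon_type|account|source_ip".
# Logon type 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2024-05-03T09:00:01|4625|10|administrator|203.0.113.7
2024-05-03T09:00:03|4625|10|admin|203.0.113.7
2024-05-03T09:00:05|4625|10|backup|203.0.113.7
2024-05-03T09:00:07|4625|10|sysadmin|203.0.113.7
2024-05-03T09:00:09|4625|10|finance|203.0.113.7
2024-05-03T09:00:12|4624|10|finance|203.0.113.7
2024-05-03T09:15:00|4625|10|jsmith|192.0.2.44
2024-05-03T09:16:30|4624|10|jsmith|192.0.2.44
2024-05-03T10:00:00|4625|2|jsmith|127.0.0.1
"""

THRESHOLD = 5                 # assumed: failures per source before we call it a burst
WINDOW = timedelta(minutes=5)  # assumed: sliding window for counting failures

def parse_line(line):
    ts, event_id, logon_type, account, src = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "src": src}

def detect_rdp_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (source_ip, kind, detail); kind is 'burst' or
    'success_after_burst' (a logon that follows a burst from the same source)."""
    failures = defaultdict(deque)  # source ip -> timestamps of recent RDP failures
    bursting = set()               # sources currently over the threshold
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["logon_type"] != 10:  # only RDP logons matter for this rule
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in bursting:
                bursting.add(ev["src"])
                alerts.append((ev["src"], "burst", f"{len(q)} RDP failures within {window}"))
        elif ev["event_id"] == 4624 and ev["src"] in bursting:
            alerts.append((ev["src"], "success_after_burst", f"logon as {ev['account']}"))
            bursting.discard(ev["src"])
    return alerts
```

A single failed logon followed by success (the second source above) is normal and stays quiet; the first source trips both alerts, and the second alert is the one worth waking someone up for.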
"You had hundreds of chances. Every day. You chose to do nothing."
This Isn’t About Fear. It’s About Maths
You can prepare now or you can pay later. That’s the real equation. The idea that it’s cheaper to just deal with it when it happens has been disproven by every major breach in the last five years.
Ask any company that’s had to rebuild from ransomware whether they wish they’d spent more on prevention. Ask the ones that didn’t survive if they’d do it differently.
Seventy-five percent of UK businesses are so unprepared they’re openly willing to break the law rather than face the consequences of their choices. That’s not a cyber crisis. That’s a business leadership crisis.
You don’t have to be one of them. But you do have to decide.
Because cybersecurity isn’t just about protecting your files. It’s about protecting your business, your people, and your future.
And if you're not defending it, you’re just waiting for someone to take it from you.