Why Ransomware Will Keep Winning Until Cybersecurity Becomes a Business Risk – Not a Tech Problem (Part 3/3)
The Cure
The Lie That’s Killing You
There’s a phrase still uttered in boardrooms across the UK, right before everything falls apart:
“Cybersecurity? That’s IT’s problem.”
It isn’t. It never was.
Ransomware is what happens when you spend five years ignoring reality, when governance is just a word on a strategy slide, and when security is buried in the ‘Ops’ section of the board agenda and discussed only after someone's inbox gets popped.
What businesses survive ransomware? They don’t just buy tools. They lead. They plan. They take cyber risk seriously at the top. And they understand one fundamental truth:
Cybersecurity is a leadership issue.
From Symptoms to Systemic Change
If you’ve read Parts 1 and 2, you already know the anatomy of the breach: the click, the MSP failure, the misconfigured firewall, and the missing logs.
But that’s not what nearly killed the business. What did was the paralysis in the boardroom, the endless confusion about who was responsible, the untested incident plan that everyone assumed someone else had written, the backups no one knew how to restore, and the absence of an accountable decision maker when every second counted.
Most ransomware victims never truly recover—not because the tech can't be fixed, but because the business was never designed to survive.
The CEO Who Finally Asked the Right Question
Three weeks after their business was hit, a managing director sat in a debrief with his leadership team. The IT partner was gone. The rebuild had begun. The costs were mounting. The room was still raw with shame and confusion.
He leaned forward and asked, “Why didn’t I know any of this?”
And the answer, unspoken but deafening, was this:
Because no one told you.
Because no one was made to.
Because no one owned it.
Because you assumed that IT would deal with it, that cyber was something that lived in server rooms, with acronyms and reports you never had to read.
But those days are over. The threat landscape changed. You didn’t.
Governance Isn’t Optional Anymore
Every business has governance. Some of it’s good. Most of it’s just structure and noise. But when it comes to cybersecurity, you need more than policies.
You need ownership.
Someone at board level must own the risk. That person must understand what Cyber Essentials requires. They must know whether the business has MFA. They must understand how the backups work, how the incident response plan is triggered, and who gets called when everything burns.
You wouldn’t accept financial governance that said, “We think our accounts are sort of accurate.”
So why is “we think IT has it covered” still acceptable?
What Real Cyber Resilience Looks Like
Resilient businesses don’t trust blindly. They verify.
They know their assets, have mapped their risks, rehearsed incident response, tested their backups (not just run them), and locked down access. They log and monitor, and when something fails, they know who to call and what to do.
Their boards don’t wait to be told what’s wrong. They ask.
They challenge.
They own the problem.
And when a threat does hit, they don’t flail. They respond.
A Short, Sharp List of What Matters
You don’t need 47 tools. You don’t need AI.
You need to focus. Here’s what moves the needle:
You need visibility. You can’t secure what you can’t see.
You need MFA. Everywhere. Always.
You need patching. Not once a quarter. Every week. As a habit, not an event.
You need EDR with rollback. Antivirus isn’t enough. Not in 2025.
You need backups. Offline, tested, and separate from your production environment.
You need monitoring. Real eyes on real logs.
You need to know your RTO (recovery time objective), your RPO (recovery point objective), and the maximum downtime the business can absorb.
You need someone who’s actually in charge and fully empowered to act.
And you need to stop pretending that being small makes you safe.
Accountability Is the Cure
Any business's most dangerous cybersecurity assumption is that “someone else has it sorted.”
No one will care more about protecting your company than you do; certainly not your MSP, your vendors, or your cyber insurance provider.
You are the one who has to lead.
You don’t need to know how to configure a firewall, but you damn well need to ask if one has been installed.
You don’t need to write PowerShell scripts. But you need to know what happens when a system goes offline.
You don’t need to fear ransomware.
But you must respect what enables it.
What Surviving Looks Like
Some businesses walk away from ransomware.
They recover in hours, not days. They don’t pay. They don’t panic. They lose data, but not reputation. They lose time, but not trust. They face regulators, but they’re prepared.
Why?
Because they rehearsed it.
They had a plan. They had leadership. They had oversight. They had buy-in from every department.
They had a culture where security wasn’t someone else’s problem.
And that’s the cure.
This Is the Part Where You Change
If you’ve made it to the end of this trilogy and still think ransomware is just about IT, I wish you luck.
But if you’ve realised that it’s about ownership, governance, and responsibility, you’re already ahead of most of your competitors.
Start now.
Bring cybersecurity into the boardroom.
Assign it. Fund it. Test it. Own it.
And next time a red screen tries to take your business offline, it won’t win.
Because you’ll already know what to do.
| Source | Article |
|---|---|
| National Cyber Security Centre | NCSC Cyber Security Toolkit for Boards |
| Harvard Business Review | Cybersecurity Is Everyone’s Job Now |
| Gov.uk | Cyber Security Breaches Survey 2024 |
| ENISA | ENISA Threat Landscape 2023 |
| Gartner | What Boards Should Know About Cybersecurity |
| IBM | Cost of a Data Breach Report 2024 |
| Cyber Essentials Scheme | Cyber Essentials Overview |