Ransomware attacks were considered an IT problem in the past, but they’re increasingly a direct threat to customer trust. As enterprises face rising breaches that lock their systems and expose sensitive information, every moment of downtime or data loss affects the customer experience. Protecting customers’ data has become as essential to brand reputation as product quality.
That explains why 58 percent of organizations that suffered ransomware attacks in the past year paid the ransom to get their data back, according to Sophos’ State of Ransomware in Retail report. That was the second-highest payment rate in five years. The median ransom demand doubled to $2 million from 2024, while the average payment increased by 5 percent to $1 million.
Retailers especially have had a tough year, as several large brands have suffered high-profile cybersecurity attacks. The threats are growing as attackers are constantly looking to exploit vulnerabilities. As demands for ransom payments reach new highs, enterprises in all sectors need to put in place comprehensive security strategies. Sophos’ research showed 46 percent of attacks began with an unknown security gap.
The nature of ransomware threats is changing: malicious actors are homing in on phishing attacks as a way into enterprise systems rather than attacking servers directly.
“We’re very focused on server security and network security. But in reality, what’s happening is that… over the last two years, 70 percent of ransomware attacks originated with an individual, rather than the server,” online privacy expert Ron Zayas, Founder and CEO of Ironwall by Incogni, told CX Today in an interview. “That’s coming from using data to create better phishing attacks that are so good that you’re clicking on them.”
These attacks have a direct impact on a company’s reputation and sales. Major casinos and large retailers have seen their performance plunge in the aftermath of breaches, Zayas noted.
“This isn’t theoretical. You’re losing a lot of money when customers perceive that A, you’re asking for too much information. And B, when something happens to you because you’re careless, they’re going to go somewhere else because they understand the threat to them.”
The challenge is escalating as hackers are using AI to create and automate more convincing phishing attacks, Chester Wisniewski, Director, Global Field CISO at security firm Sophos, told CX Today.
“The two most concerning aspects of AI are the higher quality of phishing attacks and the speed with which attacks can be conducted. AI doesn’t necessarily create new threats as much as it allows the existing techniques to be automated and executed more quickly,” Wisniewski said.
“One of the most important factors in defending networks isn’t just prevention, but also how quickly you can detect a breach and respond, ideally, before any data is stolen or encrypted.”
“If AI makes each malicious step easier, defenders will need to monitor 24/7 for breaches and be prepared to react in minutes, not hours, to prevent harm to unprotected data,” Wisniewski said.
Prevention Starts with Preparation
The key to avoiding ransomware attacks is preparedness. “Properly protecting your information and backups insulates you from all types of data theft and ransom attacks,” Wisniewski said.
But this is where many companies are falling down. According to Sophos, 62 percent of retailers that experienced attacks restored their data using backups. That was the lowest rate in four years, indicating that some companies are not generating regular backups that they can restore data from if the worst happens.
“The figures for retail in this year’s survey are very concerning,” Wisniewski said. “The lack of backups makes organisations even more reliant on paying criminals and hoping for the best to regain access to business-critical information.”
Identifying where security weaknesses are and performing reliable backups indicates an organization is taking a proactive approach to data security. “As we all know, an ounce of prevention is worth a pound of cure, and this lack of preparedness results in higher incident costs and more loss of sensitive information, harming an organization’s reputation,” Wisniewski said.
As ransomware attacks evolve to target individuals, enterprises need to understand how employee data can be leveraged to launch highly targeted attacks.
“That’s where it’s changed, and companies don’t fully understand even that the vector has changed, or how to protect themselves,” Zayas said.
“It’s the data on your employees that’s killing you, so the way to protect yourself is to remove the amount of data that is available on your employees.”
Enterprises are starting to realize that dark web monitoring tools can act as an early warning system against ransomware and data breaches. When attackers compromise a device, such as an employee’s phone, they often advertise that access on the dark web for anyone willing to pay.
In some cases, leaked credentials or access to infected devices can surface online weeks before a ransomware attack, and monitoring tools can send out alerts that give teams time to prepare.
“It’s a great way for you to jump in front of that, because once it’s in circulation, you’re toast; it’s too late,” Zayas said.
Organizations also need to reconsider the level of detail in the data they hold on customers.
For instance, recent security breaches through the Salesforce platform have succeeded because companies keep extensive customer records in the system, Zayas noted.
“One of the best practices for any company is to decide how much information you really need. Just because you can get more information and enrich it doesn’t mean it makes sense.”
Any interaction with a third party opens up a potential vulnerability. That’s why organizations need to think beyond protecting their servers.
Managing Vendor Risk to Prevent Data Breaches
“Everybody wants to jump on the AI bandwagon, and AI isn’t something that a standard company can do on their own. You have to work with a third party… because of the complexities,” Zayas said. “That becomes a huge attack vector for people going after ransomware.”
Several high-profile security breaches this year, such as Stellantis, Jaguar Land Rover, Harrods and Discord, have involved attacks on their third-party customer data platforms, not the company’s own servers.
Zayas warned:
“If you are a private company and you are sharing information, if you are putting your information to a third party, it’s like the old saying, whoever you sleep with, you’re sleeping with everybody that they ever slept with.”
“When you partner with somebody and you’re transferring data, you have to be much more aware of how you’re identifying that data, because now you’re vulnerable to whatever attack happens to them.”
As enterprises adopt AI tools to streamline data management and improve decision-making, they often overlook a critical risk: AI systems rely on large volumes of data, so organizations end up opening their data stores and feeding extensive amounts of sensitive information into AI platforms. These platforms are run by major providers, but no organization is immune to breaches, and a breach there could expose customer data, Zayas said.
“Let’s go back in time a little bit to when there was a lot of cash… People didn’t come to rob your pizza place. They robbed the bank, because that’s where everybody was putting their money.”
Users need to understand that “data is the currency” now in circulation, which makes large AI providers and marketers more attractive targets for attackers than a number of smaller companies, Zayas said. “You’re going to see the breaches being more and more related to the amount of information that’s coming out with AI, the amount of information that’s being enriched, and companies are going to suffer from this.”
Although enterprise teams want to collect as much information as possible to get richer AI outputs, “you need to be a lot smarter about what information you share to be able to get what you need,” Zayas said.
Removing personal information so that individuals are not identifiable will help to protect customers.
“The smart play is learn how to sanitize your data. You don’t have to share 100 pieces of information on one of your customers with an outside company. It’s stupid. Why are you sharing all that customer information when it becomes available?”
“It’ll still give you the same result you have without the customer information being there,” Zayas added.
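One way to put this advice into practice, as an added example that is not part of the original article and not code from any of the companies quoted: a Python routine that keeps only an allowlisted set of fields before a customer record leaves for a third-party platform, replaces the customer ID with a keyed pseudonym, redacts contact details that leak through free text, and runs a pre-flight check for direct identifiers that survived. The sample record, the allowlist, the identifier list and the HMAC key are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample record for illustration; not real customer data.
CUSTOMER = {
    "customer_id": "C-10042",
    "name": "Jane Example",
    "email": "jane@example.com",
    "phone": "+1-555-010-0042",
    "home_address": "1 Sample Street, Exampletown",
    "date_of_birth": "1984-06-14",
    "support_transcript": "Hi, my email is jane@example.com, call me on +1-555-010-0042, I cannot log in.",
    "product_tier": "gold",
    "tickets_last_90d": 3,
    "last_login_days_ago": 2,
}

# Hypothetical allowlist: the only fields the downstream AI use case actually needs.
ALLOWED_FIELDS = ("product_tier", "tickets_last_90d", "last_login_days_ago", "support_transcript")

# Direct identifiers that must never leave, even when embedded inside free text.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "home_address", "date_of_birth")

# Constructed key; in practice it lives in a secrets manager and is never shared with the vendor.
PSEUDONYM_KEY = b"example-only-do-not-use-in-production"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) so the vendor can still correlate records for one customer
    without learning the identifier; without the key it cannot be rebuilt from a list of known IDs."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrub_text(text: str) -> str:
    """Redact contact details that staff or customers typed into free-text fields."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


def minimize_record(record: dict, allowed=ALLOWED_FIELDS, key=PSEUDONYM_KEY) -> dict:
    """Build the outbound record: a pseudonymous reference plus allowlisted fields only."""
    out = {"ref": pseudonymize(record["customer_id"], key)}
    for field in allowed:
        if field in record:
            value = record[field]
            out[field] = scrub_text(value) if isinstance(value, str) else value
    return out


def leaked_identifiers(original: dict, outbound: dict, fields=DIRECT_IDENTIFIERS) -> list:
    """Pre-flight check: list every direct identifier that still appears in the outbound
    record, either as a field or as its value inside any string. Empty list means clear to send."""
    haystack = " ".join(str(v) for v in outbound.values()) + " " + " ".join(outbound)
    leaks = []
    for field in fields:
        value = original.get(field)
        if field in outbound or (value is not None and str(value) in haystack):
            leaks.append(field)
    return leaks


if __name__ == "__main__":
    outbound = minimize_record(CUSTOMER)
    print(outbound)
    print("leaks:", leaked_identifiers(CUSTOMER, outbound))
```

The allowlist is the important design choice: new fields added to the source system are dropped by default rather than leaking until someone notices, and the leak check catches the case the regexes miss, such as a name or address pasted into a ticket.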
When signing contracts with third-party providers, buyers should select vendors according to the sensitivity of the data those vendors will handle, and make sure the contracts include clear privacy clauses and audit rights.
“Third-party risk management is the frontline defence for customer data,” Aben Pagar, Director at legal services firm Konexo, told CX Today. “Due diligence cannot stop at onboarding—continuous monitoring and assurance are vital. Embedding these controls creates a culture of accountability that protects data and strengthens trust.”
In the UK public sector, a proposed ban on organizations making ransom payments will require them to ensure their systems are resilient.
“The ban on ransom payments changes the calculus for procurement,” Pagar said. “Vetting suppliers for robust security and privacy practices is now non-negotiable.”
Keeping Customers Informed When Ransomware Strikes
When enterprises do fall victim to ransomware attacks, communicating with customers as much as possible is essential to provide reassurance that leaders are actively working to recover and safeguard their data.
“Customer communications are key during incidents to inspire confidence that you have capable experts handling the situation. Silence is very dangerous, as people’s imaginations are far worse than what your incident actually looks like,” Wisniewski said.
Although there are certain details that companies may not be able to provide because of legal constraints and law enforcement requests, “being open and sharing what you can goes a long way toward demonstrating your commitment to your customers and their privacy and security,” Wisniewski said.
Ransomware Recovery is a Team Sport
Given the proliferation of attacks, companies need to be prepared to bounce back quickly if a ransomware hit does happen. Testing backups regularly and knowing exactly how to restore systems if things go down are key. Staying on top of vulnerabilities, tightening access controls, and keeping a close eye on who has high-level permissions can make all the difference.
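A minimal version of the restore test this paragraph calls for, written as an added example rather than code from the article or from Sophos or Konexo: it hashes every file into a manifest at backup time, restores the backup into a scratch directory (never over production), and reports any file that is missing, altered or unexpected. The sample files, the directory layout and the simulated corruption step are all constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Copy the source tree and store the manifest alongside it."""
    shutil.copytree(source, backup_dir / "data")
    manifest = build_manifest(source)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def restore_and_verify(backup_dir: Path, scratch: Path) -> list:
    """Restore into a scratch location and compare every file against the manifest.
    Returns a list of problems; an empty list means the backup is usable."""
    shutil.copytree(backup_dir / "data", scratch / "restored")
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(scratch / "restored")
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple:
    """Constructed end-to-end run: a clean restore, then a restore from a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "prod"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,tier\n1,gold\n2,silver\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        backup = take_backup(src, tmp / "backup")
        clean = restore_and_verify(backup, tmp / "scratch1")
        # Simulate silent damage to the backup copy, e.g. encryption by ransomware or a failing disk.
        (backup / "data" / "db" / "customers.csv").write_text("garbage")
        tampered = restore_and_verify(backup, tmp / "scratch2")
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore problems:", clean)
    print("tampered restore problems:", tampered)
```

Run this on a schedule against a real backup set and alert on any non-empty result; a backup that has never been restored is an assumption, not a control. Keep the manifest on separate, write-protected storage so that whatever damages the data cannot also rewrite the hashes.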
“Regular staff training reduces human error, and a robust incident response plan ensures clarity when seconds count,” Richard Chudzynski, Partner at Konexo, told CX Today.
Response plans must involve all teams. Ransomware and other cyberattacks are no longer just IT problems. Relying solely on IT managers to respond puts enterprises at greater risk because attacks now touch every aspect of the business.
“Resilience is a team sport,” Chudzynski said.
“HR safeguards employee data, procurement manages supplier risk, and business units handle customer information, while IT and cyber teams enforce technical controls. Legal and privacy teams set the regulatory framework, and internal audit validates compliance.”
When each team owns its role, organizations can communicate transparently during a crisis, helping to minimize disruption to the customer experience and reinforce trust, Chudzynski added.