Paying ransomware attackers is making companies more vulnerable

Posted on January 25, 2026

By paying ransomware, organisations are leaving themselves open to repeat attacks and long-term business disruption, according to Lloyd Timcke, regional director for Africa and Israel at cybersecurity firm Rubrik.

At a cybersecurity event in Johannesburg last week, the company said attackers are increasingly exploiting identity systems such as Active Directory and cloud identity providers, allowing them to shut down entire businesses rather than only encrypting files.

“Traditionally, organisations have focused on protecting data on-premises, but the environment has fundamentally changed,” Timcke told TechCentral in an interview. “Now you have cloud, applications, identity and unstructured data all converging. If you don’t protect that, you put your reputation and revenue at risk.

“It’s the way organisations are being exploited,” he added, referring to identity-based ransomware. “They can’t take away the data; they can’t take away the ability to access the data. So, they just have to exploit your access to that data in the form of ransomware.”

Data presented at the event showed that identity systems are one of the most exploited attack vectors, with 90% of organisations experiencing an identity-related security incident in the past 12 months. Some 50% were attacked using an identity management system like Active Directory.

That increase comes despite global efforts to curb cybercrime. Rubrik data showed that cybersecurity spending has risen about 180% over the past decade, while ransomware victims increased by more than 120%.

Repeat attacks

One concerning development is businesses paying ransom demands to restore operations quickly, a move that often backfires. “Around 60% of organisations attacked have repeat attacks within six months; where you pay a ransom, they’re attacked somewhere else within six months, often by the same or related threat groups,” Timcke said.

Ransomware is increasingly no longer confined to IT departments. High-profile attacks on retailers and manufacturers worldwide have shut down production lines, emptied store shelves and disrupted supply chains for weeks or months.

Timcke pointed to recent attacks on Marks & Spencer, where ransomware forced the company to halt online orders, disrupted in-store and contactless payments, and exposed some customer data.

“The reputational damage was massive, the revenue damage was massive and the shareholder impact was massive,” he said. “This isn’t a textbook example; it affects customers like us directly now.”

Slides shown during the Rubrik event listed major companies hit by cyberattacks, including Jaguar Land Rover, Harrods, the Co-op Group, M&S, Adidas, Victoria’s Secret and The North Face.

Cybersecurity is now being taken to board-level oversight, Timcke said. “This is no longer an IT problem. It is a business problem.”

Companies making headway treat cyber risk like any other business risk, passing decision-making to chief risk or operating officers rather than leaving it to technology teams alone.

This shift is driving adoption of an “assume breach” strategy, where organisations act as if a cyberattack will happen and focus on recovering quickly rather than only trying to stop attacks.

Mark Grant, go-to-market lead for Europe, the Middle East and Africa at Rubrik, also advised companies not to yield to extortion.

He cited Colonial Pipeline, which paid several million dollars to attackers but still faced legal and regulatory problems for months. The American oil pipeline system, which originates in Texas and carries gasoline and jet fuel to other parts of the US, suffered a ransomware attack in 2021. It impacted the computerised equipment managing the pipeline.

“If you pay, expect potential data corruption, potential litigation, legal costs and a high potential of repeat attacks,” warned Grant. – © 2026 NewsCentral Media
