Inside the Race Against Time: How UK Cyber Firms Battle Ransomware Attacks
The Hidden World of Ransomware Negotiations Revealed

In the high-stakes world of cybercrime, a single phone call can signal the beginning of a corporate crisis. For a business under digital siege, the first few minutes are often the most critical in determining its fate.

The Critical First Response

When an alert reaches the cybersecurity firm S-RM, headquartered on Whitechapel High Street in east London, the clock starts ticking immediately. The compromised organisation may have only a brief window to protect itself from catastrophic data loss or operational shutdown. Experts describe this phase as "stopping the bleeding" – a frantic effort to contain the damage before it spreads.

S-RM, which recently helped a major retail client recover from an attack by the notorious hacking group Scattered Spider, has built a reputation as a discreet, word-of-mouth success in security circles. Its senior team, often multilingual with minimal online footprints, hint at backgrounds in corporate or government intelligence.

The firm now boasts the UK's largest cyber-incident response team, with a global first-responder service of roughly 150 experts. Its clients range from those on retainer and victims referred by insurers, to desperate "walk-ins" who find the firm through an urgent online search as their systems collapse.

Ted Cowell, director of S-RM's cyber business arm, illustrates the intensity with a recent case. A 30-minute Teams call with a retailer (understood by the Guardian not to be Marks & Spencer or the Co-op, both attacked in 2025) rapidly escalated into "a 24-hour call with a rotating cast of experts."

"On average we're getting back to clients within six minutes," Cowell states. "Which is critical because often the first hours of a cyber incident can be the biggest chance window to determine the outcome of a case and its impact. What can start as a network intrusion can then metastasise into a full-blown malware or ransomware scenario."

The Ethical Dilemma: To Pay or Not to Pay?

Cowell, a Cambridge-educated Russian speaker, emphasises that a swift, effective response during the attacker's "reconnaissance" period can dramatically alter the outcome. Criminals need time after initial access to identify the most valuable data. This delay allows experts to potentially prevent the most damaging actions: "exfiltration" (data theft) and encryption (being locked out of systems).

"Sometimes we can stop it from going boom," Cowell says, referencing the successful containment of malware for the Scattered Spider victim.

Yet, as cybercrime proliferates, so do ethical challenges. S-RM and its peers face criticism for their role in "extortion support," which involves advising on, and sometimes conducting, ransom negotiations. Cowell is keen to distance the firm from accusations of feeding organised crime.

"We're instructed by the policyholder, by the insured," he clarifies. "Our ambition is to guide 'no payment' decisions wherever and whenever possible." He notes a growing trend of businesses refusing to pay.

The firm's role, he explains, is to facilitate strategic thinking for panicked clients. "We just offer the template of a crisis, how things play out based on our experience." A fundamental question posed to boardrooms is: "Why should we pay these criminals?" Cowell's team educates executives that ransomware is an organised criminal enterprise.

Paradoxically, he notes that more "established" ransomware groups often honour settlements to maintain their "brand" credibility, deleting stolen data or providing decryption keys. S-RM builds profiles on these groups, detailing their reliability, negotiation patterns, and even sanctions concerns.

The Shifting Landscape of Cyber Defence

Sanctions, however, are a complex game of "whack-a-mole," Cowell admits. State-linked threat actors often simply disband and reform under new names. The risk of indirectly funding hostile states remains a serious consideration for victim firms.

Ultimately, the decision to pay rests with the business, based on its unique circumstances. As corporate ethics evolve against funding crime, restoration and recovery services are becoming a larger market segment. The priority is increasingly to restore operations swiftly, with forensic analysis taking a back seat.

The UK's official response has also transformed. Cowell praises the National Cyber Security Centre (NCSC), stating it has "hugely transformed" in recent years to match its Nordic counterparts. It now proactively warns potential victims based on intelligence, playing a "more robust role" in facilitating information sharing—a shift evident during the Scattered Spider attacks.

In this shadow war, the battle is fought not just in code, but in boardrooms and negotiation channels, where every minute counts and every decision carries immense weight.