There's a persistent myth in the small business world that cybercriminals aren't interested in you. That hackers are only chasing banks, hospitals, and multinationals. It's a comforting thought — and it's completely wrong.
The reality is that small and medium-sized businesses are increasingly the primary target for ransomware attacks, not the accidental victims. This isn't random. It's deliberate strategy. Attackers have done the maths, and smaller businesses are where the returns are most predictable.
Here's why — and more importantly, what you can do about it.
The Numbers Are Hard to Ignore
Last year, 43% of UK businesses reported experiencing some form of cyberattack or breach, according to the government's Cyber Security Breaches Survey 2025. That's roughly 612,000 businesses. Across the EU, research by Howden found that 49% of businesses in Germany, France, Italy, and Spain reported at least one attack between 2020 and 2025.
Ransomware attacks against UK businesses doubled year-on-year, from under 0.5% of businesses in 2024 to 1% in 2025 — an estimated 19,000 UK businesses hit in a single year. Across the EU, ENISA's 2025 Threat Landscape report found that ransomware accounted for 81% of all cybercrime incidents targeting European organisations.
These aren't enterprise businesses making headlines. The vast majority of those affected are small and medium-sized firms — the kind running on tight margins, without a dedicated IT team, and with no real plan for what happens when systems go down.
Why Attackers Specifically Target Smaller Businesses
This isn't about small businesses being unlucky. It's about them being strategically attractive. The UK government's own research puts it plainly: cybercriminals target smaller businesses because their attacks are less likely to be detected before ransomware can be deployed or data stolen.
There are four specific reasons smaller businesses end up in the crosshairs.
1. Weaker defences, same valuable data
A small accountancy firm, legal practice, or healthcare provider holds exactly the same kind of data that attackers want — client records, financial information, personal data — as a much larger organisation. The difference is that the larger organisation has a security team, monitoring tools, and incident response procedures. The smaller one often has none of these. Attackers can achieve the same outcome with a fraction of the effort.
2. Ransomware-as-a-Service has lowered the bar
A decade ago, launching a sophisticated ransomware attack required genuine technical skill. That's no longer true. Today, criminal groups operate Ransomware-as-a-Service (RaaS) platforms — subscription models that allow low-skill attackers to deploy professional-grade ransomware against targets of their choosing, for a cut of any ransom paid. ENISA's 2025 report describes this as a "professionalised and resilient criminal ecosystem" that has specifically lowered barriers to entry for attackers. Small businesses, which previously fell below the radar of skilled criminals, are now within easy reach of anyone with a laptop and a grudge.
3. Smaller businesses are more likely to pay
When a small business loses access to its systems, it typically can't absorb a week of downtime the way a larger organisation might. There's no IT recovery team, no redundant infrastructure, no war chest to fund a lengthy recovery. Attackers know this. A small business facing an average of 24 days of downtime following a ransomware attack — the current global average, according to Sophos research — is under enormous pressure to pay quickly just to survive. The average cost of recovering from a ransomware attack, excluding any ransom payment, now sits at around $1.53 million globally. For a small business, even a fraction of that figure can be existential.
4. Attacks go undetected for longer
The average time from initial intrusion to ransomware execution is now just five days. But many small businesses don't have the monitoring in place to detect unusual activity in that window. By the time anything is noticed, the damage is already done. In some cases, attackers spend weeks inside a network — stealing data, mapping systems, and identifying backups to destroy — before triggering the ransomware. Without visibility into what's happening on your network, you won't know until it's too late.
What Does a Ransomware Attack Actually Cost a Small Business?
Most small business owners think of a ransomware attack in terms of the ransom demand — a number they might be able to pay and move on from. The reality is considerably more complicated.
For UK organisations, the average total cost of ransomware recovery reached $2.58 million in 2025, up from $2.07 million the previous year. Median recovery costs for UK businesses — even excluding larger firms that skew the average — exceed £200,000, according to security firm Solace Cyber. For many small businesses, that figure alone would be terminal.
The costs break down across system restoration, forensic investigation, legal and regulatory obligations, business interruption, and reputational damage. In the UK, SMEs are already losing an estimated £3.4 billion a year to inadequate cybersecurity. The average attack costs £3,398 for small businesses and £5,001 for those with 50 or more employees.
And that's before you factor in GDPR. Under UK and EU data protection law, a ransomware attack that involves personal data — which most do — triggers mandatory reporting obligations. Failure to notify the ICO (or your national data protection authority in the EU) within 72 hours can result in fines on top of everything else. The regulatory clock starts ticking the moment you become aware of a breach, not the moment you've recovered from it.
There's also the question of what happens if you pay the ransom. Globally, only 67% of businesses that paid a ransom in 2025 successfully recovered their data. That means roughly one in three paid and still didn't get their systems back. Paying is not a recovery strategy.
The "It Won't Happen to Us" Problem
The most dangerous thing about ransomware isn't the attack itself — it's the assumption that it won't happen. The UK government's own research found that only 19% of businesses provide staff training around cybersecurity. Just 40% have two-factor authentication deployed. Only 15% have a formal incident response plan in place.
That last figure is particularly stark. If an attack happened tomorrow, 85% of UK small businesses would be improvising their response in real time — while systems are down, data may be leaking, and the 72-hour GDPR reporting clock is already running.
Across the EU, the picture is similar. ENISA's analysis of nearly 4,900 incidents found that the most common initial access methods — phishing emails, unpatched vulnerabilities, and compromised credentials — are all things that basic security controls would prevent or significantly mitigate.
What Actually Reduces Your Risk
The good news is that the controls that make the biggest difference aren't expensive or complicated. The businesses that recover quickly from ransomware — or avoid it entirely — tend to have a handful of things in common.
- Multi-factor authentication (MFA) on everything. It stops the majority of credential-based attacks before they start. Not just on email — on every system your business uses.
- Tested backups stored offline or offsite. Attackers routinely target backup systems first. If your backups are connected to the same network, they'll encrypt those too. Backups stored separately — and tested regularly — are what allow recovery without paying.
- Patching and updates applied consistently. Most ransomware exploits vulnerabilities that already have patches available. Keeping software up to date closes those doors before attackers can walk through them.
- Staff awareness. Phishing is behind 85% of UK business breaches. One person clicking one link is often all it takes. Regular, practical training — not a once-a-year compliance tick-box — makes a measurable difference.
- An incident response plan. Knowing in advance who does what when something goes wrong dramatically reduces the chaos and cost of recovery. It doesn't need to be a 50-page document. It needs to exist and be understood by the people who'll need it.
For businesses that are growing or managing remote teams, it's also worth understanding the principle of zero trust security — the idea that no user, device, or connection should be trusted by default, even inside your own network. In practice for small businesses, zero trust isn't a single product you buy — it's an approach built from the controls above: MFA, least-privilege access (giving people only the access they actually need), and monitoring. The NCSC and ENISA both reference zero trust principles as part of a modern security baseline, and UK cyber insurers are increasingly rewarding businesses that can demonstrate these controls with lower premiums.
Howden's research found that improved adoption of basic cyber hygiene reduces the average cost of attacks by 87%. That's not a marginal gain — it's transformative. For a company with average revenues of €62 million, this translated to €4 million in savings over five years. Scale that down to a small business and the proportional impact is the same.
Where to Start
If you're not sure where your business stands on any of these, the most useful thing you can do right now is get an honest picture of your current exposure. Not a vague sense that "we probably need to do something about security" — an actual assessment of what's in place, what isn't, and what the priority should be.
Our free RisQ Cyber Risk Assessment runs through the key areas in around three minutes and gives you a scored breakdown with a prioritised action plan. No technical knowledge required, no sign-up.
If you'd prefer to have someone work through it with you — particularly if you're considering your insurance position or have regulatory obligations under GDPR or NIS2 — our IT Health Check service covers exactly this ground, in plain English, without the enterprise price tag.