Hiscox warns ransomware hits UK SMEs more than once


Hiscox has reported that 27% of UK small and medium-sized businesses faced a ransomware attack over a 12-month period, and that those that paid attackers often suffered further disruption.

Its Cyber Readiness Report found that 80% of affected SMEs paid a ransom in an effort to recover or protect critical data. Of those that paid, 31% were later asked for more money, while 27% suffered another attack, though not necessarily by the same perpetrator.

The findings add to evidence that paying a ransom does not provide a clean resolution for many businesses. Among organisations that received a recovery key, 41% still had to rebuild their systems, indicating that restored access to data did not necessarily return networks to normal operation.

The report is based on a survey of 5,750 businesses across seven countries, including 1,000 UK respondents responsible for cyber security strategy in their organisations. It is the ninth edition of the study.

Business Impact

Ransomware was presented as part of a broader commercial problem rather than a narrow technology issue. Across all types of cyber incidents, one-third of affected firms incurred fines large enough to damage their financial health, while 30% reported weaker business performance indicators and 29% said attacks had made it harder to attract new clients.

“These findings demonstrate how a ransomware incident can quickly escalate beyond IT disruption into a wider business continuity challenge, affecting revenue, operations and long-term reputation,” said Alana Muir, Head of Cyber at Hiscox.

The research also found support for greater disclosure around ransom payments. More than two-thirds of businesses, or 71%, said ransom payment costs should be disclosed.

“Ransomware is evolving because it works. As long as attackers see financial return, the model will continue to adapt, with repeat payment demands, sustained disruption and businesses being targeted more than once.

“What starts as a technical breach can quickly become a prolonged commercial challenge. That’s why ransomware must be treated as a business continuity issue, not simply an IT problem,” Muir said.

Sector Exposure

Exposure was not uniform across the SME market. Larger SMEs experienced more repeat incidents, with businesses employing 50 to 249 staff averaging seven attacks in a year, compared with four for firms with fewer than ten employees.

Among organisations that had experienced at least one cyber attack, nonprofits recorded the highest average number of incidents at 7.72 over 12 months. Energy followed at 7.12, with travel and leisure at 6.20, financial services at 5.93 and pharmaceutical businesses at 5.84. At the lower end, the chemicals sector recorded about three incidents a year on average.

“As organisations grow, adopt new technologies or expand digital services, exposure can increase rapidly if cyber controls and insurance arrangements are not reviewed alongside operational change,” Muir said.

Response Steps

Hiscox also outlined practical advice for SMEs before, during and after an attack. The guidance focused on preparation measures including installing security software, using strong password management with multi-factor authentication, keeping systems updated, testing secure data backups and restricting staff access to sensitive information.

“Given the report’s findings around repeat targeting and system rebuilds, the most effective ransomware response starts long before an incident.

“Install reputable security software across all devices, enforce strong password management with multi-factor authentication, keep systems updated, and ensure regular secure data backups are tested. Restrict access to sensitive information so employees have only the permissions necessary for their role.

“These steps reduce risk and strengthen overall resilience,” Muir said.

On incident response, the insurer warned against rushed decisions on payment and urged businesses to understand their insurance cover and seek specialist advice.

“If an incident occurs, avoid reacting impulsively.

“Understand what your cyber insurance covers before making any critical response decisions. Seek specialist advice and follow a structured incident response plan. Even with a recovery key, rebuilding systems may still be necessary, so measured decision-making is critical,” Muir said.

The final stage of the advice focused on post-incident review, particularly reassessing vulnerabilities and permissions as businesses adopt more AI tools.

“Recovery is not the end of the story.

“Businesses should analyse what happened, update controls, and reassess access permissions, especially where AI tools are involved.

“Regular review is one of the most effective ways to prevent repeat targeting,” Muir said.

“As ransomware tactics continue to evolve, SMEs cannot afford to stand still. Preparation, transparency and ongoing investment in cyber resilience make the difference between short-term disruption and lasting damage,” Muir said.


