// TALKING POINT //
PAYING RANSOMWARE DEMANDS INVITES REPEAT EXTORTION
Alana Muir, Head of Cyber at Hiscox, explains why preparation matters more than payment.
More than a quarter (27%) of small and medium enterprises (SMEs) in the UK have experienced a ransomware attack within 12 months, according to Hiscox’s Cyber Readiness Report, highlighting how widespread cyber extortion has become.
The report is based on a survey of 5,750 businesses across seven countries. UK insights are based on 1,000 respondents responsible for the cybersecurity strategy within their organisation.
Ransomware remains a significant threat across the SME landscape, impacting both insured and uninsured businesses. Among those affected, 80% paid a ransom in an attempt to recover or protect critical data.
Nearly a third (31%) of SMEs who paid a ransom were subsequently asked for additional payment, according to Hiscox’s research, exposing businesses to repeat extortion and prolonged disruption.
While 60% achieved full or partial data recovery, the process was rarely straightforward. More than two-fifths (41%) of businesses were given a recovery key but still had to rebuild their systems, as unlocking data does not automatically restore networks to safe working order.
In addition, 27% of those who paid a ransom demand later experienced another attack, though not necessarily by the same perpetrator, suggesting that payment does not reliably prevent future targeting.
Larger SMEs faced more repeated incidents. Companies with 50–249 employees experienced an average of seven attacks in a 12-month period, compared to businesses with fewer than 10 employees, which experienced an average of four.
As organisations grow, adopt new technologies or expand digital services, exposure can increase rapidly if cyber controls and insurance arrangements are not reviewed alongside operational change.
Across all types of cyber incidents, one-third (33%) of affected firms incurred fines significant enough to damage their financial health. Meanwhile, 30% reported lower business performance indicators following an attack, and 29% experienced greater difficulty attracting new clients.
These findings demonstrate how a ransomware incident can quickly escalate beyond IT disruption into a wider business continuity challenge, affecting revenue, operations and long-term reputation.
What follows is practical guidance for SMEs on how to approach ransomware risk before, during and after an attack:
Before an attack: Prepare and protect
Install reputable security software across all devices, enforce strong password management with multi-factor authentication, keep systems updated and ensure regular secure data backups are tested. Restrict access to sensitive information so employees only have the permissions necessary for their role.
During an attack: Respond carefully
If an incident occurs, avoid reacting impulsively. Understand what your cyber insurance covers before making any critical response decisions. Seek specialist advice and follow a structured incident response plan. Even with a recovery key, rebuilding systems may still be necessary, so measured decision-making is critical.
After an attack: Review and evolve
Recovery is not the end of the story. Businesses should analyse what happened, update controls and reassess access permissions – especially where AI tools are involved. Regular review is one of the most effective ways to prevent repeat targeting.
18 Intelligent SME.tech