Ransomware appeared in 88% of breaches at small and medium businesses last year, almost four times the rate seen at large enterprises, according to Verizon’s 2025 Data Breach Investigations Report. The same report pegs the median ransom payment at $115,000. Add to that the £1,600 average cost of the most disruptive UK breach in the past 12 months, per the UK Cyber Security Breaches Survey 2025.
According to FBI IC3, total cybercrime losses reached $16.6 billion in 2024, a 33% increase from 2023. The seven steps below map to NIST CSF 2.0, name real costs, and assume no dedicated security team.
Key Takeaways
- 88% of SMB breaches involve ransomware versus 39% at large enterprises, per the Verizon 2025 DBIR.
- 43% of UK businesses reported a cyber breach or attack in the past 12 months, with phishing cited by 85% as the main disruption, per the UK Cyber Security Breaches Survey 2025.
- Multi-factor authentication reduces account compromise risk by 99.22% across the population studied, per Microsoft 2024 research.
- Cyber Essentials requires patching critical and high-risk vulnerabilities within 14 days of disclosure under its updated Willow question set.
- CISA endorses the 3-2-1 backup rule: three copies, two media types, one offsite, with at least seven days of rollback capability.
- Business email compromise drained $2.77 billion from US businesses in 2024 across 21,442 incidents, per the FBI IC3 annual report.
Before You Start: What You Need
Pull together three things before working through the steps: an asset inventory (laptops, phones, servers, cloud and SaaS, with named owners), admin access to your email platform and line-of-business apps, and a small budget line for tools and training. US firms aligning to NIST CSF 2.0 can start with free guidance from the NIST Small Business Quick-Start Guide and the draft NIST IR 7621r2 published on 1 May 2025.
Step 1: Inventory Your Digital Assets
The NIST Cybersecurity Framework 2.0 organises cybersecurity outcomes into six Functions: Govern, Identify, Protect, Detect, Respond, and Recover, and the Identify Function starts with knowing what you own. You cannot defend assets you have not catalogued, and most SMB breach investigations begin with a forgotten laptop, a stale cloud trial, or a former employee’s still-active login.
Build a single spreadsheet with five columns: asset name, type (endpoint, server, SaaS, mobile, network), owner, sensitivity (public, internal, confidential, regulated), and status (active, retired, unknown). Walk through the office, the cloud admin consoles, and the company credit card statements. Credit card statements catch shadow IT faster than asking staff what they use, because surprise SaaS subscriptions show up there even when no one mentions them.
Tag each asset against the data it touches; customer payment data, employee national insurance or social security identifiers, and protected health information sit at the top of the priority list. Verizon’s 2025 DBIR identifies credential abuse at 22% and exploitation of vulnerabilities at 20% as the leading initial attack vectors against SMBs, both of which start from an asset the defender often forgot existed.
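The five-column spreadsheet above is only useful if every row can be acted on. The script below is an added example (not from the original article or from any vendor named in it) that reads such an inventory as CSV, flags rows a defender cannot act on (no owner, status unknown, values outside the agreed vocabulary) and orders the active assets so regulated and confidential ones are reviewed first. The inventory rows, column names and the priority scale are all constructed for the example.

```python
"""Sanity-check a five-column asset inventory (constructed example).

Columns follow Step 1: asset name, type, owner, sensitivity, status.
Rows that fail the checks need a human decision before the inventory
is worth defending; the rest are ordered by sensitivity for review.
"""
import csv
import io

TYPES = {"endpoint", "server", "saas", "mobile", "network"}
SENSITIVITY = {"public", "internal", "confidential", "regulated"}
STATUS = {"active", "retired", "unknown"}
# Higher number = review first (assumed scale, not from the article).
PRIORITY = {"regulated": 3, "confidential": 2, "internal": 1, "public": 0}

# Constructed sample inventory; these are not real assets.
SAMPLE_CSV = """asset,type,owner,sensitivity,status
payroll-app,saas,finance-lead,regulated,active
old-laptop-07,endpoint,,internal,unknown
file-server-01,server,it-lead,confidential,active
visitor-wifi,network,office-mgr,public,active
crm-trial,saas,sales-lead,confidential,retired
cam-lobby,iot,office-mgr,internal,active
"""


def parse_inventory(text):
    """Return the inventory as a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_inventory(rows):
    """Return {asset: [problems]} for rows that cannot be acted on as-is."""
    problems = {}
    for row in rows:
        issues = []
        if not row["owner"].strip():
            issues.append("no owner")
        if row["status"] not in STATUS:
            issues.append("bad status")
        elif row["status"] == "unknown":
            issues.append("status unknown")
        if row["type"] not in TYPES:
            issues.append("type not in vocabulary")
        if row["sensitivity"] not in SENSITIVITY:
            issues.append("sensitivity not in vocabulary")
        if issues:
            problems[row["asset"]] = issues
    return problems


def review_order(rows):
    """Active assets ordered by sensitivity, highest first, then by name."""
    active = [r for r in rows if r["status"] == "active"]
    active.sort(key=lambda r: (-PRIORITY.get(r["sensitivity"], -1), r["asset"]))
    return [r["asset"] for r in active]


if __name__ == "__main__":
    rows = parse_inventory(SAMPLE_CSV)
    for asset, issues in audit_inventory(rows).items():
        print(f"{asset}: {', '.join(issues)}")
    print("review order:", review_order(rows))
```

Run it against your own export and the "no owner" and "status unknown" rows are the forgotten laptops and stale trials the text warns about; the vocabulary checks stop the spreadsheet drifting into free text that nobody can filter.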
Smaller firms often skip this step, then rebuild the inventory under pressure during an incident, which is why SQ Magazine treats it as the most underrated control.
Cost reality: a spreadsheet costs nothing; automated asset discovery tools (Lansweeper, NinjaOne) start in the low double-digits per endpoint per year. Most SMBs with under fifty staff begin with the spreadsheet, in line with NIST’s Small Business Quick-Start Guide guidance to scale gradually.
An asset list without trained eyes watching it is a parts catalogue, not a defence, which is why CISA’s small business guidance pairs the inventory step with employee awareness training.
Step 2: Train Employees to Spot Phishing
Phishing was cited by 85% of affected UK businesses as the main source of disruption, according to DSIT’s UK Cyber Security Breaches Survey 2025. Business email compromise alone drained $2.77 billion from US businesses across 21,442 incidents in 2024, per the FBI IC3 Internet Crime Report. Training is not a tick-box exercise; it is the highest-return control most SMBs ignore.
Run quarterly simulated phishing tests with a vendor such as KnowBe4, Hoxhunt, or Cofense. The pattern that works:
Send a baseline phishing simulation in week one, enrol clickers in micro-training the moment they click, repeat monthly with rotating themes (invoice scams, MFA fatigue prompts, voice-cloning callbacks), and track click rate, report rate, and time-to-report.
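The three metrics named above (click rate, report rate, time-to-report) and the "enrol clickers" rule fall out of the simulation vendor's export. The script below is an added example, not code from the article or from KnowBe4, Hoxhunt or Cofense, that computes them from constructed per-recipient records; the record layout and timestamps are assumptions for the example.

```python
"""Score one simulated phishing campaign (constructed example).

Each record is one recipient: when the lure was sent, when (if ever)
they clicked, and when (if ever) they used the report button.
"""
from datetime import datetime
from statistics import median

# Constructed campaign results; not real users or real data.
SAMPLE_EVENTS = [
    {"user": "ana",  "sent": "2025-03-03T09:00:00", "clicked": None,                  "reported": "2025-03-03T09:04:00"},
    {"user": "ben",  "sent": "2025-03-03T09:00:00", "clicked": "2025-03-03T09:02:00", "reported": None},
    {"user": "cara", "sent": "2025-03-03T09:00:00", "clicked": "2025-03-03T09:10:00", "reported": "2025-03-03T09:12:00"},
    {"user": "dev",  "sent": "2025-03-03T09:00:00", "clicked": None,                  "reported": "2025-03-03T10:30:00"},
    {"user": "eli",  "sent": "2025-03-03T09:00:00", "clicked": None,                  "reported": None},
]


def _ts(value):
    return datetime.fromisoformat(value)


def campaign_metrics(events):
    """Return the Step 2 metrics plus the list of users to enrol in micro-training."""
    sent = len(events)
    clicked = [e for e in events if e["clicked"]]
    reported = [e for e in events if e["reported"]]
    # Minutes from delivery to the report button, per reporting user.
    minutes = [(_ts(e["reported"]) - _ts(e["sent"])).total_seconds() / 60 for e in reported]
    return {
        "click_rate": round(len(clicked) / sent, 2),
        "report_rate": round(len(reported) / sent, 2),
        "median_minutes_to_report": median(minutes) if minutes else None,
        # Anyone who clicked gets the training nudge, even if they reported afterwards.
        "enrol_in_training": sorted(e["user"] for e in clicked),
    }


def trend(previous, current):
    """Quarter-over-quarter deltas for the two rates; report rate should rise, click rate fall."""
    return {
        "click_rate_delta": round(current["click_rate"] - previous["click_rate"], 2),
        "report_rate_delta": round(current["report_rate"] - previous["report_rate"], 2),
    }


if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_EVENTS))
```

A campaign where the report rate rises while the click rate falls is the pattern you want; a falling click rate with a flat report rate usually means staff are ignoring suspicious mail rather than reporting it, which still leaves IT blind.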
The FBI’s 2024 report names Akira, LockBit, RansomHub, FOG, and PLAY as the five most active ransomware groups. Phishing emails and stolen credentials remain common initial access vectors across ransomware activity broadly, which is why staff training pays back quickly.
Tell staff what to do when they spot something. A two-button rule works: a “Report Phishing” button in the email client, and a single Slack or Teams channel where IT confirms within an hour during business hours. Voice-based scams have grown in parallel with email phishing; the SQ Magazine voice phishing statistics hub tracks the latest vishing trends and SMB exposure.
Cost reality: KnowBe4 and similar SAT vendors price at low double-digits per user per year. Microsoft Defender for Office 365 Plan 2 bundles Attack Simulation Training. A small firm should budget a modest annual training line.
Step 3: Lock Down Access with MFA and Least Privilege
Multi-factor authentication reduces account compromise risk by 99.22% across the population studied, and by 98.56% in cases where the password has already leaked. More than 99.9% of compromised accounts lack MFA, and over 99.99% of MFA-enabled accounts remained secure during Microsoft’s investigation period. These figures, drawn from Microsoft’s MFA effectiveness research, describe risk reduction across the studied population, not a guarantee, and the gap between “MFA on most accounts” and “MFA on every account” is where SMB breaches still happen.
Apply MFA in this order:
- Email accounts (Microsoft 365 / Google Workspace) for every user, no exceptions
- Cloud admin consoles (AWS, Azure, GCP, the domain registrar)
- Banking, payroll, and accounting tools
- Remote access (VPN, RDP gateways, jump hosts)
- Customer-facing tools (CRM, support desk, e-commerce admin)
Prefer authenticator apps or hardware keys over SMS. SIM-swapping makes SMS the weakest factor, and Cyber Essentials Willow explicitly recommends app-based or hardware MFA for cloud services.
Layer least-privilege access on top: ask whether each user role, if compromised today, would expose anything outside that user’s daily work. Trim the answer down. Quarterly access reviews catch ex-employee accounts and lateral-privilege creep before attackers do.
More than 99.9% of compromised accounts don’t have MFA
By the numbers: According to Microsoft’s 2024 MFA effectiveness research, multi-factor authentication reduces account compromise risk by 99.22% across the studied population and by 98.56% in cases where credentials have already leaked. The data argues for treating MFA as a baseline rather than a premium control, applied to every account from day one.
Cost reality: MFA is included free in Microsoft 365 Business Standard and Google Workspace Business Standard. Hardware tokens add a one-off per-user fee. Privileged access tools such as JumpCloud or 1Password Business charge a per-user monthly fee.
Strong logins still get bypassed when the software underneath has a known hole.
Step 4: Patch Software Within 14 Days
The UK’s Cyber Essentials scheme requires organisations to patch critical and high-risk vulnerabilities within 14 days of disclosure, with the updated Willow question set effective from 28 April 2025. Verizon’s 2025 DBIR reports that exploitation of vulnerabilities accounts for 20% of initial breach vectors and that vulnerability exploitation surged 34% year over year.
Set up automatic updates wherever the operating system or application supports it:
- Windows: Windows Update for Business, configured for automatic install during off-hours
- macOS: System Settings, General, Software Update, automatic install enabled
- iOS / Android: device management policy enforcing automatic OS updates
- Browsers: Chrome, Edge, Firefox, Safari all auto-update by default; verify staff have not disabled it
- Third-party apps: tools such as PatchMyPC, Chocolatey, or Intune Win32 app deployment
Critical and high-risk patches should land within the 14-day window. Server patches need a maintenance window and a rollback plan; application patches for line-of-business systems often require vendor coordination. Track every system that misses the window in a small remediation log, with the reason and the planned date. Third-party involvement in breaches doubled to 30% in the 2025 DBIR, which makes the same 14-day SLA worth applying to the third-party tools you depend on.
The 14-day window is a baseline, not a stretch goal. Firms that treat it as a hard SLA also expose gaps in their inventory, because you cannot patch what you have not catalogued.
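The remediation log described above is easy to keep as a list of rows, and the 14-day SLA is easy to compute from it. The script below is an added example, not from the article or the Cyber Essentials scheme, that classifies each critical or high entry as met, missed, overdue or still within its window, and reports the compliance rate. The log entries are constructed and the vulnerability identifiers are placeholders, not real CVEs.

```python
"""Track the 14-day patch window from a remediation log (constructed example).

Each entry is one (system, vulnerability) pair: severity, disclosure
date and the date the patch landed, or None if it has not yet.
Only critical and high entries count against the SLA.
"""
from datetime import date, timedelta

SLA_DAYS = 14
IN_SCOPE = {"critical", "high"}

# Constructed log; the vuln ids are placeholders, not real CVE numbers.
SAMPLE_LOG = [
    {"system": "file-server-01", "vuln": "VULN-PLACEHOLDER-1", "severity": "critical", "disclosed": "2025-04-01", "patched": "2025-04-10"},
    {"system": "crm",            "vuln": "VULN-PLACEHOLDER-2", "severity": "high",     "disclosed": "2025-04-02", "patched": "2025-04-20"},
    {"system": "laptop-12",      "vuln": "VULN-PLACEHOLDER-3", "severity": "high",     "disclosed": "2025-04-15", "patched": None},
    {"system": "printer-2",      "vuln": "VULN-PLACEHOLDER-4", "severity": "medium",   "disclosed": "2025-03-01", "patched": None},
    {"system": "payroll-app",    "vuln": "VULN-PLACEHOLDER-5", "severity": "critical", "disclosed": "2025-04-25", "patched": None},
]


def deadline(entry):
    """Disclosure date plus the SLA window."""
    return date.fromisoformat(entry["disclosed"]) + timedelta(days=SLA_DAYS)


def classify(entry, today):
    """met / missed for closed entries, overdue / pending for open ones."""
    due = deadline(entry)
    if entry["patched"]:
        return "met" if date.fromisoformat(entry["patched"]) <= due else "missed"
    return "overdue" if today > due else "pending"


def sla_report(log, today):
    """Bucket in-scope systems by SLA state and compute the compliance rate.

    Compliance counts an open-but-overdue item as a miss, so the number
    cannot be improved by simply never closing a ticket.
    """
    buckets = {"met": [], "missed": [], "overdue": [], "pending": []}
    for entry in log:
        if entry["severity"] not in IN_SCOPE:
            continue
        buckets[classify(entry, today)].append(entry["system"])
    decided = len(buckets["met"]) + len(buckets["missed"]) + len(buckets["overdue"])
    buckets["compliance"] = round(len(buckets["met"]) / decided, 2) if decided else None
    return buckets


if __name__ == "__main__":
    print(sla_report(SAMPLE_LOG, date(2025, 5, 1)))
```

Passing `today` in explicitly keeps the report reproducible and makes it trivial to ask "what will be overdue by next Monday's maintenance window".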
Cost reality: built-in OS update tools are free. Microsoft Intune is bundled with Microsoft 365 Business Premium. Standalone patch managers (Action1, NinjaOne, Atera) charge a small per-endpoint monthly fee.
Step 5: Deploy Endpoint Protection and Network Segmentation
Verizon’s 2025 DBIR finds that ransomware appears in 88% of SMB breaches compared with 39% at large enterprises. Endpoint Detection and Response (EDR) and basic network segmentation close most of that gap.
Replace consumer antivirus with a business-grade EDR product. Microsoft Defender for Business, CrowdStrike Falcon Go, SentinelOne Singularity Core, and Sophos Intercept X are the four most common SMB choices. EDR helps reduce ransomware blast radius by detecting suspicious process behaviour, isolating the affected device, and rolling back changes where supported.
Segment your network into at least three zones:
- User devices: laptops, desktops, BYOD phones
- Servers and infrastructure: file servers, domain controllers, on-prem applications
- Guest and IoT: visitor Wi-Fi, printers, smart cameras, point-of-sale terminals
Block lateral traffic between zones by default. Most SMBs run a single flat network where a compromised printer can reach the accounting server. Even a £200 business firewall (UniFi, Firewalla, Meraki Go) configured with three VLANs raises the cost of a ransomware incident significantly. FBI IC3 data for 2024 records 3,156 ransomware complaints, up 9% year over year, with critical infrastructure repeatedly cited as the most pervasive target.
The FBI’s 2024 IC3 Report names Akira, LockBit, RansomHub, FOG, and PLAY as the five most active ransomware groups, with ransomware complaints rising 9% year over year to 3,156.
Pair EDR with centralised log collection. Microsoft Sentinel, Datadog, or a managed SOC service can flag anomalies across endpoints, identity, and network in one place. For frequency and vector breakdowns by attack type, see the cybersecurity attacks statistics pillar.
Cost reality: Microsoft Defender for Business and CrowdStrike Falcon Go price as monthly per-user or annual per-device fees aimed at SMBs. A small managed SOC retainer adds a few hundred to a few thousand pounds per month.
Step 6: Build the 3-2-1 Backup System
CISA endorses the 3-2-1 backup rule for SMBs: three copies of data, on two different media types, with one copy stored offsite, and recommends that backups run automatically, are tested regularly, and support rollback of at least seven days. With ransomware in 88% of SMB breaches and a median ransom of $115,000, per the Verizon 2025 DBIR, working backups are the difference between a bad week and the end of the business.
Concrete 3-2-1 setup for a small office:
- Production data (the live copy on laptops, servers, or SaaS)
- Local backup (NAS such as Synology, run daily, encrypted at rest)
- Cloud backup (Backblaze B2, Wasabi, or Azure Backup, run daily, retained 90 days)
Test restores once a month. A backup that has never been restored is a hypothesis, not a recovery plan. Pick one file and one full system every quarter, time the restore, and write down the result. Many SMBs discover their cloud backup was never actually running until they try to restore from it.
Protect backups against ransomware specifically. Immutable storage (Backblaze Object Lock, AWS S3 Object Lock, Azure immutable blob) means an attacker who gets domain admin still cannot delete the backup. Offline backups, such as a rotated external drive stored in a safe, sit one step further out of reach. CISA’s StopRansomware guide treats both as best practices for the off-site copy.
CISA also recommends physical security, encryption, and offline copies as layered protections for backup data, since ransomware crews now actively target backup repositories before triggering encryption.
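The 3-2-1 rule, the seven-day rollback, the monthly restore test and the immutable-or-offline copy are all yes/no checks against a list of copies. The script below is an added example, not from the article, CISA or any backup vendor named here, that evaluates a constructed layout (production, a local NAS and a cloud bucket) against those checks; the record fields, the 31-day restore-test threshold and the sample dates are assumptions for the example.

```python
"""Check a backup layout against the 3-2-1 rule (constructed example).

Each record is one copy of the data: the live production copy plus each
backup target. `snapshots` lists the retention points that copy holds and
`restore_tested` is the last date someone actually restored from it.
"""
from datetime import date, timedelta

ROLLBACK_DAYS = 7        # CISA: at least seven days of rollback
RESTORE_TEST_DAYS = 31   # assumed threshold for "tested this month"


def _daily(last, count):
    """Constructed helper: `count` daily snapshot dates ending on `last`."""
    return [(last - timedelta(days=i)).isoformat() for i in range(count)]


TODAY = date(2025, 5, 1)
# Constructed layout; names and dates are not real systems.
SAMPLE_COPIES = [
    {"name": "production", "media": "laptop-disk", "offsite": False, "immutable": False,
     "offline": False, "snapshots": [], "restore_tested": None},
    {"name": "synology-nas", "media": "nas", "offsite": False, "immutable": False,
     "offline": False, "snapshots": _daily(TODAY, 30), "restore_tested": "2025-04-20"},
    {"name": "b2-bucket", "media": "cloud-object", "offsite": True, "immutable": True,
     "offline": False, "snapshots": _daily(TODAY, 90), "restore_tested": "2025-02-01"},
]


def days_of_rollback(copy, today):
    """How far back this copy can restore, in days (0 if it holds nothing)."""
    if not copy["snapshots"]:
        return 0
    oldest = date.fromisoformat(min(copy["snapshots"]))
    return (today - oldest).days


def _tested_recently(copy, today):
    t = copy["restore_tested"]
    return t is not None and (today - date.fromisoformat(t)).days <= RESTORE_TEST_DAYS


def check_321(copies, today):
    """Return one boolean per check plus an overall `ok`."""
    backups = [c for c in copies if c["snapshots"]]   # production holds no snapshots
    result = {
        "three_copies": len(copies) >= 3,
        "two_media": len({c["media"] for c in copies}) >= 2,
        "one_offsite": any(c["offsite"] for c in backups),
        "rollback_7_days": any(days_of_rollback(c, today) >= ROLLBACK_DAYS for c in backups),
        "immutable_or_offline": any(c["immutable"] or c["offline"] for c in backups),
        "restores_tested_monthly": bool(backups) and all(_tested_recently(c, today) for c in backups),
    }
    result["ok"] = all(result.values())
    return result


def failing_checks(result):
    """Names of the checks that failed, for the remediation list."""
    return [k for k, v in result.items() if k != "ok" and not v]


if __name__ == "__main__":
    r = check_321(SAMPLE_COPIES, TODAY)
    print(r)
    print("fix:", failing_checks(r))
```

In the sample layout the structure is right (three copies, three media, one offsite, one immutable, months of rollback) but the cloud copy has not been restored from in almost three months, so the layout fails overall: that is exactly the "never actually tested" failure mode described above, caught before an incident rather than during one.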
Cost reality: a small Synology NAS plus drives covers the local copy. Backblaze B2 prices per GB monthly for the cloud copy. Microsoft 365 backup add-ons (AvePoint, Veeam, Druva) add a per-user monthly fee, and they are essential because native M365 retention is not a backup.
Key finding: According to the Verizon 2025 DBIR, ransomware appears in 88% of SMB breaches and the median ransom payment last year was $115,000. The 3-2-1 backup configuration endorsed by CISA, with at least one immutable or offline copy, is the most reliable way to refuse that payment and recover on the defender’s timeline.
Backups answer the question “can we recover?”, but they do not answer “what do we do in the first hour?”
Step 7: Write a One-Page Incident Response Plan
The UK Cyber Security Breaches Survey 2025 puts the average cost of the most disruptive breach at £1,600 per business. Fast, practiced incident response helps keep that number from rising into six figures. A one-page plan beats a 30-page document no one reads.
Cover six items on that page:
- Trigger: who declares an incident, and what counts (encrypted files, data exfiltration alert, suspected BEC, lost laptop with company data)
- Containment: first three actions (disconnect affected device from network, disable affected user account, preserve logs)
- Contacts: phone numbers for the IT lead, MSP, cyber insurance carrier, legal counsel, and the relevant regulator (ICO for UK, FTC for US)
- Communications: who talks to staff, customers, and the press, and who does not
- Recovery: which systems get restored first, in what order
- Lessons: a short post-incident review within the first fortnight
CISA released Cybersecurity Performance Goals 2.0 on 11 December 2025, adding a Govern function and four new goals targeting third-party risk and zero-trust principles, both of which directly affect incident response planning for SMBs.
Drill the plan twice a year. A 60-minute tabletop exercise where someone reads a scenario aloud and the team walks through the response is enough to surface the gaps. Most teams discover their cyber insurance hotline number is wrong, or that the only person who knows the firewall password is on holiday.
Across SQ Magazine’s coverage, the firms that recover fastest from ransomware are the ones that have run a tabletop exercise more than once. Practice compounds; documentation alone does not.
Cost reality: a one-page IR plan template is free from CISA and NCSC. SMB cyber insurance typically runs from a few hundred to a few thousand pounds per year and includes round-the-clock incident response. UK firms with a turnover under £20 million that complete Cyber Essentials certification automatically receive IASME-arranged cyber liability insurance. The SMB hiring gap is documented in the SQ Magazine cybersecurity job statistics hub.
Compliance Frameworks Compared: NIST, ISO 27001, Cyber Essentials
Three frameworks dominate SMB cybersecurity certification, and the right choice depends on geography, customer requirements, and budget.
| Framework | Best For | Cost (Small Business) | Time to Certify | Recertification |
| --- | --- | --- | --- | --- |
| NIST CSF 2.0 | US firms, voluntary maturity baseline | Free guidance (NIST SP 1300) | Self-paced | Self-attested |
| Cyber Essentials | UK firms, government supply chain | £300 to £500 (self-assessment), £1,500 to £3,000 (Plus audit) | 4 to 12 weeks | Annual |
| ISO 27001 | Global enterprise customers, regulated sectors | $14,000 to $50,000 first year for under-50 staff | 6 to 12 months | Triennial with annual surveillance |
Sources: NIST, NCSC, ISO/IEC 27001 publication; SMB cost ranges from public certifying-body schedules.
UK firms with a turnover under £20 million that achieve full Cyber Essentials certification automatically receive cyber liability insurance arranged by IASME, including 24/7 incident response covering technical, legal, and crisis management. NIST published draft NIST IR 7621r2 on 1 May 2025, targeting cybersecurity fundamentals for non-employer firms in non-technical language. IBM’s 2025 Cost of a Data Breach Report puts the global average breach cost at $4.44 million, down 9% from $4.88 million the prior year, while noting that about 13% of studied firms experienced an AI-related breach.
Most SMBs under 50 staff start with NIST CSF 2.0 or Cyber Essentials, then graduate to ISO 27001 only when a major customer demands it.
Read the small business cybersecurity statistics hub and the SMB-specific breach cost benchmark pillar for wider threat data.
Common Pitfalls SMBs Make
Five patterns repeat across post-incident reviews:
- MFA on the CEO only. A junior employee’s email is a phishing launchpad too. MFA must apply to every account, not just the visible ones.
- Backups never tested. Restore drills reveal broken jobs, expired credentials, and missing files. Skipping the drill turns a backup into wishful thinking.
- No off-boarding workflow. Ex-employees with active credentials are responsible for a meaningful share of insider-related incidents. A 24-hour off-boarding SLA closes that window.
- Antivirus where EDR is needed. Consumer-grade antivirus software does not detect modern ransomware behaviour. Business EDR is now table stakes.
- A 30-page incident plan no one has read. Length is not preparedness. A one-page plan that has been drilled twice beats a binder no one opens.
For deeper reading on remote and hybrid workforces, the remote work cybersecurity statistics hub covers VPN, shadow IT, and home-office attack patterns.
Frequently Asked Questions (FAQs)
A focused team can implement these seven steps at a baseline level inside roughly a quarter, with quarterly drills and ongoing patching afterwards. Cyber Essentials self-assessment lands within weeks; ISO 27001 takes several months.
Enable multi-factor authentication on every account, run a baseline phishing simulation, and switch on automatic patching. Microsoft research shows MFA reduces account compromise risk by 99.22% across the population studied, with more than 99.9% of compromised accounts lacking MFA and over 99.99% of MFA-enabled accounts remaining secure.
Yes. The Verizon 2025 DBIR reports ransomware in 88% of SMB breaches versus 39% at large enterprises. The UK Cyber Security Breaches Survey 2025 found 43% of UK businesses experienced a breach or attack in the past 12 months. SMBs are targeted more often, not less, because layered defences are weaker.
Most UK SMBs start with Cyber Essentials, which has a self-assessment route and a hands-on Plus audit option. ISO 27001 becomes worthwhile when enterprise customers or international contracts require it, or when the business handles regulated data at scale.
Disconnect affected devices from the network without powering them off, preserve logs, contact your cyber insurance hotline, and notify the relevant authority. UK firms report to Action Fraud and the ICO when personal data is involved. US firms report to the FBI’s IC3 portal and CISA. Do not pay the ransom before consulting law enforcement, because payment does not guarantee recovery and may breach sanctions law.
Conclusion
Small and medium businesses face a different cyber attack pattern than large enterprises, with ransomware in 88% of SMB breaches versus 39% at the top end, per Verizon’s 2025 DBIR. The seven steps in this plan, anchored to NIST CSF 2.0’s six Functions, address the controls that close that gap: asset inventory, phishing training, MFA and least privilege, 14-day patching, EDR with segmentation, 3-2-1 backups, and a one-page incident response plan.
Combined with the £1,600 average cost of the most disruptive UK breach in the past 12 months, per the 2025 UK Cyber Security Breaches Survey, the economics tilt firmly toward prevention. SMBs that run the tabletop exercise twice a year, test backups monthly, and maintain MFA on every account recover from incidents in days rather than weeks, even without a full-time security team.