Why Your Small Business Can’t Afford to Ignore Cybersecurity Anymore

If you’re running a small or medium business in the UK, you might think cybersecurity is something only big corporations need to worry about. After all, who’s going to target your local plumbing company or family-run café, right? In fact, the government’s latest announcement this week about banning ransomware payments may fundamentally change your perspective. Cyber attackers see small companies as “easy wins”: small businesses are more vulnerable than larger ones because they think they won’t get hacked, so a handful of small ransomware attacks across a collection of them is both incredibly appealing to a hacker and commonplace.

The Wake-Up Call We All Needed

The UK government just announced some serious legislation that should have every business owner paying attention. They’re planning to ban all public sector organisations – think NHS hospitals, schools, councils – from paying ransomware demands. Why? Because an estimated $1 billion flowed to ransomware criminals globally in 2023, and these cybercriminals are getting bolder by the day.

You may think that news is irrelevant to you if your business does not work within the public sector. However, if the government is taking such drastic action, it’s because the threat is real, it’s growing, and it’s affecting everyone, not just the big players.

Your Business Is More Connected Than You Think

The fact is, your business probably relies on digital systems more than you realise. Your customer database, your payment systems, your supplier networks, even your basic email – it’s all connected to the wider digital world. And that connection, while brilliant for business, also creates opportunities for cybercriminals.

Look at the recent attacks on major suppliers that brought down parts of the NHS and Royal Mail. These weren’t direct attacks on hospitals or post offices – they hit suppliers and caused chaos across entire networks. Your business might be small, but if you’re part of any supply chain, you could either be a target or collateral damage. And supply chain cyber attacks are very much on the rise.

The Numbers Don’t Lie

The Crime Survey for England and Wales estimates that almost a million (952,000) computer misuse offences were committed against individuals in England and Wales in the year ending June 2024. That’s not just big corporations – that includes small businesses, freelancers, and everyday people.

And here’s the kicker – the number of UK victims showing up on ransomware leak sites has doubled since 2022. These criminals aren’t getting pickier; they’re getting greedier and casting wider nets.

What Ransomware Actually Means for Your Business

Jargon aside, ransomware is basically digital kidnapping. Criminals hack into your systems, lock you out of your own files, and demand money to give you back access. They might also threaten to publish your customer data online if you don’t pay up.

Put simply, you could wake up tomorrow and find you can’t access your customer records, your financial data, or even send emails. Your business grinds to a halt. Your customers can’t reach you. Your suppliers don’t get paid. And there’s a message on your screen demanding thousands of pounds to get your life back.

For a small business, this isn’t just an inconvenience. While a large corporation might have backup systems and crisis teams, most SMBs would struggle to survive even a few days of complete system shutdown.

Why Criminals Love Small Businesses

Cybercriminals often prefer targeting smaller businesses. Why? Because you’re less likely to have robust security measures, but you’re still valuable enough to pay a ransom. You’re what they call “low-hanging fruit.”

From the hacker’s perspective, a hospital might have dedicated IT security teams and backup systems. Your local accounting firm? Probably not. But that accounting firm still has valuable client data and can’t afford to be offline for weeks.

The Government’s New Rules: What They Mean for You

The government’s three-part plan isn’t just about public sector organisations. It’s creating a new landscape that affects everyone:

First, they’re banning payments by public bodies. This means if criminals can’t make money from attacking hospitals and schools, they’ll look elsewhere – potentially at businesses like yours.

Second, they’re creating a prevention regime where the National Crime Agency gets involved before payments are made. This could extend to private businesses in the future.

Third, they’re making incident reporting mandatory. This means we’ll finally have a clear picture of how big this problem really is, and it’s very likely it’s bigger than most of us realise.

The Hidden Costs You Haven’t Considered

Even if you never get attacked, cybercrime is already costing your business money. Higher insurance premiums, increased compliance costs, and the time spent on basic security measures all add up. But here’s the thing – these preventive costs are nothing compared to the cost of an actual attack.

Consider this: the NCSC managed 430 cyber incidents between September 2023 and August 2024, including 13 ransomware incidents which were deemed to be nationally significant. Those are just the big attacks that made national headlines. For every headline attack, there are dozens of smaller businesses dealing with their own cyber nightmares in private.

It’s Not Just About the Money

Yes, ransomware demands can be expensive – often tens of thousands of pounds. But the real cost goes beyond the ransom. There’s the downtime while you rebuild systems, the lost customer trust, the regulatory fines if customer data is compromised, and the long-term damage to your reputation.

There are small businesses in the UK that have closed permanently after cyber attacks, not because of the ransom demand, but because they never recovered their customer base or couldn’t afford the full cost of rebuilding their systems properly.

What Can You Actually Do About It?

The good news is that you don’t need a massive budget to significantly improve your security. The government’s National Cyber Security Centre offers free resources specifically designed for small businesses. Basic measures like regular backups, employee training, and keeping software updated can prevent the majority of attacks.

Start thinking about cybersecurity like you think about locking your house at night. You wouldn’t leave your front door open, so why leave your digital doors unlocked? Simple measures like strong passwords, two-factor authentication, and regular backups are like having good locks and an alarm system.

The Bottom Line

The government’s new stance on ransomware isn’t just policy – it’s a recognition that cyber threats have become a national emergency. If it is taking such drastic action, it’s because the alternative is much worse.

Your small business might feel insignificant in the grand scheme of things, but you’re part of the fabric that keeps the UK economy running. Every business that improves its cybersecurity makes the whole country more resilient.

The question isn’t whether cyber threats will affect your business – it’s whether you’ll be prepared when they do. In today’s connected world, being cyber secure isn’t just good practice; it’s essential for survival. The time to act isn’t when you’re staring at a ransom demand on your screen – it’s right now, while you still have the luxury of choice.

Don’t wait for the government to mandate cybersecurity for small businesses. Get ahead of the curve, protect your livelihood, and sleep better knowing you’ve done everything you can to keep your business safe in an increasingly dangerous digital world.