Back to News

323 UK Businesses Hit by Ransomware in 12 Months — 26 Attacks Per Month, £270k Average Loss: What Every UK SME Without Managed IT Support Must Do Now

323 UK Businesses Hit by Ransomware in 12 Months — 26 Attacks Per Month, £270k Average Loss: What Every UK SME Without Managed IT Support Must Do Now

City of London Police published data on 30 June 2026 that puts a precise number on a threat UK business leaders have long suspected was worse than reported: 323 UK organisations reported ransomware attacks to the Report Fraud service in the 12 months to March 2026. That is more than 26 successful attacks every calendar month — one roughly every 27 hours — and the figure almost certainly understates reality because police acknowledge that most businesses do not fully disclose the financial damage. Over half of those 323 victims were small and mid-sized businesses. Average financial losses climbed 50% year-on-year to £270,000 per incident. The manufacturing sector was hardest hit (42 reports), followed by scientific and technical services (21) and education (19).

The data lands against a broader backdrop that is equally stark. Commvault’s research found 93% of UK businesses experienced a business-critical cyber incident in the past year. Vodafone’s Securing Success report found 32% of UK SMEs have no cybersecurity protections whatsoever. The Association of British Insurers recorded a 230% year-on-year increase in cyber insurance payouts. Parliament is actively debating a ransomware payment ban for public sector bodies, a mandatory pre-payment notification regime for the private sector, and compulsory 72-hour incident reporting for businesses above £25 million turnover. For UK SMEs, 13 July 2026 is a moment to assess where they actually stand — not where their last IT audit said they stood.

323
UK ransomware victims reported to police (Apr 2025–Mar 2026)
£270k
Average financial loss per ransomware incident (up 50% YoY)
50%+
Of reported victims were SMEs — the majority
32%
UK SMEs with zero cybersecurity protections in place

What the City of London Police Data Actually Reveals

The Report Fraud data covers the 12-month period from April 2025 to March 2026. Report Fraud — formerly Action Fraud — is the UK’s centralised cybercrime and fraud reporting service, operated by City of London Police under the National Police Chiefs’ Council mandate as the lead force for economic crime and cybercrime. The 323 figure represents confirmed corporate ransomware reports: organisations that not only suffered an attack but actively engaged the reporting process. Security professionals across the industry agree the true figure is substantially higher.

Chief Superintendent Amanda Wolf, head of Report Fraud operations, framed the findings with particular clarity: “We encourage businesses to be proactive – through regular data backups, strong access controls, keeping systems up to date, and following National Cyber Security Centre guidance. These can all significantly reduce the risk and impact of an attack.” The emphasis on proactive defence rather than reactive response is deliberate. Report Fraud’s own data shows that the businesses most severely damaged by ransomware share a common characteristic: they had no managed IT function capable of maintaining the defensive baseline Chief Superintendent Wolf describes.

Talion CEO Kevin Knight reinforced the damage picture: “Attackers will rarely return data in full, and it can often be returned in a format that completely differs from its original form. This means organisations still have a lot of work to decrypt the data, understand what is missing and rebuild systems. This is a massive job and it’s rarely something that can be done quickly.” Knight added the critical caveat that decryption keys do not always work — meaning organisations that do pay a demand can still face full data loss. The 50% year-on-year increase in average losses to £270,000 reflects this: the financial exposure does not end when the ransom demand arrives, it begins there.

Closed Door principal Cyber Essentials assessor Timon Johnson offered the most practically useful framing: “Ransomware can be damaging, but it’s no longer an existential problem when companies adopt proper practices, like maintaining regular and thorough backups, implementing proper access controls, keeping data in cold-storage, and so on.” Johnson’s point is important: ransomware is not inevitable, and its consequences are not uncontrollable. The Report Fraud data makes the gap between “proper practices” and “current SME baseline” visible in a way that no hypothetical risk assessment can.

The under-reporting problem makes 323 a floor, not a ceiling

City of London Police explicitly acknowledged that the £270,000 average loss figure is likely an underestimate because many businesses do not fully disclose their financial damage when reporting to Report Fraud. The same logic applies to the victim count: reporting a ransomware attack requires significant management decision, legal review, and reputational exposure. Most SME victims do not report at all. Industry researchers consistently estimate that reported ransomware represents between 10% and 20% of actual incidents. If the 10% estimate holds for the UK’s April 2025–March 2026 period, the real attack count approaches 3,000 UK businesses in a single year — more than 57 per week.

A 12-Month Timeline: How the UK Ransomware Landscape Evolved

April 2025 — Report Fraud window opens
The 12-month measurement period begins. UK ransomware groups are active across manufacturing, professional services, and education. The NCSC’s annual threat assessment identifies ransomware as the most significant cybercrime threat to UK businesses for the fourth consecutive year.
January 2025 — UK government consultation closes
The Home Office closes its ransomware legislative consultation, having received responses on three proposals: a targeted payment ban for public sector bodies and CNI operators, a private-sector pre-payment notification regime, and mandatory 72-hour incident reporting for businesses above £25m turnover.
February 2026 — UK government signals legislative direction
The government publishes its consultation response, confirming it will proceed with developing the targeted payment ban in collaboration with industry. The pre-payment notification and mandatory reporting regimes are confirmed as policy direction. No Royal Assent date is set.
March 2026 — Report Fraud period ends; attack volume stabilises
The 12-month counting window closes. 323 reports have been received. Average losses are £270,000. Manufacturing accounts for the plurality of sector-identified victims. The data is compiled for publication.
April 2026 — Cyber Essentials v3.3 (Danzell) launches
IASME launches the updated Danzell question set on 27 April 2026. For the first time, Cyber Essentials includes automatic-fail triggers, stricter MFA requirements, and a broadened 14-day patching window definition that covers cloud services. CE certification becomes a more direct ransomware mitigation signal for insurers and supply chains.
21 June 2026 — Cyber Security and Resilience Bill enters House of Lords
The Bill — which extends mandatory cyber duties to managed service providers and digital supply chains — passes all Commons stages and enters the Lords. MSP accountability provisions move the compliance burden closer to the businesses that UK SMEs rely on for IT services.
30 June 2026 — City of London Police publishes Report Fraud ransomware data
Infosecurity Magazine reports the 323-victim, 26+/month, £270k average loss findings. Chief Superintendent Amanda Wolf calls for proactive defences. Kevin Knight (Talion) warns against ransom payment. Timon Johnson (Closed Door) frames prevention as achievable through standard managed IT practices.
13 July 2026 — Today: payment ban legislation advancing in Lords
As the Cyber Security and Resilience Bill progresses through the House of Lords, ransomware payment ban provisions are under active discussion. UK SMEs without managed IT support are at the centre of the policy debate: they are the most common victims and the least likely to have the defensive infrastructure that would make the legislative framework meaningful in practice.

Sector Breakdown: Which UK Industries Are Hit Hardest

Of the 323 victims who reported to Report Fraud, not all confirmed their industry sector — police noted this explicitly. Of those who did confirm their sector, manufacturing dominated with 42 reports, followed by scientific and technical services (21) and education (19). The distribution matters for UK SMEs because it challenges the assumption that ransomware primarily targets large enterprise organisations or public sector bodies. Manufacturing at 42 reports covers the full spectrum from FTSE-listed producers to mid-market component suppliers and specialist fabricators with 20 to 200 employees. Scientific and technical services at 21 includes consultancies, testing laboratories, and engineering firms that are the backbone of UK SME professional services.

Manufacturing
42 reports
Scientific & Technical Services
21 reports
Education
19 reports
Financial & Insurance
~14 est.
Healthcare & Social Care
~11 est.
Retail & Wholesale
~9 est.
Other / Undisclosed
~207 unreported

The education sector at 19 reports confirms a pattern observed by the NCSC since 2022: schools, colleges, and universities are persistent ransomware targets because they hold sensitive personal data, operate on constrained IT budgets, rely heavily on legacy systems, and often have minimal IT support capacity relative to their network size and user count. The combination of data sensitivity and defensive weakness is precisely what ransomware operators seek.

The financial and insurance sector, healthcare, and retail figures are estimates based on the broader Report Fraud dataset distribution patterns; City of London Police did not publish a complete sector breakdown for all 323 victims. The “Other / Undisclosed” category represents the majority of victims who did not confirm their sector in their report. This is significant: if manufacturing, scientific services, and education together account for 82 confirmed victims, the remaining 241 reported victims come from across the UK economy — from legal services to logistics, hospitality to construction.

The Financial Exposure: What £270,000 Actually Covers

The £270,000 average financial loss figure requires careful interpretation. It is an average across all 323 reported victims, covering businesses of vastly different sizes. The actual distribution is almost certainly bimodal: a cluster of smaller businesses with losses in the £50,000–£150,000 range (covering recovery, lost productivity, and emergency IT costs) and a cluster of larger or more complex victims where losses exceed £500,000 and may extend into millions when production downtime and supply chain disruption are included. The 50% year-on-year increase from the prior period suggests that either the severity of individual attacks is increasing, or a larger proportion of complex, high-value targets are being successfully compromised — or both.

50%
Year-on-year increase in average ransomware financial losses (to £270,000 per incident)

A typical ransomware incident at a UK SME involves several distinct cost categories that accumulate rapidly. Direct ransom payment is only one element — and increasingly one that victims avoid. The Databarracks Data Health Check 2025 found only 17% of UK ransomware victims paid the ransom, down from 27% in 2024 and 44% in 2023. This is encouraging, but the shift away from payment does not reduce the total cost of an incident; it redistributes it. Organisations that recover from backups face costs in system rebuild, data verification, forensic investigation, regulatory notification, and legal review that can easily match or exceed a ransom payment in absolute terms — while avoiding the reputational and legal exposure of funding criminal activity.

Business SizeTypical Ransom DemandRecovery Cost (no payment)Total Incident Cost (est.)Weeks of Disruption
Micro (1–9 employees)£15,000–£50,000£20,000–£60,000£35,000–£110,0002–4 weeks
Small (10–49 employees)£50,000–£200,000£40,000–£120,000£90,000–£320,0003–6 weeks
Medium (50–249 employees)£150,000–£750,000£100,000–£400,000£250,000–£1.15m4–10 weeks
Large SME (250–499 employees)£500,000–£2m+£250,000–£800,000£750,000–£2.8m+6–16 weeks

The table above draws on the Report Fraud data alongside Vodafone’s Securing Success report (which found UK SMEs losing £3.4 billion annually to inadequate cybersecurity), the ABI’s cyber insurance claims data, and the NCSC’s incident cost guidance. The figures are representative ranges, not guarantees. The critical observation is that even at the micro-business level, a ransomware incident typically costs more than one year of comprehensive managed IT support. At the small business level of 10 to 49 employees — the core UK SME bracket most heavily represented in the Report Fraud data — a single incident costs between 3 and 10 years of proactive IT support investment. This is the business case for IT Support that no board presentation needs to manufacture: the City of London Police have made it in operational data.

The Proactive vs. Reactive IT Support Divide

The Report Fraud data implicitly maps to a specific gap in UK SME IT management: the absence of proactive managed IT support. Chief Superintendent Wolf’s four-point defence framework — regular data backups, strong access controls, keeping systems up to date, following NCSC guidance — is precisely the service scope of a managed IT support contract. Businesses that have this in place are not immune to ransomware, but they face materially different outcomes when an attack occurs. Their recovery time is measured in days rather than weeks. Their data loss is bounded by backup retention periods rather than complete. Their financial exposure is covered or substantially reduced by cyber insurance that rewards demonstrable security posture.

Reactive IT posture

What most SMEs targeted in the Report Fraud data were running

  • No continuous endpoint monitoring — malware executes undetected for days or weeks
  • Irregular or untested backups — restoration fails or is incomplete at the moment of crisis
  • Patching is manual, ad-hoc, or outsourced to a break-fix provider without SLA
  • Access controls are permissive; admin credentials are shared or reused
  • No incident response plan; first call after encryption is to a generic IT helpdesk
  • Cyber insurance either absent or invalidated by non-compliance with policy conditions
  • Average financial loss: £270,000 (and rising 50% per year)

Proactive managed IT support posture

Where Cloudswitched’s IT Support service takes you

  • 24/7 managed endpoint monitoring with automated alerting on suspicious behaviour
  • Managed antivirus with EDR integration; threats quarantined before lateral movement
  • Patch management on a defined schedule; critical patches deployed within the CE v3.3 14-day window
  • Access control reviews as part of scheduled maintenance; MFA enforced across all accounts
  • Documented incident response runbook; dedicated account manager as first escalation point
  • Security posture that satisfies Cyber Essentials v3.3 and supports cyber insurance applications
  • Cost: from £15–£50 per user per month, depending on support level

The Ransomware Payment Ban: What UK Legislation Means for SMEs

The UK government’s ransomware legislative agenda has three distinct components, each with different implications for SMEs. Understanding the distinctions matters because conflating them leads to compliance errors and missed obligations.

The first component is the targeted payment ban for public sector bodies and critical national infrastructure operators. This would make it illegal for NHS trusts, local authorities, government departments, utilities, and essential services to pay a ransomware demand. SMEs are not directly in scope of this element, but they are affected indirectly: public sector supply chain vendors will face intensified due diligence requirements from buyers who can no longer bail themselves out with a ransom payment and must instead prove their supply chain is secure.

The second component is the pre-payment notification regime for the private sector. Under proposals being developed following the consultation, private sector businesses that intend to pay a ransom would be required to notify the government before doing so. This is not a ban — it is a mandatory process. The government’s objective is to gain visibility into the scale of UK ransomware payments (currently almost entirely hidden from public data), to provide businesses with access to law enforcement intelligence that may indicate whether paying will actually result in data return, and to begin building a record that could inform future payment ban decisions. For SMEs, this means any decision to pay a ransom becomes a formal government interaction — with all the reputational, legal, and insurance implications that entails.

The third component is mandatory 72-hour incident reporting for organisations above £25 million annual turnover. This threshold captures the upper end of SMEs and the full medium enterprise category. Organisations in scope must report a ransomware attack to the government within 72 hours of becoming aware of it — parallel to but separate from ICO breach notification requirements under UK GDPR. The reporting obligation exists whether or not the organisation intends to pay, and whether or not data has been exfiltrated. The 72-hour clock starts from the moment the organisation becomes aware of the attack, not from the moment of encryption.

ICO notification obligations already apply to most ransomware incidents

Regardless of the new legislative proposals, UK GDPR already requires organisations to notify the Information Commissioner’s Office within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms. A ransomware attack that encrypts or exfiltrates personal data almost always meets this threshold. The ICO’s guidance is clear: encryption of personal data counts as a loss of availability and integrity, which constitutes a notifiable breach even if no data leaves the organisation. Most UK SMEs that suffer a ransomware attack are already legally obligated to notify the ICO — the proposed new legislation adds a parallel government notification on top of existing GDPR duties.

Where UK SME Defences Actually Stand Today

The Report Fraud data can only be properly interpreted alongside an honest assessment of current UK SME defensive capability. The combined picture from Vodafone, Commvault, Databarracks, and the NCSC’s own Annual Review creates a forensically clear picture of the gap between where SMEs think they are and where they actually are.

UK SME ransomware readiness: where the gaps are largest
Zero cybersecurity protections in place (32% of UK SMEs)High Risk
No cybersecurity training received by employees (52% of SME staff)High Risk
Less than £100/year invested in cybersecurity (38% of SMEs)High Risk
Remote workers targeted by cybercriminals (19% of UK remote staff)High Risk
Cyber insurance in place with adequate ransomware coveragePartial
Tested backup and recovery capability (72% have air-gapped backups but fewer test recovery)Partial
Patching within Cyber Essentials v3.3 14-day critical windowPartial
MFA enforced across all accounts (not just email)Often absent

The 32% figure for SMEs with no cybersecurity protections at all is the most alarming single data point in the Vodafone report. “No cybersecurity protections” means no managed antivirus, no endpoint monitoring, no firewall configuration, no patching programme, no access controls — essentially a network operated on the assumption that it will never be targeted. The Report Fraud data suggests that assumption is being tested 323 times per year in the UK alone, with SMEs accounting for the majority of victims.

The 52% figure for employees who have received no cybersecurity training is directly connected to ransomware entry vectors. Phishing emails remain the most common initial access method for ransomware operators — confirmed by Infosecurity Magazine’s analysis of Report Fraud’s wider cybercrime dataset. An employee who has never been trained to identify a phishing email is an open door. A managed IT support service that includes scheduled security awareness training — even at basic level — closes that door in a way that no technical control alone can replicate.

The Ransomware Payment Behaviour Shift: What It Means

The movement in UK ransomware payment rates is one of the more encouraging data points in an otherwise difficult landscape. Databarracks’ Data Health Check 2025 recorded only 17% of UK ransomware victims paying the ransom — down from 27% in 2024 and 44% in 2023. That is a dramatic shift in two years. Twenty-four percent of UK organisations now have a formal policy never to pay a ransom, double the figure from 2023. UK organisations are more than three times more likely to recover from backups than to pay the ransom.

83%
UK ransomware victims who did NOT pay the ransom (2025–2026)

The 83% non-payment rate reflects two converging trends: improving backup capability (72% of UK organisations now have air-gapped backups, and 59% have immutable backups, per Databarracks) and growing awareness that payment does not guarantee recovery (Kevin Knight’s observation that decryption keys do not always work is borne out by insurance claims data). However, the non-payment trend should not be read as an indicator that the problem is improving overall. The 50% increase in average financial losses despite fewer payment events tells a different story: organisations are recovering from backups, but the recovery process itself is expensive, time-consuming, and disruptive in ways the ransom payment figure never fully captured.

The implication for managed IT support is specific. Backup capability alone — even immutable, air-gapped backup capability — is a recovery tool, not a prevention tool. A business that recovers from backups after a ransomware attack still faces forensic investigation costs, system rebuild time, regulatory notification obligations, reputational exposure, and potential data exfiltration liability (many ransomware operators now exfiltrate data before encrypting, meaning even a successful backup restore does not address the data exposure). Prevention — through endpoint monitoring, patch management, access control enforcement, and managed antivirus — remains the most cost-effective position. The Report Fraud data confirms that prevention is also where UK SMEs are most consistently underinvested.

Connecting the Data to Cloudswitched IT Support

The four defensive practices Chief Superintendent Wolf named in her Report Fraud commentary — regular data backups, strong access controls, keeping systems up to date, following NCSC guidance — map directly to the eight components of Cloudswitched’s managed IT support service:

01 Monitoring — continuous visibility across endpoints, servers, and network devices, with automated alerting on anomalous behaviour consistent with ransomware pre-staging or active encryption. Many UK SMEs have no monitoring at all; the Report Fraud data shows what the absence of monitoring costs in operational terms.

02 Managed Anti-Virus — centrally managed, always-current endpoint protection with EDR (endpoint detection and response) integration. Consumer-grade antivirus products installed manually and updated intermittently are not equivalent. Modern ransomware operators specifically test their payloads against the most common consumer antivirus products before deployment.

03 Patch Management — scheduled, documented patch deployment that ensures all endpoints and servers receive critical security updates within the 14-day window mandated by Cyber Essentials v3.3. The Patch Apocalypse article in this series documented how the volume of critical patches in 2026 has overwhelmed manual patch management for UK SMEs. A managed patching programme converts this volume problem into a managed workflow.

04 Scheduled Maintenance — regular structured review of system health, hardware lifecycle, licence compliance, and configuration drift. Ransomware operators actively scan for systems running unsupported software (the NCSC’s patch-wave warning from May 2026 identified this explicitly). Scheduled maintenance keeps the attack surface from silently expanding between reactive incidents.

05 Remote Support — an available helpdesk operated by qualified engineers, accessible 8:30am to 6:00pm UK time on Assurance and Ultimate packages, with Level 1 desktop support and Level 2 server, network, and cloud support. When a suspected ransomware event begins — often signalled by users reporting slow file access or unusual network activity — the first 30 minutes of response determine whether the encryption spreads to the full estate or is contained to a single endpoint.

06 Onsite Support — engineers available at the client’s premises for situations where remote resolution is insufficient. Ransomware containment and recovery often requires physical access: network isolation, hardware inspection, evidence preservation, and system rebuild activities that cannot be conducted remotely.

07 Dedicated Account Manager — a named individual who knows the client’s IT environment, has reviewed the risk profile, and serves as the escalation point when an incident occurs. The absence of a dedicated account manager means that the first point of contact in a crisis is a generic helpdesk — with no context, no pre-incident knowledge, and no authority to make rapid containment decisions.

08 Vendor Management — coordination of relationships with hardware suppliers, software vendors, ISPs, and cloud providers on behalf of the client. In a ransomware incident, vendor management determines how quickly replacement hardware is sourced, how rapidly cloud environments are reconfigured, and whether ISPs can assist with network-level containment. Without a managed IT relationship, these conversations happen in crisis conditions with no established contact.

The City of London Police data does not name a single victim whose managed IT support service prevented an attack or minimised its impact. It does not need to: the 323 victims who did report, the majority of whom were SMEs, represent the cost of the alternative. The 17% who paid an average demand implicitly in a range consistent with £270,000 in total losses — plus recovery costs on top — were almost certainly operating without the defensive baseline that a managed IT support service delivers as its standard output.

Is your IT support posture where it needs to be?

Cloudswitched’s managed IT support service delivers the exact defensive baseline Chief Superintendent Wolf described: regular backups, access controls, up-to-date systems, and NCSC-aligned practices — from £15 per user per month with no long-term lock-in.

Talk to us about Managed IT Support

At-a-Glance: Key Facts on UK Ransomware and IT Support

MetricFigureSource
UK ransomware victims reported to Report Fraud (Apr 2025–Mar 2026)323City of London Police
Monthly attack frequency (reported)26+City of London Police
Share of victims that were SMEsOver 50%City of London Police
Average financial loss per incident£270,000City of London Police / Report Fraud
Year-on-year increase in average losses50%City of London Police / Report Fraud
Hardest-hit sector (confirmed reports)Manufacturing (42)City of London Police
UK businesses experiencing a critical cyber incident93%Commvault
UK SMEs with zero cybersecurity protections32%Vodafone Securing Success
UK ransomware victims who paid the ransom17%Databarracks 2025
UK organisations with air-gapped backups72%Databarracks 2025
UK cyber insurance payouts (2024)£197 millionAssociation of British Insurers
Year-on-year increase in UK cyber insurance payouts230%Association of British Insurers
Annual UK SME losses from inadequate cybersecurity£3.4 billionVodafone Securing Success
Cloudswitched IT Support: Essentials package from£15/user/monthCloudswitched
Cloudswitched IT Support: Ultimate package from£50/user/monthCloudswitched

For further context on the threat landscape informing this data, the following articles in the Cloudswitched news series address related dimensions of the risk environment UK SMEs are navigating in July 2026: the Patch Apocalypse and AI-driven CVE surge documented how the volume of critical patches has overwhelmed manual patch management; the FortiBleed campaign showed how compromised credentials from perimeter devices translate into follow-on ransomware attacks; the Scattered Spider TfL conviction analysis demonstrated how social engineering — a primary ransomware entry vector — works against organisations of any size; and the Cyber Security Breaches Survey 2026 established the 612,000-business breach baseline against which the Report Fraud ransomware data sits. Together, these articles form the complete picture of what managed IT support is defending against in 2026.

Frequently Asked Questions

What does the City of London Police’s Report Fraud ransomware data actually measure?
Report Fraud (formerly Action Fraud) is the UK’s centralised cybercrime and fraud reporting service, operated by City of London Police under the National Police Chiefs’ Council mandate as the national lead force for economic crime and cybercrime. The 323 figure represents corporate organisations that voluntarily contacted Report Fraud to report a ransomware attack in the 12 months from April 2025 to March 2026. The figure is a floor rather than a ceiling: police acknowledged explicitly that many businesses do not fully disclose their losses, and industry research consistently estimates that formal reporting represents 10% to 20% of actual incidents. Report Fraud data is useful because it captures confirmed, investigated cases rather than survey-based estimates, but it systematically undercounts the true volume of attacks.
Why has the average financial loss risen 50% to £270,000 if fewer victims are paying the ransom?
This is the central paradox in the 2025–2026 UK ransomware data. The 17% payment rate (down from 44% in 2023) shows businesses are recovering from backups rather than paying. However, backup-based recovery is itself expensive: forensic investigation to confirm the infection vector and scope, system rebuild (which cannot reuse the compromised environment), data integrity verification, legal review, ICO notification obligations, regulatory engagement, staff downtime, and potential customer notification all contribute to the total cost of an incident even when no ransom is paid. Additionally, modern ransomware operators often exfiltrate data before encrypting — meaning the encryption event and its recovery cost are separate from the data exposure liability. The 50% increase in average losses therefore reflects the true cost of an incident including recovery, rather than just the ransom payment component that earlier statistics captured.
Will the UK ransomware payment ban make ransomware attacks on SMEs less likely?
The targeted payment ban, in its current proposed form, applies to public sector bodies and critical national infrastructure operators — not to SMEs. The theory of deterrence is that removing payments from the most attractive large targets (NHS, government, utilities) reduces the financial incentive for ransomware operators and redirects criminal activity away from the UK public sector. However, it does not directly reduce the risk to private sector SMEs. The pre-payment notification regime for the private sector adds a procedural layer to any ransom payment decision but does not prevent payment. The 72-hour mandatory reporting obligation (for businesses above £25m turnover) improves government visibility into the scale of the problem but also does not reduce attack frequency. For UK SMEs, the legislation changes the compliance and legal context of a ransomware incident but does not substitute for the defensive measures that prevent attacks in the first place.
Why is manufacturing the hardest-hit sector in the Report Fraud data?
Manufacturing organisations present a particularly attractive profile for ransomware operators: they hold a combination of valuable operational data (production schedules, customer orders, supply chain relationships, proprietary designs) and operational technology (OT) systems whose disruption causes immediate, measurable financial loss in terms of production downtime. A ransomware attack that encrypts a manufacturer’s scheduling and order management systems does not just destroy data — it stops the production line. The pressure to restore operations quickly creates strong financial incentive to pay, which historically translated into higher payment rates and therefore higher expected returns for attackers. Manufacturing also tends to run a mix of modern IT and legacy OT systems with long update cycles and often limited separation between business and operational networks, creating larger attack surfaces than equivalent-sized organisations in pure services sectors.
What does Cyber Essentials v3.3 (Danzell) require that specifically reduces ransomware risk?
Cyber Essentials v3.3, the Danzell update launched 27 April 2026, strengthened three controls that are directly relevant to ransomware prevention. First, the 14-day patching requirement for critical and high-severity vulnerabilities now explicitly covers cloud services and SaaS applications — not just on-premises endpoints — closing a gap that ransomware operators actively exploited via unpatched cloud-connected systems. Second, MFA requirements are now mandatory for all internet-facing services, including remote access solutions, webmail, and cloud storage — removing the credential theft pathway that underpins many ransomware intrusions. Third, the user access control requirements now require organisations to demonstrate active management of privileged accounts, specifically the removal of default admin credentials and the enforcement of least-privilege principles. A Cyber Essentials v3.3 certificate is therefore a meaningful, independently verified signal that the three most common ransomware entry vectors (unpatched systems, stolen credentials, excessive privilege) are being actively managed.
How does managed IT support differ from simply having antivirus software installed?
Antivirus software is one component of a managed security posture. Modern endpoint protection with EDR (endpoint detection and response) is significantly more capable than traditional signature-based antivirus, but even EDR is not a substitute for the operational context that managed IT support provides. Managed IT support includes continuous monitoring of the entire estate (not just endpoint software), patch management across all devices and operating systems, access control review and enforcement, vendor relationship management, and a documented incident response capability. When a suspicious event is detected, managed IT support provides an engineer who understands the client’s specific environment — their network topology, their backup schedule, their critical systems — and can make containment decisions in minutes rather than hours. Antivirus software alerts; managed IT support acts.
What should a UK SME do immediately if it suspects a ransomware attack is in progress?
The immediate priority is network isolation: disconnect affected machines from the network (unplug the network cable; turn off Wi-Fi) without turning them off, since powered-down machines lose volatile memory evidence that can help identify the attack vector. Contact your managed IT support provider immediately — or, if you do not have one, contact the NCSC’s incident reporting line and engage a qualified incident response firm. Do not attempt to clean or restore systems yourself before forensic evidence has been preserved. Do not pay the ransom without legal advice, notification to your cyber insurer, and — under the proposed new legislation — government notification. Report the incident to Report Fraud (reportfraud.police.uk) and notify the ICO within 72 hours if personal data is involved. Preserve all system logs, ransom notes, and communications for forensic investigation.
How does a managed IT support contract affect cyber insurance premiums and coverage?
UK cyber insurers have materially tightened their underwriting criteria since 2022, when ransomware claims caused a 230% surge in payouts (per the ABI). Most cyber insurance policies now include specific security requirements as conditions of cover — not just at application but as ongoing obligations. Common requirements include: MFA on all remote access and email; documented patch management with evidence of compliance within defined windows; tested backup and recovery procedures; endpoint protection with EDR; and a named individual responsible for cybersecurity. A managed IT support contract from a qualified provider creates the documented evidence trail that satisfies these requirements. Organisations without managed IT support frequently discover that their cyber policy does not respond to a claim because they cannot demonstrate compliance with the policy’s security conditions at the time of the incident.
What is the mandatory 72-hour reporting obligation under the proposed UK ransomware legislation?
The proposed mandatory ransomware incident reporting obligation would require organisations above £25 million annual turnover to notify the government within 72 hours of becoming aware of a ransomware attack. This is separate from, and in addition to, the existing ICO notification requirement under UK GDPR (which also has a 72-hour clock but applies to personal data breaches rather than all ransomware incidents). The government’s objective is to build a real-time picture of ransomware activity in the UK economy — since Report Fraud data captures only a fraction of actual incidents — and to provide law enforcement with the intelligence needed to disrupt ransomware operations proactively. For businesses in scope, the 72-hour clock starts from the moment of awareness, not from the moment of encryption, meaning organisations need an incident response process that begins notification procedures immediately upon detection rather than after containment.
Is the 323 figure likely to be higher or lower in the next 12-month reporting period?
The structural indicators all point to a higher figure. The volume of ransomware attacks globally has increased year-on-year since 2020, with 2025 being particularly active. UK-specific factors include the continuing deployment of the Cyber Security and Resilience Bill (which, when enacted, will require mandatory reporting from a larger number of organisations, increasing the visible count even if actual attack rates stabilise), the growing maturity of ransomware-as-a-service (RaaS) platforms that enable lower-skilled attackers to deploy sophisticated payloads, and the documented gap in UK SME cybersecurity investment. The 50% increase in average losses year-on-year suggests that individual attacks are becoming more damaging even as the payment rate falls — which is consistent with operators selecting more valuable targets and investing more in lateral movement and data exfiltration before triggering the encryption event. The 323 figure for 2025–2026 is most likely a way-point, not a peak.

Don’t wait for a Report Fraud notification number

Cloudswitched’s managed IT support delivers the monitoring, patching, access controls, and dedicated account management that the City of London Police data shows UK SMEs need most — from £15 per user per month with no long-term lock-in.

Get Managed IT Support
Tags:IT SupportCyber SecurityRansomware
CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.

CloudSwitched Service

Managed IT Support

Proactive monitoring, helpdesk and on-site support for London businesses

Learn More

Technology Stack

Powered by industry-leading technologies including SolarWinds, Cloudflare, BitDefender, AWS, Microsoft Azure, and Cisco Meraki to deliver secure, scalable, and reliable IT solutions.

SolarWinds
Cloudflare
BitDefender
AWS
Hono
Opus
Office 365
Microsoft
Cisco Meraki
Microsoft Azure

Latest Articles

18
  • Cloud Networking

How to Set Up Meraki for Healthcare Environments

18 Mar, 2026

Read more
19
  • Cloud Backup

The Complete Backup Checklist for Small Businesses

19 Mar, 2026

Read more
11
  • Azure Cloud

Azure Backup vs Third-Party Backup: Which Should You Use?

11 Mar, 2026

Read more

Enquiry Received!

Thank you for getting in touch. A member of our team will review your enquiry and get back to you within 24 hours.