City of London Police published data on 30 June 2026 that puts a precise number on a threat UK business leaders have long suspected was worse than reported: 323 UK organisations reported ransomware attacks to the Report Fraud service in the 12 months to March 2026. That is more than 26 successful attacks every calendar month — one roughly every 27 hours — and the figure almost certainly understates reality because police acknowledge that most businesses do not fully disclose the financial damage. Over half of those 323 victims were small and mid-sized businesses. Average financial losses climbed 50% year-on-year to £270,000 per incident. The manufacturing sector was hardest hit (42 reports), followed by scientific and technical services (21) and education (19).
The data lands against a broader backdrop that is equally stark. Commvault’s research found 93% of UK businesses experienced a business-critical cyber incident in the past year. Vodafone’s Securing Success report found 32% of UK SMEs have no cybersecurity protections whatsoever. The Association of British Insurers recorded a 230% year-on-year increase in cyber insurance payouts. Parliament is actively debating a ransomware payment ban for public sector bodies, a mandatory pre-payment notification regime for the private sector, and compulsory 72-hour incident reporting for businesses above £25 million turnover. For UK SMEs, 13 July 2026 is a moment to assess where they actually stand — not where their last IT audit said they stood.
What the City of London Police Data Actually Reveals
The Report Fraud data covers the 12-month period from April 2025 to March 2026. Report Fraud — formerly Action Fraud — is the UK’s centralised cybercrime and fraud reporting service, operated by City of London Police under the National Police Chiefs’ Council mandate as the lead force for economic crime and cybercrime. The 323 figure represents confirmed corporate ransomware reports: organisations that not only suffered an attack but actively engaged the reporting process. Security professionals across the industry agree the true figure is substantially higher.
Chief Superintendent Amanda Wolf, head of Report Fraud operations, framed the findings with particular clarity: “We encourage businesses to be proactive – through regular data backups, strong access controls, keeping systems up to date, and following National Cyber Security Centre guidance. These can all significantly reduce the risk and impact of an attack.” The emphasis on proactive defence rather than reactive response is deliberate. Report Fraud’s own data shows that the businesses most severely damaged by ransomware share a common characteristic: they had no managed IT function capable of maintaining the defensive baseline Chief Superintendent Wolf describes.
Talion CEO Kevin Knight reinforced the damage picture: “Attackers will rarely return data in full, and it can often be returned in a format that completely differs from its original form. This means organisations still have a lot of work to decrypt the data, understand what is missing and rebuild systems. This is a massive job and it’s rarely something that can be done quickly.” Knight added the critical caveat that decryption keys do not always work — meaning organisations that do pay a demand can still face full data loss. The 50% year-on-year increase in average losses to £270,000 reflects this: the financial exposure does not end when the ransom demand arrives, it begins there.
Closed Door principal Cyber Essentials assessor Timon Johnson offered the most practically useful framing: “Ransomware can be damaging, but it’s no longer an existential problem when companies adopt proper practices, like maintaining regular and thorough backups, implementing proper access controls, keeping data in cold-storage, and so on.” Johnson’s point is important: ransomware is not inevitable, and its consequences are not uncontrollable. The Report Fraud data makes the gap between “proper practices” and “current SME baseline” visible in a way that no hypothetical risk assessment can.
City of London Police explicitly acknowledged that the £270,000 average loss figure is likely an underestimate because many businesses do not fully disclose their financial damage when reporting to Report Fraud. The same logic applies to the victim count: reporting a ransomware attack requires significant management decision, legal review, and reputational exposure. Most SME victims do not report at all. Industry researchers consistently estimate that reported ransomware represents between 10% and 20% of actual incidents. If the 10% estimate holds for the UK’s April 2025–March 2026 period, the real attack count approaches 3,000 UK businesses in a single year — more than 57 per week.
A 12-Month Timeline: How the UK Ransomware Landscape Evolved
Sector Breakdown: Which UK Industries Are Hit Hardest
Of the 323 victims who reported to Report Fraud, not all confirmed their industry sector — police noted this explicitly. Of those who did confirm their sector, manufacturing dominated with 42 reports, followed by scientific and technical services (21) and education (19). The distribution matters for UK SMEs because it challenges the assumption that ransomware primarily targets large enterprise organisations or public sector bodies. Manufacturing at 42 reports covers the full spectrum from FTSE-listed producers to mid-market component suppliers and specialist fabricators with 20 to 200 employees. Scientific and technical services at 21 includes consultancies, testing laboratories, and engineering firms that are the backbone of UK SME professional services.
The education sector at 19 reports confirms a pattern observed by the NCSC since 2022: schools, colleges, and universities are persistent ransomware targets because they hold sensitive personal data, operate on constrained IT budgets, rely heavily on legacy systems, and often have minimal IT support capacity relative to their network size and user count. The combination of data sensitivity and defensive weakness is precisely what ransomware operators seek.
The financial and insurance sector, healthcare, and retail figures are estimates based on the broader Report Fraud dataset distribution patterns; City of London Police did not publish a complete sector breakdown for all 323 victims. The “Other / Undisclosed” category represents the majority of victims who did not confirm their sector in their report. This is significant: if manufacturing, scientific services, and education together account for 82 confirmed victims, the remaining 241 reported victims come from across the UK economy — from legal services to logistics, hospitality to construction.
The Financial Exposure: What £270,000 Actually Covers
The £270,000 average financial loss figure requires careful interpretation. It is an average across all 323 reported victims, covering businesses of vastly different sizes. The actual distribution is almost certainly bimodal: a cluster of smaller businesses with losses in the £50,000–£150,000 range (covering recovery, lost productivity, and emergency IT costs) and a cluster of larger or more complex victims where losses exceed £500,000 and may extend into millions when production downtime and supply chain disruption are included. The 50% year-on-year increase from the prior period suggests that either the severity of individual attacks is increasing, or a larger proportion of complex, high-value targets are being successfully compromised — or both.
A typical ransomware incident at a UK SME involves several distinct cost categories that accumulate rapidly. Direct ransom payment is only one element — and increasingly one that victims avoid. The Databarracks Data Health Check 2025 found only 17% of UK ransomware victims paid the ransom, down from 27% in 2024 and 44% in 2023. This is encouraging, but the shift away from payment does not reduce the total cost of an incident; it redistributes it. Organisations that recover from backups face costs in system rebuild, data verification, forensic investigation, regulatory notification, and legal review that can easily match or exceed a ransom payment in absolute terms — while avoiding the reputational and legal exposure of funding criminal activity.
| Business Size | Typical Ransom Demand | Recovery Cost (no payment) | Total Incident Cost (est.) | Weeks of Disruption |
|---|---|---|---|---|
| Micro (1–9 employees) | £15,000–£50,000 | £20,000–£60,000 | £35,000–£110,000 | 2–4 weeks |
| Small (10–49 employees) | £50,000–£200,000 | £40,000–£120,000 | £90,000–£320,000 | 3–6 weeks |
| Medium (50–249 employees) | £150,000–£750,000 | £100,000–£400,000 | £250,000–£1.15m | 4–10 weeks |
| Large SME (250–499 employees) | £500,000–£2m+ | £250,000–£800,000 | £750,000–£2.8m+ | 6–16 weeks |
The table above draws on the Report Fraud data alongside Vodafone’s Securing Success report (which found UK SMEs losing £3.4 billion annually to inadequate cybersecurity), the ABI’s cyber insurance claims data, and the NCSC’s incident cost guidance. The figures are representative ranges, not guarantees. The critical observation is that even at the micro-business level, a ransomware incident typically costs more than one year of comprehensive managed IT support. At the small business level of 10 to 49 employees — the core UK SME bracket most heavily represented in the Report Fraud data — a single incident costs between 3 and 10 years of proactive IT support investment. This is the business case for IT Support that no board presentation needs to manufacture: the City of London Police have made it in operational data.
The Proactive vs. Reactive IT Support Divide
The Report Fraud data implicitly maps to a specific gap in UK SME IT management: the absence of proactive managed IT support. Chief Superintendent Wolf’s four-point defence framework — regular data backups, strong access controls, keeping systems up to date, following NCSC guidance — is precisely the service scope of a managed IT support contract. Businesses that have this in place are not immune to ransomware, but they face materially different outcomes when an attack occurs. Their recovery time is measured in days rather than weeks. Their data loss is bounded by backup retention periods rather than complete. Their financial exposure is covered or substantially reduced by cyber insurance that rewards demonstrable security posture.
Reactive IT posture
What most SMEs targeted in the Report Fraud data were running
- No continuous endpoint monitoring — malware executes undetected for days or weeks
- Irregular or untested backups — restoration fails or is incomplete at the moment of crisis
- Patching is manual, ad-hoc, or outsourced to a break-fix provider without SLA
- Access controls are permissive; admin credentials are shared or reused
- No incident response plan; first call after encryption is to a generic IT helpdesk
- Cyber insurance either absent or invalidated by non-compliance with policy conditions
- Average financial loss: £270,000 (and rising 50% per year)
Proactive managed IT support posture
Where Cloudswitched’s IT Support service takes you
- 24/7 managed endpoint monitoring with automated alerting on suspicious behaviour
- Managed antivirus with EDR integration; threats quarantined before lateral movement
- Patch management on a defined schedule; critical patches deployed within the CE v3.3 14-day window
- Access control reviews as part of scheduled maintenance; MFA enforced across all accounts
- Documented incident response runbook; dedicated account manager as first escalation point
- Security posture that satisfies Cyber Essentials v3.3 and supports cyber insurance applications
- Cost: from £15–£50 per user per month, depending on support level
The Ransomware Payment Ban: What UK Legislation Means for SMEs
The UK government’s ransomware legislative agenda has three distinct components, each with different implications for SMEs. Understanding the distinctions matters because conflating them leads to compliance errors and missed obligations.
The first component is the targeted payment ban for public sector bodies and critical national infrastructure operators. This would make it illegal for NHS trusts, local authorities, government departments, utilities, and essential services to pay a ransomware demand. SMEs are not directly in scope of this element, but they are affected indirectly: public sector supply chain vendors will face intensified due diligence requirements from buyers who can no longer bail themselves out with a ransom payment and must instead prove their supply chain is secure.
The second component is the pre-payment notification regime for the private sector. Under proposals being developed following the consultation, private sector businesses that intend to pay a ransom would be required to notify the government before doing so. This is not a ban — it is a mandatory process. The government’s objective is to gain visibility into the scale of UK ransomware payments (currently almost entirely hidden from public data), to provide businesses with access to law enforcement intelligence that may indicate whether paying will actually result in data return, and to begin building a record that could inform future payment ban decisions. For SMEs, this means any decision to pay a ransom becomes a formal government interaction — with all the reputational, legal, and insurance implications that entails.
The third component is mandatory 72-hour incident reporting for organisations above £25 million annual turnover. This threshold captures the upper end of SMEs and the full medium enterprise category. Organisations in scope must report a ransomware attack to the government within 72 hours of becoming aware of it — parallel to but separate from ICO breach notification requirements under UK GDPR. The reporting obligation exists whether or not the organisation intends to pay, and whether or not data has been exfiltrated. The 72-hour clock starts from the moment the organisation becomes aware of the attack, not from the moment of encryption.
Regardless of the new legislative proposals, UK GDPR already requires organisations to notify the Information Commissioner’s Office within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms. A ransomware attack that encrypts or exfiltrates personal data almost always meets this threshold. The ICO’s guidance is clear: encryption of personal data counts as a loss of availability and integrity, which constitutes a notifiable breach even if no data leaves the organisation. Most UK SMEs that suffer a ransomware attack are already legally obligated to notify the ICO — the proposed new legislation adds a parallel government notification on top of existing GDPR duties.
Where UK SME Defences Actually Stand Today
The Report Fraud data can only be properly interpreted alongside an honest assessment of current UK SME defensive capability. The combined picture from Vodafone, Commvault, Databarracks, and the NCSC’s own Annual Review creates a forensically clear picture of the gap between where SMEs think they are and where they actually are.
The 32% figure for SMEs with no cybersecurity protections at all is the most alarming single data point in the Vodafone report. “No cybersecurity protections” means no managed antivirus, no endpoint monitoring, no firewall configuration, no patching programme, no access controls — essentially a network operated on the assumption that it will never be targeted. The Report Fraud data suggests that assumption is being tested 323 times per year in the UK alone, with SMEs accounting for the majority of victims.
The 52% figure for employees who have received no cybersecurity training is directly connected to ransomware entry vectors. Phishing emails remain the most common initial access method for ransomware operators — confirmed by Infosecurity Magazine’s analysis of Report Fraud’s wider cybercrime dataset. An employee who has never been trained to identify a phishing email is an open door. A managed IT support service that includes scheduled security awareness training — even at basic level — closes that door in a way that no technical control alone can replicate.
The Ransomware Payment Behaviour Shift: What It Means
The movement in UK ransomware payment rates is one of the more encouraging data points in an otherwise difficult landscape. Databarracks’ Data Health Check 2025 recorded only 17% of UK ransomware victims paying the ransom — down from 27% in 2024 and 44% in 2023. That is a dramatic shift in two years. Twenty-four percent of UK organisations now have a formal policy never to pay a ransom, double the figure from 2023. UK organisations are more than three times more likely to recover from backups than to pay the ransom.
The 83% non-payment rate reflects two converging trends: improving backup capability (72% of UK organisations now have air-gapped backups, and 59% have immutable backups, per Databarracks) and growing awareness that payment does not guarantee recovery (Kevin Knight’s observation that decryption keys do not always work is borne out by insurance claims data). However, the non-payment trend should not be read as an indicator that the problem is improving overall. The 50% increase in average financial losses despite fewer payment events tells a different story: organisations are recovering from backups, but the recovery process itself is expensive, time-consuming, and disruptive in ways the ransom payment figure never fully captured.
The implication for managed IT support is specific. Backup capability alone — even immutable, air-gapped backup capability — is a recovery tool, not a prevention tool. A business that recovers from backups after a ransomware attack still faces forensic investigation costs, system rebuild time, regulatory notification obligations, reputational exposure, and potential data exfiltration liability (many ransomware operators now exfiltrate data before encrypting, meaning even a successful backup restore does not address the data exposure). Prevention — through endpoint monitoring, patch management, access control enforcement, and managed antivirus — remains the most cost-effective position. The Report Fraud data confirms that prevention is also where UK SMEs are most consistently underinvested.
Connecting the Data to Cloudswitched IT Support
The four defensive practices Chief Superintendent Wolf named in her Report Fraud commentary — regular data backups, strong access controls, keeping systems up to date, following NCSC guidance — map directly to the eight components of Cloudswitched’s managed IT support service:
01 Monitoring — continuous visibility across endpoints, servers, and network devices, with automated alerting on anomalous behaviour consistent with ransomware pre-staging or active encryption. Many UK SMEs have no monitoring at all; the Report Fraud data shows what the absence of monitoring costs in operational terms.
02 Managed Anti-Virus — centrally managed, always-current endpoint protection with EDR (endpoint detection and response) integration. Consumer-grade antivirus products installed manually and updated intermittently are not equivalent. Modern ransomware operators specifically test their payloads against the most common consumer antivirus products before deployment.
03 Patch Management — scheduled, documented patch deployment that ensures all endpoints and servers receive critical security updates within the 14-day window mandated by Cyber Essentials v3.3. The Patch Apocalypse article in this series documented how the volume of critical patches in 2026 has overwhelmed manual patch management for UK SMEs. A managed patching programme converts this volume problem into a managed workflow.
04 Scheduled Maintenance — regular structured review of system health, hardware lifecycle, licence compliance, and configuration drift. Ransomware operators actively scan for systems running unsupported software (the NCSC’s patch-wave warning from May 2026 identified this explicitly). Scheduled maintenance keeps the attack surface from silently expanding between reactive incidents.
05 Remote Support — an available helpdesk operated by qualified engineers, accessible 8:30am to 6:00pm UK time on Assurance and Ultimate packages, with Level 1 desktop support and Level 2 server, network, and cloud support. When a suspected ransomware event begins — often signalled by users reporting slow file access or unusual network activity — the first 30 minutes of response determine whether the encryption spreads to the full estate or is contained to a single endpoint.
06 Onsite Support — engineers available at the client’s premises for situations where remote resolution is insufficient. Ransomware containment and recovery often requires physical access: network isolation, hardware inspection, evidence preservation, and system rebuild activities that cannot be conducted remotely.
07 Dedicated Account Manager — a named individual who knows the client’s IT environment, has reviewed the risk profile, and serves as the escalation point when an incident occurs. The absence of a dedicated account manager means that the first point of contact in a crisis is a generic helpdesk — with no context, no pre-incident knowledge, and no authority to make rapid containment decisions.
08 Vendor Management — coordination of relationships with hardware suppliers, software vendors, ISPs, and cloud providers on behalf of the client. In a ransomware incident, vendor management determines how quickly replacement hardware is sourced, how rapidly cloud environments are reconfigured, and whether ISPs can assist with network-level containment. Without a managed IT relationship, these conversations happen in crisis conditions with no established contact.
The City of London Police data does not name a single victim whose managed IT support service prevented an attack or minimised its impact. It does not need to: the 323 victims who did report, the majority of whom were SMEs, represent the cost of the alternative. The 17% who paid an average demand implicitly in a range consistent with £270,000 in total losses — plus recovery costs on top — were almost certainly operating without the defensive baseline that a managed IT support service delivers as its standard output.
Is your IT support posture where it needs to be?
Cloudswitched’s managed IT support service delivers the exact defensive baseline Chief Superintendent Wolf described: regular backups, access controls, up-to-date systems, and NCSC-aligned practices — from £15 per user per month with no long-term lock-in.
Talk to us about Managed IT SupportAt-a-Glance: Key Facts on UK Ransomware and IT Support
| Metric | Figure | Source |
|---|---|---|
| UK ransomware victims reported to Report Fraud (Apr 2025–Mar 2026) | 323 | City of London Police |
| Monthly attack frequency (reported) | 26+ | City of London Police |
| Share of victims that were SMEs | Over 50% | City of London Police |
| Average financial loss per incident | £270,000 | City of London Police / Report Fraud |
| Year-on-year increase in average losses | 50% | City of London Police / Report Fraud |
| Hardest-hit sector (confirmed reports) | Manufacturing (42) | City of London Police |
| UK businesses experiencing a critical cyber incident | 93% | Commvault |
| UK SMEs with zero cybersecurity protections | 32% | Vodafone Securing Success |
| UK ransomware victims who paid the ransom | 17% | Databarracks 2025 |
| UK organisations with air-gapped backups | 72% | Databarracks 2025 |
| UK cyber insurance payouts (2024) | £197 million | Association of British Insurers |
| Year-on-year increase in UK cyber insurance payouts | 230% | Association of British Insurers |
| Annual UK SME losses from inadequate cybersecurity | £3.4 billion | Vodafone Securing Success |
| Cloudswitched IT Support: Essentials package from | £15/user/month | Cloudswitched |
| Cloudswitched IT Support: Ultimate package from | £50/user/month | Cloudswitched |
For further context on the threat landscape informing this data, the following articles in the Cloudswitched news series address related dimensions of the risk environment UK SMEs are navigating in July 2026: the Patch Apocalypse and AI-driven CVE surge documented how the volume of critical patches has overwhelmed manual patch management; the FortiBleed campaign showed how compromised credentials from perimeter devices translate into follow-on ransomware attacks; the Scattered Spider TfL conviction analysis demonstrated how social engineering — a primary ransomware entry vector — works against organisations of any size; and the Cyber Security Breaches Survey 2026 established the 612,000-business breach baseline against which the Report Fraud ransomware data sits. Together, these articles form the complete picture of what managed IT support is defending against in 2026.
Frequently Asked Questions
Don’t wait for a Report Fraud notification number
Cloudswitched’s managed IT support delivers the monitoring, patching, access controls, and dedicated account management that the City of London Police data shows UK SMEs need most — from £15 per user per month with no long-term lock-in.
Get Managed IT Support


