Many small business owners still think ransomware attacks only happen to hospitals, global brands, or public infrastructure. In reality, the ransomware risk to small businesses is one of the clearest examples of how attackers consistently target organizations with valuable data, limited time, and weaker defenses.
Recent findings from Proton’s Data Breach Observatory show that SMBs are frequently the victims of breaches. They’re also disproportionately represented in the most damaging incidents, including breaches involving high-risk data and large record exposures.
Ransomware is a business continuity, credential security, and data protection problem. The UK government’s Cyber Security Breaches Survey found that 1% of UK businesses identified ransomware incidents in the previous 12 months, up from less than 0.5% in 2024. At national scale, that equates to an estimated 19,000 businesses.
Despite the rise of ransomware, phishing is still the most common type of cyberattack. Attackers most often get into business networks through people, credentials, and routine workflows rather than through sophisticated technical exploits. A phishing email that yields one working login is frequently the first step of a larger ransomware attack, launched once the attacker sees a bigger payday.
For a small business, the damage from ransomware can cause significant disruptions to business continuity. Team members lose access to files and can’t continue their work, operations slow or stop, and customers or clients don’t get adequate services. If personal data is compromised, reporting obligations will follow. A practical ransomware strategy for SMBs has to cover both aspects of an attack: prevention and recovery.
How does ransomware work?
Ransomware is a type of malware that prevents you from accessing devices or data, usually by encrypting files, and then demands a payment in exchange for decryption. In many cases, attackers now do more than lock files. They also steal data and threaten to leak it if the ransom is not paid, which turns the incident into both an availability crisis and a potential data breach.
Victims are usually instructed to communicate through anonymous email addresses or dark-web pages and to pay in cryptocurrency. For small businesses, that detail matters: cryptocurrency is pseudonymous and sits outside traditional financial institutions, so payments are practically irreversible and, once laundered through mixers and exchanges, very hard to attribute or recover.
A ransomware event is not always limited to losing access to files. It may also mean that customer information, employee data, financial records, contracts, or login credentials have already been exfiltrated. Ransomware can lead to loss of timely access to personal data and, where backups are not appropriate or available, even permanent loss.
The attack chain is usually more ordinary than you might expect. The easy-to-miss events that lead to a ransomware attack include:
- A phishing link being followed.
- A reused password being exposed in an unrelated data breach.
- A remote access service, such as RDP or a VPN appliance, left exposed to the internet.
- A known vulnerability being left unpatched.
Once an attacker gets access to a business network, they move laterally, escalate privileges, disable recovery paths where possible, and deploy encryption or extortion where it will hurt most. No single tool or solution can prevent ransomware attacks. Instead, organizations must focus on reducing the number of easy paths into their network.
Why small businesses are disproportionately targeted
Small businesses are attractive ransomware targets for a simple reason: they hold valuable data that isn’t as well-protected as it should be. Proton’s latest observatory findings show that SMBs account for 63% of breaches tracked since January 2025 and more than 352 million leaked records.
They also account for 61% of breaches involving high-risk data, with small businesses alone representing 48% of those critical incidents. Among breaches exposing more than 100,000 records, SMBs account for 60%, and small businesses represent 42%.
Small businesses aren't careless. In fact, Proton's SMB Cybersecurity Report 2026 shows that small businesses are trying to improve their cybersecurity. The problem is that their defenses break under real-world conditions. Inconsistent enforcement, human error, shared access habits, and limited internal security capacity are what make small businesses tempting targets.
In Proton’s survey of 3,000 leaders at companies under 250 employees, 39% said incidents stemmed from human error, and 48% said they did not have a password manager in place.
Larger companies may have dedicated response teams, segmented environments, tested backup plans, and external incident support already in place. Smaller ones often have one lean IT function, outsourced support, or no dedicated security expert. When the attack hits, the business is forced to make high-stakes decisions while under operational pressure. That pressure is exactly what ransomware operators count on.
The most common entry points for ransomware in SMBs
The UK studies cited above agree that phishing remains the dominant cybercrime vector for businesses. Why? Because phishing is usually only the first step: it leads to credential theft, account compromise, malware delivery, or remote access abuse.
Weak or reused credentials are another major problem. Small businesses often have shared logins, passwords reused across multiple services, or old accounts that stay active after someone changes roles or leaves. Once attackers obtain one working login, they don’t need to hack into accounts. They can simply sign in.
From there, a poorly protected admin account, an exposed cloud console, or a remote access point without two-factor authentication (2FA) can become the bridge into a broader ransomware incident. Realistically, organizations need to deploy 2FA, least privilege access, and regular permission reviews to reduce how easily stolen credentials can be reused and how far malware can spread.
Unpatched software is another recurring entry point. The NCSC notes that ransomware is increasingly deployed via exposed services such as RDP or unpatched remote access devices, and recommends patching vulnerabilities in remote access and internet-facing systems as soon as fixes become available. For SMBs, this is where a missed update quietly becomes an attack surface.
How to protect against ransomware: a layered approach
There is no single control that can prevent ransomware. The most effective approach is layered and practical.
Start with identity management
Most ransomware incidents start with an account, so accounts are where protection has to start. Make two-factor authentication mandatory wherever possible across business-critical accounts, especially email, admin tools, cloud storage, finance platforms, remote access points, and any system that stores customer personal data or other sensitive personally identifiable information (PII).
Improve password hygiene
Attackers don’t always break into accounts. Often, they log in with stolen or reused credentials. Every business account must have a unique, strong password, and shared access should be replaced with managed, secure credential sharing through a business password manager rather than through spreadsheets, chats, or email.
Proton’s own SMB report highlights that even businesses with tools in place still often fall back on insecure password-sharing habits. This is exactly where a secure business password manager like Proton Pass for Business can reduce risk: it helps teams create strong and unique credentials, store them securely, and share access in a controlled, secure way.
Patch management has to be disciplined
Security updates for operating systems, apps, VPNs, remote access tools, and boundary devices should be treated as operational essentials, not optional maintenance. Install security updates as soon as possible and enable automatic updates where feasible.
Robust mail and web protection
Mail filtering, attachment controls, blocking known malicious sites, and safe browsing protections all reduce the likelihood that ransomware is delivered in the first place. Because phishing is so common, these controls are essential.
Address human error
Even when you've implemented security measures and a password policy, security awareness training is still necessary. Training helps staff spot suspicious emails and social engineering attempts, but people will still make mistakes.
Tooling and access controls should assume that. The NCSC explicitly recommends awareness training, but Proton's research also points out that training alone does not catch every slip. Good security design reduces the damage when someone does click by making one mistake less likely to become a full-scale incident, whether through 2FA, least-privilege access, stronger email protections, segmented access, or tested backups that support recovery.
Protect recovery before you need it
Backups need to be regular, isolated, and tested. The ICO recommends the 3-2-1 approach: three copies, on two different devices, with one stored off-site. At least one copy should also be offline or immutable, because a ransomware operator who has captured an admin account will try to delete or encrypt every backup they can reach before deploying the payload. The NCSC adds an important operational warning: ransomware may have infiltrated your environment before discovery, so backups should be scanned before restoration, and backup systems themselves should be protected.
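The checks that "regular, isolated, and tested" implies can be automated. The following is an added example, not code from the original article or from Proton: it builds a constructed source tree and three backup copies in a temporary directory, checks the copy set against the 3-2-1 rule plus the offline-copy requirement, and verifies each copy's contents against the live source by SHA-256, which is how a restore test catches a copy that ransomware has already reached. The media labels, the "offline" and "offsite" flags, and the tampered file are all assumptions made for the demonstration.

```python
"""Verify a 3-2-1 backup set: copy count, media and off-site spread, an offline
copy, and content integrity against the live source. All data here is constructed
sample data written to a temporary directory; this is not a real backup tool."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 hex digest."""
    hashes = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return hashes


def check_321(copies: list) -> list:
    """Return rule violations for a list of copy descriptors.

    Each descriptor: {"path": Path, "medium": str, "offsite": bool, "offline": bool}.
    An empty list means the 3-2-1 rule, plus one offline/immutable copy, is met.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    media = {c["medium"] for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media))})")
    if not any(c["offsite"] for c in copies):
        findings.append("no off-site copy")
    if not any(c["offline"] for c in copies):
        findings.append("no offline/immutable copy: a compromised admin account "
                        "could delete every backup")
    return findings


def verify_copy(source_hashes: dict, copy_root: Path) -> list:
    """Compare a copy to the source; return files that are missing or differ."""
    copy_hashes = file_hashes(copy_root)
    return [rel for rel, digest in source_hashes.items()
            if copy_hashes.get(rel) != digest]


def build_demo(base: Path) -> dict:
    """Create a constructed source tree and three copies, then tamper with one."""
    source = base / "source"
    sample_files = {  # constructed business data, not real records
        "invoices/2025-01.csv": b"id,amount\n1,100\n2,250\n",
        "hr/staff.json": b'{"alice": "finance", "bob": "ops"}\n',
    }
    for name, body in sample_files.items():
        (source / name).parent.mkdir(parents=True, exist_ok=True)
        (source / name).write_bytes(body)
    copies = [  # assumed layout: always-mounted NAS, rotated USB disk, cloud bucket
        {"path": base / "nas", "medium": "nas", "offsite": False, "offline": False},
        {"path": base / "usb", "medium": "external_disk", "offsite": False, "offline": True},
        {"path": base / "cloud", "medium": "object_storage", "offsite": True, "offline": False},
    ]
    for c in copies:
        shutil.copytree(source, c["path"])
    # Simulate ransomware reaching the always-mounted NAS copy: overwrite one file.
    (base / "nas" / "invoices" / "2025-01.csv").write_bytes(b"ENCRYPTED")
    return {"source": source, "copies": copies}


def run_checks() -> dict:
    """Build the demo set and return rule findings plus per-copy integrity results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        demo = build_demo(base)
        src_hashes = file_hashes(demo["source"])
        return {
            "rule_findings": check_321(demo["copies"]),
            "integrity": {c["medium"]: verify_copy(src_hashes, c["path"])
                          for c in demo["copies"]},
        }


if __name__ == "__main__":
    print(run_checks())
```

Run it and the rule check passes (three copies, three media, one off-site, one offline), while the integrity check names the NAS copy's `invoices/2025-01.csv` as differing from the source. That is the point of testing restores before an incident: the copy you can reach most easily is also the one the attacker can reach.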
The credential connection: why passwords still matter in ransomware defense
It is easy to think of ransomware as malware and forget that passwords play a part in a successful attack. But many ransomware incidents begin with the theft, reuse, or abuse of logins.
That might mean a staff member reusing a password from another service, a former contractor account remaining active, an admin credential being shared among several people, or an exposed remote access point being protected only by a password. Each of those shortcuts expands the attack surface.
This is one reason strong credential management belongs inside any ransomware prevention framework and recovery plan. Unique passwords per service reduce the blast radius of one stolen login. 2FA makes that stolen password far less useful on its own, while centralized credential storage removes the need for insecure workarounds.
Secure sharing means employees get the access they need through controlled, trackable methods rather than through informal password sharing. Regular review of who has access to what also supports least privilege, which the NCSC recommends as part of limiting lateral movement and spread.
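Each of the shortcuts listed above (password reuse, a leaver's account still active, an admin login shared by several people, an exposed remote access point protected only by a password) can be caught by a periodic audit of an access inventory. The following is an added example, not code from the original article or from Proton: it runs that audit over a constructed inventory of the kind a password manager export or identity provider API would give you, comparing passwords only by hash fingerprint so reuse can be reported without echoing secrets. The inventory records, the field names, and the 90-day staleness threshold are assumptions made for the demonstration.

```python
"""Audit an access inventory for the credential shortcuts that let one stolen
login grow into a ransomware incident. The INVENTORY below is constructed sample
data with made-up passwords; a real run would load a password manager export."""
import hashlib
from collections import Counter, defaultdict
from datetime import date

# Constructed inventory. Each record is one login to one service.
INVENTORY = [
    {"service": "m365", "users": ["alice"], "password": "Winter2024!", "mfa": True,
     "admin": False, "internet_facing": True, "active": True,
     "owner_status": "active", "last_login": "2025-03-01"},
    {"service": "rdp-gateway", "users": ["alice"], "password": "Winter2024!", "mfa": False,
     "admin": False, "internet_facing": True, "active": True,
     "owner_status": "active", "last_login": "2025-02-20"},
    {"service": "accounting", "users": ["bob"], "password": "B0bsPassw0rd", "mfa": True,
     "admin": False, "internet_facing": False, "active": True,
     "owner_status": "left", "last_login": "2024-10-15"},
    {"service": "firewall-admin", "users": ["carol", "dave", "erin"], "password": "adminadmin",
     "mfa": False, "admin": True, "internet_facing": False, "active": True,
     "owner_status": "active", "last_login": "2025-03-05"},
    {"service": "crm", "users": ["carol"], "password": "x9#Lq2!vRt8p", "mfa": True,
     "admin": False, "internet_facing": True, "active": True,
     "owner_status": "active", "last_login": "2025-03-08"},
]


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so reuse can be reported without printing the secret."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit(inventory: list, as_of: date, stale_days: int = 90) -> list:
    """Return a list of findings, each {"rule": ..., "service": ..., "detail": ...}."""
    findings = []
    by_fingerprint = defaultdict(list)
    for rec in inventory:
        svc = rec["service"]
        by_fingerprint[fingerprint(rec["password"])].append(svc)
        if rec["owner_status"] == "left" and rec["active"]:
            findings.append({"rule": "leaver_active", "service": svc,
                             "detail": f"{', '.join(rec['users'])} has left but login is active"})
        if len(rec["users"]) > 1:
            findings.append({"rule": "shared_login", "service": svc,
                             "detail": f"one login used by {len(rec['users'])} people"})
        # A password alone is not enough on anything admin-level or reachable from the internet.
        if not rec["mfa"] and (rec["admin"] or rec["internet_facing"]):
            findings.append({"rule": "no_2fa", "service": svc,
                             "detail": "admin or internet-facing login without 2FA"})
        idle = (as_of - date.fromisoformat(rec["last_login"])).days
        if rec["active"] and idle > stale_days:
            findings.append({"rule": "stale_account", "service": svc,
                             "detail": f"no login for {idle} days"})
    for fp, services in by_fingerprint.items():
        if len(services) > 1:
            findings.append({"rule": "password_reuse", "service": ", ".join(sorted(services)),
                             "detail": f"fingerprint {fp} shared by {len(services)} services"})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, for a quick health summary."""
    return dict(Counter(f["rule"] for f in findings))


def run_audit(as_of_iso: str = "2025-03-10") -> dict:
    """Audit the constructed inventory as of a fixed date and return the summary."""
    return summarize(audit(INVENTORY, date.fromisoformat(as_of_iso)))


if __name__ == "__main__":
    for f in audit(INVENTORY, date(2025, 3, 10)):
        print(f"[{f['rule']}] {f['service']}: {f['detail']}")
    print(run_audit())
```

On the sample data the audit reports one reused password (alice's Microsoft 365 password is also her RDP gateway password), two logins without 2FA (the internet-facing RDP gateway and the admin login on the firewall), one shared login, one leaver whose account is still active, and one stale account. Each finding maps to a fix the article already names: a unique password per service, 2FA on exposed and admin access, managed sharing instead of a shared login, and a permission review that disables accounts when people leave.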
We’ve written extensively about the ransomware threats that SMBs face. Over and over, we see the same thing: attackers are increasingly looking for the businesses that are easier to break, not just the businesses with the biggest names.
What to do if your small business gets hit
1. Contain the incident
If your business is hit, your first priority is containment. Disconnect infected devices from the network (pull the cable or disable Wi-Fi rather than powering off, so volatile evidence survives where possible), disable compromised accounts if you can identify them, isolate remote access pathways, preserve evidence, and avoid wiping or rebuilding systems too quickly if you may need forensic support later.
2. Report the incident
The NCSC advises UK organizations to report incidents and provides dedicated ransomware guidance for response and recovery. Proton’s guide to incident response is also a useful reference for structuring the broader decision-making process around containment, investigation, communications, and recovery.
3. Don’t pay the ransom
The NCSC and UK law enforcement do not encourage, endorse, or condone paying ransom demands. They note there is no guarantee you will regain access, your systems may still be infected, you will be funding criminal groups, and you may be more likely to be targeted again.
The ICO is similarly clear that paying a ransom does not reduce the risk to people and does not safeguard the information. Even if a decryption key is offered, there is no guarantee it will work or that stolen data will not still be leaked.
4. Start recovery
Recovery should be careful and staged rather than fast. That means rebuilding from clean, scanned backups, validating that the attack path has been closed, rotating every credential the attacker could have captured (including admin, service, and remote access accounts), re-enabling access gradually, and documenting what happened. If backups are connected to live systems or have never been tested, this is often where businesses discover a second failure after the first one. A good ransomware recovery plan starts long before an incident occurs.
UK reporting obligations: when the ICO may need to be involved
If a ransomware incident affects personal data, this may be a personal data breach under the UK GDPR. The ICO explains that loss of access to personal data can itself be a breach where it creates risk to individuals, and that you must notify the ICO without undue delay and, where feasible, within 72 hours if the breach is likely to result in a risk to people’s rights and freedoms. If the risk is high, affected individuals may also need to be informed without undue delay.
Some organizations still assume that if they restore systems quickly or there is no obvious public leak, reporting is unnecessary. That is not a safe assumption. The ICO’s ransomware guidance explicitly addresses breach notification scenarios and makes clear that the assessment turns on risk to individuals, not just whether stolen files have already surfaced online.
Ransomware is an SMB problem now
Small businesses are being hit by ransomware more and more frequently, and when they are hit, the impact can be severe because attackers go after exactly the gaps SMBs struggle to close: shared credentials, missing 2FA, exposed remote access, and untested backups. Proton's latest breach data makes that visible: the threat is measurable, growing, and operationally disruptive.
The good news is that the fundamentals can do much of the heavy lifting for any SMB. Measures such as using a business password manager to deploy 2FA and create unique credentials, patching, mail filtering, staff awareness, permission review, tested backups, and incident response planning may not seem flashy on their own, but together they make a meaningful difference. They reduce the chances that a single stolen password, one phishing email, or one exposed remote service escalates into a business-wide outage.