Military precision can protect SMBs (small and medium businesses), says Tom Exelby, Head of Cyber Security at the cyber firm Red Helix.
Cyber criminals have made small and medium-sized businesses (SMBs) one of their prime targets. A survey of 2,000 SMBs in the UK and US by Microsoft in September 2024, for example, found cyber criminals have attacked one in three firms, with the cost of investigation and recovery after an attack ranging from £60,000 to £3m.
Ransomware is undoubtedly one of the most severe challenges for SMBs. It might just be a type of malware, but it is the intended threat of extortion, system downtime and data theft that makes it potentially so devastating for SMBs.
Escalating costs and evolving threats
Costs associated with ransom payments, remediation, recovery and reputational damage continue rising. Downtime alone can devastate organisations, as seen when ransomware hit chilled-food logistics firm Peter Green Chilled, halting order processing and leaving fresh stock at risk of spoiling. While transport operations partially recovered within a few days, small producers faced losses of up to £100,000.
One of the biggest dangers for SMBs is underestimating the deviousness of ransomware criminals. While almost all the SMBs surveyed by Microsoft agreed cyber security is critical, only 42 per cent identified ransomware specifically as a major challenge.
SMBs must revitalise their defences if they want to be secure. Lacking time and expertise, they now face ransomware gangs employing new techniques, including generative AI to increase speed and accuracy. IBM’s 2024 X-Force Threat Intelligence Report also highlights growing credential-based threats, often precursors to ransomware, while CrowdStrike’s 2025 Global Threat Report claims that the time it takes attackers to move through a target’s network once they have gained entry has crashed from 48 minutes to 51 seconds.
These developments accompany changes in the ransomware underworld, where barriers to entry have been lowered through ransomware-as-a-service, pulling ever-smaller businesses into the criminals’ orbit. Cyber criminals target SMBs strategically, calculating ransom demands based on the victim’s revenues and even checking insurance coverage, so static perimeter defences no longer suffice.
Despite the risks, however, many SMBs still practise poor cyber hygiene, failing to do the basics such as regularly changing passwords, implementing multi-factor authentication and consistently applying security patches. Even security awareness training is frequently neglected, which is extremely dangerous given that the human factor is prevalent in cyber breaches.
To counter these threats, small businesses should adopt more of a military mindset. One key element of that is a focus on building resilience, so they can defend themselves and also rapidly respond and recover from an attack.
Achieving effective resilience in light of growing threats requires military precision, with a detailed and rehearsed incident response plan addressing the key tenets of containment, eradication and recovery. Planning for a ransomware attack must include mapping of data and an understanding of its sensitivity, so that, if the worst happens, customers and third parties can be informed without delay. Equally, for business continuity, organisations must focus on securing backups as ransomware attacks frequently commence with encryption of backups before moving on to other main targets.
SMB cyber security and defence-in-depth
The three watchwords here are defend, respond and recover, requiring a multi-layered ecosystem of tools that will kick in at different stages of an attack. This is another opportunity for SMBs to learn from the military sector and adopt a layered defence-in-depth approach. Monitoring of endpoints is part of this, but approaches must align with risk-management protocols that fit the business and its requirements. This requires expertise to know which alerts matter and how to act on them.
Fortunately, behavioural analysis can identify the telltale signs of a ransomware intrusion and stop it in its tracks. Spotting this behaviour is possible due to the predictable pathway ransomware attacks need to take through a digital system to achieve their aim. Given the speed with which ransomware can move through systems, SMBs must also segment their networks through user permissions. This will slow lateral movement and increase the likelihood of detection. Multi-factor authentication can be used to accompany all this, creating a significant barrier for attackers attempting to use compromised credentials.
Readiness for AI-powered threats
SMBs need to act now because AI is improving the effectiveness of ransomware, especially in the initial techniques that precede an attack. To illustrate this point, large language models enable criminals to craft more convincing emails and identify organisations that are lax about patching particular vulnerabilities.
Criminals are also deploying AI to accelerate scanning for weaknesses once they are in an organisation’s environments. They scan data to gauge what is most important to a firm, examine insurance certificates to assess size and coverage, and determine the likelihood of payouts. The speed of these operations makes detection difficult without specialist tools and external expertise.
There are lessons here for businesses from the military approach to risk management, tying together people, processes and technology. SMBs need intelligence about what their enemies (the ransomware gangs) are doing and how other organisations have been breached. Integrating that intelligence into defences, patching vulnerabilities swiftly and prioritising resources on the most important threats will make an attack extremely difficult.
SMBs can further learn from the military emphasis on regular drills and exercises. The ability to recover quickly from a ransomware attack depends largely on preparation and the development of documented processes that people know how to follow should a breach occur. Thorough analysis of each drill’s effectiveness, followed by rapid adaptation, ensures continuous improvement.
The dangers of ransomware are unlikely to recede, given its profitability and increased sophistication, the specialisation of the gangs involved and the low likelihood of them being caught. Nonetheless, basic cyber hygiene combined with multi‑layered defence – supported by third‑party expertise where required – can still give SMBs confidence that they can protect themselves against this enduring menace.




