The NCSC published an assessment earlier this year that made uncomfortable reading for anyone responsible for cybersecurity at a UK business. AI is now playing a role in roughly 60 percent of sophisticated attacks against UK organisations. The average ransomware demand against UK victims has gone up sharply, year on year. And small and medium businesses — the kind without a dedicated IT security team — are being hit at a rate that should make you take this seriously.
This isn’t abstract. Forty-three percent of UK SMEs reported a cyberattack or breach in the past year. Most of them recovered, eventually, but the cost in downtime, recovery work, and reputational damage was significant even when no ransom was paid.
So what’s actually changed about ransomware, and what can a small business with limited budget and no dedicated security staff do about it?
How AI Has Changed Ransomware Attacks
Traditional ransomware was fairly blunt. Attackers would send mass phishing emails, hope someone clicked, get a foothold in one machine, and then try to spread. It worked often enough to be profitable, but it was noisy, slow, and required a lot of manual work by skilled attackers. That kept the scale somewhat limited.
AI has changed the economics. The research phase — working out who works at an organisation, what systems they use, what their email style looks like, who the decision-makers are — can now be done at scale with AI tools. Phishing emails can be personalised in seconds rather than crafted individually. Once an attacker has a foothold, AI-assisted tools can do network reconnaissance automatically, finding high-value targets like file servers, backups, and finance systems without a human operator monitoring every step.
The practical result is that the kind of targeted, patient attack that used to require a sophisticated gang with skilled operators can now be executed with less expertise and at much greater volume. Small businesses that used to be too small to bother with are increasingly in scope. Your accounts data, your customer records, your access to your own systems — they all have value to someone.
The 144 percent increase in the average ransomware demand that the NCSC has cited partly reflects this change. When attackers can move faster and find the genuinely valuable data before encrypting anything, they have better leverage in negotiations. “We have your financial records and your client list” is a stronger position than “we’ve encrypted your whole network and we’re not sure what’s on it.”
What Makes a Small Business Vulnerable
To be honest, the same things that have always made small businesses vulnerable. Inconsistent patching. Weak or reused passwords. No MFA on email and accounting systems. Backups stored on the same network as everything else, so ransomware encrypts those too. A single person responsible for IT who’s stretched too thin to keep up with everything.
The AI angle doesn’t fundamentally change what the attackers are exploiting. It changes how quickly and cheaply they can exploit it, and how personalised the initial approach looks. An AI-drafted phishing email that reads like a message from your accountant or your broadband provider is harder to spot than a generic “you’ve won a prize” message. That’s why even businesses with reasonable awareness of phishing are still getting caught.
Three Things Worth Prioritising
None of what follows requires a large budget. These are the controls the NCSC consistently identifies as having the highest impact for the cost.
Offline or immutable backups. This is the single most effective protection against ransomware. If your backups are on a network drive that your main computer can write to, ransomware can encrypt them. Backups need to be either physically disconnected (an external drive you unplug after backups complete), stored with a cloud provider that keeps immutable versions (Backblaze, Wasabi, and most reputable cloud backup services do this), or both. The NCSC’s “Exercise in a Box” cyber scenario toolkit, which is free to use, walks through backup testing specifically. If you can’t restore from backup in a realistic drill, your backup isn’t protecting you.
MFA on everything that matters. Email, accounting software, cloud storage, any system your staff can access remotely — all of them need MFA enabled. Not just your email. Microsoft 365, Xero, Sage, QuickBooks, your cloud backups, your domain registrar. Credential theft is often the first step in a ransomware attack, and MFA makes stolen passwords dramatically less useful. Google and Microsoft both allow you to require MFA for all users through the admin consoles, and there’s no good reason not to do it.
Endpoint detection on devices. Standard antivirus is not sufficient against modern ransomware, which is frequently designed to evade signature-based detection. Endpoint detection and response tools look at behaviour rather than signatures — they notice when a process starts encrypting files rapidly and stop it. Microsoft Defender for Business, which is included in Microsoft 365 Business Premium, includes EDR capability. If you’re paying for 365 Business Standard, it’s worth checking whether upgrading to Premium is cost-effective against the protection it adds.
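As an added illustration of the behaviour-based check described above (example code written for this article, not code from the NCSC or from any EDR product), the following Python flags a process that writes many high-entropy files in a short window, which is what rapid encryption looks like on disk. The write events, process IDs, thresholds and window size are all constructed assumptions.

```python
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    ts: float      # seconds since monitoring started
    pid: int       # process that performed the write
    path: str      # file written
    sample: bytes  # first bytes of the data written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BurstEncryptionDetector:
    """Flags a pid once it has made max_writes high-entropy writes inside window_s seconds."""

    def __init__(self, window_s: float = 10.0, max_writes: int = 20, entropy_min: float = 7.0):
        self.window_s, self.max_writes, self.entropy_min = window_s, max_writes, entropy_min
        self._recent = defaultdict(deque)  # pid -> timestamps of recent high-entropy writes

    def observe(self, ev: WriteEvent) -> bool:
        """Return True when this write tips the process over the threshold (block it here)."""
        if shannon_entropy(ev.sample) < self.entropy_min:
            return False                      # plain text, spreadsheets etc. never count
        q = self._recent[ev.pid]
        q.append(ev.ts)
        while ev.ts - q[0] > self.window_s:   # drop writes that fell out of the window
            q.popleft()
        return len(q) >= self.max_writes


def run_demo() -> dict:
    """Constructed events: a benign editor (pid 4101) saving text files and a
    hypothetical encryptor (pid 7722) rewriting documents with random bytes, both
    at ten writes per second. Returns {pid: timestamp of first alert}."""
    rng = random.Random(1)
    det, first_alert = BurstEncryptionDetector(), {}
    for i in range(30):
        events = [
            WriteEvent(i / 10, 4101, f"notes/draft{i}.txt", b"Quarterly cashflow notes, line %d\n" % i),
            WriteEvent(i / 10, 7722, f"docs/invoice{i}.xlsx", bytes(rng.getrandbits(8) for _ in range(1024))),
        ]
        for ev in events:
            if det.observe(ev):
                first_alert.setdefault(ev.pid, ev.ts)
    return first_alert
```

Compressed formats such as zip, docx and jpeg are also high-entropy, so a real EDR combines this rate-plus-entropy signal with others (extension changes, shadow-copy deletion, ransom notes) before it blocks a process.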
If the Worst Happens
If you do get hit, the NCSC’s guidance is clear: do not pay the ransom if you can avoid it. Payment doesn’t guarantee your data is returned, and it funds further attacks. Call Action Fraud (0300 123 2040) to report it, and check whether the NCSC’s free incident response scheme — which was opened to SMEs in 2026 — offers support your situation qualifies for.
Your legal obligations matter here too. If the attack involves personal data being accessed or exfiltrated, you have a 72-hour window to report it to the ICO. That clock starts from when you become aware of the breach, not when you’ve finished investigating it. Make sure someone knows that obligation exists before you need it.
The goal isn’t to make your business impossible to attack. It’s to make you a harder target than the next business on the list, and to limit the damage when something does get through. That’s achievable, and most of it starts with the basics.