Inflection Point
Cyber Security 16 June 2026 11 min read Verified 16 June 2026

The UK SME ransomware playbook 2026

Iain Godding

Owner / Founder / Managing Director

If a UK SME gets hit by ransomware tomorrow, the difference between a 2-day disruption and going out of business is a written playbook, run before the incident, by people who know what to do. Most SMEs don't have one. This post is the implementer's view: what to do in the first 60 minutes (detect, contain, preserve evidence), the first 24 hours (notify, scope, communicate, recovery start), and the first 30 days (full recovery, post-incident review, insurance and regulatory steps). Plus the honest position on the question every owner will ask within an hour of the first encrypted file: do you pay?

The 2026 UK ransomware reality

Ransomware against UK SMEs is no longer a 2020-era story about hospitals and councils. It's a daily B2B reality that the National Cyber Security Centre, the ABI and Cifas are all measuring upward in 2026.

A few anchors:

  • The 2025 Jaguar Land Rover incident, a major UK manufacturer with thousands of suppliers attached, is the headline reminder that ransomware now disrupts entire supply chains, not just direct victims. SMEs in the JLR supplier chain were locked out of their own systems because JLR's connection requirements changed overnight.
  • Insurance data from the ABI shows insurer-paid cyber recovery claims rose materially in 2024 and 2025. The exclusion language on ransom payments specifically is tightening every year, in part because of the UK sanctions regime (more below).
  • Cifas Fraudscape 2026 attributes a growing share of UK identity fraud to data exfiltrated during ransomware events that were never publicly disclosed. The breach you don't see makes the news 18 months later as credit card fraud on your customers' accounts.

Most SMEs we work with assume ransomware is a "big company problem". The data says otherwise. Mid-market UK SMEs are the sweet spot for ransomware operators: enough cash flow to pay, not enough security maturity to stop the attack, no in-house incident response team to coordinate a response, and a customer base that creates urgency.

The good news is that ransomware response is more or less the same shape every time. Which means a UK SME with a written playbook, tested annually, recovers in a fraction of the time and at a fraction of the cost of one without.

The first 60 minutes

Most ransomware incidents are detected by a user reporting "my files have weird extensions" or by an endpoint security tool firing alerts. The clock starts the moment someone in the business notices.

What to do, in order:

  1. Confirm it's actually ransomware and not a false positive. A single user with one encrypted file might be a corrupted disk, a misconfigured backup tool, or an actual incident. Verify on at least two devices before escalating to full incident response. Time to make this call: 10 minutes maximum.
  2. Isolate the affected hosts from the network. Not by powering them off. Unplug the network cable or disable Wi-Fi via the OS. Powering off destroys evidence in memory that the forensic team will need. If isolation involves disconnecting a whole site, do it: the cost of a 4-hour disconnection is materially less than the cost of letting encryption spread.
  3. Disable affected identities. If a user account has been compromised, that account is now an attacker tool. Disable in Microsoft Entra ID / Active Directory, revoke all active sessions, and rotate the password and tokens. Do this for the user who reported, the user whose device is involved, and any service accounts the device authenticated against in the last 24 hours.
  4. Preserve evidence. Don't delete anything. Don't reformat anything. The forensic team needs the original encrypted files, the ransom note, memory dumps if possible, and the device logs. We have watched two SMEs render their own incident un-investigable by tidying up before the IR team arrived.
  5. Alert the response chain. Your IT provider's emergency line. Your cyber insurance broker. The named technical lead for incident response. If you don't know who these people are at 7pm on a Friday, you have a playbook problem you should fix this week.
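Step 3 above is the one most often done by hand, one account at a time. The script below is an added example, not the post's or Inflection Point's own tooling: it disables each affected identity in Microsoft Entra ID, revokes active sessions, rotates the password, pulls in any other account that signed in from the affected device in the last 24 hours (so service and shared accounts are contained too), mirrors the disable on-prem if the account is synced from Active Directory, and keeps a timestamped log for the forensic team. It assumes the Microsoft.Graph SDK and the RSAT ActiveDirectory module are installed and that the operator holds the required admin roles; the user principal names and device name are placeholders.

```powershell
# Added example: contain affected identities (playbook step 3) and log what was done.
# Assumes Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Reports
# and (optionally) the ActiveDirectory module. All names below are placeholders.
param(
    [string[]] $AffectedUsers = @('reporter@example.co.uk', 'deviceowner@example.co.uk'),
    [string]   $AffectedHost  = 'LAPTOP-PLACEHOLDER',
    [string]   $IncidentLog   = "$env:TEMP\ir-containment-$(Get-Date -Format yyyyMMdd-HHmmss).log"
)

function Write-IrLog([string] $Message) {
    # Append-only, UTC-stamped record of every containment action (step 4: preserve evidence).
    $line = '{0:u} {1}' -f (Get-Date).ToUniversalTime(), $Message
    Add-Content -Path $IncidentLog -Value $line
    Write-Host $line
}

function New-RandomPassword {
    # 24 printable ASCII characters; the value is deliberately not recorded,
    # an admin sets a fresh one when the account is re-enabled after the incident.
    -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All' -NoWelcome

# 1. Every identity that signed in from the affected device in the last 24 hours.
#    Graph filters on createdDateTime; the device match is done client-side.
$since    = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
$fromHost = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.DeviceDetail.DisplayName -eq $AffectedHost } |
    Select-Object -ExpandProperty UserPrincipalName -Unique
$targets  = @($AffectedUsers + $fromHost) | Sort-Object -Unique
Write-IrLog "Containment targets (reported + sign-ins from $AffectedHost, 24h): $($targets -join ', ')"

# 2. Disable in Entra ID, revoke refresh tokens/sessions, rotate the cloud password.
foreach ($upn in $targets) {
    Update-MgUser -UserId $upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    try {
        Update-MgUser -UserId $upn -PasswordProfile @{
            Password = (New-RandomPassword); ForceChangePasswordNextSignIn = $true }
        Write-IrLog "Entra ID: disabled, sessions revoked, password rotated: $upn"
    } catch {
        # Synced accounts without password writeback fail here; rotated on-prem below.
        Write-IrLog "Entra ID: disabled and sessions revoked; cloud reset failed for $upn ($($_.Exception.Message))"
    }
}

# 3. Mirror the disable and rotation in on-prem Active Directory for synced accounts.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    foreach ($upn in $targets) {
        $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
        if (-not $adUser) { continue }
        Disable-ADAccount -Identity $adUser
        Set-ADAccountPassword -Identity $adUser -Reset -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
        Write-IrLog "AD: disabled and password reset: $($adUser.SamAccountName)"
    }
}
```

Run it from an administrative workstation that is not the affected device, and hand the log file to the IR team with the other evidence.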

Most SMEs we audit before incident-response engagement have either nobody on-call after 6pm, or a single person whose laptop is the only access path to the disaster-recovery system. Both are the same failure mode.

The first 24 hours

Once containment is in place, the response shifts to scope, notification and the start of recovery.

Scope: what's actually encrypted? What was exfiltrated before encryption (the classic "double extortion" model where attackers steal data and threaten public release in addition to encrypting it)? Which systems are clean? Which user accounts have been compromised? This is forensic work and usually takes 4 to 12 hours for a typical SME environment.

Notification: this is where SMEs make the most expensive mistakes.

  • *The ICO 72-hour rule starts at the moment of awareness, not the moment of confirmation.* If you suspect at 9am Tuesday that a breach has occurred and personal data may be affected, the clock starts at 9am Tuesday. You have until 9am Friday to notify the ICO. We've watched two SMEs miss this because they assumed the clock started when the forensic team confirmed the breach scope. It doesn't. The ICO will fine you for the late notification separately from any data-loss penalty.
  • Action Fraud (https://www.actionfraud.police.uk) is the UK's national reporting centre for fraud and cyber crime. Report ransomware here. This triggers National Crime Agency awareness and, for major incidents, NCSC involvement.
  • NCSC's Early Warning service (free for organisations registered with them) provides indicators of compromise from real attacks. If you're already enrolled, they'll have visibility on your incident's pattern. If you're not, enrol your business this week.
  • Your insurer. Cyber insurance policies require notification within a defined window (typically 48-72 hours of awareness). Miss it and the claim is voidable. The insurer will often dictate which forensic and recovery vendors you can use, which means choosing your insurer with care matters more than most SMEs realise.

Communication: what you tell staff, clients, suppliers and (if relevant) the press matters as much as the technical response. Two principles:

  • Don't speculate. If you don't know whether data was exfiltrated, say so. Speculating in writing creates legal exposure.
  • Do communicate quickly. Silence breeds rumour. A short, factual update sent every 12 hours during the first 72 hours is the right cadence.

Draft holding statements before the incident. We help clients write them as part of the playbook so the team isn't trying to think clearly under pressure.

Recovery start: by the end of hour 24, the recovery operation should be running. Restore from your offline / immutable backups, in order of business criticality. Identify clean snapshots from before the compromise. Stage the recovery in an isolated network until validated.

If you don't have offline / immutable backups, the recovery looks materially different and the conversation about whether to pay becomes a lot more urgent. See the pay / don't-pay section below.

The first 30 days

Most of the recovery happens in the second half of the response. The first 72 hours are dramatic; the next 27 days are methodical.

Days 1-7: full recovery. Restore the rest of the environment in priority order. Validate each restored system is clean (not just functional) before reconnecting. Rotate every credential that touched the affected systems. Most SMEs underestimate this: every API key, every service-account password, every shared admin credential. Every one.

Days 7-14: post-incident review. This is the only part of the response that prevents a repeat. What was the entry point? Was a control missing, or was a control present but bypassed? Was there visibility we could have had but didn't? Were our backups what we thought they were? Was the playbook followed? What needs to change?

The post-incident review is the part SMEs skip and the part that determines whether the next ransomware incident lands or doesn't.

Days 14-30: insurance, regulatory, supplier. File the formal insurance claim with the loss adjuster's report. Close the ICO notification with the final breach summary. Notify affected individuals if their personal data was exfiltrated (the ICO will tell you who and how). Renegotiate contracts where suppliers' SLA terms were missed. Update your client-facing security statement.

For SMEs in regulated sectors (financial services, healthcare, legal, certain professional services), there are sector-specific reporting obligations on top of GDPR. The FCA, the ICO, NHS England's Data Security Standard team and the SRA all have their own forms and timelines. Your playbook should list these by name for your sector.

The pay / don't-pay decision

Every owner will ask this within an hour of seeing the ransom note. The honest answer is shaped by four things.

The UK government position. NCSC, the National Crime Agency and the Home Office are unambiguous: don't pay. Payment funds the criminal economy that produced the attack, signals to operators that UK SMEs pay (which increases targeting), and may put the payer in breach of UK sanctions law if the recipient ends up being a sanctioned entity (and many ransomware groups are sanctioned via OFAC and the UK's own OFSI). The Office of Financial Sanctions Implementation can fine the payer separately from any other regulatory action.

The insurance position. UK cyber insurance increasingly excludes ransom payments specifically, or covers payments only with prior insurer consent following a sanctions check. Some policies cover the recovery cost but not the ransom. Read the policy. Don't assume.

The technical reality. Even when paid, decryption keys work imperfectly. Industry data suggests around 60-70% of paid ransoms result in full data recovery; the rest are partial or fail entirely. Some operators have a track record of demanding a second payment after the first.

The business reality. Some SMEs face genuine existential pressure. If the alternative is administration, the calculus changes. We understand the human pressure. We still recommend against payment, for the four reasons above.

Our own position. We have never paid a ransom on behalf of a client. Not as an ethical stance: we hold the position empirically. The prevention work we do (Cyber Essentials Plus, immutable backups, EDR, segmentation, the playbook itself) means our clients have not faced the existential pay-or-die call. The argument that "you'd pay if it was your own business" doesn't hold when the prevention investment makes the call unnecessary.

The prevention layer

Ransomware response is a real discipline, but the goal is not to use the playbook. The goal is to never need it. The prevention controls that move the needle, in priority order:

  • Backups with the 3-2-1 rule and an immutable copy. Three copies of every important data set. Two different storage media. One off-site. Plus an immutable copy the ransomware can't encrypt because it's write-once-read-many storage. This is the single highest-ROI control. Without it, your worst day becomes your last day.
  • Multi-factor authentication on every account that touches email, cloud or remote access. The same rule that fails most Cyber Essentials Plus first-time submissions also stops a meaningful share of ransomware incidents at the credential-stuffing stage.
  • Endpoint detection and response (EDR/MDR/XDR). Antivirus catches yesterday's malware. EDR catches behaviour patterns. For a typical SME the managed-MDR option (EDR + 24/7 monitoring by a SOC) is the right tier.
  • Patching within 14 days for critical and high-severity vulnerabilities. Most ransomware entry points are known CVEs the victim hadn't patched.
  • Network segmentation. When ransomware lands, segmentation contains it. Without it, one infected laptop becomes the whole environment encrypted.
  • A documented, tested playbook. Tested means tabletop-exercised at least annually with the named response chain in the room.

Cyber Essentials Plus is the floor. We covered the implementer view on CE+ in our guide to Cyber Essentials Plus 2026. The ceiling above CE+ is the list above. Most SMEs we work with bridge this gap over 6 to 12 months.

Bottom line

Two questions to ask your IT team tonight: where are our backups, and how would we restore if we were locked out of the laptop with the credentials?

If both questions get clear, current, tested answers, you have a playbook. If either gets a shrug, you have an improvisation. Improvisation is what costs UK SMEs the business when ransomware lands. The fix is not expensive. It just needs to be in place before, not after.

About this article

Companion post: Cyber Essentials Plus 2026: a UK SME implementer's guide, the prevention layer this post depends on.

About Inflection Point

Inflection Point is a UK managed-IT and cyber-security firm. 200+ active clients across the UK, 16+ years EOS-run, founder-led with 25 years industry experience. ISO 27001 certified, Cyber Essentials Plus, Microsoft Solutions Partner, rated 4.9/5 across 150+ Trustpilot reviews. We deliver prevention (CE+, EDR, immutable backups, segmentation) and incident response for UK SMEs across professional services, financial services, healthcare and tech. Under-15-minute remote response, 1-hour on-site SLA. From £39 per user per month for managed IT.

If you don't have a written, tested ransomware playbook, book a 30-minute discovery call. We will tell you what's in scope, what your backups actually do under attack, and how to fix the most expensive failure modes before they bite. No sales pitch.

Iain Godding is the founder of Inflection Point. He has 25 years of UK IT and cyber-security industry experience.

Frequently Asked Questions

Should a UK SME pay a ransomware demand?

The UK government position is clear: don't pay. NCSC, the National Crime Agency and the Home Office are unambiguous because payment funds the criminal economy, increases targeting of UK SMEs, and may put the payer in breach of UK sanctions law if the recipient is a sanctioned entity (many ransomware groups are sanctioned via OFAC and the UK's OFSI). Even when the ransom is paid, only around 60-70% of payments result in full data recovery. UK cyber insurance increasingly excludes ransom payments or requires insurer consent following a sanctions check. We have never paid a ransom on behalf of a client because the prevention work we do means our clients have not faced the existential pay-or-die call.

Who do I need to notify if my UK business is hit by ransomware?

Five notifications, in order of urgency. (1) Your IT provider's emergency line and your cyber insurance broker, immediately. (2) Action Fraud (the UK's national reporting centre for fraud and cyber crime). (3) The ICO within 72 hours of awareness if personal data may be affected; the clock starts at awareness, not at confirmation. (4) Affected individuals if the ICO directs you to notify them. (5) Sector-specific regulators (FCA, SRA, NHS England DSP team) if you are in a regulated sector. Notify your insurer within the policy's defined window (typically 48-72 hours) or risk voiding the claim.

How long does ransomware recovery take for a UK SME?

For an SME with offline immutable backups, a documented playbook and a 24/7 incident response chain, the operational disruption is typically 2-5 days and full recovery within 14-21 days. For an SME without those controls, the disruption is typically 2-6 weeks and full recovery 30-90 days, with a meaningful share of businesses not recovering at all. The single biggest determinant of recovery time is whether you have immutable backups the ransomware could not encrypt. The second is whether your team knows what to do in the first 60 minutes.

Does our cyber insurance cover the ransom payment?

Increasingly, no. UK cyber insurance policies in 2026 either exclude ransom payments specifically, cover the payment only with insurer consent following a sanctions check, or cover the recovery cost (forensics, restoration, legal advice, business interruption) but not the ransom itself. Read the policy. Don't assume. Even where ransom is technically covered, the insurer's sanctions check process can take long enough that the recovery is faster by not paying. Recovery cost coverage is the part of the policy that matters most for a typical UK SME.

Sources

  1. NCSC. Ransomware guidance for organisations (2026).
  2. NCSC. UK Government position on ransomware payments (2026).
  3. Information Commissioner's Office. Personal data breach notification guidance (2026).
  4. Action Fraud (City of London Police). Action Fraud: reporting cyber crime (2026).
  5. HM Treasury. Office of Financial Sanctions Implementation (2026).
  6. Cifas. Fraudscape 2026: fraud cases hit record highs (2026).
  7. Association of British Insurers. Fraudulent insurance claims continue to top £1 billion (2025).
  8. Inflection Point. Cyber Essentials Plus 2026: a UK SME implementer's guide (2026).

Written by

Iain Godding

Owner / Founder / Managing Director

Iain has over 25 years’ experience delivering large-scale technology programmes across public and private sectors. As our MD he brings this enterprise-grade IT expertise to SMEs in the South West in a way that’s accessible, scalable, and commercially valuable. A champion of innovation, he’s at the forefront of applying AI and automation to help clients streamline operations, improve decision-making, and unlock new value. Iain has built a culture that prioritises innovation, service excellence, and long-term client partnerships, helping businesses of all sizes achieve more with technology. Outside work, Iain advises growing businesses as a board member and non-executive director.
