In our latest series of blogs from our Interim CEO, Jon Holden, find out why ransomwhere isn’t a cyber problem…
Ransomware isn’t a cyber problem… It’s what happens when growth outpaces resilience.
I’ve lost count of how many times I’ve heard this sentence:
“We knew cyber was important… we just didn’t think it would be us.”
It usually arrives in the “Golden Hour”—the first sixty minutes after the screen goes red.
- After the local servers have been encrypted.
- After the realisation hits that your cloud backups were connected to the same domain.
- After the realisation that your “Business Continuity Plan” is a PDF sitting on a drive you can no longer access.
Ransomware has become so normalised that we’ve almost stopped reacting—until it hits home, and increasingly, “home” is the UK mid-market.
The SME “Sweet Spot”: Why Growth is Your Vulnerability
Attackers don’t target SMEs because they are “weak”; they target them because they are efficient. To scale, SMEs often prioritise “frictionless” workflows. Unfortunately, in security, friction is a feature, not a bug.
Most mid-market organisations suffer from Technical Debt accumulated during rapid growth:
- The “Admin” Trap: Many SMEs have legacy accounts where every user has “Local Admin” rights because it “makes things easier for IT.” This is a motorway for ransomware.
- The Interconnected Supply Chain: You might be secure, but is the small accounting firm you use secure? Or the HVAC contractor with remote access to your building? Attackers use “island hopping” to enter through the weakest link.
- The Shadow IT Explosion: Since 2020, the average SME uses 40+ SaaS tools. If just one of these—an old marketing tool or a forgotten project board—is breached, it provides the foothold for a full-scale ransom event.
The Real Cost: Why the “Ransom” is a Distraction
Insurance often covers the ransom, but no policy covers the opportunity cost. While your systems are down for three weeks, your competitors are winning your tenders. Your staff, unable to work, are scrolling LinkedIn. The damage isn’t just financial; it’s reputational erosion. For an SME, data loss isn’t the biggest threat—it’s Time to Recovery (TTR). * Large Enterprise: Can survive 14 days of downtime through sheer capital.
- Mid-Market: Often hits a “liquidity cliff” after day 5.
The 4 Pillars of “Hardened” Resilience
If we are going to add “meat” to the strategy, we have to look at the unglamorous fundamentals that actually stop a total wipeout:
1. The 3-2-1-1 Backup Rule
Standard backups aren’t enough. Ransomware specifically hunts for backup files to delete them first. You need:
- 3 copies of data, on 2 different media, 1 offsite, and 1 Immutable/Air-gapped (meaning it cannot be deleted or changed even with admin credentials).
2. Micro-Segmentation (Stopping the “East-West” Spread)
Most SME networks are “flat”—like a house with no internal doors. Once a thief gets in the front window, they have the keys to every room. Segmentation puts up internal firewalls so that an infection in HR doesn’t reach the production floor.
3. Identity: The New Perimeter
The “Firewall” is dead because your data is everywhere (Teams, Dropbox, Email). Your security is now defined by Identity. * MFA is the bare minimum: If it’s not Phishing-resistant MFA (like hardware keys), it’s bypassable.
- Conditional Access: “You can only log in if you are on a company laptop, located in the UK, at 9 AM.”
4. The Tabletop Exercise: Muscle Memory
If your first time looking at your “Response Playbook” is during a live attack, you’ve already lost. A tabletop exercise isn’t a boring meeting; it’s a simulation where you ask:
- “Who has the authority to shut down the entire network?” * “How do we pay staff if the payroll system is encrypted?” * “Do we have a ‘Burn Bag’ of emergency contact numbers printed on paper?”
Why This Matters to CyberNorth
At CyberNorth, we don’t fix this by selling you another “Black Box” tool, we fix it by building an ecosystem of resilience.
The UK’s regional growth depends on SMEs being “hard targets.” When we share threat intelligence across our community, we make the cost of attack higher for the criminal. We move the conversation from “How do I buy security?” to “How do I lead a resilient business?”
A Final Question for the Boardroom
The real question for SME and mid-market leaders isn’t: “Are we a target?” It’s this: “If we had to wipe every laptop and server in the building today, how many days until we are back serving customers—and do we have the cash to survive that gap?”
If you don’t know the number, it’s time to start building the bones.
By Jon Holden, Interim CEO at CyberNorth.