
The NCSC's Ransomware Warning Should Worry Every SME, Not Just Big Business

The NCSC says ransomware preparedness must be a boardroom issue, not an IT afterthought. For SMEs that treat IT as a cost to cut, that warning should be a wake-up call.

Marketing & Operations

Claudia Sterling


The NCSC has a blunt message for UK businesses: stop treating ransomware as an IT problem and start treating it as a survival problem. For SMEs that see IT spend as a line to cut, that warning couldn’t be more urgent.

A Warning Aimed at the Boardroom, Not the Server Room

Richard Horne, CEO of the National Cyber Security Centre (NCSC), recently issued one of the clearest warnings to come from the agency in years: ransomware preparedness can no longer sit solely with the IT department. It has to be a boardroom priority, treated with the same seriousness as financial risk or health and safety.

His test for business leaders is deceptively simple. Could your organisation keep operating if your critical IT systems were unavailable for four weeks? Not four hours. Not four days. Four weeks.

For most SMEs we speak to, the honest answer is no — but that’s not actually the question that matters most. The real question is whether you’re actively mitigating that risk, and whether you have genuine confidence in your backups and your ability to restore.

“It’s Just IT” Is the Most Expensive Sentence in Business

We hear it often. IT gets filed away as a cost centre — something to minimise, defer, or negotiate down at renewal time. Cybersecurity, in particular, tends to be the first line trimmed when budgets tighten, because the return on investment isn’t visible until something goes wrong.

That mindset is understandable. It’s also the exact gap ransomware groups are built to exploit.

A four-week outage isn’t an abstract scenario for an SME. It’s payroll missed, suppliers unpaid, customer commitments broken, and — for many businesses — the difference between trading through a crisis and not trading again. The NCSC isn’t warning about inconvenience. It’s warning about survival.

The Real Test Isn’t Survival Time — It’s Restore Confidence

Horne’s four-week figure is a useful gut check, but fixating on the number misses the point. The question that actually matters is simpler: if ransomware hit today, do you trust your backups enough to bet the business on them? Ask yourself:

  • Have you actually tested a full restore from backup in the last 12 months — not just confirmed the backup job ran?

  • Are your backups isolated from the network they protect, so the same attack can’t encrypt them too?

  • Do you know how long a real restore would actually take, end to end?

  • Does anyone outside IT know the recovery plan exists and how to trigger it?

  • Is risk mitigation something you review regularly, or a box ticked once and forgotten?

If you’re hesitating on more than one of those, preparedness isn’t a future project — it’s an overdue one.

Paying the Ransom Doesn’t Make the Problem Go Away

One of the more sobering details in the NCSC’s warning is the reminder that ransomware today is rarely just encryption. Most attacks are double extortion: data is stolen and threatened with publication, on top of systems being locked down.

Horne points to evidence from Operation Cronos, the law enforcement operation that dismantled the LockBit ransomware group, which found stolen victim data still sitting on criminal infrastructure even after ransoms had been paid. Paying doesn’t guarantee deletion. It doesn’t guarantee restoration. It guarantees the criminals get paid.

The NCSC’s framing is clear: resilience plans have to work without relying on a ransom payment as the recovery strategy.

What Real Resilience Looks Like for an SME

None of this requires an enterprise security budget. It requires a shift from reactive spending to planned resilience. In practice, that means:

  • Backups that are tested, not just scheduled — a backup you’ve never restored from is a guess, not a plan

  • An incident response plan that’s written down, with someone outside IT able to follow it

  • Leadership involvement in cyber risk, even if that’s just the owner or a director reviewing it quarterly

  • A multi-year view of cyber investment, rather than a single annual spend agreed under pressure

  • Faster patching, especially as the NCSC flags that AI-driven exploitation of known vulnerabilities is accelerating

Most of this is process and discipline before it’s technology spend. That’s good news for SMEs — it means preparedness is achievable without an enterprise budget, but it does mean someone has to own it.

Treat the Warning as the Opportunity It Is

The NCSC’s message isn’t designed to scare businesses into inaction — it’s designed to move ransomware preparedness out of the “we’ll get to it” pile. For SMEs, that’s the opportunity here. The businesses that treat this as a planning exercise now, rather than a recovery exercise later, are the ones still trading on the other side of an incident.

If you’re not confident in your backups — not just that they exist, but that they’ve been tested and would genuinely restore — that’s worth a conversation with whoever manages your IT, internal or outsourced, before it becomes a conversation with a ransomware negotiator.


Meta Eagle

/Come and Soar with us.

Smart updates for smart people.

By submitting, you agree to our Terms and Privacy Policy
