On 22 April 2026, the UK's National Cyber Security Centre issued a stark warning: state-aligned cyber attacks have become so industrialised that targeting small and medium-sized businesses is now economically viable for attackers. The "we're too small to be a target" assumption is no longer just wrong — it's dangerous.
If you run IT for an SMB, or you're a director who signs off on IT spend, this matters to you directly. Here's what's changed, what it means for your backup strategy, and what you actually need to do about it.
The 'Too Small to Target' Myth Is Dead
State-backed threat groups used to focus on large enterprises, critical infrastructure, and government. The effort required to compromise smaller businesses simply wasn't worth it.
That's changed. Attack toolkits are now largely automated. Vulnerability scanning, credential stuffing, phishing campaigns — all of it runs at scale with minimal human involvement. Attackers can sweep thousands of UK businesses simultaneously, picking off whoever hasn't patched a known vulnerability or has MFA disabled on a key system.
The NCSC's warning is clear: SMBs are in scope. Not as collateral damage, but as deliberate targets.
Ransomware Goes After Your Backups First
This is the part many IT managers still haven't fully absorbed: modern ransomware is specifically designed to find and encrypt your backups before it touches anything else.
Attackers know that businesses recover from backups. So they destroy that option first. If your backup solution is connected to the same network, uses the same credentials, or is accessible from a compromised endpoint, it's not protected — it's just another target.
This is why cyber insurers have shifted their requirements. Immutable backups — copies of data that cannot be altered, deleted, or encrypted, even by someone with admin access — are now a condition of cover at most reputable insurers. Air-gapped backups, where the backup copy is physically or logically isolated from your production environment, are increasingly required for higher-value policies.
Untested backups are treated just as harshly. If you can't demonstrate that your backups actually restore correctly, insurers can and do reject claims. Saying "we had backups" is not the same as proving they worked.
Cyber Essentials v3.3 Tightens the Screws
From 27 April 2026, the updated Cyber Essentials v3.3 standard is in effect. The changes are worth paying attention to even if certification isn't on your immediate agenda, because they reflect exactly what insurers and procurement teams are now demanding.
The key updates include tighter MFA requirements across more account types, a stricter 14-day window for applying patches to internet-facing systems, and an expanded scope that brings cloud services and remote access more firmly into the assessment. These aren't arbitrary changes — they close the gaps that attackers consistently exploit.
If you're renewing cyber insurance this year, expect your insurer to ask questions that map directly onto these controls. Failing to meet them won't just affect your renewal price — it may affect whether you can get cover at all.
The Numbers Make the Case
57% of UK organisations hit by ransomware now recover by restoring from backups rather than paying the ransom. That's the right outcome. But it only works if the backups are there, clean, and restorable.
The businesses that pay ransoms — or lose data entirely — are almost always in one of two positions: they didn't have adequate backups, or their backups were compromised in the attack. Neither is acceptable when the alternative is straightforward to implement.
What You Actually Need in Place
To be clear about what "adequate backup" means in this context:
- Immutability: Backups that cannot be overwritten or deleted by malware or a compromised admin account.
- Air-gapping: At least one copy of your data that is isolated from your primary environment.
- Regular testing: Restoration tests, not just backup jobs completing without errors. You need to know the data comes back correctly.
- Offsite or cloud copies: On-site-only backups don't protect you against physical incidents alongside cyber events.
- Retention that makes sense: Ransomware can lie dormant. If your backup window is 7 days and the attacker has been inside for 10, you may be restoring already-compromised data.
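A small restore-test harness covering the "regular testing" and "retention" bullets above: it verifies restored files against the SHA-256 manifest recorded at backup time, and checks whether a rolling retention window still holds a snapshot taken before the attacker is believed to have got in. This is an added illustration, not IronFell's tooling; the file contents, dates and retention windows are constructed.

```python
"""Restore-test helper (added example; all data below is constructed)."""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 per file when the backup is taken; store it with the snapshot."""
    return {name: sha256(content) for name, content in files.items()}


def verify_restore(manifest: Dict[str, str], restored: Dict[str, bytes]) -> List[str]:
    """Return files that are missing or altered after restore. Empty list = test passed.
    A backup job 'completing without errors' proves nothing; this comparison does."""
    problems = []
    for name, expected in manifest.items():
        if name not in restored:
            problems.append(f"{name}: missing after restore")
        elif sha256(restored[name]) != expected:
            problems.append(f"{name}: hash mismatch after restore")
    return problems


def snapshots_kept(today: date, retention_days: int) -> List[date]:
    """Dates of the nightly snapshots a rolling retention window still holds."""
    return [today - timedelta(days=n) for n in range(retention_days)]


def last_clean_snapshot(kept: List[date], compromise_date: date) -> Optional[date]:
    """Newest snapshot taken before the suspected intrusion date, or None when
    retention has already rolled past it (you would restore compromised data)."""
    clean = [d for d in kept if d < compromise_date]
    return max(clean) if clean else None


# Constructed scenario: attacker inside for 10 days before detection.
FILES = {"ledger.csv": b"invoice,amount\n1001,250.00\n", "crm.db": b"\x00binary\x00"}
MANIFEST = build_manifest(FILES)
TODAY = date(2026, 4, 20)
COMPROMISE = date(2026, 4, 10)

if __name__ == "__main__":
    tampered = dict(FILES, **{"ledger.csv": b"invoice,amount\n1001,0.01\n"})
    print("clean restore:", verify_restore(MANIFEST, FILES))
    print("tampered restore:", verify_restore(MANIFEST, tampered))
    for days in (7, 30):
        print(f"{days}-day retention ->", last_clean_snapshot(snapshots_kept(TODAY, days), COMPROMISE))
```

With 7-day retention the scenario has no pre-compromise snapshot left; with 30 days the 9 April copy is still available to restore from.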
None of this is exotic or enterprise-only. Managed backup services exist specifically to handle this for businesses that don't have the internal resource to do it properly themselves.
IronFell's managed backup service gives UK SMBs immutable, tested, offsite backup without the complexity of managing it yourself. If you're not certain your current setup would actually protect you, it's worth finding out before you need it.
Talk to IronFell about protecting your business data — no jargon, no hard sell.