April 24th 2026

Ransomware: why SMEs have become prime targets

71% of SMEs were targeted by ransomware attacks in 2022. That’s a figure we often bring up at CreativMinds when a business leader tells us, “We’re too small to interest hackers.”

Except that’s not true. SMEs are very attractive targets for cybercriminals — precisely because they’re smaller.

What we see in the field

At CreativMinds, we’ve been supporting SMEs with their IT security for several years. And we’ve seen the nature of attacks evolve. In the beginning, clients mostly came to us with “classic” viruses, spam, or the occasional infected workstation that needed cleaning. Today, the calls are different — more serious, more urgent.

A ransomware attack, in simple terms, is malicious software that infiltrates your system, encrypts your data, and demands a ransom to restore access. The mechanism is straightforward. The consequences, however, can bring a business to its knees.

We supported a distribution company whose operations were paralyzed for five days after an employee clicked a link in a phishing email. Five days without being able to invoice, deliver, or even access their customer list. The total cost — lost revenue, system recovery, time spent — exceeded 100,000 Swiss francs.

Another case: an accounting firm hit in the middle of tax season. All client files encrypted. At that point, it’s no longer just about money — it’s about reputation and trust.

Why SMEs, specifically?

It may seem counterintuitive. You’d expect hackers to target large corporations, where the money is. But large organizations also have dedicated IT teams, significant cybersecurity budgets, and well-established response processes.

SMEs, on the other hand, often combine several vulnerabilities. Software that isn’t always up to date — because “it works, so we don’t touch it.” Little to no employee training on cyber risks. Incomplete or unreliable backups, if they exist at all. No incident response plan. And above all, a persistent belief: “it only happens to others.”

Cybercriminals are well aware of these weaknesses. For them, an SME quietly paying 20,000 francs is often more profitable than a large company that brings in lawyers, alerts authorities, and drags things out for months.

It’s also a matter of scale. Ransomware attacks are now largely automated. Attackers cast a wide net, sending thousands of phishing emails and waiting to see who takes the bait. SMEs, being less protected, fall for it more often.

The most common entry points

In the vast majority of cases we’ve handled, the attack starts with an email. A link clicked too quickly. An attachment opened out of habit — an invoice, a reminder, a document that appears to come from a known supplier.

It’s rarely sophisticated. It’s often incredibly effective.

Ransomware frequently exploits known vulnerabilities — ones that have already been patched by software vendors. WannaCry, for example, used a Windows vulnerability for which Microsoft had released a fix two months before the massive 2017 outbreak. But how many organizations had actually applied the update?

We’ve seen SMEs running versions of Windows that had been unsupported for three years. Not out of negligence — simply because no one was really in charge, and “everything was working.”

Other common entry points include poorly secured remote access (RDP with weak passwords), pirated software downloaded to save on licensing costs, or USB drives picked up from who knows where.

What really makes the difference

We won’t repeat the usual “top 10 cybersecurity best practices” you see everywhere. What matters is what we observe in companies that handle attacks better — or avoid them altogether.

They have someone in charge. Not necessarily a full-time cybersecurity expert — few SMEs can afford that. But someone whose responsibility it is to ensure updates are applied, backups are working, and teams remain vigilant. It could be an external provider, a part-time IT manager, or even a trained employee dedicating a few hours a week to the topic.

They test their backups. Having backups is one thing. Knowing you can actually restore your data is another. We’ve seen too many companies discover during a crisis that their backups were incomplete, corrupted, or stored on a server that was itself encrypted by the attack. A backup that’s never been tested isn’t a backup — it’s a hope.
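As an added illustration, not code from the original post or from CreativMinds, here is a minimal restore test in Python that catches the two failure modes named above: files missing from the backup (incomplete) and files whose content no longer matches what was backed up (corrupted). The sample files and the manifest format are constructed for the example; a real job would point it at the actual backup set and run it on a schedule.

```python
import hashlib
import json
import os
import tempfile
# Constructed sample of the files a backup job copies (not real client data).
PRODUCTION = {"clients.csv": b"id,name\n1,Acme\n2,Globex\n",
              "invoices/2026-04.json": b'{"total": 1234}\n'}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_backup(files: dict, dest: str) -> None:
    """Copy the files into dest and record each one's SHA-256 in a manifest."""
    manifest = {}
    for rel, data in files.items():
        path = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        manifest[rel] = sha256(data)
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump(manifest, f)

def restore_test(backup_dir: str) -> list:
    """Re-read and re-hash every file the manifest promises; return problems found."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")  # incomplete backup
            continue
        with open(path, "rb") as f:
            if sha256(f.read()) != expected:
                problems.append(f"corrupted: {rel}")  # content changed
    return problems  # empty list = the backup restores as recorded

def demo() -> tuple:
    """Test a healthy backup, then the same one with a file deleted and a file damaged."""
    with tempfile.TemporaryDirectory() as d:
        make_backup(PRODUCTION, d)
        healthy = restore_test(d)
        os.remove(os.path.join(d, "clients.csv"))
        with open(os.path.join(d, "invoices", "2026-04.json"), "ab") as f:
            f.write(b"garbage")
        return healthy, restore_test(d)

if __name__ == "__main__":
    print(demo())  # ([], ['missing: clients.csv', 'corrupted: invoices/2026-04.json'])
```

The check is only meaningful if the manifest is written at backup time and kept somewhere the production server cannot overwrite, otherwise an attack that encrypts the backup share can take the manifest with it.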

They train their teams regularly. A yearly awareness session is better than nothing. But phishing techniques evolve quickly. Employees forget, or get caught off guard by a slightly more convincing email. Short, frequent reminders — a monthly email, alerts about new scams, phishing simulations — make a real difference. With some of our clients, the click rate on simulated phishing emails dropped from 40% to under 5% within a year.

They have a plan. Not a 50-page document sitting in a drawer. Just a clear procedure: who does what if an attack is detected? Who do you call? Where are the backups? Who decides to disconnect the network? In the middle of a crisis, that’s not the time to figure it out.

If it happens anyway

Because despite all precautions, it can.

And in that case, the first few hours are critical.

First: isolate. Physically disconnect infected machines from the network. Turn off Wi-Fi, unplug Ethernet cables. The goal is to prevent the ransomware from spreading to other devices and servers. Every minute counts.

Next: don’t panic. Easier said than done, we know. But decisions made under pressure are rarely the right ones. Take the time to document what you’re seeing — screenshots of the ransom message, a list of affected machines, timestamps. This information will be valuable later.

Notify the right people. Your IT provider, if you have one. The relevant authorities — in Switzerland, the National Cyber Security Centre (NCSC) can provide guidance. Your insurer, if you have cyber coverage. And internally, the people who need to know — without causing unnecessary panic.

Don’t automatically pay the ransom. We understand the temptation. When your entire business is down, paying can seem like the fastest solution. But there’s no guarantee you’ll recover your data. Some ransomware is poorly coded, and decryption doesn’t work. In other cases, attackers come back months later, knowing you’re willing to pay. And every ransom paid fuels the development of new attacks.

What stands out after all these years

It’s not so much the technical sophistication of the attacks. Most exploit basic weaknesses: a careless click, a weak password, a delayed update.

What stands out is the persistent gap between the reality of the threat and how many SME leaders perceive it. The idea that cybersecurity is an IT issue. A cost center. Something to deal with “when we have time.”

Except when the attack hits, time is exactly what you don’t have. And the cost of a week of downtime far exceeds that of a reasonable security strategy.

Cybersecurity isn’t a technical issue. It’s a business continuity issue. It’s about protecting your clients, your data, your reputation — and sometimes, your survival.

The companies that understand this aren’t necessarily the ones spending the most. They’re the ones that recognize security is everyone’s responsibility — from leadership approving investments to the sales assistant handling dozens of emails a day.

It’s not something you buy as a miracle software solution. It’s something you build, step by step, through awareness, discipline in the basics, and a bit of humility in the face of threats that evolve faster than our habits.
