According to the 2025 Hiscox Cyber Readiness Report, which surveyed nearly 6,000 firms across multiple countries, 59% of businesses reported being hit by a cyber attack in the past year. For many smaller organizations, the consequences were severe, ranging from financial penalties and reputational damage to operational shutdowns and employee burnout.
The report paints a stark picture: cyber attacks are no longer rare, isolated incidents. They are now a routine operational risk, affecting businesses across industries and geographies.
“Cybercriminals are now much more focused on stealing sensitive business data. Once stolen, they demand payment, pricing threats based on reputational damage,” said Eddie Lamb, Global Head of Cyber at Hiscox.
This shift from stealing personal data to extorting companies over their own confidential information, such as contracts, executive emails, and financial records, marks a dangerous new phase in the evolution of cybercrime.
Ransomware Payments Offer Little Assurance
Ransomware remains the single most devastating cyber threat for small and mid-sized firms. The report found that 27% of respondents had experienced a ransomware incident in the past year. Alarmingly, 80% of those victims admitted to paying a ransom, yet only 60% succeeded in recovering their data — either partially or fully.
Nearly a third were asked to pay additional ransoms even after complying with initial demands, underscoring how unpredictable and risky such negotiations can be.
Experts warn that paying attackers rarely guarantees data restoration and, in many cases, encourages further extortion. Calls for greater transparency are growing louder, with 71% of respondents saying organizations should be legally required to disclose ransom payments and amounts.
“The findings show that ransom payments create little certainty and may embolden cybercriminals to escalate their campaigns,” the report notes.
AI: A Double-Edged Sword in Cyber Defense
While artificial intelligence (AI) is seen as a powerful tool for automation and security, it is also creating new attack surfaces. The report revealed that over half of respondents (52%) had suffered incidents linked to AI-related vulnerabilities, including deepfakes, data leaks from AI tools, and exploits in third-party integrations.
Despite these risks, 65% of companies still view AI as an opportunity rather than a threat, using it for faster detection, incident response, and predictive threat modeling.
However, analysts caution that businesses may not fully understand the scope of AI-driven vulnerabilities, especially as attackers use the same technologies to automate phishing, impersonation, and reconnaissance.
Firms Strengthen Cyber Defenses, But No System Is Foolproof
In response to growing threats, businesses are significantly increasing cybersecurity budgets and adopting layered defense strategies. These include:
- Ransomware protection and automated malware removal tools.
- Comprehensive antivirus systems integrated with firewalls and intrusion detection.
- Password managers and secure backup solutions to safeguard data recovery.
- Regular staff training to improve cyber hygiene and awareness.
Such measures are helping firms mitigate risks, but Hiscox warns that no system can guarantee complete protection in an environment where cybercriminals continuously adapt their tactics.
For smaller firms, often lacking dedicated security teams, a single breach can cause disproportionate damage, from customer trust erosion to long-term financial instability.
