Ransomware is no longer a problem reserved for large multinationals. In 2026, Belgian SMEs have become the primary target of criminal groups: less protected and often without a response plan, they offer a quick return on investment. The average ransom demanded from a Belgian SME now reaches €45,000, and 60% of affected businesses shut down within six months.
This guide explains concretely how an attack unfolds, what it really costs, and the eight measures that reduce the risk by more than 90%, without turning your SME into a military fortress.
Ransomware: understanding the threat targeting your SME
Ransomware is malicious software that encrypts all your data (client files, accounting, emails, backups) and then demands a cryptocurrency payment to restore access. In Belgium, the average amount demanded from an SME now reaches €45,000, often much more when attackers detect revenue above €2 million.
Entry points are always the same:
- A phishing email opened by a rushed employee
- A reused password found on the dark web
- A poorly secured remote connection (RDP, VPN without MFA)
- Out-of-date software with a known vulnerability that attackers exploit
A typical attack is not over in a few minutes. Attackers have been inside your network for 11 days on average before triggering encryption, enough time to locate your backups, delete them, and maximize the pressure.
The real impact of a ransomware attack on a Belgian SME
When you ask an executive whether they can survive three weeks without system access, the answer is almost always no. Yet that’s exactly what happens after an attack:
- 60% of SMEs hit by ransomware close within the following six months
- €187,000 average total cost (ransom + business interruption + recovery)
- 21 days of operational recovery, in the best case
- 32% of businesses paying the ransom never recover their data
- 80% of attacks succeed due to a single human error
Beyond the numbers, there are quieter realities: clients who moved to competitors during the downtime, contracts lost because work was not delivered, IT team burnout, a GDPR procedure opened by the DPA, local press coverage that damages the reputation for years. A cyberattack never comes down to just the ransom; it breaks the company from the inside.
To also understand your legal obligations after an incident, read our guide on GDPR and cyberattack.
The 8 ransomware protection measures that actually make the difference
The good news: the vast majority of attacks fail against a properly prepared SME. Here are the eight measures that, combined, reduce risk by more than 90%.
1. Immutable backups following the 3-2-1 rule
Backup remains the ultimate defense. Apply the 3-2-1 rule:
- 3 copies of your data
- 2 different media types (local disk + cloud)
- 1 offsite copy, immutable (one that nobody, not even an admin, can delete)
Without immutable backups, attackers encrypt or delete your backups before triggering the ransom demand. Test restoration every quarter: a backup you cannot restore is not a backup.
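An inventory check for the rule above, written as an added example for this guide (it is not code from the original page or from any backup product). It assumes a simple hand-maintained inventory of backup copies with a medium, an on/offsite flag, an immutability flag and the date of the last successful restore test, and it reports every way the inventory falls short of 3-2-1 plus the quarterly restore test; the two inventories at the bottom are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed inventory schema (not from the page): one record per backup copy.
@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                    # e.g. "disk", "tape", "cloud"
    offsite: bool
    immutable: bool                # retention lock that no admin account can override
    last_restore_test: Optional[date]

RESTORE_TEST_MAX_AGE = timedelta(days=92)   # "every quarter", with a few days of slack

def check_3_2_1(copies: List[BackupCopy], today: date) -> List[str]:
    """Return a list of findings; an empty list means the inventory satisfies 3-2-1
    with an offsite immutable copy and restore tests no older than a quarter."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"only one medium in use: {sorted(media)} (need 2)")
    if not any(c.offsite and c.immutable for c in copies):
        findings.append("no offsite immutable copy: an attacker holding admin "
                        "credentials can delete every backup")
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: restore never tested")
        else:
            age = (today - c.last_restore_test).days
            if timedelta(days=age) > RESTORE_TEST_MAX_AGE:
                findings.append(f"{c.name}: last restore test {age} days ago")
    return findings

# Constructed sample data.
TODAY = date(2026, 3, 1)

# A common SME setup: a NAS and a cloud sync, both deletable with the same admin account.
WEAK_INVENTORY = [
    BackupCopy("nas-nightly", "disk", offsite=False, immutable=False,
               last_restore_test=date(2025, 6, 10)),
    BackupCopy("cloud-sync", "cloud", offsite=True, immutable=False,
               last_restore_test=None),
]

# The same site after adding a locked cloud copy and a monthly tape kept elsewhere.
GOOD_INVENTORY = [
    BackupCopy("nas-nightly", "disk", offsite=False, immutable=False,
               last_restore_test=date(2026, 1, 15)),
    BackupCopy("cloud-locked", "cloud", offsite=True, immutable=True,
               last_restore_test=date(2026, 1, 15)),
    BackupCopy("tape-monthly", "tape", offsite=True, immutable=False,
               last_restore_test=date(2025, 12, 20)),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("good", GOOD_INVENTORY)):
        findings = check_3_2_1(inventory, TODAY)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The immutability flag is the one that matters most against the scenario the section describes: the check treats a cloud copy that the same admin credentials can delete as no better than a local disk, because that is exactly what an attacker with 11 days inside the network will do.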
2. Continuous employee training
80% of attacks go through human error. Annual training is no longer enough. Put in place:
- Monthly phishing simulations
- A simple one-click process to report suspicious emails
- A security briefing during every onboarding
- Short reminders after every wave of high-profile attacks
3. Updates and vulnerability management
Ransomware campaigns overwhelmingly exploit flaws that have been public for months. Install security patches within 14 days of release on critical systems. For everything else, do not exceed 30 days.
4. EDR rather than classic antivirus
A free antivirus detects what is already known. An EDR (Endpoint Detection and Response) detects abnormal behavior (data exfiltration, mass encryption, lateral movement) before the attack fully triggers.
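To make the "mass encryption" behavior concrete, here is an added example (not code from the original page, and not any vendor's EDR logic) of the kind of heuristic an EDR applies: it reads file-rename events, counts renames that change a file's extension per host and user inside a sliding 60-second window, and raises one alert when the count crosses a threshold. The log line format and the two activity patterns in `constructed_sample()` are constructed for this example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) event format, one file operation per line.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) '
    r'src="(?P<src>[^"]*)"(?: dst="(?P<dst>[^"]*)")?$'
)

WINDOW = timedelta(seconds=60)   # sliding window per (host, user)
THRESHOLD = 30                   # extension-changing renames within WINDOW

def extension(path: str) -> str:
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def parse(line: str):
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_mass_rename(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per actor, raised the first time its burst of
    extension-changing renames reaches `threshold` inside `window`."""
    recent = defaultdict(deque)   # (host, user) -> deque of (ts, new_ext)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if not ev or ev["op"] != "rename" or not ev["dst"]:
            continue
        old_ext, new_ext = extension(ev["src"]), extension(ev["dst"])
        if old_ext == new_ext:
            continue                # ordinary save/rename, same type of file
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append((ev["ts"], new_ext))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()             # drop events that fell out of the window
        if key in alerted or len(q) < threshold:
            continue
        top_ext, top_n = Counter(e for _, e in q).most_common(1)[0]
        alerted.add(key)
        alerts.append({
            "host": ev["host"], "user": ev["user"], "renames": len(q),
            "dominant_ext": top_ext, "share": top_n / len(q),
            "first_seen": q[0][0], "last_seen": ev["ts"],
        })
    return alerts

def constructed_sample():
    """Constructed log: a few normal saves on one workstation, then a burst of
    45 share files renamed to a new extension within 30 seconds on another."""
    base = datetime(2026, 3, 1, 9, 14, 0)
    lines = []
    for i in range(5):              # normal: one document every two minutes
        t = base + timedelta(minutes=2 * i)
        lines.append(f'{t.isoformat()} host=ws-07 user=mlambert op=rename '
                     f'src="C:\\Users\\mlambert\\devis_{i}.tmp" '
                     f'dst="C:\\Users\\mlambert\\devis_{i}.docx"')
    for i in range(45):             # burst: 45 renames in under 30 seconds
        t = base + timedelta(milliseconds=660 * i)
        lines.append(f'{t.isoformat()} host=ws-12 user=jdoe op=rename '
                     f'src="\\\\srv-files\\Compta\\facture_{i:04d}.xlsx" '
                     f'dst="\\\\srv-files\\Compta\\facture_{i:04d}.xlsx.locked"')
    return lines

if __name__ == "__main__":
    for a in detect_mass_rename(constructed_sample()):
        print(f"ALERT {a['host']}/{a['user']}: {a['renames']} renames to "
              f".{a['dominant_ext']} between {a['first_seen']} and {a['last_seen']}")
```

The point of the example is the difference in kind from a signature scan: nothing here knows the malware, only that no legitimate user rewrites thirty files to one unfamiliar extension in twenty seconds. A real EDR combines this signal with others (process lineage, shadow-copy deletion, unusual share access) and can suspend the offending process, which is why the section recommends it over a classic antivirus.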
5. Multi-factor authentication (MFA) everywhere
Enable MFA on all privileged accounts: email, banking, VPN, admin tools, business applications. A stolen password without MFA is an open door. With MFA, it’s an incident avoided.
6. Network segmentation
An infected workstation must not be able to reach your accounting server. Isolate your critical systems in separate network segments, with strict communication rules. This measure alone turns a catastrophe into a contained incident.
7. Documented and tested incident response plan
The worst time to discover you don’t have a plan is during the attack. Document in advance:
- Who to call (CERT.be, your cyber broker, your lawyer)
- How to isolate systems without blindly unplugging everything
- Who communicates internally and to clients
- How to restore and in what order
Test this plan at least once a year with a simulation exercise.
8. Continuous cyber monitoring and cyber insurance
No protection is foolproof. External continuous monitoring identifies the weak points visible from the internet (forgotten open ports, expired certificates, leaked credentials) before an attacker exploits them; cyber insurance absorbs the cost when an attack gets through anyway. Learn why cybersecurity monitoring has become essential.
What to do in the first 4 hours of a ransomware attack
The decisions of the first four hours determine the rest. Most executives do the opposite of what’s needed, out of panic.
The right reflexes:
- Isolate, don’t shut down. Disconnect infected machines from the network (unplug the cable, turn Wi-Fi off), but do not power them off: you would lose evidence essential to the investigation and the recovery.
- Don’t pay immediately. Payment guarantees nothing: one third of companies that pay don’t recover their data. It can also violate international sanctions if the criminal group is listed.
- Call your cyber broker first. An active cyber policy triggers a single 24/7 emergency number: negotiators, forensics, lawyers, communicators are mobilized within hours.
- Notify the DPA within 72 hours if personal data is compromised. It’s a GDPR obligation, not an option.
- File a complaint with the police and report the incident to CERT.be.
Every hour of improvisation costs several thousand euros. A prepared response plan saves weeks of recovery.
Cyber insurance: a financial AND operational shield
A good SME cyber insurance isn’t limited to reimbursing a ransom. From the alert, it mobilizes a team that an SME could never assemble alone:
- Specialized negotiators to lower the ransom or avoid payment
- Forensic team to identify the breach and secure systems
- GDPR lawyers to handle notification to the DPA and limit fines
- Crisis communicators to protect reputation
- Financial coverage for business interruption, recovery costs and third-party liability
The cost of cyber insurance remains marginal compared to the cost of an incident. For the average Belgian SME, the premium is a small fraction of the exposure a serious incident creates. See our full analysis of the cost of cyber insurance in Belgium and the checklist for choosing the right coverage.
Frequently asked questions about ransomware protection
Should you pay the ransom?
Belgian and European authorities strongly advise against payment. It funds criminal groups, doesn’t guarantee data recovery, and may violate sanctions regimes. Always go through professional negotiators via your cyber insurance before making any decision.
Is my antivirus enough against ransomware?
No. Modern ransomware bypasses classic antivirus within minutes. Serious protection combines EDR, MFA, immutable backups, network segmentation and team training.
How long does recovery take after an attack?
With tested backups and a response plan: 3 to 5 days. Without preparation: 3 to 6 weeks, when recovery is possible at all. 40% of SMEs without backups permanently lose part of their data.
Is my company too small to be a target?
It’s the opposite. Criminal groups automate their attacks and prefer poorly protected targets. A 10-person SME can pay €15,000 much faster than a listed group that involves lawyers, the board and crisis communication.
Does cyber insurance cover the ransom?
Most Belgian cyber policies cover the ransom under conditions, after validation by approved negotiators. Above all, they cover the costs that far exceed it: recovery, business interruption, GDPR notification, civil liability.
In summary: preparation costs 100 times less than an incident
Protection against ransomware rests on three inseparable pillars: technical prevention (backups, EDR, MFA), human preparation (training, response plan) and financial coverage (cyber insurance). None is enough alone.
The time to prepare is not when the ransom message appears. It’s now, while everything is working.