Ransomware Payouts Are Down, But Don’t Celebrate Just Yet

If you’ve skimmed recent headlines, you might have seen something surprising: ransomware payouts are on the decline. According to Aon’s 2024 Cyber Resilience Report, the average ransom paid by companies fell to just 28% of the initial demand in 2023, down from 43% in 2022. On the surface, that sounds like good news. Less money to the bad guys? We’ll take it.
But here’s the catch: ransomware attacks themselves haven’t slowed down. They’re evolving. And for small businesses, the risks remain high, even if the ransom number doesn’t.
The Cost Is Still Coming from Somewhere
Lower payouts don’t mean fewer claims. In fact, cyber claims are up, especially among small and midsized businesses. Aon’s report shows a significant uptick in cyber insurance claims from this group, driven by business email compromise, data theft, and of course, ransomware.
Why the disconnect? In many cases, organizations are refusing to pay ransoms or negotiating them down, often due to better preparedness, stronger backups, or legal/regulatory pressure. But that doesn’t eliminate the cost. Downtime, data recovery, incident response, and customer notification costs can easily stack up, regardless of whether a ransom is paid.
The Ransom Isn’t the Only Threat
Cybercriminals are getting creative. More are using “double extortion”: stealing data and threatening to leak it if the ransom isn’t paid. Others are exploiting vulnerabilities faster and more quietly, often sitting in networks for weeks before triggering an attack. Small businesses without the tools or visibility to detect this kind of activity are at higher risk, regardless of how low the final ransom demand is.
So What Should Small Businesses Do?
Here’s the real takeaway: lower average ransomware payouts are a sign that resilience is possible, but only with the right preparation.
At OrbitalFire, we’ve seen firsthand how smaller businesses can punch above their weight by focusing on practical, proactive cybersecurity. Here are some of the things making the biggest difference:
- Backups that Actually Work – Offline, tested, and restorable.
- 24/7 Intrusion and Threat Detection – Complete visibility into your environment and detection of intrusions, anomalies, compromise, and other potential threats.
- Incident Response Planning – So your team knows what to do before things go sideways.
- Phishing Testing – Improved cybersecurity behaviors to reduce phishing risk.
- Awareness Training – Because phishing is still the #1 way attackers get in.
- Vulnerability Management – Identify and patch before attackers exploit known weaknesses.
Bottom Line: Hope Is Not a Strategy
The decline in ransom payouts is encouraging, but it’s not a green light to relax. If anything, it’s a sign that businesses that prepare can avoid the worst outcomes. But for those who haven’t? The costs are just hiding elsewhere.
Cybercriminals don’t care about your size; they care about your gaps. Let’s close them.
Need help building a more resilient cybersecurity program?
Contact OrbitalFire to learn how we help small businesses prepare for (and prevent) ransomware and other attacks.