
Ransomware in 2026: Why 64% of Victims No Longer Pay, and What It Means for You

March 24, 2026 -- Mario Bouchard, M. Adm., CISSP

By Mario Bouchard, M. Adm., CISSP -- InfoSec Sécurité de l'information Inc.


In a recent article, I wrote about the threat that comes from inside your organization: shadow AI, well-meaning employees exposing your data without knowing it. Today, let's talk about the threat that comes from outside. And it has changed a lot since you last looked.

What you think you know

Picture a burglar. He breaks into your house, slaps a padlock on your safe, and says: "Pay me and I'll give you the key."

That's the 2019 version of ransomware. And it's probably the image most executives still have in mind.

The 2025 version looks like this: the burglar breaks in, photographs every document in your safe, copies your clients' keys, writes down your trade secrets. Then he says: "Pay me or I publish everything. And if you don't pay fast enough, I'll call your clients personally to let them know."

What used to be an IT problem is now a business problem.

The numbers that changed the game

Ransomware was present in 44% of all data breaches in 2025, a 37% increase over the previous year (Verizon DBIR 2025). But here's the number your board should focus on: 88% of breaches in SMBs involved ransomware. Not large enterprises with $50 million cybersecurity budgets. SMBs. Organizations your size.

And here's the paradox: while attacks are surging, payments are collapsing. According to Verizon, 64% of victims now refuse to pay the ransom, a complete reversal from the 50% of two years ago. IBM reached a similar conclusion: 63% refusal, up from 59% the previous year. By Q3 2025, Coveware reported a payment rate of just 23%.

Why? Because organizations that invest in their backups, response plans, and detection capabilities realize they can recover without funding the criminals. The takeaway isn't that the threat is shrinking. It's that preparation makes the difference.

Triple extortion: the new criminal business model

Attackers have adapted. If you won't pay to get your files back, they have other leverage.

The first layer is still encryption: your systems are locked, your operations stop. The second layer is exfiltration: before encrypting anything, they've already copied your sensitive data. They threaten to publish it on a leak site accessible to your competitors, clients, and regulators. The third layer is direct pressure: calls to your clients, media notifications, saturation of your online services to maximize panic.

In 2025, nearly a third of attacks used this triple extortion model. Some groups go even further, using AI-cloned voices to call executives directly and ramp up the pressure.

Wednesday morning, 7:15 AM

You're the VP of operations at a Quebec-based manufacturer with 350 employees. Your production director calls. The production management system is down. Nobody can access purchase orders, delivery schedules, or technical specifications.

By 8 AM, IT confirms: ransomware. The group has been in your systems for three to four days (Sophos Active Adversary). During that time, they explored everything: technical drawings, price lists, client contracts, the HR database with social insurance numbers for all 350 employees.

By 9:30 AM, the ransom note. Two million in crypto. A 72-hour countdown. And a link to a site where samples of your files are already posted, to prove they're not bluffing.

The reality: your backups work, but restoration will take five to seven days. In the meantime, no production, no deliveries, no invoicing. And even if you restore everything, the stolen data is still in their hands.

What it actually costs

The ransom makes the headlines, but the recovery cost is what hurts. The median payment dropped by half, from $2 million to $1 million US (Sophos State of Ransomware 2025). For SMBs, the median demand is under $350,000, calibrated to seem "reasonable."

But the ransom is never the real cost. The average recovery cost, excluding the ransom, is $1.53M US (Sophos). For SMBs with 100 to 250 employees: $638,536. 97% of affected organizations recover their data, and 53% do so in under a week, up from 35% the previous year (Sophos).

Ballpark for our 350-employee manufacturer: 12,000 employee and client records × $168/record (IBM Cost of a Data Breach 2025) = roughly $2.0M. This figure is based on average per-record costs from IBM studies, not a precise rate. Add five to seven days of production downtime, legal fees, forensic investigation, breach notifications, and a credit monitoring program for 350 employees.

And the human costs don't show up in these numbers. The stress on IT teams working around the clock for a week. The anxiety of employees whose personal data is circulating on the dark web.

How they get in, and why it's often preventable

The three main entry vectors in 2025 (Sophos): exploited vulnerabilities (32%), malicious emails (23%), and compromised credentials (20%). Together, these three vectors account for 75% of attacks.

The common thread? The three organizational factors most often linked to attacks are gaps in security logging (40%), known but unpatched vulnerabilities (40%), and lack of qualified personnel (39%) (Sophos).

These aren't incompetent organizations. They're organizations that lack resources, time, and specialized expertise. Exactly the profile of a 150-to-400-employee SMB.

The regulatory angle

In Quebec, if an incident presents a risk of serious harm, Law 25 (enacted in phases between 2022 and 2024) requires your organization to notify the Commission d'accès à l'information (CAI) and affected individuals with due diligence, and to record the incident in a mandatory incident register.

Our manufacturer with 350 stolen social insurance numbers? That's a reportable incident. And the potential penalties are not symbolic: up to $10M or 2% of global revenue for administrative sanctions, and up to $25M or 4% of global revenue for criminal penalties.

For organizations operating across Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) imposes similar breach notification requirements when there is a real risk of significant harm.

The ransomware-specific trap: even if you recover your data from backups and don't pay the ransom, the exfiltrated data potentially constitutes a reportable incident if it contains personal information and the assessment reveals a risk of serious harm. Your backups save your operations, not your legal obligations.

Three questions to ask your IT team this week

When did we last test restoring our backups? Not "do we have backups," but "have we verified we can actually restore them, and how long does it take?"

Which systems are exposed to the internet without protection? Exploited vulnerabilities are the number one attack vector. If you have internet-facing systems without current patches, that's an open door.

Do we have an incident response plan the team actually knows? A plan people have read, that's been tested, and that clearly says who does what when everything stops.
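Of the three questions, the first is the one that can be turned into a routine, scripted check rather than a conversation. The Python below is an added example, not material from the article or from the author's firm: it builds a constructed sample backup (a gzip'd tar archive plus a SHA-256 manifest recorded at backup time), restores it into a scratch directory instead of over production, confirms every manifest entry is present and hash-identical, and reports the elapsed time against an assumed recovery-time objective. The file names, the 5-second RTO and the damaged second run are all constructed placeholders; in a real drill you would read your actual archive and manifest and set the RTO your business has agreed to.

```python
"""Backup restore drill, added as an example (not from the article): restore a
backup into a scratch directory, verify every file against a SHA-256 manifest,
and time the restore against an assumed recovery-time objective (RTO)."""
from __future__ import annotations

import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Constructed stand-in for a real backup job: a gzip'd tar archive plus a
    manifest mapping each path to the SHA-256 recorded at backup time."""
    buf = io.BytesIO()
    manifest: dict[str, str] = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = sha256_bytes(data)
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: dict[str, str], rto_seconds: float) -> dict:
    """Restore into an isolated scratch directory (never over production), then
    confirm every manifest entry is present and hash-identical. Returns a
    drill report rather than printing, so it can be logged or asserted on."""
    start = time.monotonic()
    missing: list[str] = []
    corrupted: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                parts = Path(member.name).parts
                # Only regular files, and nothing that could escape the scratch dir.
                if not member.isfile() or Path(member.name).is_absolute() or ".." in parts:
                    continue
                target = root / member.name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(member).read())
        # Verify against the manifest recorded at backup time, not against the
        # archive itself: an archive that was silently altered still "extracts".
        for name, expected in manifest.items():
            path = root / name
            if not path.is_file():
                missing.append(name)
            elif sha256_bytes(path.read_bytes()) != expected:
                corrupted.append(name)
    elapsed = time.monotonic() - start
    return {
        "restored_ok": not missing and not corrupted,
        "missing": missing,
        "corrupted": corrupted,
        "elapsed_seconds": round(elapsed, 3),
        "within_rto": elapsed <= rto_seconds,
    }


def run_drill() -> dict:
    """Healthy case: constructed sample files restore cleanly."""
    files = {
        "erp/purchase_orders.csv": b"po_id,supplier,amount\n1001,ACME,4200\n",
        "erp/delivery_schedule.csv": b"order,ship_date\n1001,2026-03-30\n",
        "hr/employees.csv": b"id,name\n1,Example Person\n",
    }
    archive, manifest = build_sample_backup(files)
    return restore_and_verify(archive, manifest, rto_seconds=5.0)  # assumed RTO


def run_drill_with_damage() -> dict:
    """Failure case: one file's content no longer matches its manifest hash
    (silent corruption, or encryption in place) and one file was never
    written to the archive at all."""
    files = {"erp/purchase_orders.csv": b"po_id\n1001\n"}
    archive, manifest = build_sample_backup(files)
    manifest["erp/purchase_orders.csv"] = sha256_bytes(b"what the manifest expected")
    manifest["hr/employees.csv"] = sha256_bytes(b"never backed up")
    return restore_and_verify(archive, manifest, rto_seconds=5.0)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
    print(json.dumps(run_drill_with_damage(), indent=2))
```

A drill that reports anything in "missing" or "corrupted" is a failed restore even if the archive extracted without error, which is exactly the gap between "we have backups" and "we have verified we can restore them". Keeping the elapsed time from each run over months is what lets you answer "how long does it take" with a measured number rather than the five-to-seven-day guess in the scenario above.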


Is your organization ready?


Mario Bouchard, M. Adm., CISSP -- President, InfoSec Sécurité de l'information Inc., a strategic cybersecurity consulting firm based in Quebec City. With over 30 years of experience in cybersecurity, he helps CISOs and IT leaders turn cybersecurity into a delivery accelerator rather than a roadblock.


Sources

  1. Verizon -- 2025 Data Breach Investigations Report (DBIR). Ransomware present in 44% of breaches (+37%). SMBs: 88% of breaches involve ransomware. 64% of victims refuse to pay (vs 50% two years prior). verizon.com/dbir

  2. IBM -- Cost of a Data Breach Report 2025. 63% of victims refuse to pay (vs 59% the previous year). Average cost per compromised record: $168. ibm.com/security/data-breach

  3. Sophos -- The State of Ransomware 2025. Average recovery cost (excluding ransom): $1.53M US. SMBs 100-250 employees: $638,536. Median payment: $1M (down 50%). Vectors: exploited vulnerabilities (32%), malicious emails (23%), compromised credentials (20%). Organizational factors: logging gaps (40%), unpatched vulnerabilities (40%), staffing shortages (39%). 97% recover data; 53% in under a week (vs 35%). Extortion without encryption: 6% (doubled vs 2024). sophos.com/ransomware

  4. Sophos -- It's Oh So Quiet (?): The Sophos Active Adversary Report. Median attacker dwell time: 3-4 days. sophos.com/active-adversary

  5. Coveware -- Ransomware Payment Trends Q3 2025. Payment rate at historic low of 23%. Only 19% for data theft without encryption incidents.

  6. Law 25 -- Act Respecting the Protection of Personal Information in the Private Sector, Quebec. Enacted in phases (2022-2024). Administrative sanctions: up to $10M or 2% of global revenue. Criminal penalties: up to $25M or 4% of global revenue. Notification obligations with due diligence when risk of serious harm, mandatory incident register, privacy impact assessments, and proportionate security measures.