Ransomware doesn't discriminate by company size. In fact, small and medium businesses are disproportionately targeted — they often lack dedicated security teams, rely on a single IT person (or none), and assume they're too small to be worth attacking. That assumption is wrong. Attackers know that SMBs are more likely to pay a ransom because they can't afford the downtime.
The good news: ransomware resilience isn't about buying expensive endpoint detection tools. It's about systematic preparation. If your backups are solid, your accounts are protected, and your recovery plan is documented, you can survive an attack without paying a cent.
Here's a 10-point plan to assess and improve your readiness.
The 10-point ransomware resilience checklist
1. Define a backup strategy
Every critical service needs a documented backup strategy. Not just "we back up to the cloud" — a specific plan that covers frequency, retention, storage location, and responsibility. If your backup strategy lives only in someone's head, it doesn't exist.
2. Test your backups regularly
A backup you've never restored is a backup you don't have. Schedule backup recovery tests at least once a year. Document the results: did the restore work? How long did it take? Were there missing files or corrupted data? Services with backups tested within the last 12 months score higher on readiness assessments.
3. Use immutable or air-gapped backups
This is the single most important defense against ransomware. Modern ransomware specifically targets backups — it encrypts or deletes them before locking your production data. Immutable backups (write-once, read-many) or air-gapped backups (physically disconnected from your network) cannot be encrypted or deleted by ransomware that has compromised your systems, even when the attacker holds the backup administrator's credentials.
Without immutable backups, you're one attack away from losing everything — production data and backups alike.
4. Store backups offsite
Geographic redundancy matters. If your backups are on a NAS in the same office as your servers, a fire, flood, or physical break-in could destroy both. Offsite backups — whether in a different building, a different city, or a cloud region — ensure that a local disaster doesn't take everything.
5. Enforce MFA on all critical services
Stolen credentials are the number one attack vector for ransomware. An employee reuses a password, it appears in a breach database, and an attacker walks into your systems through the front door. Multi-factor authentication (MFA) stops this. Even if the password is compromised, the attacker can't get in without the second factor.
Enforce MFA on every service that handles sensitive data — especially email, cloud storage, admin panels, and backup management consoles.
6. Implement patch management
Unpatched software is the second most common entry point. Vulnerabilities in VPNs, firewalls, and remote access tools are regularly exploited by ransomware groups. Automatic patching is ideal. If that's not possible, establish a scheduled patching cycle — monthly at minimum for critical systems.
7. Enable encryption at rest
If an attacker exfiltrates your data before encrypting it (double extortion), encryption at rest limits the damage. Encrypted data is useless without the decryption keys. Enable disk encryption on servers, workstations, and backup media.
8. Use proper credential management
Passwords on sticky notes, shared admin accounts, credentials in spreadsheets — these are gifts to attackers. Use a credential vault (password manager) for all service credentials. Document who has access to what. Rotate credentials for critical systems regularly.
9. Document account recovery procedures
When ransomware hits and you're rebuilding, you need to recover access to your services. For each critical service, document: how to reset the admin account, where recovery keys are stored, who to contact at the vendor, and what the expected recovery time is. Without this documentation, recovery takes days instead of hours.
10. Define business criticality
Not all services are equally important. Your email system and ERP are probably more critical than your internal wiki. Classify each service by business criticality (critical, high, medium, low) and use that classification to prioritize your recovery sequence. When ransomware hits, you need to know what to bring back first.
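Turning a criticality classification into an actual restore order is where most plans stall, because services depend on each other (email cannot come back before the identity provider it authenticates against). The following is an added example, not the article's own tooling: it takes a service inventory with the four tiers above plus a hypothetical "depends_on" list, lets each service inherit the criticality of anything that depends on it, and then emits an order in which every dependency is restored before its dependents. The inventory format and the service names are constructed for illustration.

```python
"""Derive a ransomware recovery sequence from criticality tiers and dependencies.

Added example, not from the original article. The inventory format
(name -> {"criticality": tier, "depends_on": [names]}) is an assumption.
"""

# The four tiers from the checklist, lowest number restored first.
CRITICALITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def effective_rank(services: dict) -> dict:
    """A service inherits the best rank of everything that depends on it,
    so a 'low' DNS server that 'critical' email needs is restored early."""
    rank = {n: CRITICALITY_RANK[s["criticality"]] for n, s in services.items()}
    changed = True
    while changed:  # propagate until no rank improves (terminates: ranks only decrease)
        changed = False
        for name, spec in services.items():
            for dep in spec.get("depends_on", []):
                if dep not in services:
                    raise ValueError(f"{name} depends on unknown service {dep}")
                if rank[name] < rank[dep]:
                    rank[dep] = rank[name]
                    changed = True
    return rank


def recovery_sequence(services: dict) -> list:
    """Topological order (Kahn's algorithm) that always picks, among services
    whose dependencies are already restored, the one with the highest
    effective criticality. Raises on dependency cycles."""
    eff = effective_rank(services)
    remaining = {n: set(s.get("depends_on", [])) for n, s in services.items()}
    order = []
    while remaining:
        ready = [n for n, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        nxt = min(
            ready,
            key=lambda n: (eff[n], CRITICALITY_RANK[services[n]["criticality"]], n),
        )
        order.append(nxt)
        del remaining[nxt]
        for deps in remaining.values():
            deps.discard(nxt)
    return order


# Constructed sample inventory for a small company.
SAMPLE_SERVICES = {
    "identity-provider": {"criticality": "critical", "depends_on": []},
    "dns": {"criticality": "low", "depends_on": []},
    "email": {"criticality": "critical", "depends_on": ["identity-provider", "dns"]},
    "erp-db": {"criticality": "high", "depends_on": []},
    "erp": {"criticality": "critical", "depends_on": ["identity-provider", "erp-db"]},
    "file-share": {"criticality": "medium", "depends_on": ["identity-provider"]},
    "wiki": {"criticality": "low", "depends_on": ["identity-provider"]},
}

if __name__ == "__main__":
    eff = effective_rank(SAMPLE_SERVICES)
    for i, name in enumerate(recovery_sequence(SAMPLE_SERVICES), 1):
        own = SAMPLE_SERVICES[name]["criticality"]
        print(f"{i:2d}. {name:<18} own={own:<8} effective-rank={eff[name]}")
```

Note what the inherited rank does in the sample: "dns" is classified low, yet it is restored before the medium "file-share" because critical email cannot run without it. That is exactly the kind of hidden ordering constraint a paper classification misses.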
Why immutable backups are the last line of defense
Every other control on this list reduces the probability of an attack or limits its scope. Immutable backups are different — they guarantee recovery. Even if every other defense fails, even if the attacker has full admin access to your network, immutable backups remain untouched.
The 3-2-1-1 rule extends the classic 3-2-1 backup strategy: 3 copies, 2 media types, 1 offsite, and 1 immutable. That last "1" is what separates companies that recover from ransomware from companies that pay.
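As an added example (not the article's own scoring code), here is a small checker that evaluates one service's backup inventory against the 3-2-1-1 rule and names the leg that fails. It assumes that the production copy counts as one of the three copies, that "immutable" covers both write-once storage and air-gapped media, and that "offsite" means any location other than where production runs; the inventory format and the sample service are constructed.

```python
"""Check a service's backup copies against the 3-2-1-1 rule.

Added example, not from the original article. Assumptions: production counts
as one of the three copies; the `immutable` flag covers write-once and
air-gapped copies; offsite means a location different from production's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str          # e.g. "disk", "tape", "object-storage"
    location: str       # e.g. "hq-office", "cloud-eu"
    immutable: bool = False


@dataclass(frozen=True)
class Service:
    name: str
    production_media: str
    production_location: str
    backups: tuple      # of BackupCopy


def evaluate_3_2_1_1(svc: Service) -> dict:
    """Return the legs that fail; an empty findings list means compliant."""
    copies = 1 + len(svc.backups)
    media = {svc.production_media} | {b.media for b in svc.backups}
    offsite = [b.name for b in svc.backups if b.location != svc.production_location]
    immutable = [b.name for b in svc.backups if b.immutable]
    findings = []
    if copies < 3:
        findings.append(f"3: only {copies} copies (production + {len(svc.backups)} backups)")
    if len(media) < 2:
        findings.append(f"2: every copy is on one media type ({next(iter(media))})")
    if not offsite:
        findings.append(f"1: no copy outside {svc.production_location}")
    if not immutable:
        findings.append("1: no immutable or air-gapped copy, so a compromised "
                        "admin account can delete every backup")
    return {
        "service": svc.name,
        "compliant": not findings,
        "findings": findings,
        "offsite_copies": offsite,
        "immutable_copies": immutable,
    }


# Constructed sample: a typical SMB layout before and after enabling immutability.
BEFORE = Service(
    name="erp",
    production_media="disk",
    production_location="hq-office",
    backups=(
        BackupCopy("nightly-nas", media="disk", location="hq-office"),
        BackupCopy("cloud-sync", media="object-storage", location="cloud-eu"),
    ),
)
AFTER = Service(
    name="erp",
    production_media="disk",
    production_location="hq-office",
    backups=(
        BackupCopy("nightly-nas", media="disk", location="hq-office"),
        BackupCopy("cloud-locked", media="object-storage", location="cloud-eu", immutable=True),
    ),
)

if __name__ == "__main__":
    for svc in (BEFORE, AFTER):
        result = evaluate_3_2_1_1(svc)
        print(result["service"], "compliant" if result["compliant"] else result["findings"])
```

The "before" layout is common: three copies, two media types, one offsite, and still nothing that survives an attacker who has taken over the cloud account. The check reports exactly that missing leg.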
How to run a backup recovery drill
A recovery drill doesn't have to be complicated:
- Pick a critical service — start with your most important one
- Simulate a loss scenario — pretend the production system is gone
- Restore from backup — follow your documented procedure (or discover you don't have one)
- Measure the time — how long from "we need to restore" to "the service is operational"?
- Document gaps — missing steps, outdated procedures, credentials that nobody knows
- Update your plan — fix what you found and schedule the next drill
Run this exercise annually for critical services. The first drill always reveals surprises.
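The drill above (and the backup-testing point earlier in the checklist) comes down to three measurable answers: did every file come back, did it come back intact, and how long did it take. The script below is an added example, not the article's own tooling: it builds a backup of constructed sample data as a tar.gz with an embedded SHA-256 manifest, restores it into a scratch directory (never over production), verifies each file against the manifest, and times the whole operation. The backup format is an assumption; with a real backup tool you would keep only the verification and timing logic and point it at that tool's restore output. It also includes a helper that deliberately corrupts or drops one file so the drill's failure reporting can be exercised.

```python
"""Backup restore drill: restore an archive to scratch space, verify every
file against a SHA-256 manifest, and record elapsed time plus gaps.

Added example, not code from the original article. The backup format
(tar.gz containing data/ plus MANIFEST.json of relative path -> sha256)
is an assumption; adapt to whatever your backup tool produces.
"""
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(source: Path, archive: Path) -> dict:
    """Archive `source` under data/ and embed a manifest of file hashes."""
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
        blob = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def run_restore_drill(archive: Path, scratch: Path) -> dict:
    """Restore into `scratch` and report what a drill should record:
    elapsed seconds, missing files, corrupted files, overall success."""
    started = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        # Reject traversal and link members so a tampered archive cannot
        # write outside the scratch directory during the drill.
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
                raise ValueError(f"unsafe member in archive: {m.name}")
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(scratch, **kwargs)
    manifest = json.loads((scratch / MANIFEST_NAME).read_text())
    root = scratch / "data"
    missing = [rel for rel in manifest if not (root / rel).is_file()]
    corrupted = [rel for rel, digest in manifest.items()
                 if (root / rel).is_file() and sha256_of(root / rel) != digest]
    return {
        "files_expected": len(manifest),
        "missing": missing,
        "corrupted": corrupted,
        "success": not missing and not corrupted,
        "restore_seconds": round(time.monotonic() - started, 3),
    }


def tamper_archive(archive: Path, out: Path, rel: str, payload: Optional[bytes]) -> None:
    """Constructed failure case: copy the archive but replace one data file's
    bytes (or drop it when payload is None) while leaving the manifest as is.
    This stands in for silent corruption or a backup job that ended early."""
    target = f"data/{rel}"
    with tarfile.open(archive, "r:gz") as src, tarfile.open(out, "w:gz") as dst:
        for member in src.getmembers():
            if member.name == target:
                if payload is None:
                    continue
                member.size = len(payload)
                dst.addfile(member, io.BytesIO(payload))
            else:
                dst.addfile(member, src.extractfile(member) if member.isfile() else None)


if __name__ == "__main__":
    # Constructed sample data so the drill runs offline.
    work = Path(tempfile.mkdtemp(prefix="drill-"))
    source = work / "source"
    (source / "db").mkdir(parents=True)
    (source / "db" / "app.sql").write_bytes(b"CREATE TABLE customers(id INT);\n" * 200)
    (source / "config.ini").write_bytes(b"[app]\nmode=production\n")
    archive = work / "backup.tgz"
    build_backup(source, archive)
    print("clean restore:", run_restore_drill(archive, work / "restore-clean"))
    bad = work / "backup-corrupted.tgz"
    tamper_archive(archive, bad, "db/app.sql", b"\x00" * 16)
    print("corrupted restore:", run_restore_drill(bad, work / "restore-corrupt"))
```

Keep the manifest with the backup but verify it against a second copy of the hashes stored elsewhere if you want the drill to also catch an attacker who rewrote both the data and the manifest; the version above detects corruption and missing files, which is what an annual drill most often turns up.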
How Readmodel® scores ransomware readiness
Readmodel® evaluates each service's ransomware resilience on a 0-100 scale across these 10 criteria, with weighted scoring that emphasizes the most impactful controls:
- Immutable backups and MFA enforcement carry the highest weight (15 points each) because they represent the strongest defenses
- Backup strategy, backup testing, offsite backups, patch management, and encryption carry standard weight (10 points each)
- Credential management, account recovery, and business criticality carry supporting weight (5 points each)
Services scoring below 40 are flagged as critical. The resilience page shows per-service scores, highlights gaps, and identifies single points of failure across your entire data landscape.
You can't buy your way out of a ransomware attack. But you can prepare your way out. Start with the checklist, fix the gaps, and test your recovery — before you need it for real.