How to Protect Your Business from Ransomware: 15 Essential Steps

Posted: March 5, 2026 to Cybersecurity.

Protect your business from ransomware by implementing immutable backups, deploying endpoint detection and response (EDR) on every device, enforcing multi-factor authentication across all accounts, conducting regular security awareness training, and maintaining a tested incident response plan. These five measures form the core defense, supported by 10 additional technical and operational controls that dramatically reduce your risk of a successful ransomware attack. No single solution prevents ransomware; layered defense is the only effective strategy.

Ransomware remains the most financially devastating cyber threat facing businesses in 2026. The average ransomware payment reached $2.73 million in 2024 according to Sophos, and total incident costs (including downtime, recovery, and lost business) averaged $4.54 million. More alarming, 94 percent of organizations hit by ransomware reported that attackers attempted to compromise their backups, with 57 percent of those attempts succeeding. If your backups are not protected, paying the ransom may become your only option for recovery.

The 15 Essential Ransomware Protection Steps

1. Deploy Immutable, Air-Gapped Backups

Backups are your last line of defense against ransomware and the single most important control. Implement the 3-2-1-1 backup rule: maintain 3 copies of your data, on 2 different media types, with 1 copy off-site, and 1 copy immutable or air-gapped.

Immutable backups cannot be modified or deleted for a defined retention period, even by administrators. This prevents ransomware that compromises backup administrator credentials from encrypting or deleting your recovery data. Air-gapped backups are physically disconnected from your network and provide an additional layer of protection.

Test backup restoration monthly. A backup that cannot be restored is not a backup. Time your restoration process so you know exactly how long recovery will take for different scenarios.

2. Implement Endpoint Detection and Response (EDR)

Traditional antivirus is insufficient against modern ransomware. EDR solutions monitor endpoint behavior continuously, detect ransomware tactics such as mass file encryption, lateral movement, and privilege escalation, and can automatically isolate compromised devices from the network before the attack spreads.

Deploy EDR on every endpoint in your environment including servers, workstations, and laptops. Ensure the EDR solution is monitored 24/7, either by an internal SOC or through a managed detection and response (MDR) provider. Unmonitored EDR alerts are nearly as useless as no EDR at all.

3. Enforce Multi-Factor Authentication Everywhere

Compromised credentials are the initial access vector in over 60 percent of ransomware incidents. MFA blocks the overwhelming majority of credential-based attacks by requiring a second verification factor beyond the password.

Enforce MFA on every account, not just administrator accounts. Prioritize email accounts, VPN access, remote desktop, cloud services, and any system that can be accessed from outside your network. Use authenticator apps or hardware tokens rather than SMS, which is vulnerable to SIM swapping attacks.

4. Conduct Security Awareness Training

Phishing remains the most common delivery mechanism for ransomware. Train all employees to recognize phishing emails, suspicious attachments, and social engineering tactics. Run simulated phishing campaigns monthly to measure and improve employee resilience.

Organizations with comprehensive training programs reduce successful phishing attacks by 75 percent. Training should cover recognizing phishing indicators, safe handling of email attachments and links, reporting procedures for suspicious messages, and social engineering tactics used by attackers including phone-based pretexting and business email compromise.

5. Maintain a Tested Incident Response Plan

When ransomware strikes, the first 60 minutes determine the outcome. A tested incident response plan ensures your team knows exactly what to do: who to call, how to isolate infected systems, where to find backup restoration procedures, and how to communicate with stakeholders.

Test the plan through tabletop exercises at least quarterly, focusing specifically on ransomware scenarios. Include decision points around ransom payment, law enforcement notification, and customer communication. See our complete incident response planning guide for detailed instructions.

6. Patch and Update Systems Promptly

Unpatched vulnerabilities are the second most common initial access vector for ransomware. Establish a patch management process that applies critical security patches within 48 hours of release, applies all other patches within 30 days, includes operating systems, applications, firmware, and network devices, and tracks patch compliance across the entire environment.

Automate patching wherever possible. Manual patch management at scale inevitably leaves gaps that attackers exploit. Pay particular attention to internet-facing systems including VPN appliances, firewalls, and web servers, which are primary targets for ransomware operators.

7. Segment Your Network

Network segmentation limits the blast radius of a ransomware infection. If an attacker compromises one workstation on a flat network, they can reach every other system. Segmentation creates barriers that slow or stop lateral movement.

At minimum, segment your network into separate zones for user workstations, servers, IoT and operational technology devices, backup infrastructure, and guest or visitor WiFi. Implement firewall rules between segments that allow only necessary communication. Monitor cross-segment traffic for anomalous patterns.

8. Implement Email Security Controls

Since phishing delivers the majority of ransomware, hardening your email environment is critical. Deploy advanced email filtering that uses AI to detect sophisticated phishing beyond basic spam rules. Block executable attachments (.exe, .js, .vbs, .ps1) at the email gateway. Implement DMARC, DKIM, and SPF to prevent domain spoofing. Enable Safe Links and Safe Attachments if using Microsoft 365. Quarantine emails from newly registered domains, which are commonly used for phishing campaigns.

9. Restrict Administrative Privileges

Ransomware operators escalate to administrative privileges to maximize damage. Reducing the number of administrative accounts and implementing just-in-time privilege elevation limits their ability to do so.

Remove local administrator rights from standard user accounts. Implement privileged access management (PAM) that provides temporary elevated access only when needed, logs all privileged activity, and automatically revokes access after the task is complete. Separate administrative accounts from daily-use accounts so that compromising an email account does not grant system administration access.

10. Disable Remote Desktop Protocol (RDP) or Secure It

RDP exposed to the internet is one of the most exploited entry points for ransomware. If you must use RDP, never expose it directly to the internet. Require VPN or zero-trust network access (ZTNA) for remote access. Enforce MFA on all RDP connections. Implement account lockout policies to prevent brute-force attacks. Use Network Level Authentication (NLA) to require authentication before the RDP session starts. Monitor RDP logs for anomalous access patterns including after-hours connections and connections from unusual locations.

11. Deploy DNS Filtering

DNS filtering blocks connections to known malicious domains, preventing ransomware from reaching command-and-control servers and blocking phishing sites before users can interact with them. Implement DNS filtering at the network level and on endpoint agents for remote workers. Services like Cisco Umbrella, Cloudflare Gateway, and DNSFilter provide continuously updated threat intelligence that blocks newly identified malicious domains.

12. Monitor and Log Everything

Comprehensive logging and monitoring enable early detection of ransomware activity before encryption begins. Attackers typically spend days to weeks in an environment before deploying ransomware, during which time they are discoverable through log analysis.

Centralize logs in a SIEM platform that correlates events across your environment. Monitor for indicators of compromise including mass file access or modification, new scheduled tasks or services, PowerShell execution with encoded commands, lateral movement between systems, and credential dumping tool signatures.
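As an added illustration of the indicators listed above (example code written for this article, not a product or script of Petronella Technology Group), the following Python script runs three simple detections over constructed JSON-lines telemetry: PowerShell launched with an encoded command, creation of a new scheduled task or service, and a burst of file writes by one process on one host. The after-hours RDP check from step 10 is included as well. The event format, field names, hostnames and the base64 string are all assumptions invented for the sample.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry in JSON-lines form, loosely modelled on EDR-style
# events. Hostnames, users, paths, times and the encoded string are invented.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": "2026-03-05T02:14:%02d" % s, "host": "WS-17", "type": "file_write",
                 "proc": "svchost32.exe", "path": "C:\\Users\\j.doe\\Docs\\f%d.docx.locked" % s})
     for s in range(30)]
    + [json.dumps({"ts": "2026-03-05T02:05:10", "host": "WS-17", "type": "logon",
                   "proc": "winlogon.exe", "user": "j.doe", "logon_type": "rdp"}),
       json.dumps({"ts": "2026-03-05T02:13:40", "host": "WS-17", "type": "process_create",
                   "proc": "powershell.exe",  # the base64 below is just "PLACEHOLDER" encoded
                   "cmd": "powershell.exe -NoProfile -enc UExBQ0VIT0xERVI="}),
       json.dumps({"ts": "2026-03-05T02:13:55", "host": "WS-17", "type": "task_create",
                   "proc": "schtasks.exe", "name": "UpdaterSvc"}),
       json.dumps({"ts": "2026-03-05T09:01:00", "host": "WS-22", "type": "file_write",
                   "proc": "WINWORD.EXE", "path": "C:\\Users\\a.lee\\Docs\\memo.docx"})])

# PowerShell started with an encoded command block (-e / -ec / -enc / -encodedcommand).
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; anything else counts as after hours


def detect(log_text, burst_threshold=20, window=timedelta(seconds=60)):
    """Return (severity, host, reason) alerts for the ransomware indicators named in the article."""
    events = sorted((json.loads(ln) for ln in log_text.splitlines() if ln.strip()), key=lambda e: e["ts"])
    alerts, recent, flagged = [], defaultdict(deque), set()
    for ev in events:
        ts, host, kind = datetime.fromisoformat(ev["ts"]), ev["host"], ev["type"]
        if kind == "process_create" and ENCODED_PS.search(ev.get("cmd", "")):
            alerts.append(("high", host, "encoded PowerShell command: " + ev["cmd"][:40]))
        elif kind in ("task_create", "service_create"):
            alerts.append(("medium", host, f"new {kind.split('_')[0]} '{ev['name']}' created by {ev['proc']}"))
        elif kind == "logon" and ev.get("logon_type") == "rdp" and ts.hour not in BUSINESS_HOURS:
            alerts.append(("medium", host, f"after-hours RDP logon by {ev['user']} at {ts:%H:%M}"))
        elif kind == "file_write":
            # Sliding window of write timestamps per (host, process); a burst suggests mass encryption.
            key = (host, ev["proc"])
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= burst_threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("high", host, f"{len(q)} file writes by {ev['proc']} in {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for sev, host, reason in detect(SAMPLE_LOG):
        print(f"[{sev.upper()}] {host}: {reason}")
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned per environment and the rules would feed a SIEM correlation, not a standalone script.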

13. Implement Application Whitelisting

Application whitelisting allows only approved applications to execute, blocking ransomware executables even if they evade other defenses. Windows AppLocker and similar tools can restrict application execution to a defined list of trusted programs. While application whitelisting requires initial effort to build the approved list and manage exceptions, it is one of the most effective technical controls against ransomware and other malware.

14. Secure Cloud and SaaS Environments

Ransomware increasingly targets cloud data and SaaS applications. Protect your cloud environment by enabling MFA on all cloud accounts, configuring conditional access policies, monitoring cloud activity logs for anomalous behavior, implementing cloud DLP to detect bulk data access, backing up SaaS data independently (Microsoft 365 and Google Workspace data are not automatically protected by the provider's infrastructure backups), and reviewing cloud storage sharing settings to prevent excessive external access.

15. Establish Cyber Insurance

Despite all preventive measures, no security program eliminates risk entirely. Cyber insurance provides financial protection when a ransomware incident occurs. Policies typically cover forensic investigation costs, business interruption losses, ransom payments (when legally permissible), notification and credit monitoring expenses, legal defense costs, and, under some policies, regulatory fines.

Insurance carriers increasingly require evidence of specific security controls (MFA, EDR, backups, training) before issuing policies. Implementing the 14 steps above not only reduces your risk but also qualifies you for better coverage and lower premiums.

What to Do If Ransomware Strikes

If ransomware hits your organization despite your defenses, follow these immediate steps. Disconnect infected systems from the network immediately. Do not power off systems, as volatile memory contains forensic evidence. Contact your incident response provider and cyber insurance carrier. Report to FBI IC3 (ic3.gov) and CISA. Do not pay the ransom without consulting legal counsel and law enforcement. Assess backup integrity and begin restoration planning. Communicate with employees, customers, and stakeholders according to your IR plan.

Frequently Asked Questions

Should my business pay a ransomware demand?

The FBI recommends against paying ransoms because payment funds criminal operations, does not guarantee data recovery (only 65 percent of data is recovered on average after payment), may violate OFAC sanctions if the attacker is a sanctioned entity, and makes you a target for future attacks. However, each situation is unique, and the decision must involve legal counsel, law enforcement, business leadership, and your cyber insurance carrier.

How much does ransomware protection cost for a small business?

A comprehensive ransomware protection program for a 25-person company costs approximately $2,000 to $5,000 per month and includes EDR ($5 to $15 per endpoint), email security ($3 to $8 per user), backup and disaster recovery ($200 to $500 per server), security awareness training ($15 to $40 per user), DNS filtering ($2 to $5 per user), and managed monitoring ($25 to $50 per endpoint). This investment is a fraction of the average ransomware incident cost of $4.54 million.

Can ransomware spread through cloud services?

Yes. Ransomware can encrypt files synced to cloud storage (OneDrive, Google Drive, Dropbox) through the infected endpoint's sync client. Some ransomware variants specifically target cloud credentials to access and encrypt cloud-hosted data directly. Cloud-specific backup solutions that maintain independent copies outside the sync chain are essential.

Get Comprehensive Ransomware Protection

Petronella Technology Group implements all 15 ransomware protection controls for businesses across the Raleigh-Durham area and nationwide. With over 23 years of cybersecurity experience, we design layered defense strategies that prevent ransomware attacks and ensure rapid recovery when incidents do occur.

Schedule your free ransomware readiness assessment today and close the gaps before attackers exploit them.

About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
