5-Step Ransomware Defence Planning
Unlocking the slow build
It's Monday morning. Your team arrives to find every file encrypted. Invoices, quotes, client records - all locked. A message demands £50,000 in Bitcoin within 72 hours.
Here's what most don't realise: this didn't start Monday. It started three weeks ago when someone in accounts clicked a convincing Microsoft security alert and entered their password. The attackers have been inside ever since, quietly escalating privileges and waiting for the perfect moment.
Why Most Defences Fail
Ransomware isn't a single event - it's a sequence: initial access, privilege escalation, lateral movement, data theft, then encryption once maximum damage is possible.
Microsoft puts it bluntly: "Attackers are no longer breaking in, they're logging in." They use legitimate credentials your employees accidentally handed over weeks earlier.
By the time files encrypt, your options are all bad: pay the ransom (no recovery guarantee, and you've funded their next attack), restore from backups (if you have recent, tested ones that weren't also encrypted), or accept the data loss.
The NCSC and law enforcement are clear: don't pay. There's no guarantee of recovery, and payment encourages further attacks.
The better approach? Stop the attack before encryption begins.
The 5-Step Ransomware Defence Plan
This isn't about installing more software or hiring security experts. It's about breaking the attack chain early with practical measures.
Step 1: Make Logins Harder to Fake
Most ransomware starts with stolen credentials. Someone clicks a fake login page, enters their password, and hands criminals the keys.
What you need:
MFA on everything - not just email. Every system, especially admin accounts and remote access.
Disable legacy authentication protocols (IMAP, POP, SMTP AUTH, basic authentication) that can't prompt for a second factor and therefore bypass MFA entirely.
Conditional access rules requiring additional verification for new devices, unusual locations, or high-risk scenarios.
This is explicitly covered in Cyber Essentials, which requires MFA on cloud services and administrator accounts wherever the service supports it. Without it you won't pass certification, and, more importantly, you're exposed.
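Step 1 in working form, as an added example for this article rather than code from the original page or from Saturday Cloud: the two Microsoft Entra Conditional Access policies that matter most, one that blocks the legacy client types that cannot do MFA, and one that requires MFA for everyone on every application. The script builds the policy objects in the shape Microsoft Graph expects and only sends them if handed a bearer token. BREAK_GLASS_GROUP_ID is a placeholder (an assumption) for the object id of your tenant's emergency-access group.

```python
"""Conditional Access policies that disable legacy authentication and require MFA.

Added example for this article; not code from the original page or from
Saturday Cloud. It builds the two Microsoft Graph Conditional Access policy
objects described in Step 1 and, only when handed a bearer token, POSTs them to
https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.
BREAK_GLASS_GROUP_ID is a placeholder (assumption): replace it with the object
id of your tenant's emergency-access group.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

# Client app types that cannot complete an interactive MFA prompt: Exchange
# ActiveSync and "other" (IMAP, POP, SMTP AUTH, older Office clients).
LEGACY_CLIENT_APP_TYPES = ["exchangeActiveSync", "other"]
MODERN_CLIENT_APP_TYPES = ["browser", "mobileAppsAndDesktopClients"]
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _conditions(client_app_types):
    return {
        "users": {
            "includeUsers": ["All"],
            # Excluding an emergency-access group stops a policy mistake
            # from locking every administrator out of the tenant.
            "excludeGroups": [BREAK_GLASS_GROUP_ID],
        },
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": client_app_types,
    }


def block_legacy_auth_policy(state=REPORT_ONLY):
    """Policy 1: block sign-ins from clients that bypass MFA altogether."""
    return {
        "displayName": "Block legacy authentication",
        "state": state,
        "conditions": _conditions(LEGACY_CLIENT_APP_TYPES),
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_policy(state=REPORT_ONLY):
    """Policy 2: require MFA for every user, every app, from modern clients."""
    return {
        "displayName": "Require MFA for all users",
        "state": state,
        "conditions": _conditions(MODERN_CLIENT_APP_TYPES),
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_checks(policy):
    """Pre-flight checks to run before a policy leaves your workstation."""
    users = policy["conditions"]["users"]
    return {
        "covers_all_users": users["includeUsers"] == ["All"],
        "covers_all_apps": policy["conditions"]["applications"]["includeApplications"] == ["All"],
        "has_break_glass_exclusion": BREAK_GLASS_GROUP_ID in users["excludeGroups"],
        "starts_report_only": policy["state"] == REPORT_ONLY,
    }


def create_policy(policy, access_token):
    """POST one policy to Graph. The token needs the
    Policy.ReadWrite.ConditionalAccess permission. Not used by the offline checks."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for policy in (block_legacy_auth_policy(), require_mfa_policy()):
        print(policy["displayName"], policy_checks(policy))
```

Both policies start in report-only mode on purpose. Run them that way for a week or two, review the sign-in logs for what would have been blocked (scan-to-email printers using SMTP AUTH and old line-of-business integrations are the usual casualties), fix or exclude those deliberately, and only then switch the state to "enabled".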
Step 2: Limit Who Can Do What
When your office manager's account gets compromised, they shouldn't have admin access to your entire network. Too many businesses give everyone more access than needed.
Least privilege: Each account gets only the access required for that specific job.
Practical moves:
Separate admin accounts from everyday user accounts
Eliminate shared logins (a sales@ mailbox the whole team signs into, a single admin account whose password everyone knows)
Remove "everyone has access" permission groups
Limit who can install software or change settings
NIST recommends verifying each account has only necessary access following least privilege principles.
Step 3: Patch the Known Holes
Attackers exploit vulnerabilities publicly known for months because businesses haven't updated systems.
Make it simple:
Critical vulnerabilities? Patch immediately.
High-risk issues? Within 14 days of the fix being released.
Everything else? Monthly patching schedule.
Prioritise internet-facing systems and remote access tools - the first targets for attackers. Don't forget third-party software (Adobe, Java, browsers). Operating system updates aren't enough.
Another Cyber Essentials requirement: keeping devices and software supported and updated, with fixes for critical and high-severity vulnerabilities applied within 14 days of release.
Step 4: Spot Warning Signs Early
Early detection means catching suspicious behaviour before encryption begins, not hearing "files won't open anymore."
Watch for:
Unusual login times or locations
Accounts accessing unfamiliar systems
Large volumes of file modifications
Suspicious processes on endpoints
You need monitoring tools that flag these behaviours and clear escalation rules for immediate action versus later review.
For most businesses, this means working with IT providers who monitor proactively rather than waiting for problem reports.
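What "flag these behaviours" looks like in practice, as an added example for this article and not code from the original page or from Saturday Cloud: a small detector that runs the four warning signs above over sign-in, host-access and file-modification events and sorts the findings into the two escalation tiers the text calls for. The events, the per-account baselines, the list of sensitive hosts and the burst threshold are all constructed for the demonstration; a real deployment would derive them from your own logs.

```python
"""Early-warning detection over sign-in and file-activity events.

Added example for this article; not code from the original page or from
Saturday Cloud. The events, the per-account baselines, the sensitive-host list
and the burst threshold are all constructed for the demonstration; in
practice you would derive them from your own logs.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed baselines: what normal looks like for each account.
BASELINES = {
    "jo.accounts": {"countries": {"GB"}, "hours": range(7, 20), "hosts": {"FINANCE-01"}},
    "svc-backup": {"countries": {"GB"}, "hours": range(0, 24), "hosts": {"BACKUP-01"}},
}
SENSITIVE_HOSTS = {"BACKUP-01", "DC-01"}  # assumption: backup server, domain controller
BURST_COUNT = 50            # file modifications by one account ...
BURST_WINDOW_SECONDS = 60   # ... within this window looks like encryption in progress

# Constructed events in the shape an audit-log export might give you.
EVENTS = [
    {"type": "signin", "ts": "2024-03-04T09:12:00Z", "user": "jo.accounts", "country": "GB", "result": "success"},
    {"type": "signin", "ts": "2024-03-04T03:41:00Z", "user": "jo.accounts", "country": "NL", "result": "success"},
    {"type": "host_access", "ts": "2024-03-04T03:45:00Z", "user": "jo.accounts", "host": "BACKUP-01"},
    {"type": "host_access", "ts": "2024-03-04T03:50:00Z", "user": "svc-backup", "host": "BACKUP-01"},
] + [
    {"type": "file_modify", "ts": f"2024-03-04T04:10:{i:02d}Z", "user": "jo.accounts",
     "path": f"//FINANCE-01/share/invoice-{i}.xlsx"}
    for i in range(60)
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_signin(event):
    """Unfamiliar country or off-hours sign-in: either alone goes to the review
    queue; both together on a successful sign-in needs immediate action."""
    base = BASELINES.get(event["user"])
    if base is None or event["result"] != "success":
        return []
    when = _ts(event)
    unfamiliar = event["country"] not in base["countries"]
    off_hours = when.hour not in base["hours"]
    if not (unfamiliar or off_hours):
        return []
    severity = "immediate" if unfamiliar and off_hours else "review"
    return [(severity, event["user"],
             f"sign-in from {event['country']} at {when:%H:%M} UTC "
             f"(unfamiliar country={unfamiliar}, off-hours={off_hours})")]


def check_host_access(event):
    """Account touching a host outside its baseline; sensitive hosts escalate."""
    base = BASELINES.get(event["user"])
    if base is None or event["host"] in base["hosts"]:
        return []
    severity = "immediate" if event["host"] in SENSITIVE_HOSTS else "review"
    return [(severity, event["user"], f"accessed unfamiliar host {event['host']}")]


def check_file_bursts(events):
    """Sliding window: the largest number of modifications by one account
    inside BURST_WINDOW_SECONDS, flagged when it reaches BURST_COUNT."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "file_modify":
            per_user[e["user"]].append(_ts(e))
    findings = []
    for user, times in per_user.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_COUNT:
            findings.append(("immediate", user,
                             f"{best} file modifications within {BURST_WINDOW_SECONDS}s"))
    return findings


def detect(events):
    """Return (severity, user, reason) tuples, immediate-action items first."""
    findings = []
    for e in events:
        if e["type"] == "signin":
            findings.extend(check_signin(e))
        elif e["type"] == "host_access":
            findings.extend(check_host_access(e))
    findings.extend(check_file_bursts(events))
    return sorted(findings, key=lambda f: f[0] != "immediate")


if __name__ == "__main__":
    for severity, user, reason in detect(EVENTS):
        print(f"[{severity.upper():9}] {user}: {reason}")
```

On the constructed events the accounts user's 03:41 sign-in from the Netherlands, the subsequent access to the backup server and the 60 spreadsheets rewritten inside a minute all land in the immediate tier; a single unusual signal on its own only goes to review. The point of the two tiers is that whoever is on call knows which findings justify disabling an account at 4am and which can wait for the morning.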
Step 5: Backups That Actually Work
Most businesses have backups. Most haven't tested whether they can restore from them. Attackers know this and specifically target backup systems.
Make backups real:
Keep at least one copy completely isolated from your main environment (offline or immutable cloud storage)
Test restores regularly - quarterly minimum. Don't discover corrupt backups during emergencies.
Define recovery priorities ahead of time - what systems restore first, in what order?
NIST and NCSC emphasise backups must be protected, isolated, and proven to work. NCSC: keep backups up-to-date to recover "without paying ransom."
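"Proven to work" means a restore you have actually run and checked, not a green tick on the backup job. The following is an added example for this article, not code from the original page or from Saturday Cloud: it backs a directory up to an archive with a SHA-256 manifest, restores that archive into a scratch directory, verifies every file against the manifest, and demonstrates that an archive altered after the manifest was taken fails the test. The sample files are constructed in a temporary directory so the drill runs offline.

```python
"""Backup with a checksum manifest, plus an automated restore test.

Added example for this article; not code from the original page or from
Saturday Cloud. It backs a directory up to a tar.gz archive with a SHA-256
manifest, restores the archive into a scratch directory and verifies every
file against the manifest, and shows a backup that was altered after the
manifest was taken failing that test. The sample files are constructed in a
temporary directory so it runs offline.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source, archive):
    """Archive every file under source and write a manifest (relative path ->
    sha256) beside it. Keep a copy of the manifest with your isolated copy too,
    so an attacker who can rewrite the archive cannot also rewrite the record
    of what it should contain."""
    source, archive = Path(source), Path(archive)
    manifest = {p.relative_to(source).as_posix(): sha256(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in manifest:
            tar.add(str(source / rel), arcname=rel)
    Path(f"{archive}.manifest").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(archive, target):
    """Restore archive into target and check every manifest entry.
    Returns (ok, problems); problems lists missing or altered files."""
    archive, target = Path(archive), Path(target)
    manifest = json.loads(Path(f"{archive}.manifest").read_text())
    # The "data" extraction filter (Python 3.12, backported to maintained 3.8+)
    # rejects path traversal and other hostile members inside the archive.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(str(target), **extract_opts)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return False, [f"archive unreadable: {exc}"]
    problems = []
    for rel, expected in manifest.items():
        restored = target / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256(restored) != expected:
            problems.append(f"altered: {rel}")
    return not problems, problems


def restore_test(tamper=False):
    """Scheduled restore drill: build a scratch tree, back it up, restore and
    verify. With tamper=True the archive is rewritten with one changed file
    after the manifest was taken, as a corrupted or manipulated backup would be."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "finance")
        (src / "2024").mkdir(parents=True)
        (src / "invoices.csv").write_text("id,amount\n1,250.00\n")
        (src / "2024" / "quotes.txt").write_text("Q-1001 pending\n")
        archive = Path(tmp, "finance.tar.gz")
        make_backup(src, archive)
        if tamper:
            (src / "invoices.csv").write_text("id,amount\n1,999.99\n")
            with tarfile.open(str(archive), "w:gz") as tar:
                for p in src.rglob("*"):
                    if p.is_file():
                        tar.add(str(p), arcname=p.relative_to(src).as_posix())
        return restore_and_verify(archive, Path(tmp, "restore"))


if __name__ == "__main__":
    print("clean backup:   ", restore_test())
    print("tampered backup:", restore_test(tamper=True))
```

Run the drill on a schedule (the quarterly minimum above) against the isolated copy, not the one on the file server, and treat any "altered" or "missing" result as an incident in its own right: it means the copy you were counting on would not have got you back to work.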
You Don't Need Everything at Once
Ransomware succeeds when businesses are reactive - everything urgent, unclear, improvised. Strong defence does the opposite: turns common failure points into predictable, enforced defaults.
Start here:
This week: MFA on all accounts, starting with admin and remote access
This month: Audit user permissions, remove unnecessary access
This quarter: Establish patching schedule, test backup restore
When fundamentals are consistently enforced and regularly tested, ransomware shifts from business-ending crisis to contained incident you're prepared to manage.
The Saturday Cloud Approach
We work with South Wales businesses to implement practical ransomware defences without massive budgets or dedicated security teams. We focus on fundamentals: proper authentication, limited access, regular patching, proactive monitoring, and tested backups. The basics done properly and consistently.
The goal isn't "stop every threat forever." It's breaking the attack chain early and ensuring that if the worst happens, recovery is predictable rather than catastrophic.
Don't Wait Until Monday Morning
Book a free ransomware defence assessment with Saturday Cloud. We'll tell you exactly where you're exposed and what to do about it.
Republished with permission from The Technology Press