
Ransomware Prevention: 10 Steps Every Small Business Should Take Today

Protectyr Team

Ransomware Is the Number One Threat to Small Business

Ransomware -- software that encrypts your files and demands payment to unlock them -- has become the most feared cyberthreat for small business owners. And for good reason. The average ransom demand for small businesses has climbed past $100,000, and even if you pay, there is no guarantee you will get your data back.

But here is what the headlines do not tell you: most ransomware attacks are preventable. Attackers typically exploit the same basic weaknesses -- weak passwords, unpatched software, phishing emails, and poor backup practices. Fix these fundamentals and you make your business a dramatically harder target.

Here are 10 concrete steps you can take, starting today.

Step 1: Enable Multi-Factor Authentication (MFA) Everywhere

Multi-factor authentication adds a second verification step beyond your password. Even if an attacker steals a password, they cannot get in without the second factor (usually a code from your phone).

Enable MFA on:

  • Email accounts (this is the single most important one)
  • Cloud storage (Microsoft 365, Google Workspace, Dropbox)
  • Remote access tools (VPN, RDP)
  • Financial accounts and banking portals
  • Admin panels for your website and business applications

This one step alone blocks the majority of credential-based attacks that lead to ransomware infections.

Step 2: Back Up Your Data (The Right Way)

Backups are your ultimate insurance policy against ransomware. If your files get encrypted, you can restore from backup instead of paying the ransom. But your backup strategy needs to follow the 3-2-1 rule:

  • 3 copies of your data
  • 2 different storage types (e.g., local drive + cloud)
  • 1 copy offsite or in a separate, isolated environment

Critical: Test your backups regularly. A backup you have never tested restoring from is not really a backup -- it is a hope.

Step 3: Keep Everything Updated

Patch management sounds technical, but the concept is simple: install software updates promptly. Many ransomware attacks exploit known vulnerabilities in software that has available patches. The attackers know about the vulnerability, they know many businesses are slow to update, and they exploit that gap.

  • Enable automatic updates on operating systems
  • Keep web browsers up to date (they usually auto-update)
  • Update business applications within a week of patch release
  • Replace software that is no longer receiving security updates

Step 4: Train Your Team to Spot Phishing

Phishing emails remain the number one delivery method for ransomware. A single employee clicking a malicious link can compromise your entire network. Invest in regular, practical training that teaches your team to recognize and report suspicious messages. (See our detailed phishing training guide for a complete framework.)

Step 5: Limit User Privileges

Not everyone in your company needs admin access to everything. Implement the principle of least privilege: give each employee only the access they need to do their job, nothing more.

  • Remove admin rights from everyday user accounts
  • Use separate admin accounts for IT management tasks
  • Review access permissions quarterly
  • Disable accounts promptly when employees leave

If ransomware gets in through a limited account, the damage is contained. If it gets in through an admin account, everything is at risk.

Step 6: Segment Your Network

Network segmentation means dividing your network into smaller sections so that if one part gets compromised, the ransomware cannot easily spread to everything else. For small businesses, this can be as simple as:

  • Separate your guest WiFi from your business network
  • Keep IoT devices (security cameras, smart thermostats) on their own network segment
  • Isolate sensitive systems (accounting, HR) from general workstations

Step 7: Deploy Endpoint Protection

Modern endpoint security software goes far beyond traditional antivirus. Look for solutions that include:

  • Ransomware-specific detection (watching for mass file encryption behavior)
  • Behavioral analysis (catching threats that signature-based detection misses)
  • Centralized management so you can monitor all devices from one console
  • Automatic updates to stay current with new threats
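To make "watching for mass file encryption behavior" concrete, here is a small behavioural detector. It is an added example, not code from the original article or from any endpoint product: it reads constructed file-activity events and raises an alert when one process changes several distinct files to an unfamiliar extension within a few seconds, while a backup job that touches just as many files but keeps their extensions stays quiet.

```python
"""Behavioural detector for mass file encryption. Added example, not from
the original article or any vendor product; the event format and the log
lines below are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime
from pathlib import PureWindowsPath

WINDOW_SECONDS = 10   # how quickly the modifications must cluster
FILE_THRESHOLD = 5    # distinct files changed by one process in the window
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".csv", ".pptx"}

# Constructed sample: "timestamp process action resulting_path".
# backup.exe touches many files but keeps their extensions; crypt.exe
# renames document after document to an unknown extension within seconds.
SAMPLE_LOG = """\
2024-05-01T09:00:01 winword.exe WRITE C:\\Users\\amy\\Docs\\budget.docx
2024-05-01T09:00:02 backup.exe WRITE D:\\Backup\\Docs\\budget.docx
2024-05-01T09:00:02 backup.exe WRITE D:\\Backup\\Docs\\q1.xlsx
2024-05-01T09:00:03 backup.exe WRITE D:\\Backup\\Docs\\plan.pdf
2024-05-01T09:00:03 backup.exe WRITE D:\\Backup\\Docs\\notes.txt
2024-05-01T09:00:04 backup.exe WRITE D:\\Backup\\Docs\\logo.jpg
2024-05-01T09:01:10 crypt.exe RENAME C:\\Users\\amy\\Docs\\budget.docx.locked
2024-05-01T09:01:11 crypt.exe RENAME C:\\Users\\amy\\Docs\\q1.xlsx.locked
2024-05-01T09:01:12 crypt.exe RENAME C:\\Users\\amy\\Docs\\plan.pdf.locked
2024-05-01T09:01:12 crypt.exe RENAME C:\\Users\\amy\\Docs\\notes.txt.locked
2024-05-01T09:01:14 crypt.exe RENAME C:\\Users\\amy\\Docs\\logo.jpg.locked
"""


def detect(log_text: str) -> list:
    """Return (process, timestamp) for each process that changes FILE_THRESHOLD
    distinct files to unfamiliar extensions within WINDOW_SECONDS."""
    recent = defaultdict(deque)   # process -> deque of (time, path)
    alerts, flagged = [], set()
    for line in log_text.splitlines():
        ts, proc, action, path = line.split(" ", 3)
        t = datetime.fromisoformat(ts)
        if PureWindowsPath(path).suffix.lower() in KNOWN_EXTS:
            continue   # ordinary edits and backups keep their extensions
        window = recent[proc]
        window.append((t, path))
        while (t - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()   # slide the window forward
        distinct = {p for _, p in window}
        if len(distinct) >= FILE_THRESHOLD and proc not in flagged:
            flagged.add(proc)   # one alert per process, not per file
            alerts.append((proc, ts))
    return alerts
```

The extension heuristic catches the common append-an-extension pattern; ransomware that overwrites files in place needs a content check (for example, the entropy of written data) on top of the same sliding window.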

Step 8: Secure Remote Desktop Protocol (RDP)

If anyone at your company uses Remote Desktop to access work computers, pay attention. RDP is one of the most commonly exploited entry points for ransomware. If you must use RDP:

  • Never expose RDP directly to the internet
  • Require VPN access before allowing RDP connections
  • Enable MFA on RDP sessions
  • Use strong, unique passwords for RDP accounts
  • Limit who can use RDP to only those who need it

Step 9: Create an Incident Response Plan

Hope for the best, plan for the worst. An incident response plan ensures your team knows exactly what to do if ransomware strikes. Your plan should cover:

  • Who to contact (IT team, insurance provider, legal counsel)
  • How to isolate affected systems
  • How to assess the scope of the attack
  • Decision framework for whether to pay a ransom (hint: paying should be a last resort)
  • Communication plan for customers and employees

Practice the plan at least once a year with a tabletop exercise. Walking through a scenario as a team reveals gaps you would not find any other way.

Step 10: Get a Security Assessment

You cannot fix what you do not know about. A security assessment identifies your specific vulnerabilities before attackers do. It gives you a prioritized list of what to fix first based on actual risk, not guesswork.

To Pay or Not to Pay?

If the worst happens, the question of whether to pay the ransom is agonizing. Here is the reality:

  • Paying does not guarantee you will get your data back (about 1 in 4 companies that pay never get a working decryption key)
  • Paying marks you as a willing payer, making future attacks more likely
  • Paying may violate regulations if the attacker is a sanctioned entity
  • Some cyber insurance policies cover ransom payments, but increasingly with conditions

The best strategy is prevention. The second-best strategy is having solid backups so you never have to face this choice.

Next Steps

How many of these 10 steps does your business currently have in place? Our free Security Check evaluates your current security posture and gives you a prioritized action plan. It takes about 5 minutes and covers the critical controls that prevent the vast majority of ransomware attacks.

Do not wait for an attack to find out where your gaps are. Find them first.
