Ransomware Basics for Small Businesses: A Realistic Prevention Checklist
Ransomware headlines make it sound like you need a bunker and a security team. Most small businesses don’t.
What you do need is a handful of controls that stop the most common paths: stolen passwords, unpatched systems, and one bad click.
This is a realistic checklist you can work through without turning your week into a security project.
What ransomware usually looks like
- Someone gets access (often via phishing or a leaked password)
- They move around quietly, stealing data
- They encrypt shared drives / servers
- You wake up to a note demanding payment
The goal isn’t “perfect security.” It’s making your business hard enough to hit and easy to recover.
The prevention checklist (high impact first)
1) Protect your email and admin accounts
Email is the master key.
- Require 2FA on email (prefer authenticator app/passkeys)
- Turn on “sign-in alerts”
- Remove old staff accounts and shared logins
2) Patch what you already own
Unpatched systems are a gift.
- Enable automatic updates on Windows/macOS
- Update routers and NAS devices
- Keep browser + extensions up to date
3) Backups you can actually restore
A backup that can’t be restored is just storage.
Use the 3-2-1 rule:
- 3 copies of data
- 2 different types of storage
- 1 offsite / offline
Critical: keep at least one backup not always connected (offline or immutable), so ransomware can’t encrypt it too.
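A backup only counts once you have restored from it and compared the result. The PowerShell script below is an added example, not part of the original checklist; it assumes a live data folder (`$SourceDir`), the most recent backup copy of it (`$BackupDir`) and an acceptable backup age (`$MaxBackupAgeDays`), all hypothetical values you replace with your own. It restores the backup into a scratch folder, hashes every file against the source, and fails if anything is missing or differs.

```powershell
# Added example (not from the original post): restore test for a file backup.
# Assumptions: $SourceDir is the live data, $BackupDir the newest backup copy,
# $MaxBackupAgeDays the oldest backup you would be willing to recover from.
param(
    [string]$SourceDir = 'C:\Data\Finance',            # hypothetical path
    [string]$BackupDir = 'E:\Backups\Finance\latest',  # hypothetical path
    [int]$MaxBackupAgeDays = 2
)

# 1. Is the backup recent enough? An old backup is your real recovery point.
$newest = Get-ChildItem -Path $BackupDir -Recurse -File |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) { throw "No files found in backup at $BackupDir" }
$ageDays = (New-TimeSpan -Start $newest.LastWriteTime -End (Get-Date)).Days
if ($ageDays -gt $MaxBackupAgeDays) {
    Write-Warning "Newest backup file is $ageDays days old (limit $MaxBackupAgeDays)"
}

# 2. Restore into a scratch folder, never on top of the live data.
$restoreDir = Join-Path $env:TEMP ('restore-test-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $restoreDir | Out-Null
Copy-Item -Path (Join-Path $BackupDir '*') -Destination $restoreDir -Recurse

# 3. Compare every source file with its restored copy by SHA-256 hash.
$checked = 0; $missing = 0; $mismatch = 0
Get-ChildItem -Path $SourceDir -Recurse -File | ForEach-Object {
    $relative = $_.FullName.Substring($SourceDir.Length).TrimStart('\')
    $restored = Join-Path $restoreDir $relative
    $checked++
    if (-not (Test-Path $restored)) {
        $missing++; Write-Warning "Missing from backup: $relative"; return
    }
    $a = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    $b = (Get-FileHash -Path $restored  -Algorithm SHA256).Hash
    if ($a -ne $b) { $mismatch++; Write-Warning "Content differs: $relative" }
}

# 4. Report, then remove the scratch copy.
Remove-Item -Path $restoreDir -Recurse -Force
"Restore test: $checked files checked, $missing missing, $mismatch mismatched, backup age $ageDays day(s)"
if ($missing -or $mismatch) { exit 1 }
```

Files edited after the backup ran will show as mismatches; that is expected and tells you how much work a restore would lose. Run the test against the offline or immutable copy, not the always-connected one, since that is the copy you will depend on after an incident.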
4) Least privilege (stop “everyone is admin”)
- Employees shouldn’t have admin rights on their laptops
- Separate admin accounts from daily accounts
- Restrict access to shared folders (not everyone needs everything)
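The fastest way to find "everyone is admin" is to list the local Administrators group on each laptop. The script below is an added example, not part of the original post; it assumes the accounts in `$Approved` (hypothetical names) are the only ones that should hold admin rights, reports anything else, and removes extras only when you pass `-Remove`. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit the local Administrators
# group against a short allowlist and, optionally, remove everyone else.
# Assumption: $Approved lists the only accounts that should be local admins.
param(
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\IT-Admins'),  # hypothetical
    [switch]$Remove   # without this switch the script only reports
)

$members = Get-LocalGroupMember -Group 'Administrators'
$extra   = $members | Where-Object { $Approved -notcontains $_.Name }

if (-not $extra) {
    'Administrators group matches the allowlist.'
    return
}

foreach ($m in $extra) {
    Write-Warning ('Unexpected local admin: {0} ({1}, {2})' -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
    if ($Remove) {
        # The account keeps its normal login; it only loses admin rights.
        Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
        "Removed $($m.Name) from Administrators"
    }
}
```

Run it in report mode first across all machines, then give each person a separate admin account if they genuinely need one before running with `-Remove`, so nobody is locked out of work they legitimately do.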
5) Turn on basic endpoint protection
Use built-in tools first if you’re on a budget.
- Windows Security / Defender is decent
- Make sure it’s enabled and updating
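"Enabled and updating" is something you can verify rather than assume. This added example (not from the original post) uses the built-in Defender cmdlets to flag the states that matter: engine off, real-time protection off, stale signatures, or tamper protection disabled. The three-day signature limit is an assumption you can tighten.

```powershell
# Added example (not from the original post): confirm Microsoft Defender is on
# and current. Uses only the built-in Defender module; run in an elevated session.
$status   = Get-MpComputerStatus
$problems = @()

if (-not $status.AntivirusEnabled)          { $problems += 'Antivirus engine is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $problems += 'Real-time protection is off' }
if (-not $status.IsTamperProtected)         { $problems += 'Tamper protection is off' }
if ($status.AntivirusSignatureAge -gt 3) {   # assumed limit: 3 days
    $problems += "Signatures are $($status.AntivirusSignatureAge) days old"
    Update-MpSignature                       # pull fresh definitions now
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Defender OK: signatures updated $($status.AntivirusSignatureLastUpdated)"
```

If real-time protection keeps turning itself off, treat that as a signal worth investigating, since disabling it is one of the first things ransomware operators try to do.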
6) Lock down remote access
Remote Desktop (RDP) exposed to the internet is risky.
- Disable direct RDP from the internet
- Use a VPN or a managed remote access tool
- Require 2FA
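Before changing anything, check whether a machine even accepts Remote Desktop and whether the Windows firewall lets it through. This added example (not from the original post) reads the standard registry and firewall settings and reports them; it prints the hardening commands rather than running them, so you can review before acting.

```powershell
# Added example (not from the original post): report this host's Remote Desktop
# exposure. Hardened state for a machine that does not need RDP: connections
# denied, the "Remote Desktop" firewall rules disabled, nothing listening on 3389.
$rdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
$nla       = (Get-ItemProperty -Path "$rdpKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1
$fwRules   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' })
$listener  = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

"RDP connections denied  : $rdpDenied"
"Network Level Auth (NLA): $nla"
"Enabled RDP fw rules    : $($fwRules.Count)"
"Listening on TCP 3389   : $([bool]$listener)"

if (-not $rdpDenied -and $listener) {
    Write-Warning 'RDP is reachable on this host. Unless it is only reached over your VPN, disable it:'
    Write-Warning "  Set-ItemProperty -Path '$rdpKey' -Name fDenyTSConnections -Value 1"
    Write-Warning "  Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'"
}
elseif (-not $nla) {
    Write-Warning 'RDP is on without Network Level Authentication; enable NLA or move RDP behind the VPN.'
}
```

The host cannot see whether your router forwards port 3389 from the internet, so check the router's port-forwarding page as well; "disable direct RDP from the internet" means both the host setting and that forwarding rule.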
7) Train for one behavior
Long training doesn’t stick. One habit does:
If an email creates pressure and asks you to click/sign in, verify first.
8) Segment “the crown jewels”
Keep accounting, payroll, and customer data in systems with stricter access.
Even simple separation helps:
- Separate shared drive for finance
- Separate admin login
If you suspect ransomware activity
Don’t wait for the ransom note.
- Disconnect affected machines (Wi-Fi off, unplug network)

- Stop syncing (OneDrive/Google Drive) temporarily to prevent spread
- Preserve logs if you can (IT can help later)
- Call your IT/security contact or incident response provider
- Assess backups before considering payment
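The order of those steps matters: volatile evidence (running processes, open connections) disappears the moment you isolate or reboot, so capture it first, then cut the network. The script below is an added example, not part of the original post; it assumes `$Evidence` points at a USB drive or another location that is not one of the machine's network shares (a hypothetical path). Run it elevated on the suspect machine, then call your IT or incident response contact.

```powershell
# Added example (not from the original post): first response on a Windows
# machine you suspect is compromised. Snapshot volatile state, export event
# logs, stop cloud sync, then pull the machine off the network.
# Assumption: $Evidence is removable media, not a network share.
param(
    [string]$Evidence = 'F:\ir-' + $env:COMPUTERNAME + '-' + (Get-Date -Format 'yyyyMMdd-HHmm')  # hypothetical
)
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Volatile state first: gone once the machine is isolated or rebooted.
Get-Process | Select-Object Id, ProcessName, Path, StartTime |
    Export-Csv (Join-Path $Evidence 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $Evidence 'connections.csv') -NoTypeInformation
Get-SmbMapping | Export-Csv (Join-Path $Evidence 'drive-mappings.csv') -NoTypeInformation

# 2. Event logs, exported whole so later analysis works on the original records.
foreach ($log in 'Security', 'System', 'Application', 'Microsoft-Windows-Windows Defender/Operational') {
    $file = Join-Path $Evidence (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil epl "$log" "$file"
}

# 3. Stop cloud sync so encrypted files are not pushed over the good copies.
Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Stop-Process -Force

# 4. Now isolate: disable every active adapter (Wi-Fi and wired).
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
"Evidence saved to $Evidence; network adapters disabled. Contact your IT/IR provider."
```

Do not power the machine off unless your IR contact tells you to; shutting down destroys the same volatile evidence this script tries to preserve, and it does nothing to stop encryption that already ran on the shared drives.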
A quick “weekend plan” for small teams
- Friday: enforce 2FA on email + admin accounts
- Saturday: verify backups + do one restore test
- Sunday: remove admin rights + update devices
That alone cuts risk dramatically.
FAQs
Should we pay the ransom?
That’s a business/legal decision, but it’s risky: paying doesn’t guarantee recovery, and you may still have data exposure.
Are cloud apps safer?
Often yes, especially when paired with strong identity controls and 2FA. But you still need backups and account protection.