A ransomware attack isn't bad luck — it's several defences failing at once. No single control will save you, but the twelve below cover 95% of the attack vectors we see in practice.
Based on guidance from NÚKIB, NIST CSF, and ENISA. We rate each control by two criteria: probability it stops an attack, and the cost / complexity of rollout. The "critical" label means — without this, an attack is just a question of time.
Three copies of data, two different media, one fully off the network (offline / immutable). If all backups are online and reachable from the domain, ransomware will encrypt them along with production. Test restore at least quarterly — a backup you haven't tried isn't a backup.
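A restore test only counts if you check what came back against what went in. The script below is an added example (not from the original article): it records a SHA-256 manifest at backup time, "restores" into another directory, tampers with the copy, and reports what is missing or corrupted. The file names and the use of `shutil.copytree` as a stand-in for a real restore job are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative, POSIX-style path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(p for p in manifest
                            if p in restored and restored[p] != manifest[p]),
        "extra": sorted(set(restored) - set(manifest)),
    }


def demo_restore_test():
    """Constructed drill: back up, restore, break two files, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "production")
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "docs").mkdir()
        (src / "docs" / "policy.txt").write_text("3-2-1\n")

        # The manifest is taken when the backup is made and stored with it.
        manifest = build_manifest(src)

        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)  # stands in for the real restore job
        # Simulate silent corruption and a file that never came back.
        (restored / "ledger.csv").write_text("id,amount\n1,999\n")
        (restored / "docs" / "policy.txt").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo_restore_test())
```

Store the manifest on the same offline or immutable medium as the backup; a manifest that ransomware can rewrite proves nothing.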
VPN, RDP, email, cloud consoles, admin accounts. 80% of ransomware campaigns start with stolen credentials bought from the dark web — MFA stops them even with a valid password. SMS as a second factor beats nothing, but TOTP or hardware keys are safer.
Separate production systems from the office, the office from guest Wi-Fi, critical servers from the rest. Without segmentation an attacker can move anywhere after the first compromised laptop. You don't need to roll out zero-trust on day one — even basic VLAN segmentation with firewall rules stops lateral movement.
Most exploited vulnerabilities have had a patch available for 6+ months. Apply critical patches within 72 hours, high within 14 days. Maintain a system inventory and process ownership — without those there's no patching, just ad-hoc reaction.
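The 72-hour / 14-day targets are only enforceable if you can compute them against an inventory. The following is an added example (not from the original article) that applies those SLAs to a constructed list of findings and also flags the two inventory failures the paragraph warns about: assets nobody owns and assets that are not in the inventory at all. Finding ids, hosts and dates are placeholders.

```python
from datetime import datetime, timedelta

# SLA from the text: critical within 72 hours, high within 14 days
PATCH_SLA = {"critical": timedelta(hours=72), "high": timedelta(days=14)}

# Constructed inventory: asset -> owner (None models an asset with no owner)
INVENTORY = {"web01": "platform-team", "fs01": "it-ops", "erp-db": None}

# Constructed findings; ids are placeholders, not real CVE numbers
FINDINGS = [
    {"id": "VULN-001", "asset": "web01", "severity": "critical",
     "patch_available": datetime(2024, 6, 1, 9), "patched_at": datetime(2024, 6, 2, 15)},
    {"id": "VULN-002", "asset": "fs01", "severity": "critical",
     "patch_available": datetime(2024, 6, 1, 9), "patched_at": None},
    {"id": "VULN-003", "asset": "fs01", "severity": "high",
     "patch_available": datetime(2024, 5, 20), "patched_at": datetime(2024, 6, 5)},
    {"id": "VULN-004", "asset": "erp-db", "severity": "critical",
     "patch_available": datetime(2024, 5, 28), "patched_at": None},
    {"id": "VULN-005", "asset": "legacy-box", "severity": "high",
     "patch_available": datetime(2024, 6, 3), "patched_at": None},
    {"id": "VULN-006", "asset": "web01", "severity": "medium",
     "patch_available": datetime(2024, 1, 1), "patched_at": None},
]


def check_patch_sla(findings, inventory, now):
    """Classify findings: still open past deadline, closed late, unowned, unknown asset."""
    report = {"open_overdue": [], "closed_late": [], "unowned": [], "unknown_asset": []}
    for f in findings:
        sla = PATCH_SLA.get(f["severity"])
        if sla is None:
            continue  # medium/low are tracked on a normal cycle, not under this SLA
        asset = f["asset"]
        if asset not in inventory:
            report["unknown_asset"].append(f["id"])  # nobody can be asked to patch it
        elif inventory[asset] is None:
            report["unowned"].append(f["id"])
        deadline = f["patch_available"] + sla
        done = f["patched_at"]
        if done is None:
            if now > deadline:
                report["open_overdue"].append(
                    {"id": f["id"], "asset": asset,
                     "owner": inventory.get(asset), "late_by": now - deadline})
        elif done > deadline:
            report["closed_late"].append(
                {"id": f["id"], "asset": asset, "late_by": done - deadline})
    return report


if __name__ == "__main__":
    for key, items in check_patch_sla(FINDINGS, INVENTORY, datetime(2024, 6, 10, 12)).items():
        print(key, items)
```

Run it from a scheduled job against your scanner export and the CMDB, and treat a non-empty `unknown_asset` list as a finding in its own right: it means the scanner sees a machine the inventory does not.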
Traditional signature-based AV catches yesterday's ransomware. Modern EDR (CrowdStrike, SentinelOne, Defender for Endpoint, Sophos Intercept X) watches behaviour — unusual encryption, suspicious PowerShell calls, lateral movement — and can stop the attack mid-flight. Without EDR you're blind to targeted attacks.
A user shouldn't be a local admin on their own PC. Service accounts shouldn't hold domain admin. Privileged accounts should have separate sign-ins and be audited. PAM tools (CyberArk, Delinea) do this, but even Active Directory tiering without a tool dramatically reduces the blast radius.
90% of ransomware starts with phishing. A solid email gateway (Microsoft Defender for O365, Proofpoint, Mimecast) blocks known threats. DMARC, SPF, and DKIM stop spoofing of your own domain. Without DMARC, attackers can send mail that appears to come from your domain, and receivers have no policy telling them to reject it.
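What DMARC actually adds on top of SPF and DKIM is alignment: the authenticated domain must match the visible From: domain, and the record tells receivers what to do when it does not. The evaluator below is an added example (not from the original article or any mail product) that parses a DMARC TXT record and returns the disposition for a message given its SPF and DKIM results. The organizational-domain helper is a deliberate simplification (last two labels) where real validators consult the Public Suffix List; the domains in the demo are constructed.

```python
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption: production code would use the Public Suffix List (co.uk etc.)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str,
                      spf_result: str, spf_domain: Optional[str],
                      dkim_result: str, dkim_domain: Optional[str]) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') on failure."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    # sp= overrides p= when the From: domain is a subdomain of the record's domain
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return policy


# Constructed records and messages for the demo
RECORD_REJECT = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.com"
RECORD_STRICT = "v=DMARC1; p=quarantine; adkim=s; aspf=s"
RECORD_NONE = "v=DMARC1; p=none"
RECORD_SUBDOMAIN = "v=DMARC1; p=reject; sp=none"

if __name__ == "__main__":
    # Legitimate bulk mailer: SPF passes for a subdomain, relaxed alignment -> pass
    print(dmarc_disposition(RECORD_REJECT, "example.com",
                            "pass", "bounce.example.com", "none", None))
    # Spoofed From: SPF passes only for the sender's own domain -> reject
    print(dmarc_disposition(RECORD_REJECT, "example.com",
                            "pass", "mailer.example.net", "none", None))
```

Note the difference the policy tag makes: with `p=none` the spoofed message is still delivered and only reported, which is why a monitoring-only DMARC deployment does not by itself close the spoofing gap.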
A one-hour annual PowerPoint doesn't work. What works is a short repeated drill (5–10 minutes monthly) plus real phishing simulations with feedback. The goal isn't a 100% catch rate; the goal is that an employee who falls for a phish knows where to report it.
Without logs, post-attack forensics is a dead end: you don't know when, how, or for how long the attacker was inside. The minimum: AD logon events, EDR telemetry, firewall logs, email gateway. Ideally into a SIEM with 90-day retention. A ransomware operator is typically inside the network for 4–60 days before encryption, so retention has to cover that dwell time.
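Collected logs only pay off once someone looks at them, so here is an added example (not from the original article) of two detections a SIEM would run over AD logon events during that dwell period: a password spray (one source failing against many accounts in a short window) and a service account reaching many hosts over the network. The input lines are a constructed, simplified rendering of Windows events 4624/4625 (timestamp, event id, host, user, source IP, logon type), not real log output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, simplified from Windows Security events 4624 (success) / 4625 (failure)
SAMPLE_LOG = """\
2024-05-03T02:14:07Z 4625 host=DC01 user=alice src=10.0.5.23 type=3
2024-05-03T02:14:09Z 4625 host=DC01 user=bob src=10.0.5.23 type=3
2024-05-03T02:14:11Z 4625 host=DC01 user=carol src=10.0.5.23 type=3
2024-05-03T02:14:13Z 4625 host=DC01 user=dave src=10.0.5.23 type=3
2024-05-03T02:14:15Z 4625 host=DC01 user=erin src=10.0.5.23 type=3
2024-05-03T02:14:17Z 4625 host=DC01 user=frank src=10.0.5.23 type=3
2024-05-03T02:20:00Z 4624 host=FS01 user=svc-backup src=10.0.5.23 type=3
2024-05-03T02:21:30Z 4624 host=FS02 user=svc-backup src=10.0.5.23 type=3
2024-05-03T02:23:10Z 4624 host=APP01 user=svc-backup src=10.0.5.23 type=3
2024-05-03T02:25:45Z 4624 host=SQL01 user=svc-backup src=10.0.5.23 type=10
2024-05-03T02:30:00Z 4624 host=WS-117 user=alice src=10.0.7.40 type=2
2024-05-03T08:01:00Z 4625 host=DC01 user=alice src=10.0.7.40 type=3
"""


def parse_events(text):
    """Turn each line into a dict with a datetime 'ts', int 'event_id', and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event_id": int(event_id)}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def sliding_window_alerts(events, key_fn, value_fn, window, threshold, kind):
    """Alert once per key when the number of distinct values seen within `window` reaches `threshold`."""
    buckets = defaultdict(deque)
    fired = set()
    alerts = []
    for ev in events:  # events are assumed to be in time order
        key = key_fn(ev)
        bucket = buckets[key]
        bucket.append((ev["ts"], value_fn(ev)))
        while bucket and ev["ts"] - bucket[0][0] > window:
            bucket.popleft()
        distinct = {value for _, value in bucket}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"kind": kind, "key": key, "at": ev["ts"],
                           "distinct": sorted(distinct)})
    return alerts


def detect_password_spray(events, window=timedelta(minutes=5), threshold=5):
    """One source IP failing logons for many different accounts in a short window."""
    failures = [ev for ev in events if ev["event_id"] == 4625]
    return sliding_window_alerts(failures, lambda ev: ev["src"], lambda ev: ev["user"],
                                 window, threshold, "password_spray")


def detect_lateral_movement(events, window=timedelta(minutes=10), threshold=3):
    """One account succeeding over the network (type 3) or RDP (type 10) to many hosts."""
    remote_ok = [ev for ev in events if ev["event_id"] == 4624 and ev["type"] in ("3", "10")]
    return sliding_window_alerts(remote_ok, lambda ev: ev["user"], lambda ev: ev["host"],
                                 window, threshold, "lateral_movement")


def run_detections(text):
    events = parse_events(text)
    return detect_password_spray(events) + detect_lateral_movement(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The thresholds are starting points to tune against your own baseline; a backup account that legitimately touches every file server every night will need its own exception, which is exactly the kind of decision you can only make once the logs exist.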
When an incident hits, there's no time to figure out who calls whom. The IRP has: roles, contacts (24/7), escalation matrix, communications templates, lawyer, regulator, external IR team. Test it with a tabletop exercise at least once a year — you'll find gaps you'd otherwise hit during a real attack.
You can't protect what you don't track. Asset management (CMDB, Lansweeper, RunZero) keeps an overview of servers, endpoints, applications, owners, and criticality. During an incident this saves hours — you know what's infected and what's a priority to restore.
SolarWinds, Kaseya, 3CX — supplier-driven attacks are the trend of the last few years. For key vendors require: ISO 27001/SOC 2, incident reporting clauses in the contract, separate access accounts with MFA, restricted remote access. For smaller vendors, at least a brief security questionnaire.