Ransomware isn’t just a large-company problem. According to Verizon’s 2025 Data Breach Investigations Report, ransomware was present in 88% of breaches at small and mid-sized businesses. The good news is that most ransomware attacks follow a predictable sequence, and breaking that sequence early is entirely possible with the right controls in place. This post walks through a five-step plan you can start acting on today.
Most ransomware attacks don’t start with a dramatic breach. They start with a login.
An attacker gets hold of a valid username and password, maybe through a phishing email, maybe from a credential dump on the dark web, and they simply log in. From there, they move quietly through the environment, escalate their access, locate the most valuable data, and wait until they can do maximum damage before triggering encryption.
By the time files start disappearing or screens go dark, the attacker has often been inside the network for days or weeks.
That’s the pattern that makes ransomware so destructive and so hard to stop reactively. According to Verizon’s 2025 Data Breach Investigations Report, ransomware was involved in 88% of breaches at small and mid-sized businesses, compared to just 39% at larger organizations. Attackers target smaller businesses precisely because the defenses tend to be thinner and the response slower.
The goal of a proactive ransomware defense plan isn’t to build an impenetrable fortress. It’s to make the attack chain harder to complete at every stage, so that if something gets through one layer, the next layer slows it down or stops it entirely. And if the worst happens, recovery is something you’ve planned for rather than something you’re improvising under pressure.
Here’s how to build that.
Step 1: Make Stolen Credentials Useless
Most ransomware still begins with credential theft. A convincing phishing email, a reused password from a previous breach, or a brute-force attack on a remote access portal: all of these give an attacker a valid login. The first line of defense is making sure that a stolen password alone isn’t enough to get them in.
Basic multifactor authentication (MFA) is a step in the right direction, but it’s not the finish line. Standard MFA methods that send a one-time code by text, email, or authenticator app can still be defeated by a convincing fake login page: an adversary-in-the-middle phishing site relays the password and the code to the real service in real time and walks away with a logged-in session. Push-notification prompts can likewise be worn down by repeated approval requests. Phishing-resistant methods such as FIDO2 security keys and passkeys close that gap because the credential is bound to the legitimate site’s origin and to the device that holds it, so a look-alike domain never receives a response it can use.
What to put in place:
Enforce strong MFA on every account, with priority given to admin accounts and anything that touches remote access (VPN, remote desktop gateways, webmail). Disable legacy authentication protocols such as basic authentication for IMAP, POP, and SMTP, which cannot enforce MFA at all and let an attacker with nothing but a password straight in. Set up conditional access rules so that logins from new devices, unfamiliar locations, or unusual hours trigger additional verification automatically, and block sign-ins that do not meet the policy rather than merely logging them.
When a stolen password can’t be used without a second factor that an attacker doesn’t have, the most common entry point closes.
Our cybersecurity consulting services include a review of your current authentication setup and a clear plan for tightening it without creating daily friction for your team.
Step 2: Limit How Far an Attacker Can Move
Once an attacker is inside a network, the question becomes: how much can they reach? In most small business environments, the answer is “almost everything,” because access tends to accumulate over time without being cleaned up.
Least privilege access means each account gets only what it needs to do its job, nothing more. Separation of privileges means admin accounts are kept distinct from everyday user accounts, so a compromised regular account doesn’t hand over control of critical systems.
These two principles together shrink what an attacker can do with a single compromised login.
Practical moves:
Keep administrative accounts completely separate from the accounts employees use day-to-day. Eliminate shared logins and broad “everyone has access” groups that no longer reflect how your business actually operates. Limit access to administrative tools to only the specific people and devices that genuinely require them. When an employee changes roles or leaves, update their access immediately rather than leaving it in place.
This doesn’t require a complex overhaul. It requires a deliberate review of who has access to what, and a commitment to cutting what isn’t needed.
Our managed IT services include regular access reviews as part of ongoing security management, because access creep is one of the most common and most overlooked risks we find in small business environments.
Step 3: Close the Gaps Attackers Are Counting On
Attackers look for the path of least resistance. Unpatched software, outdated remote access tools, and internet-facing systems with known vulnerabilities are all invitations.
The challenge for small businesses isn’t awareness. Most business owners know patching matters. The challenge is consistency. Patches get delayed, third-party applications get overlooked, and exceptions accumulate quietly until the environment is significantly more exposed than anyone realizes.
Making patch management measurable is what closes that gap.
Set clear guidelines for how quickly different types of vulnerabilities get addressed: critical patches within 24 to 48 hours, high-risk issues within a week, everything else on a defined schedule. Prioritize internet-facing systems and remote access infrastructure, since those are the most likely entry points. And cover third-party applications alongside the operating system, because browsers, PDF readers, and common business software are frequent targets that often get skipped.
If you can point to a report that shows what was patched, when, and what exceptions exist and why, you have a patch management process. If you can’t, you have a hope and a schedule.
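The paragraph above describes the guidelines (critical within 48 hours, high within a week, internet-facing systems first, third-party applications included) but not how to turn them into the report it asks for. The script below is an added example, not Z-JAK’s tooling: it takes a list of findings with discovery and patch dates and sorts them into on-time, late, overdue, open-within-SLA, and documented exceptions. The 48-hour and 7-day windows are from the text; the 30-day window for medium and low, the rule that an internet-facing system is treated one severity level stricter, and the sample findings are assumptions.

```python
"""Patch SLA compliance report (added example, not Z-JAK's tooling).

Turns a list of vulnerability findings into the report Step 3 asks for:
what was patched, when, what is overdue, and which exceptions exist and why.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# SLA windows. 48 h and 7 d come from the post; 30 d is an assumed default
# for "everything else on a defined schedule".
SLA = {
    "critical": timedelta(hours=48),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=30),
}
LEVELS = ["low", "medium", "high", "critical"]

# Fixed "now" so the report is reproducible (assumed date).
AS_OF = datetime(2025, 6, 10, 9, 0)


@dataclass
class Finding:
    host: str
    component: str              # OS or third-party app that needs the patch
    severity: str               # critical / high / medium / low
    internet_facing: bool
    discovered: datetime
    patched: Optional[datetime] = None
    exception: Optional[str] = None   # documented reason a patch is deferred


def effective_severity(f: Finding) -> str:
    """Assumed policy: internet-facing systems are treated one level stricter,
    so an internet-facing 'high' must be fixed on the 'critical' clock."""
    idx = LEVELS.index(f.severity)
    if f.internet_facing:
        idx = min(idx + 1, len(LEVELS) - 1)
    return LEVELS[idx]


def deadline(f: Finding) -> datetime:
    return f.discovered + SLA[effective_severity(f)]


def status(f: Finding, now: datetime) -> str:
    """Classify one finding relative to its SLA deadline."""
    if f.exception:
        return "exception"
    due = deadline(f)
    if f.patched is not None:
        return "patched_on_time" if f.patched <= due else "patched_late"
    return "overdue" if now > due else "open_within_sla"


def report(findings: List[Finding], now: datetime) -> Dict[str, List[Finding]]:
    """Group findings by status; keys always exist so the report is complete."""
    buckets = {k: [] for k in
               ("patched_on_time", "patched_late", "overdue",
                "open_within_sla", "exception")}
    for f in findings:
        buckets[status(f, now)].append(f)
    return buckets


def sample_findings() -> List[Finding]:
    """Constructed data for the demonstration (not real hosts or dates)."""
    return [
        Finding("vpn-gw01", "SSL VPN firmware", "critical", True,
                datetime(2025, 6, 1, 8, 0), patched=datetime(2025, 6, 2, 10, 0)),
        Finding("fs01", "Windows Server", "high", False,
                datetime(2025, 6, 1, 8, 0), patched=datetime(2025, 6, 9, 12, 0)),
        Finding("ws-finance-03", "PDF reader", "medium", False,
                datetime(2025, 5, 1, 8, 0)),
        Finding("rdp-jump", "RDP gateway", "high", True,
                datetime(2025, 6, 8, 10, 0)),
        Finding("erp01", "legacy ERP", "high", False,
                datetime(2025, 5, 20, 8, 0),
                exception="vendor patch breaks ERP module; host moved to restricted VLAN"),
    ]


if __name__ == "__main__":
    for bucket, items in report(sample_findings(), AS_OF).items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            due = deadline(f).strftime("%Y-%m-%d %H:%M")
            extra = f" ({f.exception})" if f.exception else ""
            print(f"  {f.host:<14} {f.component:<18} "
                  f"{f.severity}->{effective_severity(f)} due {due}{extra}")
```

The point of the exception bucket is that a deferred patch is only acceptable when it carries a written reason and a compensating control; anything deferred without one falls into overdue, which is what the report should make impossible to miss.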
Step 4: Catch the Warning Signs Before Encryption Starts
Ransomware attacks leave footprints. Unusual login times, sign-ins from unknown devices or locations, a burst of failed logins followed by a success, account behavior that doesn’t match normal patterns, large amounts of data being accessed or moved, backup jobs being disabled, shadow copies deleted, or security tools switched off: these are warning signs that show up before encryption begins. The question is whether anyone is watching for them, and whether there’s a clear process for acting on them quickly.
Most small businesses don’t lack alerts. They lack a consistent process for turning those alerts into action before it’s too late.
A strong detection baseline includes endpoint monitoring that can flag suspicious behavior in near real time, centralized logging from sign-in activity and critical applications, and clear triage rules that separate “investigate now” from “review later.” The goal isn’t to build a security operations center. It’s to make sure that when something unusual happens, the right person knows about it fast enough to do something about it.
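To make the triage rules concrete, here is an added example (not Z-JAK’s tooling and not any vendor’s log schema) that runs the signals described above over a handful of constructed sign-in events and sorts each successful login into “investigate now”, “review later”, or normal. The JSON log format, the baseline of known devices and countries per user, the business-hours window, and the scoring weights are all assumptions chosen for the demonstration.

```python
"""Sign-in triage over constructed log lines (added example, not Z-JAK's tooling).

Flags the pre-encryption warning signs from Step 4: off-hours logins, unknown
devices or countries, a burst of failures followed by a success, and two
successful logins from different countries too close together to be real
travel. Each successful sign-in gets a score and a verdict.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)               # local hours treated as normal (assumed)
MAX_TRAVEL_GAP = timedelta(hours=2)    # two countries within this gap = impossible travel
FAILURE_BURST = 3                      # failures before a success that count as brute force

# Signal weights (assumed): score >= 3 is "investigate now", 1-2 "review later".
WEIGHTS = {
    "off_hours": 1,
    "new_device": 1,
    "new_country": 2,
    "impossible_travel": 3,
    "failures_then_success": 3,
}

# Known-good devices and countries per user (constructed baseline).
BASELINE = {
    "alice": {"devices": {"LT-ALICE"}, "countries": {"US"}},
    "bob": {"devices": {"LT-BOB"}, "countries": {"US"}},
}

# Constructed sign-in events, one JSON object per line. 2025-06-09 is a Monday.
SAMPLE_LOG = """\
{"ts": "2025-06-09T09:12:00", "user": "alice", "device": "LT-ALICE", "country": "US", "result": "success"}
{"ts": "2025-06-09T23:41:00", "user": "alice", "device": "LT-ALICE", "country": "US", "result": "success"}
{"ts": "2025-06-10T02:10:00", "user": "bob", "device": "UNKNOWN-7F2", "country": "NL", "result": "fail"}
{"ts": "2025-06-10T02:11:00", "user": "bob", "device": "UNKNOWN-7F2", "country": "NL", "result": "fail"}
{"ts": "2025-06-10T02:12:00", "user": "bob", "device": "UNKNOWN-7F2", "country": "NL", "result": "fail"}
{"ts": "2025-06-10T02:15:00", "user": "bob", "device": "UNKNOWN-7F2", "country": "NL", "result": "success"}
{"ts": "2025-06-10T03:05:00", "user": "bob", "device": "LT-BOB", "country": "US", "result": "success"}
"""


def parse(log_text):
    """Parse JSON lines into events sorted oldest-first."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def triage(events, baseline=BASELINE):
    """Return one finding per successful sign-in, in log order."""
    findings = []
    recent_failures = defaultdict(int)   # user -> failures since last success
    last_success = {}                    # user -> (timestamp, country)
    for e in events:
        user = e["user"]
        if e["result"] != "success":
            recent_failures[user] += 1
            continue
        signals = set()
        ts = e["ts"]
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]) or ts.weekday() >= 5:
            signals.add("off_hours")
        # A user with no baseline is treated as all-new, not silently trusted.
        known = baseline.get(user, {"devices": set(), "countries": set()})
        if e["device"] not in known["devices"]:
            signals.add("new_device")
        if e["country"] not in known["countries"]:
            signals.add("new_country")
        if recent_failures[user] >= FAILURE_BURST:
            signals.add("failures_then_success")
        prev = last_success.get(user)
        if prev and prev[1] != e["country"] and ts - prev[0] < MAX_TRAVEL_GAP:
            signals.add("impossible_travel")
        recent_failures[user] = 0
        last_success[user] = (ts, e["country"])
        score = sum(WEIGHTS[s] for s in signals)
        verdict = "investigate_now" if score >= 3 else ("review_later" if score else "normal")
        findings.append({"user": user, "ts": ts, "signals": sorted(signals),
                         "score": score, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']:<6} {f['verdict']:<16} "
              f"score={f['score']} {','.join(f['signals']) or '-'}")
```

Note that the last event, a login from bob’s normal laptop in his normal country, is still flagged: the impossible-travel check compares it with the attacker’s session from the Netherlands fifty minutes earlier. That is exactly the kind of correlation a single alert on the suspicious login would miss, and it is why the post recommends centralized sign-in logging rather than per-system alerts.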
Pairing detection with cybersecurity awareness training also matters here. Employees who can recognize and report a suspicious email or an unexpected account change become part of the detection system, not just potential entry points.
Step 5: Make Recovery Predictable Before You Need It
Even with strong defenses in place, every business should operate as if a ransomware attack is possible. The businesses that recover quickly aren’t the ones that got lucky. They’re the ones that engineered their recovery before anything went wrong.
Secure, tested backups are the foundation of that. Backups that can be reached and encrypted by an attacker provide almost no protection. Backups that have never been tested may not restore cleanly when you need them most. Both situations leave businesses in the same position: facing a difficult choice between paying a ransom and losing their data.
What secure, tested backups actually look like:
At least one copy of your backup data stored in a location that is isolated from your main environment, either offline or in immutable storage that uses separate credentials, so an attacker who compromises your network and your domain admin accounts can neither encrypt nor delete it. Regular restore drills that confirm your data can actually be recovered within the time your business can tolerate, not just that the backup job reports success. Clearly defined recovery priorities so your team knows which systems need to come back online first and in what order.
Recovery from a ransomware attack cost an average of $1.53 million in 2025, excluding any ransom payment, according to Sophos. That average covers organizations across the board, including many that already had backups and incident response plans. Organizations that don’t have those in place face a much harder road. The investment in getting this right before an incident is a fraction of the cost of recovering without it.
Our data backup and recovery services are designed to make sure that if the worst happens, recovery is a planned process rather than a crisis.
Ransomware Succeeds When Defenses Are Reactive
The businesses that get hit hardest by ransomware aren’t always the ones with the weakest technology. They’re the ones that never had a plan. When an attack hits, everything feels urgent, unclear, and improvised. Decisions get made under pressure that wouldn’t get made any other way.
A proactive ransomware defense plan changes that dynamic. Each of these five steps targets a different point in the attack timeline: initial access with stolen credentials, lateral movement once inside, exploitation of known vulnerabilities, the dwell time before encryption where detection is possible, and the recovery that follows. When all five are consistently in place, attackers face a much harder environment. When one layer fails, the next one is already there.
You don’t need to build all five at once. Start with the weakest area in your environment, fix it, confirm it’s working, and move to the next. That kind of steady progress is what separates businesses that manage ransomware as a contained risk from businesses that experience it as a crisis.
If you’d like help identifying where your biggest exposures are and building a practical plan to address them, reach out to the Z-JAK team. We work with small and mid-sized businesses across Louisville to put the right controls in place before something forces the issue.
Frequently Asked Questions
Do small businesses really need to worry about ransomware?
Yes, and the numbers are striking. Ransomware was involved in 88% of all data breaches at small and mid-sized businesses in 2025, according to Verizon’s DBIR. Attackers target smaller businesses specifically because defenses tend to be thinner and recovery resources more limited. The assumption that small businesses are too small to be worth attacking is one of the most dangerous misconceptions in cybersecurity today.
Should my business pay a ransom if we get hit?
Law enforcement guidance from the FBI and other agencies consistently recommends against paying. Paying the ransom doesn’t guarantee you’ll get your data back, and businesses that pay are frequently targeted again. Payments can also carry legal exposure if the recipient turns out to be a sanctioned entity, which is why the decision should involve counsel and your cyber insurer, not just IT. The better investment is building the backup and recovery capabilities that make paying unnecessary. That said, every situation is different, and the decision ultimately depends on the specific circumstances of the incident.
What’s the most common way ransomware gets into a small business?
Stolen or compromised credentials, phishing that harvests them, and unpatched vulnerabilities in internet-facing systems account for most initial access, with Verizon’s 2025 DBIR putting credential abuse and vulnerability exploitation at the top of the list. In most cases, the attacker doesn’t exploit a sophisticated technical flaw. They get in through a door that was left open, whether that’s a credential that was reused, an MFA method that could be bypassed, or a system that hadn’t been patched in months.
How often should we test our backups?
At minimum, quarterly. But for businesses that depend heavily on their data, monthly restore drills are worth the time. The goal isn’t just to confirm that backups are running. It’s to confirm that the right data can be restored to a working state within a timeframe your business can survive. Many organizations discover gaps in their backup coverage only when they actually try to restore, which is exactly the wrong time to find out.
What’s the difference between ransomware protection and general cybersecurity?
Ransomware protection is a focused subset of cybersecurity that targets the specific attack chain ransomware follows: initial access, lateral movement, data access, and encryption. General cybersecurity covers a broader range of threats. The five steps in this post address ransomware specifically, but several of them, including strong authentication, least privilege access, and patch management, also reduce risk from a wide range of other threats. The overlap is by design.
Let’s Build Your Ransomware Defense Plan Together
Knowing what to do and having it consistently in place are two different things. Z-JAK works with small and mid-sized businesses across Louisville to assess their current defenses, identify the gaps that matter most, and put practical controls in place that hold up under real conditions. Get in touch with our team today and let’s start with an honest look at where your business stands.
