Playbook: Ransomware Readiness for Small Business (The 3-2-1 Backup Rule and 6 More Steps)

Ransomware is not just about getting hacked. It is about whether your business can keep running after it happens. The companies that recover fast are not the ones that were impossible to breach. They are the ones that were ready. Here are seven steps that make a ransomware attack survivable, starting with the one that matters most.

1. Follow the 3-2-1 backup rule

This is the single most important control. Keep 3 copies of your important data, on 2 different types of media, with 1 copy kept offline or immutable (a copy that cannot be changed or deleted, even by an administrator). Ransomware that cannot reach your backups cannot hold them hostage.

2. Actually test a restore

A backup you have never restored is a guess, not a safety net. Once a quarter, pick a few files and a full system, and prove you can bring them back. Time how long it takes. That number is your real recovery time.
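The two checks above, the 3-2-1 inventory audit and the quarterly restore test, as an added Python illustration that is not part of the original playbook. It assumes a simple inventory of backup copies (name, media type, offline and immutable flags) and verifies a restore by hashing each live file against its restored twin while timing the pass; the sample data is constructed.

```python
import hashlib
import os
import tempfile
import time
from collections import namedtuple

# A copy's media and whether an administrator (or ransomware running as one) could still reach it.
BackupCopy = namedtuple("BackupCopy", "name media offline immutable")

def audit_321(copies):
    """Return the 3-2-1 requirements that this set of copies does NOT meet."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        gaps.append("fewer than 2 media types")
    if not any(c.offline or c.immutable for c in copies):
        gaps.append("no offline or immutable copy")
    return gaps

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def verify_restore(source_dir, restored_dir):
    """Hash every file under source_dir against its restored twin.
    Returns (relative paths that are missing or differ, seconds taken)."""
    start = time.perf_counter()
    bad = []
    for root, _, files in os.walk(source_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(restored_dir, rel)
            if not os.path.isfile(dst) or _sha256(src) != _sha256(dst):
                bad.append(rel)
    return sorted(bad), time.perf_counter() - start

def demo():
    """Constructed sample: two disk-only copies, then an immutable cloud copy, and a restore with a stale file."""
    weak = [BackupCopy("nas", "disk", False, False), BackupCopy("usb", "disk", False, False)]
    good = weak + [BackupCopy("bucket", "cloud", False, True)]
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "live"), os.path.join(tmp, "restored")
        os.makedirs(src)
        os.makedirs(dst)
        for d, payload in ((src, b"ledger v2"), (dst, b"ledger v1")):
            with open(os.path.join(d, "ledger.csv"), "wb") as f:
                f.write(payload)
        bad, _secs = verify_restore(src, dst)
    return audit_321(weak), audit_321(good), bad
```

The second value returned by `verify_restore` is the measured restore-check time; on a real quarterly test, record it as your actual recovery time.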

3. Turn on MFA, especially for remote access

Most ransomware gets in through a stolen password or an exposed remote login. Multi-factor authentication on email, remote access, and admin accounts shuts down the most common entry point. If you do not need Remote Desktop open to the internet, close it or put it behind a VPN.

4. Patch quickly

Attackers reuse known software flaws for months after a fix exists. Turn on automatic updates for operating systems and applications, and prioritize anything exposed to the internet.

5. Limit who has admin rights

Ransomware spreads with the privileges of the account it lands on. Day-to-day work should happen on standard accounts, with admin rights reserved for specific tasks. This alone limits how far an attack can travel.

6. Install reputable endpoint protection

Modern endpoint detection and response tools can spot and stop the behavior of ransomware before it finishes encrypting. For a small business, a managed option means someone is watching even when you are closed.

7. Write a one-page response plan

Decide now, while it is calm, who you call, who can authorize decisions, where the backups are, and how you will communicate if email is down. Tape it somewhere you can find it without a computer. In a real incident, this page saves hours.

To see how these gaps play out in real life, read how one forgotten remote login locked a dental practice out for nine days.