Ransomware Defence Plan in 5 Steps

18 Feb Ransomware Defence Plan in 5 Steps

Posted at 12:00h in Cybersecurity, TCT News by TCT

Ransomware isn’t a jump scare. It’s a slow build. In many cases, it begins days, or even weeks, before encryption, with something mundane, like a login that never should have succeeded. That’s why an effective ransomware defence plan is about more than deploying anti-malware. It’s about preventing unauthorised access from gaining traction. Here’s a five-step approach you can implement across your small-business environment without turning security into a daily obstacle course.

Why Ransomware Is Harder to Stop Once It Starts

Ransomware is rarely a single moment—it’s a process. Attackers usually gain access first, then increase their privileges, move through systems, access or steal data, and only encrypt files once they can cause maximum damage. By that stage, they often have valid credentials and elevated access, which lets them move faster than most teams can respond. As Microsoft puts it, attackers are no longer “breaking in”—they’re logging in.

That’s why relying on late‑stage defences rarely works. Once encryption starts, options are limited, and law enforcement and cybersecurity agencies consistently advise against paying ransoms because recovery is not guaranteed and payments encourage more attacks. There is no single tool that stops ransomware outright. The most effective defence breaks the attack chain early, limits how far an attacker can move, and ensures recovery is planned and predictable—before an incident ever occurs.

The 5-Step Ransomware Defence Plan

This ransomware defence plan is built to disrupt the attack chain early, contain the damage if access is gained, and ensure recovery is dependable. Each step is practical, easy to implement, and repeatable across small-business environments.

Step 1: Phishing-Resistant Sign-Ins

Most ransomware attacks still begin with stolen credentials, so strengthening how users sign in is the fastest way to reduce risk. Phishing‑resistant sign‑ins make it harder for attackers to reuse credentials even if a user is targeted. This means enforcing strong MFA across all accounts—starting with administrators and remote access—removing legacy authentication methods that bypass modern controls, and applying conditional access rules that trigger extra verification for high‑risk sign‑ins such as new devices, unusual locations, or elevated risk signals.

Step 2: Least Privilege + Separation

Least privilege ensures every account has only the access it needs to do its job, while separation keeps administrative privileges distinct from everyday user activity. Together, these controls limit how far an attacker can move if a login is compromised. In practice, this means using separate admin accounts, removing shared logins and overly broad access groups, and restricting administrative tools to only the specific people and devices that genuinely require them, in line with NIST guidance.

Step 3: Close known holes

Known holes are weaknesses attackers already know how to exploit, usually caused by unpatched systems, exposed services, or outdated software. Closing these gaps removes easy entry points before they can be abused. This requires clear patching standards that prioritise critical vulnerabilities, a focus on internet‑facing systems and remote access infrastructure, and consistent patching of third‑party applications—not just the operating system.

Step 4: Early detection

Early detection focuses on identifying ransomware behaviour before encryption spreads across systems and data. Rather than relying on user reports after damage is done, organisations need visibility into suspicious activity that enables fast containment. A strong baseline includes endpoint monitoring that can detect abnormal behaviour and clearly defined escalation rules so genuine threats are acted on immediately while lower‑risk alerts are reviewed appropriately.

Step 5: Secure, Tested Backups

Secure, tested backups ensure the business can recover without paying a ransom. Backups must be protected from attackers, isolated from the main environment, and proven to work before an incident occurs. This means maintaining at least one isolated backup copy, running regular restore tests, and defining recovery priorities in advance so critical systems and data are restored first in a controlled and predictable way.

Stay Out of Crisis Mode

Ransomware succeeds when environments are reactive, when everything feels urgent, unclear, and improvised. A strong ransomware defence plan does the opposite. It turns common failure points into predictable, enforced defaults. You don’t need to rebuild your entire security program overnight. Start with the weakest link in your environment, tighten it, and standardise it. When the fundamentals are consistently enforced and regularly tested, ransomware shifts from a headline-level crisis to a contained incident you’re prepared to manage. If you’d like help assessing your current defences and building a practical, repeatable ransomware protection plan, contact us today to schedule a consultation.

Robert Brown
18/2/2026