Operational resilience

The ransomware readiness checklist

A practical readiness checklist covering the four stages of ransomware defence: reducing the chance of entry, limiting the spread, recovering without paying, and responding when it happens, with the questions a board should be able to answer.

By the Threat Protect editorial team · 9 min read · Updated 9 June 2026

Ransomware remains the incident most likely to take a mid-market company offline, and the one boards ask about most. Readiness is not a single product; it is four stages working together: making entry hard, limiting how far an intruder can spread, being able to recover without paying, and responding calmly when it happens. This checklist walks through all four and the questions a board should be able to answer about each.

Stage 1: Reduce the chance of entry

Most ransomware enters through a small number of well-understood routes. Close them:

  • Multi-factor authentication everywhere, especially on email, remote access and administrative accounts. This alone blocks the majority of credential-based intrusions.
  • Patch internet-facing systems promptly. Exposed, unpatched services are actively scanned for and exploited within days of a vulnerability becoming public.
  • Security awareness training with realistic phishing simulation, so people recognise and report the lures rather than clicking them.
  • Email and web filtering to stop the common delivery methods before they reach a person.

Board question: how would an attacker most likely get in, and what specifically stops them?

Stage 2: Limit the spread

Entry is not the same as catastrophe. What turns a single compromised laptop into a company-wide outage is the ability to move freely once inside. Contain it:

  • Network segmentation, so a foothold in one area cannot reach everything.
  • Least-privilege access, so a compromised account cannot do company-wide damage.
  • Endpoint detection and response (EDR) that can spot and isolate malicious behaviour early.
  • Restricted administrative rights, since ransomware spreads fastest using admin credentials.

Board question: if one device were compromised tonight, how far could the attacker realistically get?

Stage 3: Recover without paying

This is the stage that decides whether ransomware is a catastrophe or a hard week. The whole point of the controls is to make paying unnecessary:

  • Isolated backups that an attacker who controls your network cannot reach or encrypt (offline or immutable).
  • Recent backups, with a retention window that outlasts the time an attacker may have been dwelling undetected.
  • Restore tested in the last twelve months. This is the step most often skipped and most often regretted. An untested backup is a hope.
  • A documented recovery order, so you restore the systems the business needs first.

Board question: could we recover from clean backups without paying, and when did we last actually prove it?
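One way to make the Stage 3 items checkable rather than aspirational, as an added example that is not from the original article: a small Python readiness check that reports which of the four backup items a company currently fails. The twelve-month restore-test limit follows the checklist; the 60-day assumed dwell time and the two sample postures are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Thresholds for the Stage 3 items. The restore-test limit is the checklist's
# twelve months; the dwell-time figure is an assumption for the example.
RESTORE_TEST_MAX_AGE = timedelta(days=365)
ASSUMED_DWELL = timedelta(days=60)
SAMPLE_TODAY = date(2026, 6, 9)  # constructed evaluation date


@dataclass
class BackupPosture:
    isolation: str                      # "offline", "immutable" or "online"
    retention: timedelta                # how far back restorable copies go
    last_restore_test: Optional[date]   # None if a restore was never proven
    recovery_order_documented: bool


def stage3_gaps(p: BackupPosture, today: date) -> List[str]:
    """Return the Stage 3 checklist items this posture fails, in checklist order."""
    gaps = []
    if p.isolation not in ("offline", "immutable"):
        gaps.append("backups reachable from the network (neither offline nor immutable)")
    if p.retention <= ASSUMED_DWELL:  # retention must outlast undetected dwell
        gaps.append(f"retention {p.retention.days}d does not outlast assumed dwell {ASSUMED_DWELL.days}d")
    if p.last_restore_test is None:
        gaps.append("restore never tested")
    elif today - p.last_restore_test > RESTORE_TEST_MAX_AGE:
        gaps.append(f"last restore test {(today - p.last_restore_test).days}d ago (limit {RESTORE_TEST_MAX_AGE.days}d)")
    if not p.recovery_order_documented:
        gaps.append("no documented recovery order")
    return gaps


def can_recover_without_paying(p: BackupPosture, today: date) -> bool:
    return not stage3_gaps(p, today)


# Constructed sample postures: one that fails every item, one that passes.
def sample_weak() -> BackupPosture:
    return BackupPosture("online", timedelta(days=30), None, False)


def sample_ready() -> BackupPosture:
    return BackupPosture("immutable", timedelta(days=90), date(2025, 10, 1), True)


if __name__ == "__main__":
    for name, p in (("weak", sample_weak()), ("ready", sample_ready())):
        print(name, stage3_gaps(p, SAMPLE_TODAY) or "no Stage 3 gaps")
```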

Stage 4: Respond when it happens

Even well-defended companies can be hit. A calm, practised response limits the damage:

  • An incident response plan naming the first ten actions in the first hour and who makes which decisions.
  • A tested plan. A tabletop exercise in the last year is what makes the plan real under pressure.
  • Clear roles, including who talks to staff, clients, regulators and, where relevant, law enforcement and the insurer.
  • A considered position on payment, decided in advance with legal counsel rather than improvised in crisis. Paying carries no guarantee of recovery and real legal risk.

Board question: what is the first hour, who is in the room, and when did we last rehearse it?

Turning the checklist into a plan

Few companies can answer all four board questions with evidence the first time, and that is the value of running through the checklist: it shows you exactly where the readiness gaps are. From there, a Cyber Assurance Assessment turns the gaps into a ranked, costed roadmap, managed security provides the round-the-clock detection and response behind stages 2 and 4, and continuous compliance keeps the backup tests and the plan exercises on a schedule rather than forgotten until it is too late.

If you would like the ransomware readiness checklist as a single page for your next leadership meeting, send a note. To pressure-test your own readiness with a senior advisor, book a 30-minute call.


Frequently asked

Questions readers ask before getting in touch.

  • Backups that are isolated, recent and proven by an actual restore test. They are what lets you recover without paying, which is the outcome that turns a catastrophe into a serious but survivable incident. A backup that has never been restored is a hope, not a control, and ransomware operators specifically target backups they can reach.

Talk to us

Want to talk through how this applies to your company?

A 30-minute call with a senior advisor. No pitch. We will read your situation against what is in this piece and tell you the smallest sensible next step.