Ransomware and the SMB: A Practical Defence Playbook
- Ransomware
- SMB Security
- Incident Response
Ransomware remains one of the most damaging and disruptive threats facing businesses today, and small and medium-sized businesses (SMBs) are far from immune. If anything, attackers have increasingly shifted focus toward smaller organisations, recognising that they often carry valuable data but have fewer dedicated security resources. The good news is that the defences which work best against ransomware are not expensive or exotic. They are disciplined, consistent basics.
Why SMBs Are Attractive Targets
The assumption that attackers only go after large enterprises has proven dangerously wrong. SMBs are targeted precisely because they are perceived as easier entry points. A company with 50 employees is unlikely to have a 24-hour SOC or a dedicated incident response team. Many still rely on unpatched software, weak password policies, and infrequent backups - the combination ransomware groups depend on.
There is also the matter of the supply chain. Even if an SMB does not hold data that is valuable on its own, it may be a vendor, contractor, or technology partner to a larger organisation. Compromising the smaller company can be a stepping stone to the real target.
The Core Defences That Actually Work
Ransomware defence does not require an enterprise security budget. The following measures, applied consistently, block the majority of ransomware campaigns:
- Offline and offsite backups: Backups are your single most important ransomware defence. They must follow the 3-2-1 rule: three copies, on two different media types, with one stored offsite or air-gapped. Backups that are accessible from the same network as production systems will be encrypted along with everything else. Test restoration regularly - a backup you have never restored from is an untested assumption.
- Patch management: The majority of ransomware exploits known vulnerabilities, many of which have patches available. Prioritise patching internet-facing systems and operating systems. If legacy systems cannot be patched, isolate them from the rest of the network.
- Multi-factor authentication: Remote Desktop Protocol (RDP) and VPN access without MFA are among the most common ransomware entry points. MFA on all remote access and email accounts is non-negotiable.
- Email filtering and user training: Phishing remains the dominant delivery mechanism. A good spam filter catches a lot, but employees who can recognise and report suspicious emails provide a layer no technical control can replicate.
- Endpoint detection and response (EDR): Modern EDR tools, many of which are affordable for SMBs, can detect and block ransomware behaviour, such as mass file encryption, before it completes. Traditional antivirus alone is not sufficient.
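As an added illustration of the 3-2-1 rule and the restore-test advice above (example code, not from the original post or from Unity Software Solution), a small Python check that evaluates an inventory of backup copies against the rule and verifies a test restore against hashes recorded at backup time; the BackupCopy fields, the file manifest and the two sample backup sets are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

@dataclass
class BackupCopy:
    name: str
    media: str                   # "disk", "tape", "object-storage", ...
    offsite: bool                # stored away from the production site
    network_reachable: bool      # writable from the production LAN
    last_restore_test: datetime  # when a test restore was last performed
    restored: dict               # path -> bytes returned by that test restore

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_321(copies, manifest, now, max_test_age=timedelta(days=90)):
    """Return findings (empty = pass). manifest maps each protected path to the
    SHA-256 recorded at backup time, so restores are checked against that, not the live copy."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, 3-2-1 needs three")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies share one media type, need two")
    if not any(c.offsite or not c.network_reachable for c in copies):
        findings.append("no offsite or air-gapped copy: ransomware on the "
                        "production network can reach every copy")
    for c in copies:
        age = now - c.last_restore_test
        if age > max_test_age:
            findings.append(f"{c.name}: last restore test {age.days} days ago")
        for path, digest in manifest.items():
            if sha256(c.restored.get(path, b"")) != digest:
                findings.append(f"{c.name}: restore of {path} failed verification")
    return findings

# Constructed sample data: two files protected by the backup policy.
FILES = {"/srv/ledger.db": b"ledger v12", "/srv/contracts.zip": b"PK\x03\x04..."}
MANIFEST = {p: sha256(d) for p, d in FILES.items()}
NOW = datetime(2024, 6, 1)
GOOD_SET = [   # NAS + offsite tape + immutable cloud bucket, all recently tested
    BackupCopy("nas-onsite", "disk", False, True, NOW - timedelta(days=7), dict(FILES)),
    BackupCopy("tape-vault", "tape", True, False, NOW - timedelta(days=30), dict(FILES)),
    BackupCopy("cloud-immutable", "object-storage", True, False, NOW - timedelta(days=14), dict(FILES)),
]
WEAK_SET = [   # NAS plus a USB disk on the same LAN, untested for months, one file stale
    GOOD_SET[0],
    BackupCopy("usb-onsite", "disk", False, True, NOW - timedelta(days=200),
               {**FILES, "/srv/ledger.db": b"ledger v11"}),
]
```

Running `check_321(WEAK_SET, MANIFEST, NOW)` reports the missing third copy, the single media type, the absence of any offsite or air-gapped copy, the overdue restore test and the file that did not restore correctly, while the good set returns no findings.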
Preparing for the Worst: Incident Response Basics
Even with strong preventive measures, no organisation should assume it is immune. Having a basic incident response plan - even a simple, documented one - dramatically reduces the chaos and cost when something does go wrong.
At minimum, your plan should cover:
- Who gets notified first internally, and who has authority to take systems offline.
- Which systems are most critical to restore first.
- How to contact your internet service provider, cloud providers, and any cybersecurity insurance carrier.
- Whether you have legal obligations to notify customers or regulators after a breach.
The organisations that recover fastest from ransomware are those that practised the response before they needed it. A tabletop exercise - walking your team through a simulated attack scenario - costs nothing and surfaces gaps that paperwork alone will not reveal.
On the Question of Paying the Ransom
The official guidance from law enforcement agencies is consistent: paying the ransom does not guarantee data recovery, funds further criminal operations, and marks your organisation as a willing payer for future targeting. Prevention and backup-led recovery are the only reliable strategy.
Unity Software Solution helps SMB clients build resilient, security-conscious infrastructure - from hardened deployment environments to backup strategies and incident response planning - so a ransomware event never becomes a business-ending one.