A practical ransomware readiness guide for SMEs: backups, recovery testing, response steps, and how to reduce impact.
Ransomware Readiness for SMEs: Backups, Recovery, and Response
Ransomware isn’t just a “big company” problem. SMEs are targeted because attackers know many businesses:
- don’t test backups
- have inconsistent patching
- rely heavily on email and cloud tools
- don’t have a clear incident response plan
For London and Manchester SMEs, the real question isn’t “Will we ever be targeted?” It’s: How quickly can we recover if the worst happens?
This guide focuses on practical readiness—what to put in place, what to test, and what to do if you suspect an incident.
Amazing Support is a multi-award winning, Microsoft Partner and Cyber Essentials certified provider supporting SMEs across London, Greater London and Manchester.
1) Prevention: reduce the chance of infection
Ransomware often starts with:
- phishing
- stolen credentials
- unpatched devices
- exposed remote access
Baseline prevention controls:
- MFA everywhere (especially admin accounts)
- strong email filtering + user reporting process
- patching discipline with visibility
- endpoint protection managed centrally
- least-privilege access (users shouldn’t be local admins)
2) Backups: what “good” looks like (and what doesn’t)
Backups are your recovery lifeline—but only if they’re:
- protected from deletion
- tested
- aligned to what the business actually needs
A practical backup baseline:
- identify critical systems and data (including Microsoft 365)
- set retention that matches risk (30/60/90/365 days depending on needs)
- ensure backups are isolated/immutable where possible
- test restores regularly (file-level and system-level)
Common failure mode: “Backups are running” but restores haven’t been tested—or the restore time is unacceptable.
3) Recovery: define RPO and RTO (in plain English)
Two useful concepts:
RPO (Recovery Point Objective) = how much data you can afford to lose (time window)
RTO (Recovery Time Objective) = how long you can afford to be down
Examples:
- If your RPO is 24 hours, losing a day of work is acceptable (many businesses can’t accept this).
- If your RTO is 4 hours, you need a recovery plan that can realistically hit that.
This is where many SMEs discover their current setup doesn’t match their expectations.
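As an added illustration (not code from this guide or its authors), the Python check below compares a backup inventory against the RPO and RTO targets described above and flags restores that are untested or were last tested more than a quarter ago. The system names, timestamps, gap labels and the 90-day threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_TEST_AGE = timedelta(days=90)  # assumption: "at least quarterly" restore tests

@dataclass
class System:
    name: str
    rpo: timedelta                          # agreed maximum data-loss window
    rto: timedelta                          # agreed maximum downtime
    last_backup: datetime                   # last successful backup
    last_restore_test: Optional[datetime]   # None = never tested
    measured_restore: Optional[timedelta]   # how long the last test restore took

def readiness_gaps(s: System, now: datetime) -> List[str]:
    """Return the ways this system currently misses its recovery targets."""
    gaps = []
    if now - s.last_backup > s.rpo:
        gaps.append("rpo_exceeded")        # newest backup is older than the RPO
    if s.last_restore_test is None or s.measured_restore is None:
        gaps.append("restore_untested")    # "backups are running" but unproven
    else:
        if now - s.last_restore_test > MAX_TEST_AGE:
            gaps.append("restore_test_stale")
        if s.measured_restore > s.rto:
            gaps.append("rto_exceeded")    # restore works, but too slowly
    return gaps

# Constructed sample inventory (not real data).
NOW = datetime(2024, 6, 1, 9, 0)
INVENTORY = [
    System("file-server", timedelta(hours=24), timedelta(hours=4),
           NOW - timedelta(hours=6), NOW - timedelta(days=20), timedelta(hours=3)),
    System("accounts-db", timedelta(hours=4), timedelta(hours=4),
           NOW - timedelta(hours=23), NOW - timedelta(days=30), timedelta(hours=9)),
    System("m365-mailboxes", timedelta(hours=24), timedelta(hours=8),
           NOW - timedelta(hours=2), None, None),
    System("crm", timedelta(hours=24), timedelta(hours=8),
           NOW - timedelta(hours=10), NOW - timedelta(days=200), timedelta(hours=5)),
]

def report(inventory, now):
    """Map each system name to its list of readiness gaps (empty = on target)."""
    return {s.name: readiness_gaps(s, now) for s in inventory}

if __name__ == "__main__":
    for name, gaps in report(INVENTORY, NOW).items():
        print(f"{name:16} {'OK' if not gaps else ', '.join(gaps)}")
```

Feeding it real figures from backup job logs and timed restore tests turns "backups are running" into a per-system statement of whether the agreed targets are actually met.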
4) Response: what to do in the first hour
If you suspect ransomware or a major compromise:
- Isolate affected devices (disconnect from network/Wi‑Fi)
- Disable compromised accounts and reset credentials
- Preserve evidence (don’t wipe everything immediately)
- Assess scope (what systems are affected?)
- Communicate internally (clear instructions to staff)
- Engage your IT/security partner to lead containment and recovery
Speed matters. Confusion costs time—and time increases impact.
5) After the incident: harden and prevent repeat attacks
Post-incident work should include:
- root cause analysis (how did it happen?)
- patching and configuration improvements
- stronger identity controls
- improved monitoring and alerting
- user training refresh
- backup strategy improvements
Quick FAQs
Does Microsoft 365 protect us from ransomware?
It helps, but it’s not a complete ransomware strategy. You still need strong identity controls, device security, and a backup/recovery plan.
How often should we test backups?
At least quarterly for most SMEs—more often for higher-risk environments.
What’s the biggest ransomware mistake SMEs make?
Assuming backups will work without testing, and not having a clear first-hour response plan.
If you want to know how resilient your business really is, we can review your backup and recovery posture, test restore capability, and help you build a practical ransomware response plan.