Axia Computer Systems Ltd

Guide

Ransomware protection for UK SMEs: a practical playbook

How to prevent, contain and recover from a ransomware attack — the controls that matter, the ones that don't, and a 30/60/90-day plan a 25–100 person business can actually follow.

Ransomware is the bogeyman of UK IT — and for good reason. In 2024 it remained the single most disruptive cyber event for small and mid-sized businesses, with average recovery costs (excluding any ransom paid) routinely running into five figures, and into six for businesses that didn't have tested backups.

But it's also the threat where sensible preparation pays off most. The businesses that come through a ransomware incident intact are almost never the ones with the most expensive security stack — they're the ones that did the unglamorous work in advance. This guide is the unglamorous work.

What "ransomware protection" actually means

It isn't one thing. It's three layers that behave differently when something goes wrong:

  1. Prevention — stop the attacker getting in.
  2. Containment — slow the blast radius once they're in.
  3. Recovery — get the business back up without paying.

Spending only on prevention is the most common SME mistake. Prevention will fail eventually — the question is whether you recover in 24 hours or in 24 days.

Prevention: the controls that actually block ransomware

Email — the single biggest entry point

  • An email security gateway with sandboxing (not just signature-based filtering).
  • DMARC, SPF and DKIM configured on your domain — many ransomware loaders arrive as spoofed "partnership" or "invoice" emails that look internal.
  • External recipient warnings in Outlook/Gmail to make unexpected invoices obvious.

Identity

  • Multi-factor authentication on everything — email, VPN, file share, finance systems, admin consoles. No exceptions for "trusted" users.
  • Conditional access: block sign-ins from countries you don't operate in.
  • No standing admin rights. Admin accounts separate from day-to-day accounts.

Endpoints

  • Modern endpoint detection & response (EDR), not just traditional antivirus. EDR is the difference between catching an attacker in hour one and finding out about them two weeks later.
  • Patching SLA: critical and high-severity updates applied within 14 days (this is also your Cyber Essentials obligation).
  • RDP and other remote administration ports closed on the firewall — including for "temporary" supplier access.

Users

  • Short, regular phishing simulations with immediate coaching for failures.
  • A clear "report this email" button in Outlook and an actual human who reads responses.
  • Annual refresher training that is relevant, not a 40-minute corporate video nobody watches.

Containment: assume the attacker is already inside

Modern ransomware operators spend days or weeks moving sideways before they encrypt anything. Your containment posture needs to assume they're already in a user's mailbox or a developer's workstation.

  • Network segmentation. Finance, file servers, domain controllers and backups should not live on the same flat network as general office users.
  • Privileged Access Workstations. Admins do not browse the web or read email from accounts that can change domain and backup settings.
  • EDR with network isolation. When EDR flags a host, your IT team (or your MSP) can pull it off the network in seconds, not hours.
  • An "assume breach" playbook. A short, rehearsed runbook for the first 60 minutes after a credible alert: who is called, what is disabled, what is preserved for forensics.

Recovery: where most SMEs win or lose

This is where ransomware either costs you a long weekend or a long quarter. There are five things that must be truebefore an incident:

  1. Backups exist. Obvious — but check yours ran last night.
  2. Backups are isolated. Offline or immutable. Ransomware specifically targets backup systems first. If your backup share is just another mapped drive, it's already lost.
  3. Backups are tested. A backup you have never restored from is a hope, not a backup.
  4. Restoration time is known. For each critical system: how long to restore, and from where.
  5. The business can operate without IT for 24–72 hours. Paper orders, manual payroll, a pre-printed contact list. Ransomware is increasingly used as part of double-extortion plays that include DDoS — having non-IT continuity is real resilience.

Target the 3-2-1-1-0 model: three copies of data, on two different media, one offsite, one immutable or air-gapped, and zero unverified restores.

Should you pay the ransom?

Our strong recommendation: don't plan to. Paying does not guarantee decryption, does not guarantee the data isn't leaked, and may breach sanctions depending on the actor. It also makes you a confirmed-paying target for the next crew.

Build your recovery plan around not paying. If you ever end up considering it despite that, the decision belongs to the board and your insurers — not your IT team, and certainly not at 02:00 on a Saturday.

A realistic 30/60/90-day plan

First 30 days — close the obvious holes

  • Enforce MFA on every cloud service and VPN.
  • Confirm backups are running and isolated. Verify at least one full restore end-to-end.
  • Close inbound RDP and other unmanaged remote access.
  • Remove standing admin rights.

Days 31–60 — make incident response real

  • Deploy or upgrade EDR with network isolation capability.
  • Write the 60-minute incident runbook. Print it. Tape it to the wall.
  • Brief the leadership team: who calls whom, when, and how decisions get made.
  • Run a tabletop exercise. Pick a date this quarter and put it in the diary before the diary fills up.

Days 61–90 — embed and test

  • Network segmentation for finance, identity and backup systems.
  • Phishing simulation programme live, with monthly reporting to leadership.
  • Backup restore drill against a critical system (file server, finance system, ERP).
  • Cyber insurance reviewed, with the recovery plan actually shared with the underwriter.

The brutal truth about ransomware

No checklist stops every attack. What stops ransomware from becoming an existential event is the boring work — tested backups, MFA everywhere, EDR with isolation, segmented networks, rehearsed response. Most of the SMEs we work with that came through a real incident intact had done most of those things in advance.

Need help building your ransomware plan?

We help SMEs across Hertfordshire, Bedfordshire and London put ransomware defences in place — and, more importantly, keep them tested. If you want a gap review against the controls in this guide, get in touch.

Ready to talk?

Discuss your IT requirements with our team. Call 01923 333111 or send us a message.

Authorised trading partners