Ransomware is no longer about a single encrypted laptop. Modern crews spend days inside an environment quietly, exfiltrating data, killing backup jobs and pivoting to admin accounts before they trigger the ransom note. Preparing for that requires controls across prevention, recovery and response.

1. Prevention

EDR on every endpoint and server.
Patch operating systems and third-party software on a defined cadence.
MFA on every account, with Conditional Access on top.
Block legacy authentication and risky protocols.
Phishing-resistant MFA for admins, on dedicated admin accounts.

2. Tested backups

The single biggest determinant of recovery cost is the quality of your backups. We require, for every client:

3-2-1 — three copies, two media, one off-site.
Immutable storage that attackers cannot delete.
Microsoft 365 backup independent of the tenant being protected.
Documented RTO/RPO, with quarterly restore tests.

More detail in Why Backups Are Not Enough Unless You Test Recovery.

3. Least privilege

No standing Global Admin access — use Privileged Identity Management.
Local admin rights removed from end-user devices.
Service accounts scoped tightly, rotated and inventoried.

4. Detection

Ransomware leaves a trail before it detonates. Microsoft Sentinel and Defender for Endpoint flag the precursor behaviours — unusual login locations, mass file changes, suspicious PowerShell — early enough to act.

5. Incident response plan

Decide before the incident:

Who declares an incident.
Who is allowed to talk to attackers, insurers and regulators.
Where the offline copy of the IR plan lives.
The contact details of your IR partner, on paper.
A tabletop exercise at least once a year.

How MVT helps

Our cybersecurity and backup & DR practices cover this end-to-end — from the controls that keep attackers out, to the rehearsed recovery plan that gets the business back online if they do.

Book a ransomware readiness review →

How to Prepare Your Business for a Ransomware Attack