
Ransomware Protection: A Real-World Guide for UK Businesses

<p>Ransomware protection wasn’t on anyone’s mind at a small accountancy firm in Birmingham when they opened the office on a Monday morning in early 2024. By 9:15, every shared drive was encrypted. A red screen demanded £40,000 in Bitcoin. Their backup? It was connected to the same network, so it got encrypted too. Three weeks of client records, gone. They paid. They never got the files back.</p>

<p>I wish that story were unusual. It’s not.</p>

<p>The <a href="https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks" target="_blank">NCSC</a> reported a sharp rise in ransomware incidents targeting UK small businesses through 2023 and into 2024. The numbers are hard to pin down exactly — somewhere around 40% of attacks now target firms with under 250 employees, though some surveys put it higher. Attackers have worked out that smaller companies are less likely to have proper defences and more likely to pay quickly because they can’t afford downtime.</p>

<h2>Why Ransomware Protection Fails in Practice</h2>

<p>Most businesses think they’re covered because they have antivirus software. That’s a bit like thinking you won’t get burgled because you have a doorbell camera. Antivirus catches known threats — signatures it’s already seen. Modern ransomware changes its signature constantly, sometimes with every single deployment. The toolkits attackers buy on dark web marketplaces generate unique variants automatically.</p>

<p>There’s also a timing problem. Ransomware doesn’t always detonate immediately. Some strains sit dormant for weeks, mapping the network, identifying backups, checking for admin credentials. By the time the encryption kicks in, the attacker already knows where everything is. Your “clean” backup from last Tuesday might already contain the payload.</p>

<p>One thing I’ve noticed from years of cleaning up after these incidents: the entry point is almost always boringly predictable. A <a href="https://1st-it.com/it-compliance-services/cyber-essentials-checklist/">phishing email</a> that someone clicked. An RDP port left open to the internet. A VPN appliance that hadn’t been patched since it was installed three years ago. Nothing sophisticated. Just neglected basics.</p>

<h2>Building Ransomware Protection That Actually Works</h2>

<p>Offline backups are the single most effective defence. Not cloud-synced folders — those get encrypted too. I mean genuinely disconnected backups. An external drive that’s plugged in for the backup window and then physically removed. Or an immutable cloud backup that can’t be overwritten or deleted, even with admin credentials. This is the one thing that separates businesses that recover from those that don’t.</p>
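<p>A backup is only useful if the copy you are about to disconnect is not already damaged. The following is an added example, not part of the original article: it compares two backup generations and flags the pattern bulk encryption leaves behind (most files changed at once, previously readable files now looking like random bytes). The file names, thresholds and function names are assumptions chosen for illustration.</p>

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: Path) -> dict:
    """Map each relative path to (sha256, entropy of the first 64 KiB)."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            out[str(p.relative_to(root))] = (
                hashlib.sha256(data).hexdigest(), entropy(data[:65536]))
    return out

def audit(prev: dict, curr: dict, max_changed=0.5, high_entropy=7.5) -> dict:
    """Compare two backup generations and flag signs of bulk encryption."""
    common = prev.keys() & curr.keys()
    changed = [f for f in common if prev[f][0] != curr[f][0]]
    # Files that were low-entropy (plain text, CSV) and are now near-random.
    scrambled = [f for f in changed
                 if curr[f][1] >= high_entropy and prev[f][1] < high_entropy]
    ratio = len(changed) / len(common) if common else 0.0
    missing = sorted(prev.keys() - curr.keys())  # renamed or deleted files
    suspicious = ratio > max_changed or bool(scrambled)
    return {"changed_ratio": ratio, "scrambled": sorted(scrambled),
            "missing": missing, "suspicious": suspicious}

def demo() -> dict:
    """Constructed sample: three text files, two replaced by random bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "gen1"), Path(tmp, "gen2")
        for d in (old, new):
            d.mkdir()
            for name in ("ledger.csv", "clients.txt", "notes.txt"):
                (d / name).write_text("client,amount\n" * 500)
        for name in ("ledger.csv", "clients.txt"):
            (new / name).write_bytes(os.urandom(7000))
        return audit(build_manifest(old), build_manifest(new))
```

<p>Compressed formats (ZIP archives, JPEGs, modern Office files) are high-entropy even when healthy, which is why a file is only flagged when it moves from low to high entropy between generations. Keep the previous manifest somewhere the backup job cannot write to.</p>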

<p>Patch management is the second priority. Not glamorous, I know. But that Fortinet VPN vulnerability from 2023 — the one that was all over the news — was still being exploited months after the patch was released, simply because people hadn’t applied it. Attackers scan for known vulnerabilities constantly. If your systems are behind on patches, you’re essentially advertising an open door.</p>

<p>Then there’s email filtering. A decent mail gateway with attachment sandboxing will catch most phishing attempts before they reach inboxes. Combine that with staff training — not a one-off webinar, but regular, short simulations — and you’ve closed the most common entry point. The <a href="https://ico.org.uk/for-organisations/report-a-breach/" target="_blank">ICO</a> looks at whether you took reasonable precautions when assessing breach reports. Having documented training helps your case.</p>

<h2>The Part Nobody Wants to Hear</h2>

<p>Even with solid ransomware protection, there’s no guarantee. That’s the uncomfortable reality. A determined attacker with enough time and resources can breach almost any target. Zero-day exploits exist. Social engineering works on smart people too. The goal isn’t to become impenetrable — it’s to make yourself a harder target than the company next door.</p>

<p>I think the biggest mistake businesses make is treating cybersecurity as a one-off project. You buy a firewall, tick the box, move on. But ransomware protection is ongoing — it’s patching, monitoring, testing backups, updating training. The firms that recover quickly aren’t the ones with the most expensive tools. They’re the ones that practiced.</p>

<p>If you’re not sure where your gaps are, a <a href="https://1st-it.com/cyber-security-audits/">cyber security audit</a> is the fastest way to find out. Not to sell you something — but because you can’t fix what you can’t see. And right now, the attackers can see a lot more of your network than you probably think.</p>
