Why ransomware readiness is non-negotiable
Ransomware remains one of the most likely and most damaging cyber threats for UK mid-market organisations. Attackers target backups, escalate privileges, and only then deploy encryption—so "we have backups" is necessary but not sufficient. Insurers and auditors now routinely ask for evidence of isolated backups, tested restore, MFA, and incident response. This checklist aligns with NCSC and insurer expectations.
Before an attack: prevention and resilience
- Backups are isolated from production (air-gapped or immutable) and tested regularly — If backups live on the same network or can be deleted by the same account that runs production, they are at risk. Test restores at least quarterly; document results.
- Critical assets and recovery priorities are documented (RTO/RPO) — Recovery Time and Recovery Point Objectives for key systems. Without this, you cannot prioritise or prove you can recover.
- Patch and vulnerability management is in place for internet-facing systems — Known vulnerabilities in exposed systems are the primary entry point. Evidence: a patch policy, a patching schedule, and records showing that patches were actually applied on schedule.
- Email and endpoint protection (e.g. MFA, EDR) are deployed and monitored — MFA on all cloud and remote access; EDR or equivalent with alerting. Weak signal: MFA only on "important" systems.
- Staff receive regular security awareness training, including phishing simulation — Training at least annually; simulated phishing with metrics and follow-up. Document completion and trends.
When it happens: response readiness
- Incident response plan includes a ransomware playbook and offline contact list — Who to call (internal lead, insurer, legal, comms); what to do in the first hours; contact list available offline.
- Decision-makers know who to call (internal lead, insurer, legal, comms) — Not just "IT." Run a tabletop so the exec team knows the drill.
- You have a process to preserve evidence and notify regulators (ICO) if required — Don't destroy evidence in a panic. Know your ICO notification obligations for personal data breaches.
What insurers and assessors typically want to see
Governance (board-level ownership, regular review), technical controls (MFA, patching, isolated backup, tested restore), and evidence—not assertions. A one-page checklist is a start; closing gaps and documenting progress is what counts.
Discuss your ransomware readiness with our team—we help organisations harden defences and test response plans. Or take our Ransomware Readiness Score for an instant gap view.