Cybersecurity
Guide

Preventing Ransomware in the SMB: 8 Measures That Actually Work

SMBs are now the primary target for ransomware precisely because attackers assume their defences are weak. The good news: a handful of well-implemented measures stop the vast majority of attacks. Here are the 8 that deliver the most protection per euro.

Jul 11, 2026
9 min read
Preventing Ransomware in the SMB: 8 Measures That Actually Work

Preventing Ransomware in the SMB: 8 Measures That Actually Work

Ransomware is no longer a big-enterprise problem. SMBs are now the primary target, precisely because attackers assume smaller companies have weaker defences and will pay quickly to get back to work. The average ransomware incident costs a Dutch SMB well over EUR 100,000 once you count downtime, recovery, lost orders and reputation, and paying the ransom rarely restores everything cleanly.

The encouraging part: most attacks are not sophisticated. They exploit a stolen password, an unpatched server or a careless click. A handful of well-implemented measures stops the vast majority. Here are the 8 that deliver the most protection per euro.

1. Multi-factor authentication (MFA) everywhere

Stolen and reused passwords are the number-one entry point. MFA, a code or app approval on top of the password, blocks the overwhelming majority of account-takeover attacks. Turn it on for email, VPN, remote access and every admin account, without exception. Prefer an authenticator app or hardware key over SMS. This single measure is the highest-impact thing most SMBs can do this week.

2. Backups you have actually tested (the 3-2-1 rule)

When prevention fails, backups are what save you. Follow 3-2-1: three copies of your data, on two different media, with one copy offline or immutable (so ransomware cannot encrypt it too). Critically: test your restores. A backup you have never restored is a hope, not a plan. Note that Microsoft 365 data needs its own backup. Microsoft does not protect you against deletion or ransomware the way people assume.

3. Patch fast, especially internet-facing systems

Attackers scan the internet for known vulnerabilities within hours of disclosure. Keep operating systems, firewalls, VPNs and applications patched, and prioritise anything exposed to the internet. Automate updates where you can, and put a process around servers and network gear that cannot auto-update. Unpatched VPN and firewall appliances are a recurring cause of Dutch SMB breaches.

4. Modern endpoint protection (EDR)

Traditional antivirus catches known malware. Ransomware often is not "known". EDR (Endpoint Detection and Response) watches behaviour (the rapid mass-encryption pattern of ransomware, for example) and can automatically isolate an infected device before it spreads across the network. For SMBs, managed EDR (monitored by your IT partner or a SOC) gives enterprise-grade detection without needing your own security team.

5. Security awareness training

Most ransomware still starts with a person: a phishing email, a fake invoice, a malicious link. Regular, short awareness training plus simulated phishing measurably reduces click rates. Teach staff to recognise urgency, spoofed senders and unexpected attachments, and make it safe to report a suspected mistake immediately rather than hide it.

6. Least privilege and network segmentation

Ransomware spreads by using the permissions of whatever account it lands on. Apply least privilege: nobody uses an admin account for daily work, and access is limited to what each role needs. Segment your network so a compromised laptop cannot reach servers, backups and every other device unhindered. This dramatically limits the blast radius of any single infection.

7. Secure remote access and email

Two channels dominate as entry points:

  • Remote access: never expose RDP directly to the internet. Use a VPN with MFA or a zero-trust access solution, and disable unused remote-access ports.
  • Email: enable spam/phishing filtering, and configure SPF, DKIM and DMARC so attackers cannot easily spoof your domain. Consider attachment sandboxing.

8. An incident response plan you have rehearsed

Assume something will get through one day. A short, practical incident response plan answers: who do we call, how do we isolate affected systems, where are the offline backups, how do we communicate, and, under NIS2, do we have a reporting duty (early warning within 24 hours)? Rehearse it once a year. The companies that recover fastest are the ones that decided what to do before the attack, not during it.

The priority order for a limited budget

If you can only do things in sequence, this order gives the most risk reduction first:

| Priority | Measure | Effort | Impact | |---|---|---|---| | 1 | MFA everywhere | Low | Very high | | 2 | Tested 3-2-1 backups | Medium | Very high | | 3 | Patch internet-facing systems | Medium | High | | 4 | Managed EDR | Medium | High | | 5 | Awareness training | Low | High | | 6 | Least privilege + segmentation | Medium | High | | 7 | Secure remote access + email auth | Medium | High | | 8 | Rehearsed incident plan | Low | High |

NIS2 makes this a legal duty

For many SMBs, these measures are no longer just good practice. Under NIS2 (the Cyberbeveiligingswet), in force in 2026, in-scope companies must take exactly these kinds of risk-based measures (MFA, backups, incident handling, supply-chain security) and report significant incidents within 24 hours, with director-level accountability. Getting the basics right protects you and moves you toward compliance at the same time.

FAQ

What is the single most important anti-ransomware measure? MFA everywhere. Stolen passwords are the most common entry point, and MFA blocks the vast majority of account-takeover attacks for very little cost.

Should we ever pay the ransom? Paying is discouraged: it funds crime, offers no guarantee of clean recovery, and marks you as a payer. Tested offline backups are what let you refuse. Report the incident to the police and, where applicable, under NIS2/AVG.

Do we need backups if everything is in Microsoft 365? Yes. Microsoft ensures platform availability but does not back up your data against ransomware or accidental deletion. Use a dedicated M365 backup with retention.

Is EDR really necessary for a small company? Increasingly, yes. Ransomware frequently evades traditional antivirus. Managed EDR gives an SMB behaviour-based detection and automatic isolation without needing an in-house security team.

Harden your defences

Want a clear picture of where your ransomware risk sits and how to close the gaps? Explore our Cybersecurity & Identity service for a security scan, or read NIS2 for SMBs to see how these measures map to the new law.

Ransomware
Cybersecurity
MKB
Backup

Related Articles

Cybersecurity

AI-Powered Cybersecurity: How Machine Learning Is Transforming Threat Detection

Cyberattacks are growing in volume and sophistication. AI-powered security tools are shifting the balance back to defenders. This article examines how Dutch organisations are using ML-driven SIEM, EDR, and threat intelligence to stay ahead.

Read More
Cybersecurity

NIS2 for SMBs: What the Law Means and What You Must Arrange

The Dutch Cyberbeveiligingswet (NIS2) lands in 2026 and brings duty of care, a 24-hour reporting duty and personal director liability. Here is who is in scope, what you must arrange, and a practical step-by-step plan for SMBs.

Read More
Managed IT

What Does Managed IT Cost for SMBs? Prices Per User (2026)

How much does managed IT support really cost for an SMB in the Netherlands? This guide breaks down price-per-user tiers, what each package includes, one-off and per-server costs, and how to compare quotes without surprises in 2026.

Read More

Need Help with Your IT Infrastructure?

Let's discuss how we can help transform your IT operations with modern solutions.