Preventing Ransomware in the SMB: 8 Measures That Actually Work
Ransomware is no longer a big-enterprise problem. SMBs are now the primary target, precisely because attackers assume smaller companies have weaker defences and will pay quickly to get back to work. The average ransomware incident costs a Dutch SMB well over EUR 100,000 once you count downtime, recovery, lost orders and reputation, and paying the ransom rarely restores everything cleanly.
The encouraging part: most attacks are not sophisticated. They exploit a stolen password, an unpatched server or a careless click. A handful of well-implemented measures stops the vast majority. Here are the 8 that deliver the most protection per euro.
1. Multi-factor authentication (MFA) everywhere
Stolen and reused passwords are the number-one entry point. MFA, a code or app approval on top of the password, blocks the overwhelming majority of account-takeover attacks. Turn it on for email, VPN, remote access and every admin account, without exception. Prefer an authenticator app or hardware key over SMS. This single measure is the highest-impact thing most SMBs can do this week.
2. Backups you have actually tested (the 3-2-1 rule)
When prevention fails, backups are what save you. Follow 3-2-1: three copies of your data, on two different media, with one copy offline or immutable (so ransomware cannot encrypt it too). Critically: test your restores. A backup you have never restored is a hope, not a plan. Note that Microsoft 365 data needs its own backup. Microsoft does not protect you against deletion or ransomware the way people assume.
3. Patch fast, especially internet-facing systems
Attackers scan the internet for known vulnerabilities within hours of disclosure. Keep operating systems, firewalls, VPNs and applications patched, and prioritise anything exposed to the internet. Automate updates where you can, and put a process around servers and network gear that cannot auto-update. Unpatched VPN and firewall appliances are a recurring cause of Dutch SMB breaches.
4. Modern endpoint protection (EDR)
Traditional antivirus catches known malware. Ransomware often is not "known". EDR (Endpoint Detection and Response) watches behaviour (the rapid mass-encryption pattern of ransomware, for example) and can automatically isolate an infected device before it spreads across the network. For SMBs, managed EDR (monitored by your IT partner or a SOC) gives enterprise-grade detection without needing your own security team.
5. Security awareness training
Most ransomware still starts with a person: a phishing email, a fake invoice, a malicious link. Regular, short awareness training plus simulated phishing measurably reduces click rates. Teach staff to recognise urgency, spoofed senders and unexpected attachments, and make it safe to report a suspected mistake immediately rather than hide it.
6. Least privilege and network segmentation
Ransomware spreads by using the permissions of whatever account it lands on. Apply least privilege: nobody uses an admin account for daily work, and access is limited to what each role needs. Segment your network so a compromised laptop cannot reach servers, backups and every other device unhindered. This dramatically limits the blast radius of any single infection.
7. Secure remote access and email
Two channels dominate as entry points:
- Remote access: never expose RDP directly to the internet. Use a VPN with MFA or a zero-trust access solution, and disable unused remote-access ports.
- Email: enable spam/phishing filtering, and configure SPF, DKIM and DMARC so attackers cannot easily spoof your domain. Consider attachment sandboxing.
8. An incident response plan you have rehearsed
Assume something will get through one day. A short, practical incident response plan answers: who do we call, how do we isolate affected systems, where are the offline backups, how do we communicate, and, under NIS2, do we have a reporting duty (early warning within 24 hours)? Rehearse it once a year. The companies that recover fastest are the ones that decided what to do before the attack, not during it.
The priority order for a limited budget
If you can only do things in sequence, this order gives the most risk reduction first:
| Priority | Measure | Effort | Impact | |---|---|---|---| | 1 | MFA everywhere | Low | Very high | | 2 | Tested 3-2-1 backups | Medium | Very high | | 3 | Patch internet-facing systems | Medium | High | | 4 | Managed EDR | Medium | High | | 5 | Awareness training | Low | High | | 6 | Least privilege + segmentation | Medium | High | | 7 | Secure remote access + email auth | Medium | High | | 8 | Rehearsed incident plan | Low | High |
NIS2 makes this a legal duty
For many SMBs, these measures are no longer just good practice. Under NIS2 (the Cyberbeveiligingswet), in force in 2026, in-scope companies must take exactly these kinds of risk-based measures (MFA, backups, incident handling, supply-chain security) and report significant incidents within 24 hours, with director-level accountability. Getting the basics right protects you and moves you toward compliance at the same time.
FAQ
What is the single most important anti-ransomware measure? MFA everywhere. Stolen passwords are the most common entry point, and MFA blocks the vast majority of account-takeover attacks for very little cost.
Should we ever pay the ransom? Paying is discouraged: it funds crime, offers no guarantee of clean recovery, and marks you as a payer. Tested offline backups are what let you refuse. Report the incident to the police and, where applicable, under NIS2/AVG.
Do we need backups if everything is in Microsoft 365? Yes. Microsoft ensures platform availability but does not back up your data against ransomware or accidental deletion. Use a dedicated M365 backup with retention.
Is EDR really necessary for a small company? Increasingly, yes. Ransomware frequently evades traditional antivirus. Managed EDR gives an SMB behaviour-based detection and automatic isolation without needing an in-house security team.
Harden your defences
Want a clear picture of where your ransomware risk sits and how to close the gaps? Explore our Cybersecurity & Identity service for a security scan, or read NIS2 for SMBs to see how these measures map to the new law.
