Ransomware readiness checklist: the controls that matter most
You can’t harden everything at once, and you don’t need to. This checklist is ordered by impact on surviving and recovering from a ransomware attack — do the top items first.
Priority 1 — backups you can actually restore
- Keep at least one backup copy offline or immutable, isolated from day-to-day credentials.
- Follow a 3-2-1 approach: three copies, two media types, one off-site/offline.
- Test restores regularly — an untested backup is a hope, not a plan.
- Protect backup systems with separate, strong authentication.
Priority 2 — close the front doors
- Enforce multi-factor authentication on email, VPN, remote access and admin accounts.
- Patch internet-facing systems quickly; remove or restrict exposed RDP.
- Kill password reuse and check for exposed credentials.
- Run security-awareness and phishing training.
Priority 3 — contain and detect
- Segment the network so one machine isn’t a path to everything.
- Apply least privilege and tiered administration.
- Deploy EDR/anti-malware with monitoring to catch intrusions early.
- Log centrally and alert on suspicious activity and large data transfers.
Priority 4 — plan and rehearse
- Write an incident-response plan with clear roles and decision-makers.
- Include legal, communications and regulatory reporting (e.g. NIS2 timelines).
- Run a tabletop exercise at least annually.
- Keep offline copies of the plan and key contacts — you may lose access to systems.
Prove it works
Controls on paper aren’t the same as controls that hold. A penetration test or ransomware-readiness assessment validates whether an attacker could actually get in, spread, and reach your backups — before a real group does.
FAQ
Related questions
What is the single most important ransomware control?
Tested, offline or immutable backups. They are what let you recover without paying, and attackers specifically target backups — so protecting and testing them matters most.
What is the 3-2-1 backup rule?
Keep three copies of your data, on two different media types, with one copy stored off-site or offline. It ensures a single failure or attack can’t take out every copy at once.
How often should we test our readiness?
Test backup restores regularly (at least quarterly), run an incident tabletop at least annually, and validate technical controls with periodic penetration testing.
Keep reading
More guides
-
Should you pay the ransom? What to weigh before deciding
Paying rarely delivers what victims hope. Here’s what to consider — and why preparation beats the payment dilemma entirely.
Read guide -
Building a ransomware recovery plan that works under pressure
A recovery plan is what turns a ransomware crisis into a procedure. Here’s what belongs in one — and why rehearsal matters.
Read guide