Oct 14 2025
Security

Ransomware Prevention 101 for SMBs

Small businesses aren’t too small to be targeted by cybercriminals, and the consequences can be worse. That’s why protecting against ransomware attacks should be a top priority.

“Ransomware can be devastating for small businesses because attackers often see them as easier prey,” says Tracy Ryan, area vice president of global managed service providers and managed security service providers at SentinelOne. “The risks include operational shutdowns, loss of sensitive customer or financial data, and lasting reputational damage.”

In fact, 1 in 3 SMBs was hit with a cyberattack in 2024, according to a research report from Microsoft, which points out that ransomware is a top challenge for small businesses.

“Unlike large enterprises, SMBs typically have lighter defenses, fewer dedicated security staff and limited redundancy. That makes them appealing targets for cybercriminals who know even a short period of downtime can cause major disruption,” Ryan explains, adding that many small businesses feel they have no choice but to pay the ransom to get back online quickly.

However, paying the ransom doesn’t guarantee full recovery and can make it more likely that the business is targeted again, she says. “Add in regulatory fines and the ongoing cost of rebuilding systems, and the financial impact can be crippling. For some small businesses, a single successful ransomware attack can threaten their ability to survive.”

With attacks from nation-state attackers on the rise and artificial intelligence empowering bad actors, it’s crucial that SMBs understand the state of ransomware today and how to properly protect themselves against ransomware attacks.

What SMBs Need to Know About Ransomware Today

Ransomware is constantly evolving. Over the years, cybercriminals have moved from a spray-and-pray methodology to big-game hunting, where cybercrime gangs target victims that may be the most vulnerable to such attacks, according to Asheer Malhotra, technical lead and security researcher at Cisco Talos, a threat intelligence research organization under Cisco.

“With the leak of ransomware code, we have also seen — and reported — several cases where less proficient actors targeted smaller businesses for less ransom money,” he says. “Furthermore, ransomware operations have evolved to now follow the double-extortion model where the adversaries threaten to leak sensitive data that they’ve stolen from the victim organization unless a ransom is paid, as well as deploying ransomware on compromised systems.”

Ryan adds that today’s cybercriminals often combine data theft with encryption — known as double or even triple extortion — to increase pressure on victims.

“They are also using automation and AI to launch attacks faster and at greater scale, while Ransomware as a Service platforms make advanced capabilities available to less skilled attackers,” she explains. “For small businesses, this means the threat landscape is broader, more automated and more relentless than ever. The old idea that ransomware is a one-off nuisance is gone; it is now a business-ending risk if you are not prepared.”

Malhotra emphasizes that it’s important for SMBs to be aware of changes in the threat landscape.

“Understanding relationships between various ransomware threat actors and initial access brokers and their tactics, techniques and procedures is imperative to discovering and hunting for compromises,” he says. “Such intelligence also enables organizations to protect themselves from follow-on intrusions after a ransomware attack has already happened. Therefore, while defense-in-depth and complementing processes are important, small businesses must also recognize the value of threat intelligence toward proactively discovering, blocking and remediating intrusions.”

The Most Important Steps SMBs Can Take to Prevent Ransomware

While small businesses often have more limited budgets and difficulty hiring highly skilled security staff, they are up against the same ransomware threats that large enterprises face. The consequences of a successful attack can also be tougher for SMBs to handle.

Ryan says the key to defending against ransomware attacks is to focus on practical, high-impact steps that deliver real protection without overextending resources. Here are some of the ways SMBs can bolster their cybersecurity posture:

  • Don’t go it alone. “Start by outsourcing where it makes sense, such as partnering with a managed security provider or taking advantage of the built-in protections in cloud and email platforms,” says Ryan.
  • Reduce your attack surface. Ryan recommends enforcing multifactor authentication everywhere, closing unused accounts and services, and disabling risky settings such as open Remote Desktop Protocol. Vitor Ventura, security researcher and manager of the EMEA and Asia outreach team at Cisco Talos, adds that it’s essential that MFA be prioritized for high-privileged accounts.
  • Automate hygiene. By turning on auto updates and standardizing on a small set of apps and devices, SMBs can better protect their business, says Ryan.
  • Plan for failure. SMBs can do this by “testing data restoration from backups at least quarterly and keeping one backup offline or immutable so you can recover without paying a ransom,” Ryan explains.
  • Invest in modern, AI-driven endpoint protection. Endpoint protection tools should stop attacks automatically and not require in-house analysts, says Ryan.
  • Keep employee training simple but consistent. “Short phishing refreshers and regular simulations are far more effective than a once-a-year training session,” she adds. “These actions create a practical and achievable path to resilience for any SMB, even with limited resources.”
  • Patch internet-facing servers. This should be done regularly to ensure servers have the latest security updates, says Ventura, who recommends that SMBs restrict exposure of internal systems to the internet. “Patch management keeps attackers from exploiting well-known flaws, and automating updates wherever possible helps take the burden off limited IT staff,” adds Ryan.
  • Set up network monitoring. “Network monitoring provides early warning by spotting suspicious activity before ransomware can spread, and many managed providers can deliver this as a service if you do not have the expertise in house,” says Ryan.
  • Implement defense-in-depth models. “An organization’s diverse network environment results in multiple potential attack surfaces, such as email, web servers, endpoints, etc.,” Ventura explains. “Up-to-date protections must be present on these attack surfaces so that organizations can detect and block intrusions even if initial compromise has been successful.”

Ventura adds that defense in depth, which includes deploying software for detection and blocking of threats across multiple attack surfaces, must be complemented by comprehensive and continuous process-based actions.

“Timely patch management, identity and access control, network segmentation and monitoring, and backup and recovery are imperative to ensure that organizations are protected against proliferation of ransomware across their environments,” he says.

Backup and recovery are the last line of defense, according to Ryan, but they only work if SMBs test them regularly and keep at least one copy offline or immutable.

“To bring these pieces together, modern endpoint detection and response solutions give SMBs visibility across their environment, detect ransomware activity quickly and stop it before it can cause widespread damage,” she explains. “Taken together, these practices create a layered defense strategy that aligns with limited budgets and resources while still defending against enterprise grade threats.”

Advice for SMBs on Ransomware Prevention

Knowing the solutions and services needed to protect against ransomware is just the first step in preventing a successful attack. SMBs also need to know how to ensure these implementations work within their security environment.

“The biggest piece of advice is to focus on progress, not perfection,” says Ryan. “Most small businesses will never have the budget or staff of a large enterprise, but that does not mean they are defenseless. Start with the basics that deliver the highest impact: enforce MFA, turn on automatic updates, train employees to spot phishing and ensure backups are reliable.”

She also recommends that SMBs have a modern endpoint detection and response solution in place.

“Today’s EDR tools, especially those powered by AI, can automatically detect and stop ransomware activity before it spreads, giving small businesses enterprise-grade protection without needing a large security team. From there, continue building step by step. Every action strengthens resilience and reduces the chance that a single mistake turns into a business-ending event,” Ryan adds. “Security should be seen not only as protection but also as a business enabler. It preserves customer trust, ensures continuity and can differentiate you from competitors who have not invested. The good news is that meaningful improvement is achievable without massive budgets, and small steps taken today prevent far bigger problems tomorrow.”

Ultimately, the most important thing for small businesses to understand is that they are not too small to be targeted, says Ryan. By leaning on managed security partners and adopting AI-driven EDR solutions, SMBs can achieve enterprise-level protection that runs largely on its own.

“Many small businesses should also consider cyber insurance policies as part of their overall risk-mitigation planning. There are even a number of SMB-focused insurers who can help these businesses assess their current security posture and recommend steps that can lower risk in a way that could both improve their security posture and result in a more favorable insurance policy premium,” she says.

“Cybersecurity is no longer optional. It is central to protecting customer trust, keeping operations running and ensuring the long-term success of the business,” Ryan adds. “The sooner you take steps to strengthen your defenses, the better positioned you will be to face today’s threats with confidence.”
