Cyber Security

Ransomware response plan for UK SMEs: prevent, contain and recover with a Cyber Essentials–style baseline

Practical ransomware response plan for UK SMEs using Microsoft 365 and a Cyber Essentials–style baseline: what to do first, how to contain risk, preserve evidence, and recover safely with known-good backups.

Ransomware isn’t only a “big company” problem. UK SMEs are routinely targeted because they’re often the easiest stepping-stone into larger customers.

In fact, 43% of UK businesses reported a breach or attack in the last 12 months. (1)

This guide gives you a practical ransomware response plan you can actually run. It’s written for Microsoft 365-centric SMEs, and it’s built around a Cyber Essentials–style baseline — controls you can evidence and maintain, not a one-off tool purchase.

What this plan is for (and who owns it)

A ransomware plan is an operating document. It defines who decides, what’s in scope, and what “good” looks like on a normal day.

The goal isn’t perfection. It’s repeatable action when pressure is high.

Define “in-scope” systems (Microsoft 365, endpoints, line-of-business apps, backups)

Keep the scope tight enough to execute.

Include:

  • Microsoft 365 (Exchange, SharePoint, OneDrive, Teams).

  • Entra ID identities, admin accounts, MFA/Conditional Access.

  • Endpoints (company laptops/desktops, shared PCs).

  • Key line-of-business apps (SaaS + any on-prem apps).

  • Backup systems (M365 backup, servers, endpoints if used).

  • Remote access paths (VPN, RDP gateways, remote tools).

Exclude (but list separately):

  • Personal devices not enrolled/managed.

  • Shadow IT apps you don’t control.

  • Supplier-managed systems (until you confirm contacts + access).

Name roles: business owner, IT owner, comms/clients, legal/insurance, supplier contacts

Decisions stall when roles are vague. Name them now.

Minimum roles to assign:

  • Incident owner (business): final decisions, spend approvals.

  • IT owner (technical lead): containment + restore coordination.

  • Comms owner: client/supplier updates, internal staff updates.

  • Insurance/legal contact: policy notification, evidence handling.

  • Supplier contacts list: ISP, MSP (if applicable), backup vendor, LOB vendor.

NCSC recommends that a basic incident response plan include key contacts and escalation criteria.

The first 60 minutes: contain the incident safely

In the first hour, your priority is simple: stop spread and preserve options.

You’re trying to protect:

  • Identity (admin accounts, MFA, tokens).

  • Unaffected devices, so no more machines get encrypted.

  • Backups, so they aren’t deleted or poisoned.

  • Evidence you’ll need for insurers/regulators.

Execution in this window should be handled through your IT/incident response provider and insurer route, not improvised from a public checklist.

Triage indicators: encryption notes, abnormal account activity, EDR alerts

Common “this is ransomware” signals:

  • Ransom note files appearing across folders.

  • Files renamed/encrypted across multiple machines.

  • Unusual admin logins (especially from new locations).

  • Multiple MFA prompts users didn’t initiate.

  • Endpoint protection alerts (EDR) indicating ransomware behaviour.
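Two of the identity signals above (admin sign-ins from a new location, and bursts of MFA prompts the user keeps denying) can be checked mechanically against an Entra ID sign-in log export. The following is an added example, not code from the original guide; the sign-in records, the admin list and the baseline countries are constructed, and the field names are illustrative rather than the exact Graph schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (shape of a sign-in log export, simplified).
SAMPLE_SIGNINS = [
    {"time": "2025-03-03T08:01:00", "user": "admin-jo@example.co.uk", "country": "GB", "mfa": "success"},
    {"time": "2025-03-03T08:04:00", "user": "admin-jo@example.co.uk", "country": "NL", "mfa": "success"},
    {"time": "2025-03-03T09:10:00", "user": "sam@example.co.uk", "country": "GB", "mfa": "denied"},
    {"time": "2025-03-03T09:12:00", "user": "sam@example.co.uk", "country": "GB", "mfa": "denied"},
    {"time": "2025-03-03T09:15:00", "user": "sam@example.co.uk", "country": "GB", "mfa": "denied"},
    {"time": "2025-03-03T09:17:00", "user": "sam@example.co.uk", "country": "GB", "mfa": "success"},
    {"time": "2025-03-03T10:00:00", "user": "pat@example.co.uk", "country": "GB", "mfa": "success"},
]
# Constructed: the separate admin accounts, and the countries each admin signed in
# from during a known-clean baseline period (e.g. the previous 30 days).
ADMIN_ACCOUNTS = {"admin-jo@example.co.uk"}
ADMIN_BASELINE = {"admin-jo@example.co.uk": {"GB"}}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def admin_new_location(signins, admins, baseline):
    """Flag any admin sign-in from a country not seen in that admin's baseline."""
    findings = []
    for s in signins:
        if s["user"] in admins and s["country"] not in baseline.get(s["user"], set()):
            findings.append(("admin_new_location", s["user"], s["country"], s["time"]))
    return findings


def mfa_prompt_storm(signins, threshold=3, window=timedelta(minutes=10)):
    """Flag users with >= threshold denied MFA challenges inside a sliding window:
    a burst of prompts the user did not initiate and keeps denying."""
    denials = defaultdict(list)
    for s in signins:
        if s["mfa"] == "denied":
            denials[s["user"]].append(parse_ts(s["time"]))
    findings = []
    for user, times in denials.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                findings.append(("mfa_prompt_storm", user, j - i, times[i].isoformat()))
                break  # one finding per user is enough to trigger escalation
    return findings


def triage(signins, admins=ADMIN_ACCOUNTS, baseline=ADMIN_BASELINE):
    """Return all triage findings; an empty list means neither signal fired."""
    return admin_new_location(signins, admins, baseline) + mfa_prompt_storm(signins)
```

Both findings are reasons to involve the SOC or incident response provider rather than to act alone; the thresholds are starting points to tune against your own sign-in history.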

Isolation steps: affected devices, privileged accounts, remote access pathways

Focus on high-level containment goals, with a clear decision owner.

Key action categories:

  • Isolate affected systems to limit spread, without disrupting evidence unnecessarily.

  • Contain identity risk (especially privileged access) so attackers can’t expand control.

  • Reduce exposure from remote access pathways until scope is understood.

  • Engage your insurer, specialist incident response provider, and/or SOC as appropriate.

If you have SOC-backed endpoint protection, this is where you involve them. That monitoring can be 24/7 — your service desk support doesn’t need to be.

Evidence basics: logs, screenshots, timestamps, “do not wipe yet” decision gate

Do not wipe machines as your first move. Not yet.

Capture evidence first:

  • Photos/screenshots of ransom notes and error messages.

  • Timeline: “first noticed at”, “what changed”, “who reported it”.

  • Affected systems list (device names, user accounts).

  • Security alerts and event logs (export what you can).

NCSC’s incident management guidance emphasises keeping the information and evidence you’ll need to manage the incident.

Decision gate: avoid wipe/rebuild until you know:

  • What’s compromised.

  • What you’re restoring from.

If you need to report the incident, the UK government signposts reporting routes such as NCSC and Action Fraud depending on your situation.

You can also report incidents to NCSC via their reporting service.

Decide your recovery path (restore vs rebuild) and manage obligations

Recovery is a business decision as much as a technical one.

You’re balancing:

  • Downtime cost.

  • Data integrity.

  • Legal/regulatory exposure.

  • Reputational risk.

  • The chance of reinfection.

Assess impact: what’s down, what’s sensitive, what’s business-critical

Document this quickly:

  • What services are unavailable (email, files, LOB app, finance).

  • What data might be affected (client data, HR, payment info).

  • What you must restore first to operate (invoices, order fulfilment).

Notification map: insurers, key clients/suppliers, relevant authorities/regulators (as applicable)

Most cyber insurance policies require prompt notification and evidence preservation.

Also map:

  • Critical clients who will notice outages.

  • Key suppliers (especially IT and software vendors).

  • Regulators if personal data is involved.

If a personal data breach is notifiable, you must report it to the ICO without undue delay and within 72 hours of becoming aware.

Ransom decision factors (without recommending payment)

We won’t tell you to pay. We also won’t pretend it’s a simple decision.

What matters:

  • Do you have proven restores and clean backups?

  • Is data exfiltration likely (double extortion)?

  • Are you at risk of sanctions/legal issues if you pay?

  • What does your insurer require?

  • What’s your operational impact if you don’t?

NCSC and UK law enforcement do not encourage, endorse or condone paying ransoms, and highlight that there’s no guarantee you’ll regain access or be “clean” afterwards. NCSC also publishes specific guidance for organisations considering payment.

Recover without reinfecting: restoring from known-good backups

Backups only help if they’re both:

  • Available.

  • Safe to restore.

NCSC’s guidance is explicit: before restoring, verify backups are free from malware.

“Known-good” criteria: malware-free validation before restore

Treat every restore like a forensic operation.

Verification criteria for “known-good” restores:

  • Restores can be validated in isolation first (where feasible).

  • Restored data can be scanned with up-to-date malware tooling.

  • Admin accounts and identity logs are confirmed clean.

  • Backup admin credentials are confirmed not compromised.

  • Backups are confirmed not deleted/altered during the incident window.

Order of restoration: identity first, then endpoints, then servers/apps, then data

A sensible order for most SMEs:

  1. Identity & admin control (Entra ID, MFA, admin segregation).

  2. Management plane (device management, patching, security tooling).

  3. Endpoints (rebuild from standard build, not “repair in place”).

  4. Servers/apps (if you have them).

  5. Data restores (files, SharePoint/OneDrive, LOB data).

Why identity first? Because if attackers still control accounts, you’re rebuilding on sand.

RPO/RTO basics for SMEs and how restore testing proves reality

Keep it plain:

  • RPO: how much data you can afford to lose (time).

  • RTO: how long you can afford to be down.

If you’ve never tested a restore, your RPO/RTO are guesses.

NCSC’s ransomware-resistant backup principles include ensuring owners can test whether they can restore from current backup state.
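The “known-good” selection above and the RPO/RTO point here come together in one check: pick the newest backup taken before the incident window opened that has been scanned clean, measure the data loss that restore point implies, and take the RTO from actual restore test durations rather than from a target on a slide. This is an added example, not the guide’s own tooling; the backup and restore-test records, the incident start time and the targets are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records for one SME's file server.
BACKUPS = [
    {"taken": "2025-03-02T22:00:00", "scanned_clean": True},
    {"taken": "2025-03-03T22:00:00", "scanned_clean": True},
    {"taken": "2025-03-04T22:00:00", "scanned_clean": False},  # taken after encryption began
]
RESTORE_TESTS = [
    {"started": "2025-01-15T09:00:00", "finished": "2025-01-15T15:30:00", "succeeded": True},
    {"started": "2024-10-10T09:00:00", "finished": "2024-10-10T13:00:00", "succeeded": True},
]
TARGETS = {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)}  # constructed targets


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def newest_known_good(backups, incident_start):
    """Newest backup taken before the incident window opened AND scanned clean.
    Anything taken after incident_start is excluded even though it is newer."""
    candidates = [b for b in backups
                  if parse_ts(b["taken"]) < incident_start and b["scanned_clean"]]
    return max(candidates, key=lambda b: parse_ts(b["taken"]), default=None)


def measured_rpo(backups, incident_start):
    """Data actually lost: the gap between incident start and the known-good restore point."""
    b = newest_known_good(backups, incident_start)
    return None if b is None else incident_start - parse_ts(b["taken"])


def measured_rto(tests):
    """Longest successful restore test; None means the RTO is still a guess."""
    durations = [parse_ts(t["finished"]) - parse_ts(t["started"]) for t in tests if t["succeeded"]]
    return max(durations) if durations else None


def readiness(backups, tests, incident_start, targets):
    """Compare evidence-based RPO/RTO against targets; unmet when there is no evidence."""
    rpo, rto = measured_rpo(backups, incident_start), measured_rto(tests)
    return {
        "rpo_hours": None if rpo is None else rpo.total_seconds() / 3600,
        "rpo_met": rpo is not None and rpo <= targets["rpo"],
        "rto_hours": None if rto is None else rto.total_seconds() / 3600,
        "rto_met": rto is not None and rto <= targets["rto"],
    }
```

With no successful restore test on record, `rto_met` is False regardless of the target, which is the point of the “guesses” sentence above.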

Prevention that actually reduces ransomware risk (controls, not slogans)

Most ransomware “prevention” advice fails because it’s vague. SMEs need a baseline that’s:

  • Standardised.

  • Enforced.

  • Checked routinely.

  • Evidenceable.

Identity & access (Microsoft 365): MFA coverage, admin segregation, conditional access patterns

Prioritise:

  • MFA for every user, especially admins.

  • Separate admin accounts (no day-to-day admin use).

  • Conditional access patterns appropriate for SMEs (location/device/risk based).

  • Secure reset processes (stop “phone a mate” password resets).

This is where many ransomware incidents start: identity compromise, not “a virus”.

Device security: managed enrolment, encryption, patch compliance, local admin minimisation

For 10–25 seat SMEs, the fastest risk reduction is managed devices.

Baseline expectations:

  • All devices enrolled and policy-managed.

  • Encryption enabled.

  • Patch compliance visible and enforced.

  • Local admin rights minimised.

  • No unmanaged endpoints “because it’s easier”.

Standardisation (e.g. Microsoft 365 + Intune/Autopilot) reduces your recovery time because rebuilds are predictable.

Malware protection + monitoring expectations (SOC vs business-hours support boundary)

Be specific about what’s monitored and when.

A practical model:

  • SOC-backed endpoint monitoring 24/7 (detection + triage).

  • Business-hours support for day-to-day user issues and changes.

  • Clear escalation routes for suspected active threats.

This avoids the common trap: thinking you’ve bought “security” when you’ve only bought software.

Backup posture: SaaS + server coverage, retention, immutable/offline principles, test cadence

For ransomware resilience, “a backup” is not enough.

Aim for:

  • Microsoft 365 backup (not just recycle bin).

  • Server/LOB backups where relevant.

  • Retention that matches business needs.

  • Protection against deletion/tampering.

NCSC has a full collection on ransomware-resistant backups, focused on mitigating destructive ransomware.

Tools vs an operating baseline (governance + ownership + evidence)

Tools help. But tools don’t own your risk.

An operating baseline means:

  • Someone checks the controls.

  • Exceptions are managed.

  • Evidence exists when insurers/clients ask.

Ownership: who checks MFA coverage, patch compliance, restore tests, joiner/leaver hygiene

Assign named owners for:

  • MFA coverage reports (monthly, as an internal governance target).

  • Admin account review (monthly, as an internal governance target).

  • Patch compliance (a regular review cadence agreed internally, with evidence).

  • Restore test schedule (typically at least quarterly for critical systems, as an internal governance target).

  • Joiner/leaver process (every single time).

If nobody owns it, it doesn’t happen.

Evidence: what to record (exports/screenshots), how often, and where it lives

Keep an “evidence pack” folder:

  • MFA coverage exports/screenshots.

  • Device compliance reports.

  • Backup success + restore test records.

  • Admin account list + change history.

  • Incident timeline notes (if an event occurs).

This makes supplier questionnaires and insurance conversations far less painful.

Standardisation: why unmanaged devices and exceptions create repeatable failure modes

Unmanaged endpoints create the same failure pattern every time:

  • Unknown patch status.

  • Unclear admin rights.

  • Inconsistent security controls.

  • Unpredictable rebuilds.

That’s why we’re opinionated about standardisation. It’s how you get stability.

How a Cyber Essentials–style baseline supports ransomware readiness

Cyber Essentials organises requirements under five technical controls.

You don’t need to chase certification to benefit from the model. You need real, maintained alignment with the CE control themes, which is separate from any formal Cyber Essentials certification outcome.

Secure configuration

  • Standard builds for devices.

  • Remove unnecessary services and risky defaults.

  • Lock down macros and script execution sensibly.

Boundary firewalls & internet gateways

  • Limit inbound access.

  • Minimise exposed services.

  • Ensure remote access is controlled and logged.

Access control

  • Least privilege.

  • Separate admin accounts.

  • Remove local admin where possible.

  • Strong joiner/leaver discipline.

Malware protection

  • Managed endpoint protection across every device.

  • Monitoring expectations defined.

  • Consistent response steps when alerts appear.

Security update management (patching)

  • Visible patch status.

  • Deadlines for critical updates.

  • Remove “we’ll get to it later” as an option.

This is what “ransomware readiness” looks like when it’s operational, not theoretical.

Getting outside help: Security Triage vs a paid Security Baseline Review

If you’re an owner-manager, you usually don’t need more tooling. You need to know where the gaps are.

That’s why our flow is:

Security Triage → paid Security Baseline Review → all-inclusive managed service

Security Triage Call: what it covers (high-level RAG across identity/devices/backup/endpoint/readiness)

Use triage when you need clarity fast.

We’ll cover, at a high level:

  • Identity and admin basics.

  • Managed vs unmanaged devices.

  • Backup posture (M365 + servers).

  • Endpoint protection and monitoring.

  • Incident readiness basics (who does what).

Output is a simple RAG view so you can decide next steps.

Security Baseline Review (paid): evidence collection, written baseline report, prioritised risks, phased roadmap

Use the Baseline Review when you need evidence-led answers.

It includes:

  • Evidence collection (exports, screenshots, walkthrough).

  • Written baseline report (RAG by domain).

  • Top risks ranked.

  • Phased roadmap (now / next / later).

It’s built around Cyber Essentials–style alignment to CE control themes — without implying certification, guaranteeing certification, or acting as a certification body.

“If you’re mid-incident” criteria: when to escalate immediately vs when to schedule triage

Escalate immediately if:

  • Encryption is actively spreading.

  • Admin accounts look compromised.

  • Backups are being deleted/modified.

  • You suspect data theft.

  • Core operations are down.

If you’re in a live incident, UK guidance signposts reporting routes (including Action Fraud) and NCSC’s reporting service.

If ransomware is active, follow your insurer and specialist incident response routes and the official reporting guidance; the Security Triage Call is designed for post-stabilisation gap mapping and baseline planning, not live containment.

If the incident is contained and you’re stabilised, book triage to map gaps and next steps.

Ransomware readiness governance checklist (validation)

Keep this as a readiness validation list. It supports baseline ownership, evidence, and restore confidence.

People & process checklist

  • Incident owner named, with deputy.

  • IT technical lead named, with deputy.

  • Supplier contacts list kept current.

  • Insurance policy details accessible.

  • Comms template drafted for clients.

  • Evidence pack location defined.

  • Restore test schedule agreed and tracked (as an internal governance target).

Identity checklist (Microsoft 365)

  • MFA enforced for all users.

  • Admin accounts separated and minimal.

  • Conditional access policies reviewed quarterly (as an internal governance target).

  • Leavers deprovisioned same day (process).

  • Privileged access reviewed monthly (as an internal governance target).

  • Sign-in logs accessible and retained appropriately.

Device checklist

  • All endpoints enrolled and managed.

  • Encryption enabled across devices.

  • Patch compliance reviewed regularly (as an internal governance target).

  • Local admin rights minimised.

  • Standard build documented and repeatable.

  • Endpoint protection deployed everywhere.

Backup & restore checklist

  • M365 backup in place (not assumed).

  • Server/LOB backups covered where needed.

  • Backup admin access locked down.

  • Immutable/offline principles applied where feasible.

  • Restore tests logged (with a cadence set and owned internally, typically at least quarterly for critical systems).

  • “Known-good” restore process documented.

NCSC’s ransomware guidance stresses validating backups before restore and designing backups to withstand ransomware.

Supplier/third-party checklist

  • Critical apps list maintained (owner per app).

  • Vendor support contacts recorded.

  • Admin access controlled and reviewed.

  • Integrations documented (what has what permissions).

  • Contract/security questionnaire evidence pack ready.

If you’re a 10–25 user, owner-managed SME in Sussex or Kent, we’ll give you a clear RAG view across identity, devices, endpoint protection, and backup readiness.

(1) UK Government, Cyber Security Breaches Survey 2025 — 43% of UK businesses reported a breach or attack in the last 12 months.
