Ransomware Protection for Small Businesses in BC: A Practical Checklist
Ransomware isn't a big-company problem. Attackers automate everything, and a 15-person Vancouver firm gets scanned, phished, and probed just like a national bank — except the bank has a security team. This is the practical, prioritized checklist we implement for our clients.
1. Multi-factor authentication everywhere
The single highest-return control. Most ransomware incidents start with a stolen password — from phishing or a leaked database. MFA on email, VPN, remote access, and admin accounts blocks the overwhelming majority of account-takeover attacks, and it's now a hard requirement for virtually every cyber insurance policy.
2. Modern endpoint protection (EDR), not legacy antivirus
Traditional antivirus matches known signatures; modern ransomware is rebuilt for every campaign. Endpoint detection and response (EDR) tools like Sophos Intercept X watch behaviour — mass file encryption, credential theft, suspicious scripts — and can roll back damage automatically.
Better still is MDR (managed detection and response): a 24/7 human team that investigates and responds to what the tools flag. Attacks are deliberately launched at 2 a.m. on holiday weekends; MDR is what answers.
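To make the "watches behaviour" point concrete, here is an added toy detector (not code from the article or from any EDR vendor) that flags a process rewriting many files across many folders inside a short window, the pattern behind mass encryption, without knowing anything about the specific malware; the telemetry, process names and thresholds are all constructed for the demonstration.

```python
"""Added example: a toy behavioural rule of the kind EDR applies, flagging a
process that rewrites many files across many folders within a short window
instead of matching a known-bad signature. All data below is constructed."""
from collections import defaultdict, deque
from datetime import datetime
import ntpath

WINDOW_SECONDS = 60    # look-back window per process (assumed tuning values)
MIN_FILES = 10         # distinct files touched inside the window
MIN_DIRS = 3           # distinct folders touched inside the window


def build_sample_events():
    """Constructed file-event telemetry, not real logs: (time, pid, process, action, path)."""
    events = [  # a user editing one document: normal, low-volume activity
        ("09:00:01", 412, "WINWORD.EXE", "write", r"C:\Users\ann\Documents\report.docx"),
        ("09:00:05", 412, "WINWORD.EXE", "write", r"C:\Users\ann\Documents\report.docx"),
        ("09:00:09", 412, "WINWORD.EXE", "write", r"C:\Users\ann\Documents\~$report.docx"),
    ]
    folders = [r"C:\Users\ann\Documents", r"C:\Users\ann\Desktop", r"S:\Finance\2024"]
    for i in range(12):  # an unknown process renaming a dozen files in three folders in 24 s
        path = f"{folders[i % 3]}\\file{i}.xlsx"
        events.append((f"09:02:{10 + 2 * i:02d}", 977, "svc_update.exe", "rename", path))
    return events


def _seconds(hhmmss):
    t = datetime.strptime(hhmmss, "%H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second


def detect_mass_file_rewrite(events):
    """Return {pid: process} for every process whose write/rename activity crosses
    both the distinct-file and distinct-folder thresholds inside WINDOW_SECONDS."""
    recent = defaultdict(deque)  # pid -> deque of (seconds, path) still inside the window
    flagged = {}
    for time_str, pid, proc, action, path in sorted(events, key=lambda e: _seconds(e[0])):
        if action not in ("write", "rename"):
            continue
        now = _seconds(time_str)
        q = recent[pid]
        q.append((now, path))
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()  # drop events that have aged out of the window
        files = {p for _, p in q}
        dirs = {ntpath.dirname(p) for p in files}
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS:
            flagged[pid] = proc
    return flagged


if __name__ == "__main__":
    for pid, proc in detect_mass_file_rewrite(build_sample_events()).items():
        print(f"ALERT pid {pid} ({proc}): mass file rewrite across folders")
```

A real EDR adds many more signals (entropy of written data, shadow-copy deletion, process lineage), but the principle is the same: the rule fires on what the process does, so a freshly rebuilt ransomware binary still trips it.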
3. Backups that ransomware can't encrypt
Ransomware crews hunt down and encrypt backups first — it's what forces victims to pay. Your backups must include an immutable copy (unchangeable, even by an administrator account) and an offline or offsite copy. Follow 3-2-1: three copies, two media types, one offsite.
Just as important: test restores. A backup that's never been restored is a hope, not a plan. Schedule test restores and time them — that number is your real recovery capability.
4. Patch the way in
Unpatched firewalls, VPN appliances, and remote desktop servers are the front door for ransomware groups. A managed patching program — covering not just Windows but firmware, browsers, and third-party apps — closes the doors attackers scan for daily.
5. Train your people, then test them
Phishing remains the number one entry point. Short, regular security awareness training plus simulated phishing campaigns measurably cuts click rates. Your goal isn't zero clicks — it's employees who report suspicious emails fast, because early reporting is what turns an incident into a non-event.
6. Have an incident response plan before you need it
Know in advance whom to call, what to disconnect, how to communicate if email is down, and in what order systems come back. An afternoon spent writing this down — and an hour rehearsing it annually — saves days of chaos during a real incident.