A ransomware readiness assessment measures two things: how likely you are to be hit, and how fast and cleanly you could recover if you were. It maps your external attack surface, verifies immutable and isolated backups (the 3-2-1-1-0 rule), confirms EDR coverage on every endpoint, reviews network segmentation and phishing defences, and tests your incident-response plan with a tabletop exercise. For a 15-to-50-person Canadian SMB it typically costs CA$3,500–$9,000; a full engagement with recovery testing and an IR plan runs CA$9,000–$22,000.
What Is a Ransomware Readiness Assessment?
A ransomware readiness assessment is a structured, evidence-based evaluation of two distinct questions that most Canadian SMBs answer with a shrug: how exposed are we to a ransomware attack, and if one succeeds, how quickly and cleanly can we recover? It is narrower and deeper than a general cybersecurity audit. A broad audit looks at everything; a ransomware readiness assessment follows the specific attack chain that modern ransomware crews actually use — initial access, privilege escalation, lateral movement, backup destruction, data theft, and encryption — and tests whether you can break that chain at each link.
The distinction matters because ransomware has changed. Five years ago, a ransomware incident meant some files got encrypted and you restored from backup. Today, the dominant model is double extortion: attackers spend days or weeks inside your network first, steal a copy of your most sensitive data, delete or encrypt your backups, and only then trigger encryption — so even a clean restore does not stop them from publishing your client records on a leak site unless you pay. Some crews now run triple extortion, adding direct harassment of your customers, partners, and the regulator. A readiness assessment is built around this reality. It does not ask "do you have antivirus?" It asks "can an attacker who already has a foothold reach and destroy your backups, and if they steal your data, what is your legal and reputational exposure?"
For most Canadian small and medium-sized businesses, the honest answer to those questions is unknown — and unknown is the most dangerous state to be in. Internal staff are too close to day-to-day operations to see the gaps, and most SMBs have never tested a backup restore under realistic conditions, never confirmed that their backups are actually isolated from the network an attacker would control, and never rehearsed who makes the first three phone calls when the encryption note appears. The assessment converts those unknowns into a documented, prioritized picture: this is your real exposure, here is what would happen tonight, and here is the costed plan to close the gaps.
A competent assessment produces a written report — typically 20–40 pages — with a scored risk register, a recovery-time estimate (how long you would realistically be down), and a phased remediation roadmap. It is not a vulnerability scan printout and it is not a sales pitch for a particular backup product. It is an independent, vendor-neutral answer to the only question your board, your insurer, and your largest client actually care about: are you ready?
Why Ransomware Is the Defining Threat for Canadian SMBs in 2026
The Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security (CCCS) have named ransomware the most disruptive cybercrime threat facing Canadian organizations in successive National Cyber Threat Assessment reports. The CCCS estimates that hundreds of Canadian organizations are hit each year — and because reporting is inconsistent, the true number is significantly higher. Small and medium businesses bear a disproportionate share of incidents precisely because they have the data attackers want and weaker defences than large enterprises.
Three dynamics make ransomware uniquely dangerous for the SMB segment.
Ransomware-as-a-Service has industrialized the threat. Affiliates no longer need to write malware. They rent it. RaaS operators provide the encryptor, the leak-site infrastructure, the negotiation portal, and even customer-service-style support, taking a cut of each ransom. This has flooded the market with low-skill attackers who target whoever is reachable — and SMBs with exposed remote-access services, unpatched VPNs, and no MFA are the path of least resistance. You are not too small to be a target; you are the target precisely because you are small and reachable.
The economics are brutal for SMBs. The Sophos State of Ransomware research has repeatedly put the average ransom paid in Canada in the seven figures, but the ransom is the smaller cost. Downtime, forensic investigation, legal counsel, regulator notification, credit monitoring for affected individuals, customer churn, and rebuilt systems routinely exceed the ransom several times over. The IBM Cost of a Data Breach report has placed the average Canadian breach cost near CA$7 million. For a business with CA$5M in revenue, a serious ransomware event is not a line item — it is an existential threat. A meaningful percentage of SMBs that suffer a major incident do not survive the following year.
Insurers and clients now demand proof. Canadian cyber-insurance underwriters will not bind or renew coverage without demonstrable ransomware controls: MFA on all email and remote access, tested backups isolated from production, EDR on every endpoint, and a documented incident-response plan. Larger clients increasingly send the same questionnaire down their supply chain before they will sign a contract. A readiness assessment produces exactly the evidence package both audiences require — and identifies the gaps before an underwriter denies a claim or a client walks away.
The alternative to proactive readiness is reactive crisis: discovering at 7 a.m. that everything is encrypted, that the backups were on the same domain the attacker controlled, that no one knows who to call, and that the data already sits on a leak site. Readiness is not overhead. It is the difference between a bad week and a business-ending event.
The Ransomware Kill Chain — and Where the Assessment Breaks It
To understand what a readiness assessment evaluates, you have to understand how a ransomware attack actually unfolds. Modern intrusions are not instantaneous; the median dwell time — from initial access to detonation — is often days to weeks. That window is your opportunity to detect and stop the attack. The assessment examines your ability to interrupt the chain at every stage.
| Attack stage | What the attacker does | Control the assessment checks |
|---|---|---|
| Initial access | Phishing, exposed RDP/VPN, unpatched edge device, stolen credentials | Attack-surface mapping, MFA, patch SLA, phishing defence |
| Execution & persistence | Drops tooling, creates accounts, schedules tasks | EDR coverage and alerting, application control |
| Privilege escalation | Dumps credentials, abuses misconfigured AD, seeks domain admin | Privileged-access separation, Active Directory hardening |
| Lateral movement | Spreads across the flat network to servers and endpoints | Network segmentation, lateral-movement detection |
| Backup destruction | Locates and deletes or encrypts backups before detonating | Immutability, air-gap, separate backup credentials |
| Data exfiltration | Steals sensitive data for double-extortion leverage | Egress monitoring, DLP, data classification |
| Encryption & extortion | Detonates ransomware, posts ransom note and leak threat | Incident-response plan, tested restore, comms playbook |
The single most important insight this model delivers: a mature defence does not rely on stopping initial access. It assumes initial access will eventually succeed and builds layered controls that detect and contain the attacker during the dwell window — and that guarantee clean recovery even if every preventive control fails. The assessment scores you at every stage, then prioritizes the gaps that most shorten an attacker's path from foothold to encrypted, exfiltrated, unrecoverable.
Attack Surface: Mapping What an Attacker Can Reach
Your attack surface is the complete set of points where an attacker could attempt to gain entry. For ransomware, the most common initial-access vectors are remarkably consistent: exposed Remote Desktop Protocol (RDP), vulnerable or unpatched VPN and firewall appliances, phishing that harvests credentials, and valid credentials purchased from initial-access brokers. The assessment begins by mapping this surface from the outside in — the same way an attacker would.
An attack-surface review for a Canadian SMB looks at every internet-facing service: what ports and protocols are reachable from the public internet, which edge devices (firewalls, VPN concentrators, mail gateways) are running outdated firmware with known exploited vulnerabilities, whether RDP is exposed directly or buried behind a VPN, and which cloud services (Microsoft 365, hosted line-of-business apps) are configured to accept legacy authentication that bypasses MFA. It also catalogues the often-forgotten surface: a test server someone stood up two years ago and never decommissioned, a branch-office printer with a web interface exposed to the internet, a former employee's account still active and unused, an exposed network-attached storage device.
The principle behind attack-surface reduction is simple: every service you do not need to expose is a service an attacker cannot abuse. The highest-impact, lowest-cost ransomware control most SMBs can implement is closing direct RDP exposure, putting remote access behind a VPN or zero-trust gateway with MFA, and enforcing modern authentication that blocks legacy protocols. Many ransomware incidents in Canada trace back to a single exposed RDP port with a weak or reused password and no second factor — a gap that costs nothing to close and everything to ignore.
The assessment also covers the human attack surface and identity. Stolen and reused credentials are now among the most common initial-access methods, which makes multi-factor authentication the single most cost-effective ransomware control available. The review confirms MFA is enforced on every email account, every remote-access path, every administrative console, and every cloud service — not just "available" but mandatory, with legacy authentication disabled so it cannot be bypassed.
Backups That Survive an Attack: The 3-2-1-1-0 Rule and Immutability
Backups are the foundation of ransomware recovery — and the first thing attackers go after. The reason double-extortion crews spend days inside a network before detonating is precisely to find and destroy your backups, because backups that survive the attack make the ransom irrelevant. A readiness assessment therefore treats backup verification as its highest-priority technical task. Not "do you have backups?" — almost everyone does — but "would your backups survive an attacker who has domain administrator privileges?"
The classic 3-2-1 backup rule — three copies of your data, on two different media, with one copy off-site — is necessary but no longer sufficient against ransomware. The modern standard is 3-2-1-1-0, which adds two critical elements:
- 3 — keep at least three copies of your data (production plus two backups).
- 2 — store them on two different types of media or storage so a single failure mode cannot take out all copies.
- 1 — keep at least one copy off-site, geographically separated from the primary location.
- 1 — keep at least one copy immutable or air-gapped — physically or logically unable to be altered or deleted, even by someone with full administrative credentials.
- 0 — verify zero backup errors through regular, documented restore testing. A backup you have never restored is a hope, not a backup.
The two new elements are exactly the ones that defeat ransomware. Immutability means the backup, once written, cannot be modified or deleted for a defined retention period — implemented through object-lock on cloud storage, hardened backup appliances, or write-once media. Even if an attacker gains domain admin, they cannot encrypt or wipe an immutable copy. Air-gapping achieves the same end physically: the backup is offline and unreachable from the network for most of its life, so an attacker simply cannot touch it. The assessment verifies that at least one copy is genuinely immutable or air-gapped, that the backup system uses separate credentials from the production domain (so a compromised domain admin does not equal a compromised backup), and — critically — that someone has actually performed a full restore recently and documented the result.
The assessment also measures two recovery metrics that determine how a ransomware event actually plays out: your recovery time objective (RTO) — how long until critical systems are running again — and your recovery point objective (RPO) — how much data you would lose, measured by the gap between backups. An SMB that backs up nightly has an RPO of up to 24 hours; one that backs up continuously has an RPO of minutes. The composite case below shows why this matters: the difference between a tested four-hour RTO and an untested, unknown RTO is often the difference between absorbing an incident and paying a ransom out of desperation. For the full recovery-planning treatment, see our business backup and disaster recovery guide.
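Applying the 3-2-1-1-0 rule and the separate-credentials check to a backup inventory, as an added example (not code from the article or from any assessor's toolkit). The dataclass fields and both sample inventories are constructed, loosely modelled on the composite case later in the article, and the 90-day restore-test window is this example's own assumption.

```python
"""Grade a backup inventory against 3-2-1-1-0 and the separate-credentials rule.

Added example, not from the article. Field names and the sample inventories
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                      # e.g. "disk", "object-storage", "tape", "usb"
    location: str                   # "onsite" or "offsite"
    immutable: bool                 # object-lock / WORM retention enforced
    air_gapped: bool                # offline and unreachable from the network
    credential_realm: str           # identity domain used to write it, e.g. "corp.local"
    interval_hours: float           # how often this copy is refreshed (drives RPO)
    last_restore_test: date | None  # last documented full restore from this copy


@dataclass
class Grade:
    three_copies: bool
    two_media: bool
    one_offsite: bool
    one_immutable_or_airgapped: bool
    zero_errors_verified: bool      # a survivable copy has a recent, documented restore
    backup_creds_separate: bool     # survivable copy not writable with production creds
    rpo_hours: float | None         # data loss if you restore from the tested survivable copy

    def gaps(self) -> list[str]:
        """Names of the rules that fail; empty when the inventory passes."""
        return [name for name, ok in vars(self).items()
                if isinstance(ok, bool) and not ok]

    def passes(self) -> bool:
        return not self.gaps()


def grade_backups(copies: list[BackupCopy], production_media: str,
                  production_realm: str, today: date,
                  restore_max_age_days: int = 90) -> Grade:
    """Score the inventory; 'copies' are backups only, production is counted as copy #1."""
    # Only copies an attacker with domain admin cannot alter count toward the extra "1".
    survivable = [c for c in copies if c.immutable or c.air_gapped]
    cutoff = today - timedelta(days=restore_max_age_days)
    # The "0" is about proof: an untested survivable copy is a hope, not a backup.
    tested = [c for c in survivable
              if c.last_restore_test is not None and c.last_restore_test >= cutoff]
    return Grade(
        three_copies=len(copies) + 1 >= 3,
        two_media=len({production_media, *(c.media for c in copies)}) >= 2,
        one_offsite=any(c.location == "offsite" for c in copies),
        one_immutable_or_airgapped=bool(survivable),
        zero_errors_verified=bool(tested),
        backup_creds_separate=any(c.credential_realm != production_realm for c in survivable),
        rpo_hours=min(c.interval_hours for c in tested) if tested else None,
    )


# Constructed sample: nightly copy to a share on the production domain, plus a
# USB drive rotated off-site every few months, neither ever restore-tested.
TODAY = date(2025, 6, 2)
AS_FOUND = [
    BackupCopy("nightly-share", "disk", "onsite", False, False, "corp.local", 24.0, None),
    BackupCopy("usb-rotation", "usb", "offsite", False, True, "corp.local", 24.0 * 120, None),
]
# Constructed sample after remediation: hourly copies to an object-locked cloud
# target written with a separate backup identity and restored two weeks ago.
REMEDIATED = [
    AS_FOUND[0],
    BackupCopy("cloud-object-lock", "object-storage", "offsite", True, False,
               "backup-tenant", 1.0, date(2025, 5, 20)),
]

if __name__ == "__main__":
    for label, inventory in (("as found", AS_FOUND), ("remediated", REMEDIATED)):
        g = grade_backups(inventory, "disk", "corp.local", TODAY)
        print(f"{label}: passes={g.passes()} gaps={g.gaps()} rpo_hours={g.rpo_hours}")
```

The as-found inventory passes the classic 3-2-1 checks and fails only the two elements the article calls the ones that defeat ransomware.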
EDR: Detecting the Attack Before Encryption
Endpoint detection and response (EDR) is the control most likely to catch a ransomware attack during its dwell window — the days or weeks between initial access and detonation. Traditional antivirus matches known malware signatures; ransomware crews defeat it trivially by using living-off-the-land techniques (legitimate Windows tools like PowerShell, PsExec, and WMI) and custom payloads with no known signature. EDR works differently: it watches behaviour. It flags the patterns that precede ransomware — credential dumping, suspicious process injection, mass file modification, the disabling of security tools, lateral-movement attempts — and can automatically isolate a compromised device from the network before encryption spreads.
The assessment verifies three things about your EDR, because having a product is not the same as being protected. Coverage: is EDR deployed on every endpoint and every server, or are there gaps — the receptionist's old PC, the line-of-business server everyone is afraid to touch, the personal laptops in a bring-your-own-device environment? An attacker only needs one uncovered host. Monitoring: who watches the alerts? An EDR tool that fires an alert at 2 a.m. into an inbox nobody reads is theatre. Mature deployments pair EDR with managed detection and response (MDR) — a 24/7 team that investigates and responds — because ransomware crews deliberately detonate on weekends and holidays when in-house staff are offline. Configuration: is automatic isolation enabled, are tamper-protection and the highest sensible blocking policies turned on, or is the tool running in a passive "detect-only" mode that watches the attack happen without stopping it?
EDR is powerful, but it is not a silver bullet, and any consultant who sells it as one should be treated as a red flag. It is one layer. It dramatically raises the cost and difficulty of an attack and buys you detection time, but it must be paired with immutable backups (for when detection fails), MFA and attack-surface reduction (to limit how attackers get in), and segmentation (to limit how far they spread). Organizations ready to move from assessment findings to a fully managed EDR and monitoring deployment can engage IT Cares for round-the-clock managed endpoint protection across Canadian offices, pairing the readiness roadmap with the operational team that watches the alerts and responds in the first minutes of an incident.
Network Segmentation: Containing the Blast Radius
Most SMB networks are flat: every device — workstations, servers, printers, the guest Wi-Fi, the security cameras, the personal phones — sits on a single network where everything can reach everything else. A flat network is a gift to ransomware, because once an attacker compromises a single endpoint, lateral movement to every server and every other workstation is unobstructed. Segmentation breaks the network into isolated zones so that a compromise in one zone cannot automatically spread to the others. It is the control that determines your blast radius: whether a single infected laptop becomes a single infected laptop, or becomes every file server in the company encrypted by morning.
The assessment reviews how your network is segmented and where the obvious dividing lines are missing. For a typical Canadian SMB, a pragmatic segmentation model includes: a separate VLAN for guest Wi-Fi that has zero access to internal resources; isolation of servers from general workstations, with traffic between them restricted to only the ports applications actually need; a dedicated, tightly controlled segment for backup infrastructure so that even a compromised production network cannot reach the backup targets; and isolation of any operational technology, building systems, or IoT devices (cameras, access control, point-of-sale, manufacturing equipment) that are notoriously unpatched and make ideal attacker footholds. Where the budget and risk justify it, the assessment will recommend a path toward zero-trust principles — where no device or user is trusted by default and every access request is verified — but for most SMBs, getting from a flat network to a few well-designed segments delivers the overwhelming majority of the benefit at a fraction of the cost.
Segmentation also makes detection easier. On a flat network, lateral movement looks like normal traffic. When servers, workstations, and backups live in separate segments with controlled boundaries, an endpoint suddenly trying to reach the backup server or scanning the whole network is an obvious, alertable anomaly. Segmentation and EDR reinforce each other: the boundaries create the chokepoints where suspicious behaviour becomes visible.
Phishing Defence: Closing the Most Common Front Door
Phishing remains one of the most common initial-access methods for ransomware, and Canadian businesses face a steady stream of locally tailored lures: fake CRA tax notices that spike every February and March, fake Interac e-Transfer alerts, fake Canada Post and courier delivery notices, fake Microsoft 365 password-expiry warnings, and business email compromise targeting accounts-payable staff. The assessment evaluates phishing defence as a layered problem, because no single control catches everything.
The technical layer comes first. The assessment confirms that email authentication — SPF, DKIM, and DMARC — is correctly configured and, crucially, that DMARC is set to an enforcing policy (quarantine or reject) rather than the passive "monitor-only" setting most SMBs never advance past. Without enforced DMARC, an attacker can spoof email that appears to come from your own CEO and your staff cannot tell the difference. It checks for a modern email security gateway that sandboxes attachments and rewrites links, that attachment and macro policies block the file types ransomware loaders rely on, and that Microsoft 365 (or Google Workspace) anti-phishing and safe-attachment protections are actually enabled and tuned rather than left at defaults.
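The DMARC and SPF check this layer describes, written as an added example rather than code from the article: it parses the two TXT records and reports whether the domain is actually enforcing or only monitoring. The record strings and example.com domains are constructed samples; a real review would fetch the TXT records for the client's domain and `_dmarc.<domain>`.

```python
"""Grade SPF and DMARC TXT records the way a readiness review does.

Added example, not from the article. The records below are constructed
samples so the script runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample records, not from any real domain.
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
SOFTFAIL_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"
OPEN_SPF = "v=spf1 include:_spf.example.net +all"

# SPF mechanisms that each cost a DNS lookup (RFC 7208 caps the total at 10).
_LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?::|/|$)", re.I)


@dataclass
class Finding:
    enforcing: bool                     # does this record actually stop spoofed mail?
    issues: list[str] = field(default_factory=list)
    detail: str = ""                    # SPF: qualifier on the 'all' mechanism


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into lower-cased tag -> value."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> Finding:
    """Enforcing = p is quarantine/reject, applied to 100% of mail, subdomains not exempted."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return Finding(False, ["not a DMARC record (missing v=DMARC1)"])
    issues: list[str] = []
    policy = tags.get("p", "").lower()
    enforcing = policy in ("quarantine", "reject")
    if policy == "none":
        issues.append("p=none is monitor-only: spoofed mail is still delivered")
    elif not enforcing:
        issues.append(f"p={policy or '<missing>'} is not a recognised policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: only a sample of failing mail gets the policy")
        enforcing = False
    sp = tags.get("sp")  # defaults to p; an explicit weaker sp leaves subdomains spoofable
    if sp is not None and sp.lower() not in ("quarantine", "reject"):
        issues.append(f"sp={sp}: subdomains are not enforced")
        enforcing = False
    if "rua" not in tags:
        issues.append("no rua= address: nobody receives aggregate reports")
    return Finding(enforcing, issues)


def grade_spf(record: str) -> Finding:
    """Only '-all' hard-fails unlisted senders; '~all' leans on DMARC, '+all' lets anyone send."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return Finding(False, ["not an SPF record (missing v=spf1)"])
    issues: list[str] = []
    lookups = sum(1 for t in terms[1:]
                  if _LOOKUP_MECH.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceeds the limit of 10: receivers return permerror")
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
        return Finding(False, issues, "")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "-":
        return Finding(True, issues, "-")
    hints = {"~": "~all softfails only; enforcement depends on DMARC",
             "?": "?all is neutral and protects nothing",
             "+": "+all lets any server send as this domain"}
    issues.append(hints[qualifier])
    return Finding(False, issues, qualifier)


def review_email_auth(spf_record: str, dmarc_record: str) -> str:
    """One-line verdict for the report, combining both records."""
    spf, dmarc = grade_spf(spf_record), grade_dmarc(dmarc_record)
    if not dmarc.enforcing:
        return "monitor-only"
    if spf.detail == "+":
        # +all passes SPF for every sender, so an aligned spoof passes DMARC too.
        return "dmarc-bypassable"
    return "enforced"


if __name__ == "__main__":
    for spf, dmarc in ((SOFTFAIL_SPF, MONITOR_ONLY_DMARC), (SOFTFAIL_SPF, ENFORCING_DMARC),
                       (OPEN_SPF, ENFORCING_DMARC)):
        print(review_email_auth(spf, dmarc), grade_dmarc(dmarc).issues, grade_spf(spf).issues)
```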
The human layer comes second, because no technical filter is perfect. The assessment reviews whether you run a security-awareness program with realistic phishing simulations and measurable results — not a once-a-year compliance video, but ongoing simulated phishing that trains staff to recognize and report suspicious messages, with metrics that show whether click rates are improving over time. The goal is not to shame employees who click; it is to build a culture where reporting a suspicious email is fast, easy, and rewarded, so your staff become a distributed early-warning sensor rather than the weakest link. And because even trained staff and good filters will eventually let something through, this layer ties directly back to MFA: if a phished credential cannot be used without a second factor, the most common phishing payoff is neutralized.
Incident-Response Readiness: The Plan You Hope Never to Use
Prevention reduces the likelihood of an attack; incident-response (IR) readiness reduces its impact when prevention fails. Mature ransomware defence assumes that, eventually, an attacker will get through — and prepares to respond fast, contain the damage, and recover cleanly. The assessment evaluates whether you have a documented, tested incident-response plan, because the first time your team works through "who isolates the network, who calls the lawyer, who calls the insurer, who notifies the CAI, and who talks to staff and customers" should never be during an actual breach at 7 a.m. on a Monday.
A ransomware-specific incident-response plan for a Canadian SMB should answer, in writing and in advance, a defined set of questions. The assessment checks that yours does:
- Detection and declaration. How will an incident be detected (EDR alert, MDR call, a user reporting encrypted files), and who has the authority to formally declare an incident and activate the plan?
- Containment. Who isolates affected systems and how — is there a documented, rehearsed procedure to disconnect a segment or the whole network without waiting for permission that may take hours to obtain?
- Roles and contacts. Who is the incident commander, who handles technical response, who handles communications, and who is the legal and executive decision-maker? A printed contact sheet matters because your systems — including your contact list — may be encrypted.
- External help. Is there a pre-arranged relationship with an incident-response firm and breach-coach legal counsel, with contact details on hand, so you are not negotiating a retainer mid-crisis?
- Insurer notification. Most cyber policies require you to notify the insurer immediately and to use their approved IR vendors; failing to do so can void coverage. Who calls the broker, and is the policy number in the plan?
- Regulator and legal reporting. Under PIPEDA, breaches posing a real risk of significant harm must be reported to the Office of the Privacy Commissioner and affected individuals notified. Quebec's Law 25 requires notifying the Commission d'accès à l'information for confidentiality incidents involving personal information, generally within 72 hours. The Canadian Centre for Cyber Security (CCCS) also encourages organizations to report incidents to it. Who owns each notification, and what is the clock?
- Recovery decision. What is the documented restore procedure, what is the order of restoration (which systems first), and what is the firm policy on ransom payment — which Canadian authorities, including the RCMP and CCCS, discourage?
- Communications. What do you tell staff, customers, partners, and the public, and who approves it? Silence and mixed messages cause more reputational damage than the breach itself.
For the full structure of an IR plan, see our incident response plan guide. A plan that exists only as an untested document is worth little — which is why the assessment culminates in a tabletop exercise.
The Tabletop Exercise: Rehearsing the Worst Day
A ransomware tabletop exercise is a facilitated, scenario-based walkthrough of a realistic attack, run with your leadership and key staff around a table — no systems are touched, no real damage is done. It is the single highest-leverage activity per hour of consultant time, because it surfaces the gaps that no document review ever catches: role confusion, decision-making bottlenecks, missing contacts, untested assumptions, and the uncomfortable discovery that three different people each assumed someone else would call the insurer.
A typical exercise presents an escalating scenario and pauses at decision points to ask the team what they would do. For example: It is 7:15 a.m. on a Monday. The office manager calls — every file on the shared drive has a strange extension and there is a ransom note demanding payment in cryptocurrency, threatening to publish stolen client data in 72 hours. The facilitator then drives the team through the unfolding event: Who do you call first? How do you contain it — do you pull the internet, and who has the authority and the access to do so? How do you know which data was stolen? Do you have backups, are they intact, and how long will recovery take? Who notifies the insurer, the OPC, the CAI, and the affected clients, and on what timeline? What do you tell staff arriving for work? Do you pay?
The value is in the gaps it reveals. A well-run SMB tabletop almost always uncovers concrete, fixable problems: the contact list is only stored on the now-encrypted file server; nobody knows the cyber-insurance policy number or that the policy mandates a specific IR vendor; the "tested" backup was last restored eighteen months ago; the person designated to disconnect the network is on vacation with no documented backup; and the 72-hour Law 25 clock was a complete surprise to the leadership team. Each gap becomes a remediation item. Running a tabletop annually — and after any major change to your systems or team — keeps the plan current and the muscle memory fresh. It is, dollar for dollar, the best security investment most SMBs can make, and it is included in a full readiness engagement.
How a Ransomware Readiness Assessment Works: Step by Step
A readiness assessment follows a defined, repeatable process. Here is how a structured engagement unfolds for a typical Canadian SMB:
- Kickoff and scoping (Days 1–2). The assessor meets with the owner or operations lead to define scope: which systems and sites, which data types (personal information, financial records, health data, CRA correspondence), which backup and cloud platforms, and whether a tabletop and IR plan are included. Scope determines price and ensures the report is actionable rather than generic.
- Attack-surface mapping (Days 2–5). An external review of every internet-facing service — exposed RDP, VPN and firewall firmware, mail gateways, cloud-authentication configuration, forgotten or shadow assets — to enumerate how an attacker would get in.
- Backup verification and recovery test (Days 4–8). The assessor reviews backup architecture against the 3-2-1-1-0 standard, confirms immutability/air-gap and separate backup credentials, and — where scope allows — observes or conducts a real restore to measure RTO and RPO rather than trusting the dashboard.
- EDR, segmentation & identity review (Days 5–9). EDR coverage and configuration across all endpoints and servers, network segmentation and lateral-movement exposure, MFA enforcement, privileged-access separation, and Active Directory hardening.
- Phishing & email-security review (Days 6–9). SPF/DKIM/DMARC posture, email-gateway and attachment policies, and the state of any security-awareness and phishing-simulation program.
- Tabletop exercise (Days 9–11). A facilitated ransomware scenario with leadership and key staff that stress-tests the incident-response plan and surfaces process and role gaps.
- Report, scoring & recovery roadmap (Days 11–18). A written report — typically 20–40 pages — with a scored risk register, an honest recovery-time estimate, and a phased, costed remediation roadmap, delivered with a leadership debrief that translates findings into business language and immediate actions.
The whole process for a typical 15–60-person Canadian SMB takes two to four weeks. A core assessment without the tabletop and recovery testing runs at the lower end; a full engagement with both runs longer and costs more, but delivers the evidence that actually changes outcomes.
Ransomware Readiness Assessment Fees in Canada — 2026 Benchmarks
Pricing varies by scope, the number of sites and endpoints, and whether recovery testing and a tabletop are included. As with all security work, fixed-fee, clearly scoped engagements deliver better value than open-ended hourly billing — demand a defined scope and a fixed price before you start. The table below reflects 2026 Canadian SMB market benchmarks.
| Service | Typical scope | CA$ range |
|---|---|---|
| Core ransomware readiness assessment | 15–50 employees, single site | $3,500–$9,000 |
| Readiness assessment (mid-market) | 50–200 employees, multi-site | $12,000–$30,000 |
| Backup & recovery testing (restore verification) | Immutability + full restore test | $2,500–$7,000 |
| Ransomware tabletop exercise | Half-day, up to 8 participants | $2,000–$4,500 |
| Incident-response plan development | Documented, legal-reviewed IR plan | $3,000–$8,000 |
| Full engagement (assessment + restore test + tabletop + IR plan) | 15–100 employees | $9,000–$22,000 |
| External penetration test (add-on) | SMB external perimeter, up to 50 IPs | $5,000–$12,000 |
Boutique assessors in smaller centres (Winnipeg, Halifax, Québec City) may price 10–20% below Toronto and Vancouver rates. Compare these figures to the downside: the average ransom paid in Canada sits in the seven figures, the average breach cost approaches CA$7 million, and a major incident is fatal to a meaningful share of the SMBs it hits. A readiness assessment is risk transfer at a fraction of a percent of that exposure. For the recovery economics in detail, see our business backup and disaster recovery guide.
Your Ransomware Readiness Checklist
Use this checklist to gauge your own posture before engaging an assessor. If you cannot confidently tick every box, those are precisely the gaps an assessment will document and prioritize. Every "no" is an open link in the kill chain.
- MFA everywhere — enforced on all email, remote access, admin consoles, and cloud apps, with legacy authentication disabled.
- No direct RDP exposure — remote access is behind a VPN or zero-trust gateway with MFA; no RDP port open to the internet.
- Edge devices patched — firewalls, VPN appliances, and mail gateways run current firmware with a defined SLA for critical patches.
- EDR on every endpoint and server — with monitoring (in-house or MDR), automatic isolation, and tamper protection enabled.
- 3-2-1-1-0 backups — three copies, two media, one off-site, one immutable/air-gapped, zero errors verified by restore testing.
- Backups isolated — backup system uses separate credentials from the production domain and cannot be reached by a compromised domain admin.
- Tested restore — a full restore has been performed and documented in the last quarter, with a known RTO and RPO.
- Network segmentation — guest, server, backup, and IoT/OT traffic are separated; lateral movement is constrained.
- Email authentication enforced — SPF, DKIM, and DMARC configured with DMARC at quarantine or reject.
- Security-awareness program — ongoing phishing simulation with improving, measured click rates and easy reporting.
- Documented IR plan — roles, contacts, containment steps, insurer and regulator notification, all in writing and stored off-network.
- Tabletop rehearsed — a ransomware scenario has been walked through with leadership in the last 12 months.
- Cyber insurance aligned — coverage is current, control requirements are met, and the approved IR vendor and policy number are in the plan.
Case Study: Anonymized Manufacturer, Greater Montréal (2025)
The following is a composite case study based on a typical engagement profile for a Canadian SMB. Identifying details have been changed.
The client: A 42-person plastics manufacturer in the Greater Montréal area, with a small office network, a production floor full of networked machinery, and a single IT generalist who also handled the phones. Annual revenue approximately CA$11M. They held customer designs and personal data for Quebec-based clients, putting them squarely under Law 25. A major customer had just sent a supplier-security questionnaire they could not answer, which prompted the engagement.
The engagement: A full ransomware readiness assessment — attack-surface mapping, backup verification with a live restore test, EDR and segmentation review, phishing audit, a half-day tabletop, and an incident-response plan — scoped at a fixed fee of CA$14,800.
What was found: Six critical findings. RDP was exposed directly to the internet on the office firewall with a shared administrator password and no MFA — the single most common ransomware entry point in Canada. The flat network meant the production machinery, the office workstations, and the backup server all sat on one VLAN, so a single phished laptop could reach everything. Backups ran nightly to a network share on the same domain using the domain administrator account — meaning an attacker with domain admin could delete every backup, and the "off-site" copy was a USB drive last rotated four months earlier. EDR was installed on office PCs but not on the two servers or any production-floor systems. DMARC was in monitor-only mode, so the CEO's address was trivially spoofable. And there was no incident-response plan, no documented privacy officer, and no awareness within leadership of the Law 25 72-hour reporting clock.
What the tabletop revealed: When walked through a Monday-morning encryption scenario, the team discovered the emergency contact list lived only on the file server that would be encrypted, nobody knew the cyber-insurance policy required a specific IR firm, and two people each assumed the other would disconnect the network — a fifteen-minute argument in the exercise that would have been a costly delay in reality.
The outcome: The roadmap prioritized the six critical items as a 45-day sprint: RDP was closed and replaced with a VPN-plus-MFA gateway; backups were moved to an immutable cloud target with separate credentials and a tested four-hour RTO; EDR with MDR monitoring was extended to every server and the production network was carved into segments; DMARC was moved to enforce; and an IR plan plus a Law 25 privacy-officer designation were drafted and the contact sheet printed and posted. Implementation cost roughly CA$9,200 in the first quarter plus an ongoing managed-EDR retainer. The supplier questionnaire was answered cleanly, the contract was retained, and at insurance renewal the firm qualified for a meaningful premium reduction by demonstrating MFA, immutable tested backups, EDR coverage, and a documented IR plan. The most valuable finding cost nothing to discover and little to fix: the backups everyone assumed were safe were one compromised password away from gone.
Prevention vs. Recovery: Why Mature Defence Plans for Both
It is tempting to think of ransomware defence as a wall: build it high enough and nothing gets in. That mindset is exactly why so many breaches succeed. Prevention controls — patching, MFA, EDR, phishing defence, segmentation, attack-surface reduction — reduce the likelihood of a successful attack, and they matter enormously. But no wall is perfect against an industry of attackers who only need to be right once. Recovery controls — immutable tested backups, a rehearsed incident-response plan, cyber insurance, and a communications playbook — reduce the impact when prevention inevitably fails somewhere.
A readiness assessment is deliberately built around both halves, and the most important shift in mindset it delivers is this: assume breach. Design your defences as though an attacker will eventually get a foothold, and ask not only "how do we keep them out?" but "when they get in, how do we detect them in the dwell window, how do we limit how far they spread, and how do we recover without paying?" An organization that has invested only in prevention and neglected recovery is one zero-day or one convincing phishing email away from a catastrophe. An organization with mature recovery — backups an attacker cannot touch, a restore tested to a known RTO, and a team that has rehearsed the worst day — can absorb an incident that would end a less-prepared competitor.
This is why the assessment scores both sides and why the roadmap sequences them together. Phase 1 closes the cheapest, highest-impact prevention gaps (MFA, RDP exposure, EDR coverage) and the most critical recovery gap (immutable, isolated, tested backups) simultaneously — because those two together stop the majority of SMB ransomware events from becoming business-ending ones. For the broader strategic context of where ransomware readiness fits in your security program, see our small business cybersecurity hub and our cybersecurity consulting guide.
Frequently Asked Questions
What is a ransomware readiness assessment?
A ransomware readiness assessment is a structured evaluation of how exposed your organization is to a ransomware attack and how well it could recover from one. It maps your external attack surface, verifies that backups are immutable and isolated, confirms EDR coverage, reviews network segmentation and phishing defences, and tests your incident-response plan with a tabletop exercise. The output is a written report with a scored risk register, an honest recovery-time estimate, and a prioritized, costed remediation roadmap.
How much does a ransomware prevention assessment cost in Canada?
A scoped ransomware readiness assessment for a 15-to-50-person Canadian SMB typically costs CA$3,500–$9,000. A full engagement adding live backup-recovery testing, a tabletop exercise, and an incident-response plan runs CA$9,000–$22,000. External penetration testing is a separate add-on at CA$5,000–$12,000. Insist on a fixed fee with a defined scope before signing — open-ended hourly billing almost always costs more in total.
What is the 3-2-1-1-0 backup rule?
The 3-2-1-1-0 rule is the modern, ransomware-resistant evolution of 3-2-1: keep three copies of your data, on two different media types, with one copy off-site, one copy immutable or air-gapped, and zero backup errors verified by regular restore testing. The immutable/air-gapped copy and the zero-error verification are the elements that defeat ransomware, because they stop an attacker with full administrative access from encrypting or deleting your backups before detonating the attack.
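The rule above, together with the backup-isolation item from the readiness checklist, can be applied to a backup inventory programmatically. The following is an added example, not the page's or any vendor's tooling; the two inventories are constructed to mirror the case study's backups as found and after remediation, and the domain name, dates and realm names are placeholders.

```python
# Added example (not the page's or any vendor's tooling): 3-2-1-1-0 plus isolation check; inventories are constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                   # "disk", "usb", "tape", "cloud-object", ...
    credential_realm: str        # identity domain whose credentials can delete it
    last_copy: date
    offsite: bool = False
    immutable: bool = False      # object lock / WORM / truly air-gapped
    last_restore_test: date | None = None
    restore_errors: int = 0      # errors logged by the last restore test

def assess_backups(backups, production_realm, today, rpo_days=1, test_age_days=90):
    """Return failed checks (empty = 3-2-1-1-0 and isolation hold); live data on disk is copy one."""
    media = {"disk"} | {c.media for c in backups}
    recent = [c for c in backups if c.last_restore_test
              and (today - c.last_restore_test).days <= test_age_days]
    rules = [
        (len(backups) + 1 >= 3, f"3: only {len(backups) + 1} copies of the data"),
        (len(media) >= 2, "2: every copy is on one media type"),
        (any(c.offsite for c in backups), "1: no off-site backup"),
        (any(c.immutable for c in backups), "1: no immutable or air-gapped backup"),
        (bool(recent), f"0: no restore test in the last {test_age_days} days"),
        (not any(c.restore_errors for c in recent), "0: last restore test had errors"),
    ]
    failures = [msg for ok, msg in rules if not ok]
    for c in backups:
        age = (today - c.last_copy).days
        if age > rpo_days:
            failures.append(f"rpo: {c.name} is {age} days old")
        # Deletable with production-domain credentials: one compromised domain admin away from gone.
        if c.credential_realm == production_realm:
            failures.append(f"isolation: {c.name} deletable with {production_realm} credentials")
    return failures

TODAY, PROD = date(2025, 6, 2), "corp.local"   # constructed assessment date and AD domain
BEFORE = [  # as found: share on the production domain, USB "off-site" rotated four months ago
    BackupCopy("nightly-share", "disk", PROD, date(2025, 6, 1)),
    BackupCopy("usb-offsite", "usb", PROD, date(2025, 2, 1), offsite=True),
]
AFTER = [  # after remediation: separate credentials, immutable cloud copy, tested restore
    BackupCopy("local-appliance", "disk", "backup-vault", date(2025, 6, 1),
               last_restore_test=date(2025, 5, 20)),
    BackupCopy("cloud-immutable", "cloud-object", "cloud-tenant", date(2025, 6, 1),
               offsite=True, immutable=True, last_restore_test=date(2025, 5, 20)),
]
```

Running `assess_backups(BEFORE, PROD, TODAY)` reports the missing immutable copy, the absent restore test, the stale USB copy and both isolation failures, while the remediated inventory returns an empty list.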
Does EDR stop ransomware?
Endpoint detection and response (EDR) significantly reduces ransomware risk by detecting the behaviours that precede encryption — credential dumping, lateral movement, suspicious PowerShell, mass file changes — and can automatically isolate an infected device. But EDR is not sufficient alone. It must be paired with immutable backups, MFA, attack-surface reduction, network segmentation, and a tested response plan, because no single control stops every attack chain. EDR also needs someone watching the alerts, which is why mature deployments add 24/7 managed detection and response.
How long does a ransomware readiness assessment take?
For a typical 15-to-50-person Canadian SMB, a ransomware readiness assessment takes two to four weeks: roughly one week for attack-surface mapping and backup verification, one week for EDR, segmentation, and phishing review, and one to two weeks to run a tabletop exercise and produce the written report and recovery roadmap. Larger, multi-site organizations should budget four to eight weeks for a full engagement.
Do we have to report a ransomware attack in Canada?
In most cases, yes. Under PIPEDA you must report breaches posing a real risk of significant harm to the Office of the Privacy Commissioner and notify affected individuals. Quebec's Law 25 requires notifying the Commission d'accès à l'information for any confidentiality incident involving personal information, generally within 72 hours, and recording it in a register. Ransomware that touches personal data almost always triggers these obligations, and the Canadian Centre for Cyber Security encourages reporting incidents to help track the national threat picture.
Should we pay the ransom?
Canadian authorities, including the RCMP and the Canadian Centre for Cyber Security, discourage paying ransoms. Payment funds criminal operations, does not guarantee you will get your data back or that stolen copies will be deleted, may breach sanctions law if the group is sanctioned, and marks you as a payer for future attacks. A readiness assessment exists precisely so that tested, immutable backups and a rehearsed recovery plan make payment unnecessary — turning a ransom demand into a restore operation.
What is the difference between ransomware prevention and ransomware recovery?
Prevention reduces the likelihood of a successful attack — patching, MFA, EDR, phishing defence, segmentation, and attack-surface reduction. Recovery reduces the impact when prevention fails — immutable tested backups, a documented incident-response plan, cyber insurance, and a communications playbook. A readiness assessment evaluates both, because mature ransomware defence assumes prevention will eventually be breached and plans for fast, clean recovery without paying a ransom.