How to prevent ransomware attacks
Part of the Small Business Cybersecurity series.
To prevent ransomware attacks, close the three doors attackers use most: stolen logins, unpatched software, and malicious email. That means enabling multi-factor authentication everywhere, patching systems promptly, filtering email, deploying endpoint detection, restricting admin rights, and keeping tested offline backups. No single tool stops ransomware — layered prevention plus a recovery plan is what keeps a Canadian business running when criminals come knocking.
How ransomware actually gets in
Understanding the entry points tells you where to spend defensive effort. Ransomware most commonly arrives through:
- Phishing emails with malicious attachments or links that download the payload.
- Stolen or weak credentials used to log into remote access tools like RDP and VPNs.
- Unpatched vulnerabilities in software, servers, and edge devices.
- Compromised software or vendors in your supply chain.
Once inside, modern ransomware often waits, spreads laterally, deletes backups, and steals data before encrypting — so prevention has to address the whole chain, not just the final encryption step.
The highest-impact prevention controls
If you do only a handful of things, do these:
- Multi-factor authentication on email, VPN, remote access, and admin accounts — this blocks most credential-based intrusions.
- Prompt patching of operating systems, browsers, and internet-facing devices.
- Endpoint detection and response (EDR) that can spot and halt encryption behaviour automatically.
- Email filtering to strip malicious attachments and links before staff see them.
- Least privilege: remove local admin rights so malware cannot spread freely.
Together these address the email, credential, and patch gaps responsible for the overwhelming majority of incidents.
Backups: your last line of defence
Backups are what let you say no to a ransom demand. But attackers now hunt for and delete backups first, so they must be designed to survive an attack. Follow the 3-2-1 rule: three copies, on two types of media, with one kept offsite and offline or immutable.
Critically, a backup you have never restored is just a hope. Test restores regularly so you know how long recovery actually takes and that the data is intact. Keep at least one copy disconnected (air-gapped) or write-protected (immutable) so ransomware cannot reach it. Document who restores what, and in what order, before you ever need it.
Preparing your people and your plan
Technology stops most attacks; trained people and a rehearsed plan handle the rest. Run regular security-awareness training and phishing simulations so staff recognize and report suspicious email instead of clicking.
Equally important is a written incident-response plan that answers, in advance: who to call, how to isolate infected machines, where backups live, how to notify customers, and your legal duties. Under PIPEDA — and Quebec's Law 25 — a ransomware breach involving personal data can require reporting to regulators and affected individuals. Knowing your obligations ahead of time prevents panicked, costly mistakes during an active incident.
FAQ
Should a business ever pay the ransom?
Authorities and most experts advise against paying. Payment funds criminal activity, offers no guarantee your data is restored, and marks you as a willing target for future attacks. With tested offline backups and a recovery plan, you can usually restore operations without paying. Always involve law enforcement and legal counsel before making any decision.
What is the most effective single defence against ransomware?
There is no silver bullet, but multi-factor authentication combined with tested, offline backups comes closest. MFA blocks most credential-based intrusions that lead to ransomware, while immutable or air-gapped backups ensure you can recover without paying. Layer these with patching and endpoint detection for robust, defence-in-depth protection.
How often should we test our backups?
Test restores at least quarterly, and after any major system change. Many businesses discover during a crisis that their backups are incomplete, corrupted, or take days to restore. Regular test restores confirm the data is intact, measure your real recovery time, and verify that at least one copy remains beyond ransomware's reach.
Can antivirus alone stop ransomware?
No. Traditional antivirus catches known threats but misses new and fileless attacks. Modern endpoint detection and response (EDR) is far better because it watches behaviour and can halt encryption in progress. Even then, antivirus and EDR are only one layer — they work best alongside MFA, patching, email filtering, and offline backups.