Ransomware is no longer a big-company problem—it’s a small-business cash-flow crisis waiting to happen. Attackers know most SMBs rely on a handful of systems, a few key people, and thin margins. One encrypted file server or payroll laptop can halt operations, trigger missed invoices, and burn customer trust. The good news: a focused, step-by-step plan can dramatically lower your risk and speed up recovery if something slips through.

Use the checklist below to evaluate your current cybersecurity posture today. Give yourself 1 point for each of the 12 sections in which you can honestly check every box (12 points maximum). Anything left blank becomes a concrete action item. Aim for steady progress, not perfection—an IT management partner can help you close gaps fast.

How to Use This Checklist

  • Copy this into your task tool or print it.

  • Check each item you already meet.

  • Prioritize un-checked items by business impact and ease of implementation.

  • Re-score quarterly or after any major change (new software, new office, acquisitions).

1) Know What You’re Protecting (Assets & Data Map)

Your defense can’t be stronger than your visibility. Start by documenting the “crown jewels.”

Checklist

  • I have an up-to-date inventory of laptops, servers, cloud apps, and critical third-party tools.

  • I know where sensitive data lives (e.g., finance, HR, client records) and who can access it.

  • I’ve identified the business-critical systems that must be restored first.

2) Backups That Actually Restore (3-2-1 + Immutable)

Ransomware’s worst enemy is a tested, offline-capable backup.

Checklist

  • We follow 3-2-1: 3 copies of the data, on 2 different media types, with 1 copy offsite (and ideally offline or otherwise unreachable from the production network).

  • At least one backup set is immutable for a defined retention period (it cannot be altered or deleted before that period expires, even with administrator credentials).

  • We test restores monthly, time them, and record the measured recovery time and data loss against our Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

  • Cloud apps (e.g., Microsoft 365, Google Workspace, CRM) have dedicated backup—not just recycle bins.
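As an added illustration (not part of the original checklist), here is a Python restore-test harness that captures a SHA-256 manifest at backup time, restores the archive into a fresh directory, verifies every file against the manifest, and reports restore time and backup age against the RTO and RPO you pass in. The directory names, sample files and thresholds are constructed for the demo; a real job would point `verify()` at your backup software's restore output and keep the manifest somewhere the backup job cannot overwrite.

```python
"""Restore-test harness (added example). Backs up a directory to a tar.gz,
records a SHA-256 manifest at backup time, restores into a fresh directory,
and checks every restored file against the manifest. It also reports how long
the restore took (compare with your RTO) and how old the backup is (compare
with your RPO). Paths, thresholds and sample files are constructed for the demo."""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")


def back_up(source: Path, archive: Path) -> dict:
    """Write source to a tar.gz and a manifest beside it; returns the manifest."""
    manifest = {"created": time.time(), "files": build_manifest(source)}
    with tarfile.open(archive, "w:gz") as tar:
        for child in source.iterdir():
            tar.add(child, arcname=child.name)
    manifest_path(archive).write_text(json.dumps(manifest))
    return manifest


def verify(expected: dict[str, str], restored_root: Path) -> tuple[list[str], list[str]]:
    """Compare a restored tree with the manifest; returns (missing, corrupted)."""
    restored = build_manifest(restored_root)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(p for p, digest in expected.items()
                       if p in restored and restored[p] != digest)
    return missing, corrupted


def restore_and_verify(archive: Path, target: Path,
                       rto_seconds: float, rpo_seconds: float) -> dict:
    """Restore the archive into target and score the result against RTO/RPO."""
    manifest = json.loads(manifest_path(archive).read_text())
    start = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # refuses path traversal and links outside target
        except TypeError:                          # older Python without the filter argument
            tar.extractall(target)
    elapsed = time.monotonic() - start
    missing, corrupted = verify(manifest["files"], target)
    age = time.time() - manifest["created"]
    return {
        "restore_seconds": round(elapsed, 3),
        "backup_age_seconds": round(age, 1),
        "missing": missing,
        "corrupted": corrupted,
        "meets_rto": elapsed <= rto_seconds,
        "meets_rpo": age <= rpo_seconds,
        "ok": not missing and not corrupted and elapsed <= rto_seconds and age <= rpo_seconds,
    }


def run_demo() -> dict:
    """Constructed sample: a tiny 'file server' backed up and restored twice,
    the second time with one restored file damaged to show the check firing."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "payroll.csv").write_text("employee,amount\nalice,4200\n")
        (src / "clients.db").write_bytes(os.urandom(4096))
        (src / "README.txt").write_text("constructed sample data\n")
        archive = tmp / "fileserver.tar.gz"
        manifest = back_up(src, archive)

        clean = restore_and_verify(archive, tmp / "restore1", rto_seconds=600, rpo_seconds=86400)

        damaged_root = tmp / "restore2"
        restore_and_verify(archive, damaged_root, rto_seconds=600, rpo_seconds=86400)
        # Simulate payroll.csv coming back unreadable (e.g., the backup captured an
        # already-encrypted file); the manifest comparison must catch it.
        (damaged_root / "finance" / "payroll.csv").write_bytes(b"\x00ENCRYPTED\x00")
        missing, corrupted = verify(manifest["files"], damaged_root)
        return {"clean": clean, "damaged_missing": missing, "damaged_corrupted": corrupted}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as a script and it prints both reports. The point of the second restore is the one most SMB backup jobs never test: a backup that completes "successfully" can still contain files that were already encrypted when the job ran, and only a content check against a manifest taken from known-good data will tell you.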

3) Patch & Vulnerability Management (Speed Beats Sophistication)

Most ransomware operators reuse known flaws. Closing them quickly is your easiest win.

Checklist

  • Critical security updates are deployed within 7–14 days (sooner if the flaw is known to be actively exploited, e.g., listed in CISA's Known Exploited Vulnerabilities catalog).

  • We run weekly vulnerability scans and track remediation.

  • Unsupported/end-of-life systems are isolated or retired on a plan.

4) Identity Hardening (MFA Everywhere That Matters)

Credentials are the attacker’s skeleton key. Make them useless on their own.

Checklist

  • MFA is enforced for email, VPN, remote desktop, admin accounts, and core SaaS apps, with phishing-resistant methods (FIDO2 security keys or passkeys) for administrators wherever the platform supports them.

  • We use a password manager and require strong, unique passwords.

  • Conditional access (geo/IP/device posture) limits high-risk logins.

  • Privileged accounts are separate from everyday user accounts.

5) Email & Web Security (Block the Bait)

Most ransomware starts with a phish. Filter it before humans ever see it.

Checklist

  • Advanced email security is enabled (malware scanning, URL rewriting with time-of-click checks, attachment sandboxing).

  • SPF, DKIM, and DMARC are configured, and DMARC is at an enforcing policy (p=quarantine or p=reject); p=none only reports on spoofing and does not block it.

  • High-risk file types from the internet are blocked or auto-detonated in a sandbox.

  • Browser isolation or DNS filtering reduces malicious web exposure.
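An added example (not from the original article): an offline Python checker that reads the SPF and DMARC TXT records you publish and flags the settings that leave a domain spoofable. The example.com records below are constructed; the two include targets are the standard ones for Google Workspace and Microsoft 365. DKIM is deliberately left out, since confirming that a selector key exists and is long enough requires a DNS lookup.

```python
"""Offline SPF/DMARC record checker (added example). Paste in the TXT records you
publish (or intend to publish) and it flags settings that leave the domain
spoofable. DKIM is not checked here: key presence and length live in your
mail provider's console and need a DNS lookup to confirm."""
import re
from dataclasses import dataclass

LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "ptr", "redirect"}
RANK = {"low": 0, "medium": 1, "high": 2}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class Finding:
    severity: str   # "low" | "medium" | "high"
    message: str


def _mechanism(term: str) -> str:
    """'include:_spf.example.com' -> 'include', '~all' -> 'all', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(record: str) -> list[Finding]:
    findings: list[Finding] = []
    if not record.strip().lower().startswith("v=spf1"):
        return [Finding("high", "no SPF record (v=spf1) published")]
    terms = record.split()[1:]
    all_terms = [t for t in terms if _mechanism(t) == "all"]
    if not all_terms:
        findings.append(Finding("high", "SPF has no 'all' term; unlisted senders are not failed"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("high", "SPF ends with +all: any host on the internet passes"))
        elif qualifier == "?":
            findings.append(Finding("medium", "SPF ends with ?all (neutral); use ~all or -all"))
    # Each of these mechanisms costs a DNS lookup; RFC 7208 caps a record at 10
    # (nested includes also count, which an offline check cannot see).
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(Finding("medium", f"SPF needs {lookups} DNS lookups; receivers return permerror after 10"))
    return findings


def check_dmarc(record: str) -> list[Finding]:
    findings: list[Finding] = []
    if not record.strip().lower().startswith("v=dmarc1"):
        return [Finding("high", "no DMARC record (v=DMARC1) published at _dmarc.<domain>")]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("high", "DMARC p=none only monitors; spoofed mail is still delivered"))
    elif policy not in POLICY_RANK:
        findings.append(Finding("high", f"DMARC policy missing or invalid: p={policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(Finding("medium", f"DMARC pct={pct}: policy applied to only {pct}% of failing mail"))
    sp = tags.get("sp", "").lower()
    if sp and POLICY_RANK.get(sp, -1) < POLICY_RANK.get(policy, -1):
        findings.append(Finding("medium", f"subdomain policy sp={sp} is weaker than p={policy}; subdomains stay spoofable"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address: you will not receive aggregate reports"))
    return findings


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Combined verdict: 'spoofable' when any high-severity finding is present."""
    findings = check_spf(spf_record) + check_dmarc(dmarc_record)
    worst = max((f.severity for f in findings), key=RANK.get, default=None)
    return {"findings": findings, "worst": worst,
            "spoofable": any(f.severity == "high" for f in findings)}


# Constructed records for example.com: a common 'weak' pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        result = assess(spf, dmarc)
        print(f"{label}: spoofable={result['spoofable']}")
        for f in result["findings"]:
            print(f"  [{f.severity}] {f.message}")
```

The weak pair is what many tenants look like after the provider's setup wizard: SPF with `+all` (every host passes) and DMARC parked at `p=none`, which generates reports but delivers the spoofed mail anyway. Move to `p=quarantine` once the aggregate reports show only your own senders, then to `p=reject`.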

6) Endpoint Protection (EDR, Not Just Antivirus)

Modern ransomware moves fast and laterally; you need detection and response, not signatures only.

Checklist

  • All endpoints run EDR/XDR with 24/7 alerting.

  • Local admin rights are removed for standard users.

  • USB storage is restricted or monitored.

  • Application control/allow-listing is enabled for critical systems.

7) Network Resilience (Segment & Shut the Doors)

Limit “blast radius” so one compromised device doesn’t become an outage.

Checklist

  • Remote Desktop Protocol (RDP) is disabled externally or tightly gated behind VPN/MFA.

  • Internal networks are segmented (servers, users, IoT/guest separated).

  • Firewalls block east-west traffic not explicitly required.

  • Exposed services are kept to a minimum; unused ports and services are closed.

8) Configuration Hardening (Secure by Default)

Small tweaks remove an entire class of attacks.

Checklist

  • Office macros from internet-sourced files are blocked, and PowerShell and other script interpreters are restricted (and their activity logged) for non-admin users.

  • Auto-run is disabled; file extensions are shown by default.

  • Security baselines (CIS/Microsoft) are applied to Windows, macOS, and SaaS tenants.

  • Endpoint disk encryption (BitLocker/FileVault) is enforced, and recovery keys are escrowed centrally (in the identity or MDM tenant) so a locked device doesn't become its own outage.

9) Human Firewall (Training That Sticks)

People can be your strongest control—if training is practical and ongoing.

Checklist

  • New-hire security onboarding within their first week.

  • Quarterly micro-training (10–15 minutes) covering phishing, social engineering, and safe data handling.

  • Phishing simulations with targeted coaching for clickers (no shaming).

  • A simple, well-known way to report suspicious emails (e.g., “Report Phish” button).

10) Monitoring & Logging (See Trouble Early)

If you can’t see it, you can’t stop it—or prove what happened.

Checklist

  • Centralized logs (SIEM/XDR) from endpoints, firewalls, identity, and cloud services.

  • Alerts are triaged 24/7 (internal or managed SOC).

  • We retain logs long enough to investigate (at least 90 days, ideally 1 year).

  • High-fidelity alerts trigger an on-call process.
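An added example (not from the original article) of the kind of high-fidelity detection you would run in a SIEM or EDR over file-activity events: a sliding-window rule that fires when one process changes many distinct files within a minute (scored higher when they share a single new extension), plus a tripwire on a canary folder that no legitimate user opens. The event format, field names, thresholds and the sample log are all constructed for the demo; map them to whatever your file-audit feed actually emits.

```python
"""Ransomware early-warning rules over file-activity events (added example).
Input is one JSON object per line, in time order, in the shape a SIEM or EDR
file-audit feed typically provides: ts, host, user, process, action, path.
Two rules: (1) one process changing many distinct files within a short window,
scored higher when they share a new extension; (2) any touch of a canary
folder that legitimate users never open. Field names, thresholds and the
sample events are constructed for this demo."""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

WINDOW_SECONDS = 60            # sliding window per (host, process)
BURST_THRESHOLD = 20           # distinct files changed inside the window
CANARY_MARKER = "\\_canary\\"  # a folder that only an attacker's sweep would touch
CHANGE_ACTIONS = {"write", "rename", "delete"}


def parse_event(line: str) -> dict:
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def detect(lines) -> list[dict]:
    """Run both rules over time-ordered JSON lines; returns alerts in the order raised."""
    alerts: list[dict] = []
    windows: dict[tuple, deque] = defaultdict(deque)   # (host, process) -> [(ts, path)]
    burst_raised: set = set()                            # alert once per (host, process)
    for line in lines:
        if not line.strip():
            continue
        e = parse_event(line)
        key = (e["host"], e["process"])
        if CANARY_MARKER in e["path"].lower():
            alerts.append({"severity": "high", "rule": "canary-file-touched",
                           "host": e["host"], "user": e["user"], "process": e["process"],
                           "path": e["path"], "ts": e["ts"].isoformat()})
        if e["action"] not in CHANGE_ACTIONS:
            continue
        window = windows[key]
        window.append((e["ts"], e["path"]))
        while window and (e["ts"] - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        distinct = {path for _, path in window}
        if len(distinct) >= BURST_THRESHOLD and key not in burst_raised:
            ext, count = Counter(PureWindowsPath(p).suffix.lower() for p in distinct).most_common(1)[0]
            share = count / len(distinct)
            alerts.append({"severity": "high" if share >= 0.8 else "medium",
                           "rule": "mass-file-change", "host": e["host"], "user": e["user"],
                           "process": e["process"], "files": len(distinct),
                           "top_extension": ext, "share": round(share, 2),
                           "first_seen": window[0][0].isoformat(), "ts": e["ts"].isoformat()})
            burst_raised.add(key)
    return alerts


def sample_log() -> list[str]:
    """Constructed events: routine activity, then a .locked sweep by one process,
    then a ransom note and a hit on the canary folder."""
    base = datetime(2024, 5, 6, 2, 14, 0, tzinfo=timezone.utc)

    def ev(secs, host, user, process, action, path):
        return json.dumps({"ts": (base + timedelta(seconds=secs)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                           "host": host, "user": user, "process": process,
                           "action": action, "path": path})

    lines = [
        ev(0, "FS01", "svc-backup", "backup.exe", "write", r"D:\backups\2024-05-06.bak"),
        ev(5, "WS07", "amy", "EXCEL.EXE", "write", r"\\FS01\Finance\Q2-forecast.xlsx"),
        ev(40, "WS07", "amy", "EXCEL.EXE", "write", r"\\FS01\Finance\Q2-forecast.xlsx"),
    ]
    for i in range(30):   # 30 invoices renamed to .locked in 30 seconds
        lines.append(ev(100 + i, "FS01", "jsmith", "update.exe", "rename",
                        rf"\\FS01\Finance\invoices\inv-{i:03d}.pdf.locked"))
    lines.append(ev(131, "FS01", "jsmith", "update.exe", "write", r"\\FS01\Finance\README_TO_DECRYPT.txt"))
    lines.append(ev(135, "FS01", "jsmith", "update.exe", "write", r"\\FS01\Finance\_canary\payroll-2019.xlsx.locked"))
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(json.dumps(alert))
```

Running the script prints two alerts: the mass-change rule fires at the 20th renamed invoice (well before the sweep finishes), and the canary rule fires the moment the decoy folder is touched. Both are the kind of event worth paging someone for at 2 a.m.; the routine backup and spreadsheet edits at the top of the sample produce nothing, which is the other half of a high-fidelity rule.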

11) Incident Response (Decisions on Paper, Not in Panic)

Pre-decide who does what, when, and in what order.

Checklist

  • A written IR plan names roles, contacts (IT, legal, insurance, PR), and decision thresholds.

  • We maintain an out-of-band contact method (phone tree or secure messaging).

  • Tabletop exercises are run at least annually (include executives).

  • A clean-room recovery plan exists to rebuild from known-good images and backups.

12) Third-Party & Insurance (Your Extended Perimeter)

Vendors and carriers matter when minutes do.

Checklist

  • Vendors with network or data access have MFA, patching, and least-privilege enforced.

  • Stale vendor accounts are promptly removed; access is time-boxed.

  • Cyber insurance is in place, and we meet its security control requirements.

  • We have retainer details for breach counsel and IR forensics (or know how to activate via insurance).

Quick Self-Score (1 point per fully checked section, 12 maximum)

  • 10–12: Strong posture. Keep testing and refining.

  • 6–9: Good foundation—prioritize backups, MFA, EDR, and email security next.

  • 0–5: High risk. Focus on backups/restore tests, MFA everywhere, and patching immediately.

Common Red Flags to Fix First

  • Shared admin passwords or single admin account used by multiple people.

  • Remote desktop exposed directly to the internet.

  • Backups reachable from the production network and deletable with everyday user or admin credentials.

  • “Set and forget” antivirus without EDR or 24/7 monitoring.

  • No written recovery order (which systems come back first).

A 30-Day Action Plan (Practical & Doable)

Week 1: Turn on tenant-wide MFA, disable external RDP, snapshot current backups, and perform a single test restore.
Week 2: Roll out EDR to all endpoints, remove local admin for standard users, and apply security baselines.
Week 3: Configure email authentication (SPF/DKIM/DMARC, starting DMARC at p=none for reporting and moving to quarantine/reject once the reports show only your own senders), enable attachment/link protection, start DNS filtering.
Week 4: Run a tabletop exercise, finalize your IR playbook, and schedule monthly restore tests and quarterly training.

How an IT Management Partner Helps

An experienced IT management company can accelerate your progress without disrupting business:

  • Fractional security leadership: Set policy, prioritize controls, and align with budgets.

  • Done-for-you operations: Patch management, EDR monitoring, backup testing, and alert triage 24/7.

  • Rapid incident support: Containment, forensics coordination, and clean-room rebuilds.

  • Compliance alignment: Map controls to frameworks your customers or regulators expect.

Final Word

Ransomware readiness isn’t a one-time project—it’s a routine. Use this checklist to establish the basics, then improve a little every quarter. If you want help implementing any of the items above—especially MFA, EDR, backup/restore testing, and IR planning—partnering with a trusted IT management team can turn this list into a living, breathing security program that keeps your business running.