Ransomware Protection for Small Business: What Actually Works
7 min read · May 2026
Small businesses now account for more than half of all ransomware attacks. The reason is simple: you're a softer target than an enterprise, and you're more likely to pay because you can't afford weeks of downtime. The average ransom paid by a small business is $36,000. The average total cost of recovery — including downtime, lost data, and remediation — is closer to $200,000.
The good news: most ransomware attacks are preventable with a handful of basic measures. Here's what actually works, ranked by impact.
What actually works
Offline, tested backups
High impact: The single most important thing. If ransomware encrypts your files, a recent backup means you recover in hours instead of paying tens of thousands of dollars. The key word is 'tested' — most businesses have backups they've never verified actually work.
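What 'tested' means in practice is a restore drill: pull files back out of the backup and confirm they match what was backed up, and confirm the backup is recent enough to be useful. The script below is an added example (not from the original article, and not any backup vendor's tooling) that does exactly that against a small constructed data set in a temporary directory. It assumes a backup layout where a manifest of SHA-256 hashes is written at backup time; the seven-day freshness limit is an assumed policy, not a figure from the article.

```python
"""Verify that a backup is recent and actually restorable.

Added example, not from the original article. It builds a small
constructed data set in a temporary directory, so it runs offline
without touching any real backup. Assumed design: the backup holds a
manifest (path -> SHA-256) written at backup time, and a 'test restore'
copies files out and re-hashes them.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

MAX_BACKUP_AGE_DAYS = 7  # assumed policy: flag a newest backup older than a week


def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_dir):
    """Copy source_dir into backup_dir/data and write a manifest of file hashes."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(backup_dir, "data", rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_file(src)
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump({"created": time.time(), "files": manifest}, f)
    return manifest


def verify_backup(backup_dir, restore_dir, max_age_days=MAX_BACKUP_AGE_DAYS):
    """Do a test restore into restore_dir and return findings.

    Findings: too_old (bool), missing (list), corrupt (list), ok (count),
    restorable (True only if every check passed).
    """
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    age_days = (time.time() - manifest["created"]) / 86400
    findings = {"too_old": age_days > max_age_days, "missing": [], "corrupt": [], "ok": 0}
    for rel, expected in manifest["files"].items():
        src = os.path.join(backup_dir, "data", rel)
        if not os.path.exists(src):
            findings["missing"].append(rel)
            continue
        dst = os.path.join(restore_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)  # the actual test restore
        if sha256_file(dst) != expected:
            findings["corrupt"].append(rel)
        else:
            findings["ok"] += 1
    findings["restorable"] = (
        not findings["too_old"] and not findings["missing"] and not findings["corrupt"]
    )
    return findings


def demo():
    """Constructed scenario: back up two files, silently damage one copy, verify."""
    work = tempfile.mkdtemp()
    src, bak, restore = (os.path.join(work, d) for d in ("src", "backup", "restore"))
    os.makedirs(src)
    with open(os.path.join(src, "invoices.csv"), "w") as f:
        f.write("id,amount\n1,100\n")
    with open(os.path.join(src, "customers.txt"), "w") as f:
        f.write("Alice\nBob\n")
    make_backup(src, bak)
    # Simulate a broken backup job or bit-rot on one stored file.
    with open(os.path.join(bak, "data", "customers.txt"), "w") as f:
        f.write("Alice\n")
    findings = verify_backup(bak, restore)
    shutil.rmtree(work)
    return findings


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that a backup can look complete (every file is present) and still fail a restore; only re-hashing restored files catches that. Run this kind of check on a schedule and treat a non-restorable result as an incident, not a warning.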
Multi-factor authentication (MFA) on everything
High impact: Most ransomware gets in through stolen credentials. MFA means a stolen password alone isn't enough. Enable it on email, cloud storage, banking, and any remote access tools. It takes 10 minutes to set up and eliminates a massive attack surface.
Email filtering and phishing training
High impact: Over 90% of ransomware starts with a phishing email. A good email filter catches most of them. Staff training catches the rest. One 30-minute phishing awareness session can prevent a $200k incident.
Software and firmware updates
Medium impact: Ransomware frequently exploits known vulnerabilities in unpatched software. Keeping Windows, applications, routers, and firewalls up to date eliminates a huge category of attack. Automate this wherever possible.
Endpoint detection (EDR) software
Medium impact: Better than standard antivirus. EDR tools detect suspicious behavior — not just known malware signatures — and can stop an attack in progress. For businesses with 5+ workstations, this is worth the investment.
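To make "detects suspicious behavior" concrete: one classic ransomware signal is a single process rewriting many files in a short window and changing their extensions as it goes. The code below is an added example (not from the article and not any vendor's EDR logic) that runs that heuristic over a constructed file-event log. The log format, process names, thresholds and the ".enc" extension are all made up for illustration; a real EDR product has far richer telemetry and tuning.

```python
"""Behavioural heuristic of the kind EDR tools use: flag a process that
rewrites many distinct files in a short window and changes their
extensions while doing so.

Added example, not part of the original article and not any vendor's
EDR logic. The event log format and sample events are constructed.
"""
from collections import defaultdict, deque
import os

WINDOW_SECONDS = 60   # assumed: examine activity within a one-minute window
FILE_THRESHOLD = 20   # assumed: this many distinct files rewritten is suspicious
RENAME_RATIO = 0.5    # assumed: at least half of those writes changed the extension


def build_sample_events():
    """Constructed sample log: '<epoch> <process> <op> <old path> -> <new path>'."""
    events = []
    base = 1_700_000_000
    docs = "C:\\Docs"
    # Normal editing: a word processor saving two documents, no extension change.
    events.append(f"{base} winword.exe write {docs}\\report.docx -> {docs}\\report.docx")
    events.append(f"{base + 30} winword.exe write {docs}\\budget.docx -> {docs}\\budget.docx")
    # Legitimate high volume: a backup agent touches 40 files but keeps every name.
    for i in range(40):
        events.append(f"{base + 100 + i} backup.exe write {docs}\\f{i}.txt -> {docs}\\f{i}.txt")
    # Suspicious: an unknown process renames 25 files to a new extension in ~10 seconds.
    for i in range(25):
        events.append(
            f"{base + 500 + i // 3} svc_update.exe rename {docs}\\f{i}.txt -> {docs}\\f{i}.txt.enc"
        )
    return events


def parse_event(line):
    """Split one constructed log line into (timestamp, process, op, old_path, new_path)."""
    ts, proc, op, rest = line.split(" ", 3)
    old, new = [p.strip() for p in rest.split("->")]
    return int(ts), proc, op, old, new


def detect_mass_rewrite(lines, window=WINDOW_SECONDS, threshold=FILE_THRESHOLD,
                        ratio=RENAME_RATIO):
    """Return {process: timestamp_of_first_alert} for processes that trip the heuristic.

    Per process, keep a sliding window of recent write/rename events and alert
    when the window holds >= threshold distinct files and at least `ratio` of
    the events changed the file extension.
    """
    recent = defaultdict(deque)  # process -> deque of (ts, path, ext_changed)
    alerts = {}
    for line in lines:
        ts, proc, op, old, new = parse_event(line)
        if op not in ("write", "rename"):
            continue
        ext_changed = os.path.splitext(old)[1] != os.path.splitext(new)[1]
        q = recent[proc]
        q.append((ts, old, ext_changed))
        while q and ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        touched = {p for _, p, _ in q}
        changed = sum(1 for _, _, c in q if c)
        if proc not in alerts and len(touched) >= threshold and changed / len(q) >= ratio:
            alerts[proc] = ts
    return alerts


if __name__ == "__main__":
    print(detect_mass_rewrite(build_sample_events()))
```

Note how the volume check alone would have flagged the backup agent too; the extension-change ratio is what separates a legitimate bulk writer from encryption-in-progress. That tuning problem (catching the bad process without paging you about every backup and sync job) is most of what you pay an EDR vendor for.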
Network segmentation
Medium impact: Separating your guest Wi-Fi from your business network, and your point-of-sale system from everything else, limits how far ransomware can spread if it gets in. Simple to implement, often overlooked.
What doesn't work (on its own)
Antivirus alone
Traditional antivirus catches known threats. Ransomware is constantly evolving and often slips past it. It's necessary but not sufficient.
Cyber insurance without controls
Insurance is important but it doesn't prevent an attack — it just helps you recover financially. And premiums are rising fast for businesses without basic controls in place.
One-time security setup
Security is not a project, it's an ongoing practice. Threats evolve, software changes, staff turns over. A setup from 3 years ago may have significant gaps today.
Where to start if you're starting from zero
Don't try to implement everything at once. In order of priority: verify your backups, turn on MFA for email and cloud storage, and schedule a 30-minute phishing awareness session with your staff. Those three things dramatically reduce your risk at minimal cost.
A professional security audit will identify your specific gaps and give you a prioritized list. For most small businesses in Sonoma County, a basic audit runs $600–$1,200 and takes less than a week.
One question to ask yourself
If ransomware hit your business tomorrow and encrypted everything — how long would it take to recover, and what would it cost? If you don't have a clear answer, that's the gap to close.