profile // SMALL–MEDIUM · 50–500
// playbook · for IT teams with a part-time CISO (50–500)
A ransomware playbook for growing IT teams.
A six-phase walk-through tailored for companies with an in-house IT team, basic EDR / MFA controls, and a part-time CISO or vCISO. Assumes a pre-signed DFIR retainer, MSSP / SOC contract, and a real cyber insurance policy with named breach coach.
// timeline · 6 incident phases
PHASE 01/06
// before attack · prevention
Preparation & Prevention
You have an IT team, maybe a part-time CISO, and budget for tools. The question is whether the controls are deployed correctly and tested under pressure — and whether the IR plan exists outside one person's head.
Window: Continuous
Owner: Head of IT + vCISO
Cost: 1–3% of revenue
✓ Recommended · What to do
- 01 3‑2‑1 backups with at least one immutable copy (Veeam Hardened Repository, Datto, Acronis Cyber Backup), and a scheduled restore test that brings a real server back from the immutable copy.
- 02 EDR on every endpoint, servers included. Defender for Business, SentinelOne and CrowdStrike Falcon Go cover the 50–500 seat range affordably (note that Defender for Business is licensed for up to 300 users; above that you need Defender for Endpoint).
- 03 MFA + conditional access: require a compliant or trusted device and risk-based sign-in policies for the admin tier, and prefer phishing-resistant methods (FIDO2 keys, Windows Hello for Business) over push or SMS for those accounts.
- 04 Pre-signed retainer with a DFIR firm and breach coach: negotiating rates during an incident costs 3–5× the retainer rate.
- 05 Annual tabletop with execs, IT, legal and finance; even a half-day exercise exposes the gaps.
✕ Avoid · What not to do
- 01 Don't rely on a single "security person"; peer review and an external audit are essential.
- 02 Don't run privileged service accounts with non-expiring passwords across the estate; move them to group Managed Service Accounts (gMSA) where the service supports it, and rotate the rest on a schedule.
- 03 Don't decline the MSSP / SOC offer because it "looks expensive"; the average incident cost dwarfs years of SOC fees.
- 04 Don't let backup infrastructure share the same hypervisor, storage or domain as production; a stolen domain admin credential must not be enough to delete the backups.
- 05 Don't allow attestations on insurance / SOC 2 questionnaires to drift away from reality between audits.
◆ Key signals · Key indicators
- 01 Domain admin sprawl: more than 5 active Domain Admins in a 200-seat company is almost always too many (count nested group members, not just direct ones).
- 02 Internet-facing services without a WAF, rate limiting or geo-fencing.
- 03 Untested DR plan: RTO not validated by a real-world restore drill in the last 6 months.
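As an added example (not code from the Ryskly playbook), the following PowerShell turns the domain-admin-sprawl indicator above and the non-expiring-service-account item from the Avoid list into a repeatable check. It assumes the RSAT ActiveDirectory module and read access to the domain; the threshold of 5 is the playbook's rule of thumb for a ~200-seat company, and the one-year password-age cut-off is this example's assumption.

```powershell
# Added example, not code from the Ryskly playbook. Audits two of the indicators
# above against a live domain: privileged-group sprawl and non-expiring
# passwords on privileged and service accounts.
# Assumptions: RSAT ActiveDirectory module installed, read access to the
# domain, and the thresholds below (5 DAs is the playbook's rule of thumb
# for ~200 seats; the one-year password age is this example's choice).
Import-Module ActiveDirectory

$MaxEnabledDomainAdmins = 5
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# 1. Privileged-group membership, resolved through nested groups, with the
#    account properties needed to judge each entry.
$privileged = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName `
                -Properties LastLogonDate, PasswordNeverExpires, PasswordLastSet |
                Select-Object @{ n = 'Group'; e = { $group } },
                              SamAccountName, Enabled, LastLogonDate,
                              PasswordNeverExpires, PasswordLastSet
        }
}

# 2. Domain admin sprawl: enabled accounts only, deduplicated.
$enabledDAs = @($privileged |
    Where-Object { $_.Group -eq 'Domain Admins' -and $_.Enabled } |
    Sort-Object SamAccountName -Unique)
Write-Host ("Enabled Domain Admins: {0} (threshold {1})" -f $enabledDAs.Count, $MaxEnabledDomainAdmins)
if ($enabledDAs.Count -gt $MaxEnabledDomainAdmins) {
    Write-Warning 'Domain admin sprawl: review each account and move day-to-day admin work to tiered, non-DA accounts.'
}
$enabledDAs | Format-Table SamAccountName, LastLogonDate, PasswordLastSet -AutoSize

# 3. Privileged accounts whose password never expires and has not been
#    changed in the last year: the combination the "Avoid" list warns about.
$oneYearAgo = (Get-Date).AddDays(-365)
$stalePrivileged = @($privileged |
    Where-Object { $_.Enabled -and $_.PasswordNeverExpires -and $_.PasswordLastSet -lt $oneYearAgo } |
    Sort-Object SamAccountName -Unique)
Write-Host ("Privileged accounts with non-expiring passwords older than a year: {0}" -f $stalePrivileged.Count)
$stalePrivileged | Format-Table Group, SamAccountName, PasswordLastSet -AutoSize

# 4. Estate-wide sweep: every enabled user with PasswordNeverExpires set.
#    An SPN on such an account usually marks a service account that is also
#    Kerberoastable, so those sort to the top of the remediation list.
$neverExpires = @(Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordLastSet, ServicePrincipalName, Description)
Write-Host ("Enabled users with PasswordNeverExpires: {0}" -f $neverExpires.Count)
$neverExpires |
    Select-Object SamAccountName, PasswordLastSet,
                  @{ n = 'HasSPN'; e = { [bool]$_.ServicePrincipalName } }, Description |
    Sort-Object @{ Expression = 'HasSPN'; Descending = $true }, PasswordLastSet |
    Format-Table -AutoSize

# 5. How far the estate has already moved to gMSAs, the fix for most of the above.
$gmsa = @(Get-ADServiceAccount -Filter * -ErrorAction SilentlyContinue)
Write-Host ("Group Managed Service Accounts in use: {0}" -f $gmsa.Count)
```

Run it from a workstation with the AD module as a non-privileged read-only account; it only reads the directory. Export the three tables with the date in the filename and diff them month over month, so that a new Domain Admin or a new never-expiring account shows up as a change rather than as one line lost in a list.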
EDR coverage: ≥ 95% (incl. servers)
MFA: 100% admin · ≥ 95% staff
MSSP / SOC: 24/7 · in contract
Retainer: DFIR + coach · pre-signed
// This playbook is general guidance, not legal, insurance or incident-response advice. In a live incident, follow your insurer's breach coach and a qualified DFIR firm. Ryskly provides information only.