// playbook · for owners and small teams (1–50)
A ransomware playbook for owners and small teams.
A six-phase walk-through tailored for businesses without a dedicated security team. Recommendations assume a trusted IT partner / MSP, cloud-first tools, and a cyber insurance policy doing the heavy lifting.
PHASE 01/06
// before attack · prevention
Preparation & Prevention
Before anything happens. With no full-time security team, your edge is simplicity: a trusted IT partner, a written incident contact, MFA on every account, and an insurance policy you actually understand. The decisions here decide whether an incident is survivable.
Window: Continuous
Owner: Owner / Director
Cost: ~€50–200 / user / yr
Recommended: what to do
- 01 Pick an IT / MSP partner you trust and put their 24/7 number on paper - not just in a Slack DM.
- 02 MFA on every account (Microsoft 365, Google Workspace, banking, accounting) - authenticator app over SMS.
- 03 Cloud-native backups for Microsoft 365 / Workspace via a third-party tool (the platform recycle bin is not a backup).
- 04 Cyber insurance - entry-level policies start around €1–3k / year and are often the difference between surviving and closing.
- 05 Use the free baseline: Defender for Business, Google Workspace alerts, national CERT checklists (CISA, NCSC, ANSSI).
Avoid: what not to do
- 01 Don't share the owner password across the team - every person gets their own account.
- 02 Don't run unsupported systems (Windows 7, EOL accounting software) just because "it still works".
- 03 Don't assume your MSP is doing backups and patching - get the scope of work in writing.
- 04 Don't let staff use personal devices for customer data without basic device management.
- 05 Don't misrepresent controls on the insurance form - a small lie about MFA can void a six-figure claim.
Key signals: key indicators
- 01 Single point of failure: only one person knows admin passwords / goes on holiday next week.
- 02 Backup tested? Most small businesses have never tried to restore - the time to find out is not during an incident.
- 03 Where is customer data? If you can't list it in 5 minutes, attackers will find more than you do.
Backup tested: 1× / year (absolute minimum)
MFA coverage: 100% (non-negotiable)
IT contact: 24/7 number (in writing, on paper)
Insurance: €1–3k / yr (entry policy)
// This playbook is general guidance, not legal, insurance or incident-response advice. In a live incident, follow your insurer's breach coach and a qualified DFIR firm. Ryskly provides information only.