TL;DR. Seven controls stop the vast majority of UK SME ransomware: MFA on every cloud account, EDR on every device, 14-day patching, offline-style backups you actually restore from, restricted admin rights, mail filtering with Safe Links, and 20 minutes of user training a quarter. None of these are exotic. Most cost nothing extra if you already pay for Microsoft 365 Business Premium.

How ransomware actually gets in

The NCSC's ransomware guidance and the DSIT Cyber Security Breaches Survey are consistent: three entry routes account for almost all UK SME cases. Phishing emails with malicious attachments or links (still the biggest single vector); exposed Remote Desktop or VPN services with weak or reused passwords; and unpatched internet-facing software, especially VPN appliances and file-transfer tools.

The good news: the controls that block those three routes are cheap, well-understood and largely already in your Microsoft 365 licence.

Control 1 — MFA on every cloud account, no exceptions

Multi-factor authentication stops well over 99% of identity-based attacks. Enable it for every mailbox, every admin, every shared tenant. Cyber Essentials v3.3 Danzell (in force 27 April 2026) auto-fails tenants where MFA is available and off. Use the Microsoft Authenticator app or FIDO2 keys — avoid SMS where you can.

Control 2 — EDR on every device

Signature antivirus doesn't stop modern ransomware. Endpoint detection and response (EDR) records process behaviour, isolates infected machines and, in the best products, rolls back encryption. Defender for Business sits inside Business Premium at no extra cost. Turn on tamper protection and attack-surface-reduction rules — don't just install it.

Control 3 — Patch within 14 days

That means operating systems, browsers, Office, VPN appliances and firewalls. Fourteen days is the Cyber Essentials limit for "high" and "critical" vulnerabilities. Your provider should produce a monthly patching report naming every machine and every outstanding fix. No report means it isn't being tracked.

Control 4 — Backups that follow the 3-2-1 rule

Three copies of your data, on two different media, with one off-site and ideally offline or immutable. Microsoft 365 mailboxes and SharePoint libraries need a third-party backup — Microsoft's native retention is not a backup. See our 3-2-1 explainer. Test-restore monthly or the backup is theoretical. This is the layer that gets you home without paying a ransom.

Control 5 — Restrict admin rights

Nobody does day-to-day email from a Global Admin account. Separate admin accounts. No local admin rights for standard users on laptops. Intune Conditional Access to block admin logins from outside the UK. These three changes remove most of the "domain-wide encryption" worst case.

Control 6 — Email filtering with Safe Links and Safe Attachments

Defender for Office 365 Plan 1 — included in Business Premium — rewrites URLs and sandboxes attachments. Configure preset security policies to "Strict", not "Standard". Add DMARC, SPF and DKIM to your domain so that impersonation attacks get quarantined. Most UK SMEs still have DMARC at `p=none`, which is the same as having no DMARC at all.
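To show why `p=none` matters, here is an added example (not code from the original article) that parses a DMARC TXT record and reports whether it actually enforces anything. The records it checks are constructed so it runs offline; for a live check you would first look up the TXT record at `_dmarc.<your-domain>` and pass it to `assess_dmarc`.

```python
# Added example, not code from the original article: parse a DMARC TXT record
# and report whether it actually enforces a policy. The sample records below
# are constructed so the script runs offline; for a live check you would look
# up the TXT record at _dmarc.<your-domain> first.
SAMPLE_RECORDS = {  # constructed examples, not real domains
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example",
    "not-dmarc.example": "v=spf1 -all",  # an SPF record published in the wrong place
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tag/value pairs; return {} if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags

def assess_dmarc(record: str) -> dict:
    """Say whether spoofed mail failing DMARC would be quarantined or rejected."""
    tags = parse_dmarc(record)
    if not tags:
        return {"enforced": False, "policy": None, "pct": 0, "findings": ["no valid DMARC record"]}
    findings = []
    policy = tags.get("p", "none").lower()          # domain policy, default none
    pct = int(tags.get("pct", "100"))               # share of failing mail the policy applies to
    sub = tags.get("sp", policy).lower()            # subdomain policy inherits p if absent
    if policy == "none":
        findings.append("p=none: receivers deliver spoofed mail as normal")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if sub == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports")
    enforced = policy in ("quarantine", "reject") and pct == 100 and sub != "none"
    return {"enforced": enforced, "policy": policy, "pct": pct, "findings": findings}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(domain, "ENFORCED" if result["enforced"] else "NOT ENFORCED", result["findings"])
```

A record that comes back "NOT ENFORCED" with a `p=none` finding is the monitor-only state the paragraph above describes; move to `p=quarantine` and then `p=reject` once the aggregate reports show your legitimate senders pass.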

Control 7 — Train your people for 20 minutes a quarter

Security awareness training has a modest effect but is cheap. Phishing simulations every six weeks, a 10-minute video on the common lures, a clear report button in Outlook. You're aiming for "call IT before clicking" as the muscle memory when something looks off.

If ransomware hits anyway — the first hour

  • Disconnect affected machines from the network — physically, if the EDR hasn't isolated them
  • Do not power them off (volatile memory is forensic evidence)
  • Reset passwords and revoke sessions for every account on the device
  • Notify your insurer and, if personal data may be affected, the ICO within 72 hours
  • Report to Action Fraud and — for eligible cases — the NCSC
  • Recover from backups, not from a payment

A written incident-response plan on a laminated card in the server cupboard is worth more than a shelf of compliance documents. We build one for every cyber security client and every backup and disaster recovery client.

FAQ

Should I pay the ransom?

The NCSC and the UK government strongly advise against paying. Payment funds the next attack, offers no guarantee of decryption, and may breach sanctions law. Your insurer will usually refuse to cover a payment made without their approval.

How much does ransomware cost a UK small business?

Industry data puts typical recovery costs for UK SMEs between £10,000 and £50,000, before downtime and reputational damage. The ransom itself is usually the smallest line item.

Is Microsoft Defender enough to stop ransomware?

Defender for Business — included with Microsoft 365 Business Premium — stops most common ransomware when properly configured with attack-surface-reduction rules, tamper protection and automated investigation. It is not a substitute for backups and MFA.

Do we need cyber insurance?

Yes, and most insurers now require MFA, EDR and tested backups before they will quote. Organisations with under £20m turnover that achieve Cyber Essentials certification through IASME usually get cyber liability insurance bundled in automatically.