Every ransomware vendor pitch ends the same way: buy our product and this can't happen to you. We've cleaned up after enough of these to tell you that's false. Every business we've seen get hit owned at least one security product. What they didn't have was layers. Ransomware defense works like flood control: no single wall holds, but five walls in a row mean the water almost never reaches the building. Here are the five that matter, in the order the attack meets them.
Layer 1: Email filtering
Most ransomware starts in an inbox, either as a malicious attachment or a link that steals a password that later becomes remote access. So the first wall is keeping that email from arriving at all.
If you're on Microsoft 365 or Google Workspace, you already own decent filtering. The problem is it usually ships in a middle setting. Turn on the stronger tiers: Defender for Office 365 (included in Business Premium) or Google's enhanced pre-delivery scanning, with link rewriting and attachment detonation enabled. Then set up the three DNS records that stop crooks from sending email as your own domain: SPF, DKIM, and DMARC, with DMARC eventually set to quarantine or reject. Spoofed "from the boss" emails are still the top opener for wire fraud and payload delivery, and those records shut down the easiest version of the trick.
This layer fails sometimes. Filters miss things weekly. That's fine. Its job is to cut the volume so the next layers deal with less.
Layer 2: Patching
The other big way in is an unpatched hole: a firewall or VPN appliance with a known vulnerability, a server missing two years of updates, remote desktop exposed straight to the internet. Attackers scan the whole internet for these constantly. They don't pick you; their scanner does.
What good looks like: Windows and macOS updates applied automatically within days, not months. Third-party apps (browsers, PDF readers, Java if you still have it) updated by a tool, not by hoping users click the popup. Firewall and VPN firmware on a schedule, because those have been the worst offenders lately. And nothing exposed to the internet that doesn't absolutely need to be, with RDP behind a VPN or removed entirely.
Patching is boring, which is exactly why it works. Most incidents we see exploited a hole that had a fix available for months.
Layer 3: EDR on every machine
When something gets past the first two walls, this is the layer that catches it in the act. EDR (endpoint detection and response) watches behavior on each computer instead of just scanning files against known signatures. A process that starts encrypting hundreds of files a minute, or an Office app spawning PowerShell, gets killed and the machine gets isolated from the network before the damage spreads.
Two requirements make this layer real. First, coverage: every computer and every server, because ransomware crews specifically hunt for the machines without an agent. Second, a human watching the alerts around the clock, either your MSP's SOC or a managed service like Huntress, because ransomware detonates at 3 a.m. on Saturday on purpose.
Layer 4: Offline, tested backups
This is the layer that decides whether a successful attack is a bad week or the end of the company. Modern ransomware crews go for your backups first, on purpose. They find the backup server, delete everything on it, and then encrypt your production data. If your backups live on a NAS in the same network with a password the attacker already stole, you don't have backups. You have a second copy of your hostage.
What survives: at least one backup copy the attacker can't reach from inside your network. Immutable cloud storage (the backup provider literally cannot delete or alter it for a set window, a feature in products like Veeam, Datto, and most business cloud backup services) or a physically disconnected copy. Follow 3-2-1: three copies, two different media, one offsite and offline or immutable.
And tested. A backup you've never restored is a rumor. Do a restore drill on a schedule: pull back a file, a folder, and a full machine, time it, and see what breaks. The middle of an incident is a terrible time to learn your restore takes nine days or that the backups have been silently failing since March.
Layer 5: Training
Your people are the layer that's present for every attack the tools miss. The goal isn't turning the office into paranoid security experts. It's two habits: pause before clicking anything urgent or unexpected, and report weird things fast without fear of getting yelled at.
That second habit matters more than people think. The user who clicks a bad link and reports it in five minutes just gave your responders a five-minute head start, which is often the whole ballgame. The user who clicks and stays quiet out of embarrassment gave the attacker a weekend. Short phishing simulations a few times a year, a one-click report button in the mail client, and zero public shaming for failures. Punishing clicks teaches people to hide clicks.
The point of five
Any one of these layers fails routinely. A filter misses an email, a patch lags a week, a user clicks. Attacks succeed when several fail at once, and the math of stacked layers is what makes that rare. When we do incident cleanups, the story is almost never one heroic hack. It's a missed email, on an unpatched machine, with no EDR, backing up to a NAS on the same network, clicked by someone who'd never seen a phish before. Five walls, all down.
Grade yourself honestly: for each layer, is it in place, on everything, and has someone verified it this quarter? Anything scoring "I think so" is a no. Fix the cheapest no first. Most of this list costs a few dollars per person per month and a bit of discipline, which is a rounding error next to what the incident costs.
Stuck on this, or want it done for you? That's the job.
Email us →