The single sentence that starts every ransomware incident we’ve worked sounds nearly identical: “something isn’t right.” A file server is unreachable. An accounting workstation won’t open a spreadsheet. A screen has a note on it. From that first sentence, whether the next seventy-two hours is a controlled recovery or a slow-motion catastrophe is almost entirely a function of what you did in the months before the phone rang.
Readiness is the least glamorous part of security. It doesn’t show up in a demo, it isn’t on the front of a vendor slide, and it takes effort you can only spend once. But it is the difference between a business that gets its data back in a week and one that never quite recovers its customers, its momentum, or its people.
What the first hour looks like
The first hour of a real ransomware event is chaos crossed with pressure. People are trying to work and finding they can’t. Executives are being pulled out of meetings. Someone is asking whether we should “just pay it.” The person who spotted it first is trying to remember whether they were supposed to reboot the machine. A vendor whose name nobody can recall is being googled at 8am.
A prepared organization looks completely different in that same hour. Somebody is following a written runbook. Someone has already dialed the response retainer. The affected hosts are isolated but powered on. Legal has been called. The carrier has been notified. A short holding statement has been drafted for staff and one for customers, and the person who is authorized to send them is on the way. Nobody is guessing.
The plan lives on paper — not a portal
The single most common mistake we see is a beautifully written incident response plan that lives in the same environment the ransomware just encrypted. If your plan is a document on the file share, or a wiki behind an SSO that’s now down, you don’t have a plan in the moment you need it.
Print the runbook. Put copies in the on-call bag, at the front desk, and at the response lead’s home. Keep the phone numbers on paper — retainer, carrier, legal, key vendors — separate from the systems they might be needed to recover. The version on the wiki is fine for editing; the paper copy is what you actually run the incident from.
Decisions to make before you need them
A ransomware incident is not the moment to have your first conversation about paying a ransom, notifying customers, or bringing in outside counsel. Those decisions carry legal, regulatory, and reputational weight, and they need to be settled in a calm room, not at midnight with a countdown timer on a screen. Get the following on paper, signed off, before the day comes:
- Ransom stance. Not a public statement — an internal one. Under what circumstances would leadership consider paying, under what circumstances would they not, and who has the authority to decide in the moment.
- Notification thresholds. When do we tell customers, when do we tell regulators, when do we file with law enforcement. Your legal counsel and cyber carrier can help you land these; the key is that they exist.
- Communications tree. Who talks to staff, who talks to customers, who talks to the press, who talks to nobody. One voice, one message, one channel.
- Continuity fallback. Which manual processes we can fall back to for order-taking, dispatch, billing, and payroll while the systems are down. If the answer is “none,” that’s the finding.
Roles, not job titles
In a live incident, job titles are less useful than roles. The person who runs payroll is not necessarily the person who should be running the incident, and the CEO is rarely the right person to be typing at a keyboard while the fire is burning. Define four roles and name a primary and backup for each:
- Incident Commander. Owns the outcome, makes the calls, keeps the timeline. Not the most technical person in the room — the most decisive.
- Technical Lead. Directs the containment and recovery work with the response team. Speaks the same language as the vendors.
- Communications Lead. Owns every outbound message — internal, customer, press, regulator. Writes calmly under pressure.
- Business Continuity Lead. Keeps the business running while the systems are down. Coordinates the manual fallbacks so the front office isn’t idle.
Drills that actually change behavior
A tabletop exercise doesn’t need to be theater. The version that changes behavior is the one that’s uncomfortable — a specific scenario, a real time pressure, decisions made out loud, and a facilitator who is willing to make it hard. Ninety minutes, twice a year, with the whole leadership team in the room, will do more for your readiness than the fanciest tool in the security stack.
End every drill the same way: what went well, what surprised us, what we’d change, and who owns each of those changes by name and by date. Keep the list short — three items you actually finish beat thirty you never revisit. The drill is only useful if the improvements get made.
The KPIs that prove readiness is real
You cannot manage what you cannot measure, and ransomware readiness is no exception. A handful of metrics, tracked quarterly, tell you whether the program is real or theatrical:
- Mean time to detect (MTTD). From the first suspicious signal to a named human aware something is wrong. Minutes, not hours.
- Mean time to isolate (MTTI). From detection to the affected hosts being off the network. Under thirty minutes, ideally under fifteen.
- Immutable backup age. The freshest restore point that ransomware cannot alter. Under twenty-four hours for anything business-critical.
- Time since last tabletop. A number that grows too large is itself the finding. Under six months is the mark.
- Recovery-time confidence. The gap between the RTO you promise the business and the RTO you have actually proven in a drill.
Where a partner fits
Most small and midsize businesses don’t need to build a security operations center to be ready for this. They need someone to write the runbook with them, run the drills, hold the paper copies, and pick up the phone when the day comes. That’s the kind of readiness program we build for the teams we work with — small enough to actually finish, honest enough to work under pressure.
If you’re not sure whether your organization is ready or just hoping, we’ll walk it with you and give you a candid readout: what you have, what’s missing, and the three or four moves that would change the outcome of the phone call you don’t want to get.

