1. Back Up Your Data — and Keep One Copy Offline
Why it matters: Ransomware can lock or erase your files. A backup is your insurance.
Action:
- Use a reliable cloud backup service daily.
- Once a week, copy critical files to an external USB drive and keep it unplugged.
- Test your backup by restoring a file.
Example resource: The Cybersecurity & Infrastructure Security Agency (CISA) provides a simple guide on creating offline backups and storage best practices.
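As an added example (not from this page or from CISA), the following Python script shows the "test your backup by restoring a file" step in practice: it copies a folder to a backup location, records a SHA-256 manifest alongside the copies, then restores a single file and checks its hash against the manifest, so a corrupted or tampered backup copy is detected before you actually depend on it. The folder names and sample files are constructed for the demo.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup(src_dir: Path, backup_dir: Path) -> dict:
    """Copy every file under src_dir to backup_dir and write a hash manifest."""
    manifest = {}
    for path in src_dir.rglob("*"):
        if path.is_file():
            rel = path.relative_to(src_dir)
            target = backup_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)  # copy2 keeps timestamps
            manifest[rel.as_posix()] = sha256_of(path)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_restore(backup_dir: Path, rel_name: str, restore_dir: Path) -> bool:
    """Restore one file to restore_dir and confirm it matches the manifest."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    src = backup_dir / rel_name
    if rel_name not in manifest or not src.is_file():
        return False  # file missing from backup: the restore test fails
    restored = restore_dir / rel_name
    restored.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, restored)
    return sha256_of(restored) == manifest[rel_name]

def run_demo() -> tuple:
    """Constructed demo: one good restore and one silently corrupted backup copy."""
    base = Path(tempfile.mkdtemp())
    src, bak, rst = base / "docs", base / "usb_backup", base / "restore_test"
    (src / "notes").mkdir(parents=True)
    (src / "invoices.csv").write_text("id,amount\n1,250\n")
    (src / "notes" / "plan.txt").write_text("incident response checklist\n")
    backup(src, bak)
    ok = verify_restore(bak, "invoices.csv", rst)
    # simulate bit rot or tampering on the backup copy, not the original
    (bak / "notes" / "plan.txt").write_text("corrupted\n")
    bad = verify_restore(bak, "notes/plan.txt", rst)
    return ok, bad  # returns (True, False)
```

Run `run_demo()` after copying to the USB drive; a `False` for any file means that backup cannot be trusted for recovery.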
2. Turn On Automatic Updates
Why it matters: Ransomware often exploits outdated software. Keeping everything current blocks easy entry points.
Action:
- Enable automatic updates for Windows/macOS and common apps like browsers and Adobe products.
- Choose a downtime day for your weekly restart to complete updates.
Example resource: The National Institute of Standards and Technology (NIST) emphasizes patching as a key practice in their Cybersecurity Framework for small businesses.
3. Enable Two-Factor Authentication (2FA)
Why it matters: Passwords can be stolen. 2FA adds a second line of defense.
Action:
- Enable 2FA on email, financial, and cloud accounts.
- Use an authenticator app (like Authy or Microsoft Authenticator), not SMS.
- Start with your own accounts, then roll out to your team.
Example resource: The National Cyber Security Centre (NCSC)—the UK’s government cybersecurity authority—provides clear guidance suitable for all business sizes.
4. Use Strong, Unique Passwords (Even Without a Password Manager)
Why it matters: Weak or repeated passwords are an open door for hackers.
Action:
- Choose passphrases of at least 15 characters (e.g., “SunnyRiverGreenSky2025!”).
- Make each password unique for every account.
Example resource: The National Institute of Standards and Technology (NIST) explains how using long, memorable passphrases is more secure and user-friendly.
5. Adopt Application Allowlisting
Why it matters: Only trusted applications are allowed to run, keeping ransomware out before it starts.
Action:
- Use PC Matic Pro, which enforces application allowlisting (“SuperShield”). Unknown apps are blocked unless specifically approved.
Example resource: PC Matic explains how allowlisting outperforms traditional antivirus for small businesses.
6. Restrict Admin Rights
Why it matters: Limiting admin-level accounts reduces opportunities for malware to install and spread.
Action:
- Use standard user accounts for daily tasks. Only the owner or trusted manager should have admin access.
- Grant admin access temporarily only when needed, then remove it.
Example resource: The Canadian Centre for Cyber Security offers nonprofit-aligned guidance on applying least privilege in small environments.
7. Have a One-Page Incident Response Plan
Why it matters: During a cyber incident, a clear, simple plan saves precious time—and keeps panic at bay.
Action:
- Write a one-page checklist: who to call, how to isolate devices, where backups are.
- Keep it printed and visible.
- Practice it annually like a fire drill.
Example resource: The Cybersecurity & Infrastructure Security Agency (CISA) provides a straightforward and nonprofit-aligned Incident Response Plan Basics template.