Ransomware Readiness: A Practical UK Checklist for CISOs and SMEs

31/10/2025

Ransomware remains the most immediate and disruptive cyber threat to UK organisations. The National Cyber Security Centre’s Annual Review 2024 underlines sustained pressure on critical national infrastructure and the wider economy, along with maturing national guidance on ransom decision making and incident coordination. See the NCSC Annual Review 2024.

This practical ransomware readiness checklist is designed for UK CISOs, IT leaders and ambitious SMEs who need a clear, prioritised plan. It maps each action to likely impact, resource cost and regulatory expectations, drawing on NCSC and CISA guidance. Use it to focus scarce budget where it most reduces risk, brief your board with confidence, and evidence tangible progress against recognised UK controls such as Cyber Essentials.

How to use this ransomware readiness checklist

For each control, we summarise Priority, Impact, Cost and Owner. Score your current maturity on a 0 to 3 scale: 0 not started, 1 planned, 2 partially in place, 3 effective and tested. Aim to move the highest impact and lowest effort items first, then sustain momentum with quarterly reviews.

  • Priority: Now, Next, Later
  • Impact: High, Medium, Low
  • Resource cost: Low, Medium, High
  • Owner: IT Ops, Security, DevOps, Data Protection, Procurement, Board

Quick wins to complete in 30 days

1) Backups that actually restore

Adopt 3-2-1 backups with at least one offline or immutable copy. Test restores for your top five revenue-critical systems and document the recovery time. Ensure backups are segmented from the domain and protected with separate credentials.

(Priority: Now, Impact: High, Cost: Low to Medium, Owner: IT Ops). Integrates with incident playbooks and business continuity. Build restore testing into your incident response routines.
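A restore test is only evidence if it is timed and the restored data is verified, not just copied back. The script below is an added example, not code from the original article: it assumes a backup is a directory tree plus a SHA-256 manifest written at backup time, stands in for the backup tool's restore command with a plain directory copy so it runs offline, and produces the kind of record (system, elapsed seconds, files verified, RTO met) you would keep for the evidence file.

```python
"""Timed, integrity-checked restore test that produces a record for the
evidence file. Added example, not code from the original article: it assumes
a backup is a directory tree plus a SHA-256 manifest taken at backup time, and
simulates the restore with a directory copy so that it runs offline."""
import hashlib
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class RestoreResult:
    system: str
    seconds: float
    files_checked: int
    corrupt: list = field(default_factory=list)   # relative paths that failed verification
    within_rto: bool = False
    passed: bool = False                           # within RTO *and* every file verified


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root, keyed by POSIX-style relative path.
    In practice this is taken when the backup is written, not at restore time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def run_restore_test(system: str, backup_dir: Path, target_dir: Path,
                     manifest: dict, rto_seconds: float) -> RestoreResult:
    """Restore backup_dir into target_dir, time it, and verify every manifest entry."""
    start = time.monotonic()
    # Assumed restore step: a plain copy stands in for the backup tool's restore command.
    shutil.copytree(backup_dir, target_dir, dirs_exist_ok=True)
    elapsed = time.monotonic() - start
    corrupt = [rel for rel, expected in manifest.items()
               if not (target_dir / rel).is_file() or sha256_file(target_dir / rel) != expected]
    within = elapsed <= rto_seconds
    return RestoreResult(system, round(elapsed, 3), len(manifest), corrupt, within,
                         within and not corrupt)


def demo() -> tuple:
    """Constructed scenario: a clean restore, then one where a backup file silently changed."""
    base = Path(tempfile.mkdtemp(prefix="restore-test-"))
    backup = base / "backup"
    (backup / "db").mkdir(parents=True)
    (backup / "config").mkdir()
    (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
    (backup / "config" / "app.ini").write_bytes(b"[db]\nhost=db01\n")
    manifest = build_manifest(backup)          # taken at backup time

    clean = run_restore_test("erp", backup, base / "restore-1", manifest, rto_seconds=60)

    # Simulate corruption of the backup copy after the manifest was written.
    (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widgit');\n")
    damaged = run_restore_test("erp", backup, base / "restore-2", manifest, rto_seconds=60)

    shutil.rmtree(base, ignore_errors=True)
    return clean, damaged


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second run shows why the manifest matters: the restore completes well inside the RTO, yet the test fails because one file no longer matches the hash taken at backup time. A restore that is fast but wrong is the case a board most needs to hear about.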

2) Multi-factor authentication on every remote and admin path

Enforce MFA for VPN, remote desktop, email, cloud consoles, privileged accounts and backup admin consoles. Prefer phishing resistant methods where available.

(Priority: Now, Impact: High, Cost: Low to Medium, Owner: Security/IT Ops). If you need help hardening coverage and exceptions, see our multi-factor authentication guidance.

3) Patching the essentials

Patch internet facing systems, VPNs, hypervisors, domain controllers, EDR agents and remote management tools first. Apply vendor critical patches within 14 days or faster if exploited in the wild. Track exceptions and compensating controls.

(Priority: Now, Impact: High, Cost: Low, Owner: IT Ops). The CISA Ransomware Guide reinforces rapid mitigation of known exploited vulnerabilities.

4) External attack surface hygiene

Inventory all domains, IP ranges and cloud front doors. Lock down RDP, SMB, and admin interfaces from the internet. Require TLS and strong ciphers. Remove orphaned services and legacy portals. Validate with a focused external network testing engagement.

(Priority: Now, Impact: High, Cost: Low to Medium, Owner: Security/IT Ops).

5) Minimum viable detection and response

Ensure endpoints run EDR with centralised alerting and strict tamper protection. Configure alerting for suspicious admin activity, lateral movement and backup tampering. Establish 24×7 triage, even if starting with an outsourced model.

(Priority: Now, Impact: High, Cost: Medium, Owner: Security). For coverage and containment outcomes, consider managed detection and response backed by SOC SIEM.

6) Board-level ownership and a one page plan

Nominate a senior executive as ransomware sponsor. Approve a one page plan covering recovery time objectives, pre agreed ransom stance and thresholds for regulatory reporting. The NCSC Board Toolkit provides governance questions and metrics.

(Priority: Now, Impact: High, Cost: Low, Owner: Board/CISO).

Build depth in 60 to 90 days

7) Cyber Essentials baseline

Close common ransomware pathways by meeting the UK's baseline controls. Use the official resources to drive configuration changes across boundary firewalls, secure configuration, access control, patch management and malware protection.

(Priority: Next, Impact: High, Cost: Low to Medium, Owner: Security/IT Ops). Start with the NCSC Cyber Essentials resources and consider independent Cyber Essentials certification to evidence progress.

8) Network and identity segmentation

Separate user, server and backup networks. Restrict east-west traffic and block legacy protocols. Implement tiered administration, just in time access and dedicated admin workstations. In the cloud, apply least privilege, conditional access and segmentation in VPCs/VNETs.

(Priority: Next, Impact: High, Cost: Medium, Owner: Security/IT Ops). Validate controls with targeted cloud network testing.

9) Hardening email and endpoints

Enable advanced phishing protection, attachment sandboxing and strict DMARC enforcement. Disable Office macros from the internet, block script execution from user writable paths and restrict PowerShell to signed scripts for admins only.

(Priority: Next, Impact: Medium to High, Cost: Low, Owner: Security/IT Ops). Review gaps via vulnerability assessments.
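"Strict DMARC enforcement" is easy to claim and easy to get subtly wrong (a monitoring policy, a partial percentage, no reporting address). The checker below is an added example, not code from the original article: it parses a DMARC TXT record and returns the gaps against a strict configuration. The three records are constructed; in a real review you would fetch the `_dmarc.<domain>` TXT record from DNS and pass it in.

```python
"""Parse a DMARC TXT record and flag gaps against strict enforcement.
Added example, not from the original article. Records below are constructed;
in practice the record is fetched from the _dmarc.<domain> TXT entry in DNS."""


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return short finding codes; an empty list means the record is strict."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not-dmarc1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append("p-not-reject")             # quarantine or none lets spoofed mail through
    if tags.get("sp", policy).lower() != "reject":  # subdomain policy inherits p when absent
        findings.append("sp-not-reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("pct-lt-100")               # only a sample of mail is policed
    if "rua" not in tags:
        findings.append("no-rua")                   # no aggregate reports, so no visibility
    return findings


# Constructed records for the three states a review most often finds.
STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
MONITOR_ONLY = "v=DMARC1; p=none; pct=50"
PARTIAL = ("v=DMARC1; p=quarantine; sp=reject; pct=100; "
           "rua=mailto:dmarc@example.com; ruf=mailto:forensics@example.com")


if __name__ == "__main__":
    for name, rec in (("strict", STRICT), ("monitor-only", MONITOR_ONLY), ("partial", PARTIAL)):
        print(f"{name}: {assess_dmarc(rec) or 'OK'}")
```

Run it against every domain you send from, including marketing and transactional senders, and treat any non-empty result as an open item with an owner and a date.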

10) Ransomware specific incident response playbooks

Create and test a ransomware playbook covering triage, containment, forensic capture, legal and regulatory steps, stakeholder comms and recovery. Define a clear decision making framework consistent with evolving UK expectations on ransom payments and notifications.

(Priority: Next, Impact: High, Cost: Medium, Owner: Security/Legal/Comms). Align with the NCSC incident response processes. For evidence preservation and root cause, line up digital forensics support in advance.

11) People and process resilience

Run monthly phishing simulations with focused training for high risk teams such as finance and IT admins. Ensure joiner/mover/leaver processes remove access within 24 hours. Maintain a contact tree for out of hours escalation and supplier callouts.

(Priority: Next, Impact: Medium, Cost: Low, Owner: HR/Security). See our cyber security awareness training.

12) Validate controls through testing

Prove that controls work under pressure. Conduct a tabletop exercise for the executive team and a technical purple team drill that simulates data theft, backup tampering and domain escalation. Include suppliers where dependencies are critical.

(Priority: Next, Impact: High, Cost: Medium, Owner: Security). A focused penetration testing engagement can validate exposure and response paths.

Strategic enhancements within 90 to 180 days

13) Continuous monitoring and containment

Instrument your estate with centralised logs for identity, endpoint, email, cloud control plane and backups. Define automated responses to block suspicious token usage, disable compromised accounts and isolate hosts. Proactively hunt for early stage ransomware behaviours such as mass encryption attempts and shadow copy deletion.

(Priority: Later, Impact: High, Cost: Medium to High, Owner: Security). If internal capacity is tight, augment with MDR and build analytics in your SOC SIEM.
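The two hunts named above (shadow copy deletion and mass encryption) can be expressed as simple rules over normalised endpoint telemetry. The script below is an added example, not code from the original article or any vendor: it assumes process and file-write events have already been normalised to a common shape (timestamp, host, user, type, command line or path), matches command lines against the shadow copy removal patterns found in public detection content, and flags any one user on one host that modifies a threshold number of distinct files inside a sliding window. The events are constructed to resemble EDR/SIEM output and are not real telemetry.

```python
"""Hunt for two early-stage ransomware behaviours in endpoint telemetry:
shadow copy deletion and mass file modification by a single actor. Added
example, not code from the original article; the event records are constructed
to resemble normalised EDR/SIEM output and are not real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command-line token sets used in public detection content for shadow copy removal.
SHADOW_COPY_DELETION = (
    ("vssadmin", "delete", "shadows"),
    ("wmic", "shadowcopy", "delete"),
    ("wbadmin", "delete", "catalog"),
)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    low = cmdline.lower()
    return any(all(token in low for token in pattern) for pattern in SHADOW_COPY_DELETION)


def hunt(events: list, threshold: int = 50, window_seconds: int = 60) -> list:
    """Scan events in time order and return alerts.

    mass_file_modification fires once per (host, user) when that actor touches at
    least `threshold` distinct files inside a sliding window of `window_seconds`."""
    alerts = []
    recent = defaultdict(deque)   # (host, user) -> deque of (timestamp, path)
    fired = set()
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        actor = (ev["host"], ev["user"])
        if ev["type"] == "process" and is_shadow_copy_deletion(ev["cmdline"]):
            alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                           "user": ev["user"], "evidence": ev["cmdline"]})
        elif ev["type"] == "file_write":
            window = recent[actor]
            window.append((ts, ev["path"]))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            distinct = len({path for _, path in window})
            if distinct >= threshold and actor not in fired:
                fired.add(actor)
                alerts.append({"rule": "mass_file_modification", "host": ev["host"],
                               "user": ev["user"],
                               "evidence": f"{distinct} distinct files in {window_seconds}s"})
    return alerts


def _build_sample_events() -> list:
    """Constructed telemetry: routine activity, one noisy user, two shadow copy deletions."""
    base = datetime(2025, 10, 31, 9, 14, 0)

    def stamp(delta: timedelta) -> str:
        return (base + delta).isoformat()

    events = [
        {"ts": stamp(timedelta(seconds=2)), "host": "WS-042", "user": "jbloggs", "type": "process",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": stamp(timedelta(seconds=3)), "host": "WS-042", "user": "jbloggs", "type": "process",
         "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
        {"ts": stamp(timedelta(seconds=4)), "host": "WS-042", "user": "jbloggs", "type": "process",
         "cmdline": "wmic.exe shadowcopy delete"},
        {"ts": stamp(timedelta(seconds=5)), "host": "WS-017", "user": "asmith", "type": "process",
         "cmdline": "vssadmin.exe list shadows"},   # listing, not deleting: must not fire
    ]
    # 60 files renamed to a new extension in about 24 seconds by one user on one host.
    events += [{"ts": stamp(timedelta(seconds=10, milliseconds=400 * i)), "host": "WS-042",
                "user": "jbloggs", "type": "file_write",
                "path": f"\\\\FS01\\finance\\q3\\report_{i:02d}.xlsx.locked"} for i in range(60)]
    # Ordinary save activity from someone else, well under the threshold.
    events += [{"ts": stamp(timedelta(seconds=12 + 5 * i)), "host": "WS-017", "user": "asmith",
                "type": "file_write", "path": f"\\\\FS01\\finance\\q3\\notes_{i}.docx"} for i in range(6)]
    return events


SAMPLE_EVENTS = _build_sample_events()

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: set them from a baseline of your own file servers so that nightly batch jobs and backup agents, which are legitimately noisy, are excluded by account rather than by raising the threshold until real incidents slip under it. Pair the mass-modification rule with the automated host isolation response described above.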

14) Supply chain and third party risk

Identify your top 20 critical suppliers. Confirm their ransomware posture, including MFA, backups, EDR, IR plans and notification SLAs. Embed breach reporting clauses and minimum controls in contracts. For software providers, assess build pipeline security and code signing.

(Priority: Later, Impact: Medium to High, Cost: Medium, Owner: Procurement/Security). For programme oversight, align with ISO 27001 governance where appropriate.

15) Data visibility and exfiltration resistance

Catalogue sensitive data and reduce exposure. Apply DLP to email and cloud storage. Encrypt at rest and in transit. Monitor for data staging behaviours and unusual outbound traffic. Periodically check for leaked credentials and mentions of your firm on criminal forums.

(Priority: Later, Impact: Medium, Cost: Medium, Owner: Security/Data). Consider proactive dark web monitoring.

16) Risk driven prioritisation and budget

Bring the checklist together in a quantified view. Tie each gap to business impact, control status and cost to close. Use this to drive budget decisions and evidence continuous improvement to auditors, customers and insurers.

(Priority: Later, Impact: High, Cost: Low, Owner: CISO/Finance). If you need a structured view, our risk assessment approach maps technical findings to business risk.

Sector specific notes

  • Healthcare: Align ransomware readiness with DSPT evidence and NHS guidance referenced by the NCSC. Prioritise clinical system backups, segmentation between clinical and admin networks, and rapid restore testing for EPR and imaging.
  • Financial services: Ensure ransom decision making and notifications are coordinated with regulatory expectations. Emphasise fraud controls for payment redirection and scenario testing of market communications.
  • Manufacturing and logistics: Segregate OT from IT with strict jump host patterns and allow listing. Prepare manual workarounds for dispatch, warehouse management and production scheduling.
  • Retail: Protect POS and payment flows, segment store networks and validate remote support paths. Emphasise credential hygiene for franchise and partner access.
  • Maritime: Harden bridge, port and cargo systems with network zoning and offline restore paths. Include port authorities and agents in exercises.
  • Technology and software development: Secure CI/CD, harden build agents, enforce code signing and protect package repositories. Monitor for malicious dependency updates and token abuse.

Regulatory and reporting expectations in the UK

The NCSC highlights active coordination with regulators and evolving ransom discipline. Prepare to document decision making, communications, data protection assessments and restoration timelines. For data breaches, be ready to assess personal data impact and notify within statutory timeframes. Build these triggers into your ransomware playbook and practice them in exercises.

For board evidence, use the NCSC board toolkit questions and track metrics such as backup restore success, MFA coverage, patch latency and mean time to contain. Policy momentum is increasing in the UK and Europe, with growing expectations for resilience and transparency. See the broader context in this Computer Weekly analysis.
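The four metrics named here, together with the 14-day critical-patch target from item 3 and its "track exceptions" requirement, can be produced from simple records rather than hand-built slides. The script below is an added example, not code from the original article: it computes backup restore success, MFA coverage (overall, privileged and phishing-resistant), patch latency against the checklist's 14-day target, and mean time to contain. All records are constructed, and `EXPLOITED_SLA_DAYS` is an assumed accelerated target chosen for the example, since the article only says "faster if exploited in the wild".

```python
"""Compute the board metrics named in the article (backup restore success, MFA
coverage, patch latency, mean time to contain) from simple records, applying the
checklist's 14-day critical-patch target. Added example, not code from the
original article. All records are constructed; EXPLOITED_SLA_DAYS is an assumed
accelerated target, since the article only says 'faster if exploited in the wild'."""
from datetime import date, datetime
from statistics import median

PATCH_SLA_DAYS = 14          # from the checklist
EXPLOITED_SLA_DAYS = 7       # assumption for this example
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}

PATCH_RECORDS = [  # constructed; applied=None means still open
    {"asset": "vpn-gw-01", "released": date(2025, 9, 1), "applied": date(2025, 9, 5), "exploited": True},
    {"asset": "hv-01", "released": date(2025, 9, 1), "applied": date(2025, 9, 20), "exploited": False},
    {"asset": "dc-01", "released": date(2025, 9, 10), "applied": date(2025, 9, 18), "exploited": False},
    {"asset": "mail-01", "released": date(2025, 9, 12), "applied": date(2025, 9, 25), "exploited": True},
    {"asset": "web-01", "released": date(2025, 9, 15), "applied": date(2025, 9, 22), "exploited": False},
    {"asset": "rmm-01", "released": date(2025, 9, 20), "applied": None, "exploited": False},
    {"asset": "rmm-02", "released": date(2025, 9, 20), "applied": None, "exploited": True},
]
MFA_ACCOUNTS = [  # constructed; mfa is None where no second factor is enforced
    {"account": "admin-a", "privileged": True, "mfa": "fido2"},
    {"account": "admin-b", "privileged": True, "mfa": "totp"},
    {"account": "admin-c", "privileged": True, "mfa": None},
    {"account": "user-d", "privileged": False, "mfa": "push"},
    {"account": "user-e", "privileged": False, "mfa": "sms"},
    {"account": "svc-f", "privileged": True, "mfa": None},
]
RESTORE_TESTS = [{"system": s, "passed": p} for s, p in
                 (("erp", True), ("crm", True), ("file-server", False), ("payroll", True), ("web", True))]
INCIDENTS = [  # constructed detection and containment timestamps
    {"detected": datetime(2025, 8, 3, 10, 0), "contained": datetime(2025, 8, 3, 12, 0)},
    {"detected": datetime(2025, 9, 14, 1, 30), "contained": datetime(2025, 9, 14, 6, 30)},
    {"detected": datetime(2025, 10, 2, 16, 0), "contained": datetime(2025, 10, 3, 3, 0)},
]


def pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


def patch_latency(records: list, as_of: date) -> dict:
    """Median days to apply, share within SLA, SLA breaches, and open items already past SLA."""
    closed, breaches, open_past_sla = [], [], []
    for r in records:
        sla = EXPLOITED_SLA_DAYS if r["exploited"] else PATCH_SLA_DAYS
        if r["applied"] is None:
            if (as_of - r["released"]).days > sla:
                open_past_sla.append(r["asset"])
            continue
        days = (r["applied"] - r["released"]).days
        closed.append(days)
        if days > sla:
            breaches.append(r["asset"])   # these are the exceptions to track with compensating controls
    return {"median_days": median(closed) if closed else None,
            "within_sla_pct": pct(len(closed) - len(breaches), len(closed)),
            "breaches": breaches, "open_past_sla": open_past_sla}


def mfa_coverage(accounts: list) -> dict:
    privileged = [a for a in accounts if a["privileged"]]
    return {"coverage_pct": pct(sum(a["mfa"] is not None for a in accounts), len(accounts)),
            "privileged_coverage_pct": pct(sum(a["mfa"] is not None for a in privileged), len(privileged)),
            "phishing_resistant_pct": pct(sum(a["mfa"] in PHISHING_RESISTANT for a in accounts), len(accounts)),
            "exceptions": [a["account"] for a in accounts if a["mfa"] is None]}


def restore_success_pct(tests: list) -> float:
    return pct(sum(t["passed"] for t in tests), len(tests))


def mean_time_to_contain_hours(incidents: list) -> float:
    hours = [(i["contained"] - i["detected"]).total_seconds() / 3600 for i in incidents]
    return round(sum(hours) / len(hours), 1) if hours else 0.0


def board_metrics(as_of: date = date(2025, 10, 1)) -> dict:
    return {"patching": patch_latency(PATCH_RECORDS, as_of),
            "mfa": mfa_coverage(MFA_ACCOUNTS),
            "restore_success_pct": restore_success_pct(RESTORE_TESTS),
            "mttc_hours": mean_time_to_contain_hours(INCIDENTS)}


if __name__ == "__main__":
    import json
    print(json.dumps(board_metrics(), indent=2, default=str))
```

The named exception lists (`breaches`, `open_past_sla`, MFA `exceptions`) matter as much as the percentages: they are what an auditor or insurer will ask to see owners and dates for, and they are what item 3 means by tracking exceptions and compensating controls.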

Evidence to show your board and auditors

  • Backups: last successful restore screenshots, immutable policy, offline location details.
  • MFA: coverage report across admin and remote access, exceptions with timelines.
  • Patching: time to remediate critical CVEs on internet facing assets.
  • Detection: sample alerts and response runbooks, 24×7 coverage statement.
  • Exercises: lessons learned and action owners with due dates.
  • Third parties: top supplier posture summaries and contract control clauses.

Frequently asked questions

Should we ever pay? The UK stance emphasises careful, documented decision making and recognises that payment does not guarantee recovery or data deletion. Always consult legal counsel and law enforcement, align with your playbook, and prioritise safe restoration. See broader public sector guidance in the NCSC guidance for critical national infrastructure and the UK's ongoing policy developments referenced in the Annual Review.

Where should SMEs start? Start with Cyber Essentials, MFA everywhere and tested backups. The joint CISA advisory and the CISA ransomware guide offer plain English checklists compatible with NCSC guidance.

What good looks like in 90 days

By day 90, aim for the following outcomes:

  • Backups are immutable, segmented and restore tested for your top five services.
  • MFA covers all remote and privileged paths with strong methods.
  • Critical patches applied within 14 days, with tight control of internet facing assets.
  • EDR and centralised detection block common ransomware behaviours with 24×7 triage.
  • A tested ransomware playbook aligns with NCSC processes and regulatory triggers.
  • Board receives monthly metrics and signs off a pragmatic investment roadmap.

Next steps

If you want help tailoring this ransomware readiness checklist to your environment, validating controls or running an executive exercise, we can support with focused assessments and response planning. From tuned vulnerability assessments to bespoke incident response playbooks, our team helps UK organisations progress quickly and confidently.

Sources and further reading: NCSC Annual Review 2024; NCSC Cyber Essentials; NCSC Board Toolkit; NCSC Incident Management; CISA Ransomware Guide; Computer Weekly policy analysis.