
Ransomware Protection for Chicago Small Businesses: What Actually Works


Small businesses are targeted by ransomware operators precisely because they often lack the defenses that larger organizations have invested in. Ransomware is a volume business — attackers cast a wide net, looking for organizations with weak defenses and valuable-enough data to justify a ransom demand. Small businesses frequently meet both criteria. This post covers what actually works to reduce ransomware risk, without the generic framework language that does not translate to practical action.

Why Small Businesses Are Targeted

The ransomware ecosystem has matured significantly in the past five years. Ransomware-as-a-service platforms have lowered the technical barrier to launching attacks, allowing a broader range of criminal actors to deploy ransomware. The economics are straightforward: a $15,000 ransom paid by a small business with no viable backup recovery option is as profitable as a portion of a larger ransom from an enterprise — and the small business has fewer defenses to work through.

Chicago-area small businesses are not immune. Ransomware incidents affecting law offices, medical practices, manufacturers, and service businesses in the metropolitan area have increased over the past several years — often discovered only after significant data has been encrypted and operations have been disrupted.

The Three Most Common Initial Access Vectors

Understanding how ransomware gets into your network is a prerequisite to stopping it. The three most common entry points:

Phishing emails — A malicious email attachment or link that installs malware or captures credentials is how ransomware gains initial access in the majority of attacks. The sophistication of phishing emails has increased dramatically; employees cannot reliably identify all phishing attempts through caution alone. Technical controls need to supplement employee judgment.

Exposed Remote Desktop Protocol (RDP) — RDP is the remote access protocol built into Windows. Many small businesses expose RDP directly to the internet (on the default port 3389) to allow remote access. This is one of the most commonly exploited ransomware entry points. Attackers use automated scanning to find exposed RDP services and then brute-force or use previously compromised credentials to gain access.

Compromised VPN credentials — VPN vulnerabilities and stolen credentials have become a significant ransomware entry vector. Organizations using older VPN products with unpatched vulnerabilities, or VPNs without multi-factor authentication, are particularly exposed.

Five Protections That Actually Reduce Ransomware Risk

These five controls address the most common attack paths. They are not a comprehensive security program, but they produce a meaningful reduction in ransomware risk for organizations that implement them consistently.

1. Multi-factor authentication (MFA) on all accounts — Particularly email accounts, VPN access, and remote desktop or remote access portals. MFA does not prevent phishing, but it prevents a phished password from being immediately usable by the attacker. Enable MFA on Microsoft 365, Google Workspace, your VPN, and every internet-facing service that supports it. This is the highest-leverage single control for ransomware prevention.

2. Offline or immutable backups that ransomware cannot encrypt — Backups that are connected to the same network as your primary systems can be encrypted by ransomware along with everything else. Backups need to be either offline (physically disconnected), in cloud storage with immutability settings that prevent deletion or modification, or using a backup service with air-gap replication. Equally important: test your backups. A backup that has not been verified for restore is not a backup — it is data you are hoping is recoverable.

3. Endpoint protection with behavioral detection capability — Traditional signature-based antivirus is not sufficient against modern ransomware variants that change signatures regularly. Endpoint protection with behavioral detection — identifying ransomware-like behavior patterns (mass file encryption, shadow copy deletion) rather than known signatures — provides a better detection layer. Solutions like Microsoft Defender for Business, SentinelOne, CrowdStrike Falcon Go, and others provide this capability at small-business price points.

4. Firewall and RDP controls — Do not expose RDP to the internet unless you have a specific reason for it. If remote access is needed, require a VPN connection first and allow RDP only from VPN-connected sessions. Review your firewall rules for any other administrative port exposed to the internet. If your firewall was configured years ago and has never been reviewed, a firewall configuration review is warranted.

5. Employee phishing awareness training — Not a one-time presentation — a recurring training program that includes phishing simulation testing. The goal is not perfect phishing recognition (which is not achievable against sophisticated attacks) but changing the default behavior: when in doubt, verify through a different channel before clicking or responding. A phone call to confirm a wire transfer request prevents business email compromise. A report to IT when something looks wrong creates an early warning system.
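To make the "behavioral detection" idea in item 3 concrete, here is an added example (not code from this post or from any of the products named) that flags the two behaviours mentioned, shadow copy deletion and mass file modification, over constructed process-start and file-write telemetry. The log format, process IDs, paths and the five-writes threshold are assumptions chosen for the sample; a real product works from endpoint sensor data rather than text lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command lines that delete Volume Shadow Copies, the "shadow copy deletion"
# behaviour named in the post (matched case-insensitively).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

# Constructed sample telemetry: timestamp|kind|pid|detail, where PROC carries
# a process command line and FILE a path written by that process.
SAMPLE_LOG = """\
2024-03-01T09:00:00|PROC|1200|C:\\Program Files\\Office\\WINWORD.EXE
2024-03-01T09:00:05|FILE|1200|C:\\Users\\jane\\Documents\\memo.docx
2024-03-01T09:00:10|PROC|4120|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2024-03-01T09:00:11|FILE|4120|C:\\Users\\jane\\Documents\\q1-invoices.xlsx.locked
2024-03-01T09:00:11|FILE|4120|C:\\Users\\jane\\Documents\\contract.pdf.locked
2024-03-01T09:00:12|FILE|4120|C:\\Users\\jane\\Documents\\payroll.csv.locked
2024-03-01T09:00:12|FILE|4120|C:\\Users\\jane\\Pictures\\team.jpg.locked
2024-03-01T09:00:13|FILE|4120|C:\\Users\\jane\\Desktop\\notes.txt.locked
"""

def parse_log(text):
    """Turn the pipe-delimited lines into event dicts (blank lines skipped)."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, kind, pid, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "pid": int(pid), "detail": detail})
    return events

def find_shadow_copy_deletion(events):
    """PIDs whose start command line matches a shadow-copy deletion."""
    return sorted({e["pid"] for e in events
                   if e["kind"] == "PROC" and SHADOW_DELETE_RE.search(e["detail"])})

def find_mass_file_activity(events, threshold=5, window=timedelta(seconds=60)):
    """PIDs writing >= threshold files inside a sliding window; {pid: peak}."""
    recent, peak = defaultdict(deque), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] != "FILE":
            continue
        q = recent[e["pid"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop writes older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[e["pid"]] = max(peak.get(e["pid"], 0), len(q))
    return peak
```

On the sample, the Word process writes one file and is ignored, while pid 4120 is flagged by both detectors; in practice the threshold and window are tuned per environment so that legitimate bulk operations (backups, software updates) do not trip the file-activity rule.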

What a Security Assessment Adds

The five controls above are starting points. A security assessment identifies the specific gaps in your environment — not just the generic risks that apply to small businesses in general, but the particular weaknesses in your network, your access controls, your configurations, and your backup infrastructure. The protections listed above may already be in place, or they may be partially implemented, or there may be gaps that are not visible without a structured evaluation.

Download the Cybersecurity Essentials Checklist as a starting point, or request a security assessment to get a clear picture of your specific risk exposure.
