Technology Advisor Blog



Trusted in a Cyber Emergency: Why the Experts Called Us

Posted by Ann Westerheim on 8/15/25 4:17 PM

Ransomware attacks can destroy a business in hours, and having a local incident response team working alongside national experts provides direct support when every minute counts. A nearby team delivers immediate on-site assistance, translates complex technical information, and works directly with your staff while the national team handles remote tasks. When a local business was recently locked out of all of its systems after a ransomware attack, a nationally recognized incident response team needed "boots on the ground," and we were honored to be called to help.

The company, a team of about 30 people, suddenly found themselves completely locked out of their systems. Payroll couldn’t be processed, critical files and records were inaccessible, and day-to-day operations came to a grinding halt. For the leadership and employees alike, it was an incredibly stressful and uncertain time - the business was simply stuck. Fortunately, they had the foresight to secure cyber insurance before the incident. That decision proved critical, helping offset the steep financial costs of recovery - costs that can escalate rapidly once the painstaking work of restoring systems and data begins.

We were honored to be called in as the local “boots on the ground” to assist a nationally recognized incident response team during a ransomware crisis at a nearby company. As we worked alongside these top-tier cybersecurity pros, one thing stood out immediately: some of the very first steps they took were to deploy the same advanced security tools and safeguards we already use for our clients every day. It was a powerful reminder that the preventative measures we put in place aren’t just “best practices” - they’re the same frontline defenses relied upon by experts in the middle of an active cyber emergency.

The Local Team - Hands-on Support and Collaboration

While the incident response team brought in by the insurance provider had an impressive array of advanced tools and could manage much of the work remotely, there are critical parts of recovery that simply can’t be done from afar. Re-imaging computers, physically securing devices, and verifying systems on-site all require hands-on expertise. That’s where our local team came in. Beyond the technical tasks, it was invaluable for the client to have someone physically present - a trusted local partner who could talk through the situation, act as a sounding board, and help translate the highly technical language of the remote specialists into clear, actionable information. In short, we served as both technicians and liaisons, bridging the gap between the client and the national response team.

Peace of Mind for Business Owners

For a business owner facing the worst day of their professional life, having a local team on-site provides much-needed support and peace of mind. The local experts can offer person-to-person assistance, explaining complex technical concepts and translating information from the national team. They actively participate in daily conference calls with the customer and maintain constant communication with the incident response team, fostering a sense of trust and reassurance.

Recognizing Ransomware Attacks

Recognizing the signs of a ransomware attack is crucial, and cybersecurity awareness training is a must for any size business. In a full-scale attack, the signs are usually obvious, with messages indicating that files are inaccessible. Modern ransomware tactics, such as double or triple extortion, may involve threats to expose sensitive data publicly, potentially leading to devastating consequences, especially for regulated industries.

The Importance of an Incident Response Plan

Having a well-defined incident response plan is essential, and businesses that have the foresight to secure cyber insurance policies are better positioned to handle such incidents. The insurance company provides access to a breach coach and an incident response team, who can then engage local experts like Ekaru to assist with the hands-on work.

The local team's technical expertise allows them to communicate effectively with the incident response team, ensuring compliance with insurance company requirements and facilitating a swift recovery.

Reducing the Impact of Ransomware Attacks

While it is impossible to achieve 100% security and eliminate all risks, implementing layered security measures and proactive monitoring can significantly reduce the likelihood and impact of a ransomware attack. Detecting threats early and containing them before they spread can make a substantial difference in getting systems back up and running in hours rather than days or weeks, which is crucial for the affected business.

The Human Factors of Cyber Incidents

The operational disruption, financial cost, and stress caused by ransomware are significant - but have you considered the human impact? Beyond downtime and lost revenue, there’s the unsettling reality that cybercriminals were actually inside your systems, exploring your data, and stealing sensitive information. For many business owners and employees, that violation feels deeply personal. It’s not just an IT problem - it’s a frightening, invasive experience that can shake confidence and create lasting psychological stress.

What about your employees?  It’s easy to think of a ransomware attack as something that only affects computers - ones and zeros, bits and bytes, hardware and software. But in reality, it’s a deeply human problem. When a company’s systems are locked and payroll can’t be processed, the impact ripples through every employee and their family. In moments like this, people can’t help but wonder:

  • Job security – Will the company survive this? Should I start looking for another job?

  • Next paycheck – Will I get paid on time?

  • Meeting financial obligations – How will I cover my mortgage, rent, or upcoming bills if payroll is delayed?

  • Future stability – What does this mean for the long-term health of the business?

These questions create anxiety, uncertainty, and stress far beyond the IT department. That’s why a fast, coordinated response is about more than restoring systems - it’s about restoring confidence for the people whose livelihoods depend on them.

Developing a comprehensive incident response plan that addresses these human factors is essential for minimizing the overall impact of a ransomware attack on the organization and its workforce.

Emergency Response Protocol Excellence

If you’re a local small business facing a ransomware attack, one of the most important first steps is to immediately contact your cyber insurance provider. They’ll guide you through the correct protocols so you don’t unintentionally take actions that could hurt your chances of recovery or reimbursement. For example, trying to “fix” the problem yourself could overwrite critical forensic evidence needed to investigate the attack, or you might authorize work that isn’t covered by your policy - leaving you with unexpected costs. The bottom line: in the first hours after an attack, well-meaning but misinformed actions can make a bad situation even worse. Get your insurance company and their incident response experts involved right away to avoid costly mistakes and protect your business’s recovery path.

Working with Your Cyber Insurance Company

When you file a claim, your cyber insurance provider will activate their incident response team to begin the recovery process.

When an Incident Response team arrives on the scene, the first priorities usually include:

  • Isolating affected systems – Disconnecting compromised computers and servers from the network to stop the spread of the ransomware.

  • Deploying security tools – Installing advanced endpoint detection, monitoring, and containment tools to watch for and block any further malicious activity.

  • Preserving forensic evidence – Capturing system images, logs, and other data so investigators can determine exactly how the attack happened and what was accessed.

  • Securing backups – Identifying, isolating, and protecting clean backup copies so they aren’t accidentally infected or encrypted.

  • Communicating with stakeholders – Coordinating updates between leadership, technical teams, insurance providers, and legal counsel to ensure everyone is aligned on the next steps.

  • Beginning system triage – Assessing which systems are most critical to restore first to get essential operations back online as quickly as possible.

The Importance of Resilient Backups

The incident response team is going to want to take a look at the backups. One of the biggest mistakes small businesses make in the Boston area is not having resilient backups. There are lots of different ways to back up your data and some ways are more resilient than others. You want a backup that's not going to be wiped away.

Consider the amount of data that you would lose, which is your recovery point objective. For instance, if you back up every two days, you could lose up to two days of data. On the other hand, if you back up every hour, you could lose up to an hour's worth of data. That needs to be taken into account along with the recovery time objective. With a low-cost online backup, you may be able to get back your data, which is extremely important, but it might take two weeks.

Many businesses assume that simply having a backup means they’re safe - but in a ransomware attack, that’s not always the case. Skilled threat actors often search for and encrypt, corrupt, or even delete connected backups as part of their attack. That’s why it’s critical to maintain immutable backups - copies that cannot be altered or erased - stored securely off-site and completely isolated from your network. This ensures you have a clean, untouched version of your data ready to restore, even if everything else is compromised.

Another thing to keep in mind is that you don't want to restore from backups onto the affected systems right away. Load the recovered data on separate equipment so the forensic investigators can finish their work on the original systems first.

Working with Incident Response Teams

When we get called in as the local "boots on the ground," we work in concert with the incident response company. What we would really love to see is businesses putting the lower-cost safeguards in place ahead of time:

  • Multi-factor authentication
  • Strong passwords
  • Robust resilient backups
  • Detect and respond capabilities

These are all things that you want to have in place that could help mitigate your risk or reduce the blast radius of an attack. Unfortunately, you can't put them in after the fact and doing forensics is extremely expensive. Even with insurance, you're still going to have some out-of-pocket expenses.


Do you have Cyber Insurance?

This isn't the first time we've been called to assist by an Incident Response team, and the common thing we hear is that even with insurance, the experience is very expensive. We STRONGLY recommend that ALL small businesses carry Cyber Insurance - but it’s important to remember that insurance doesn’t erase all of the financial pain. Policies can offset a large portion of the costs, but they rarely cover 100% of expenses, and in some cases, certain claims can be denied entirely.

That said, in every “boots on the ground” case we’ve been called to, one thing has been consistent: the companies have told us they probably would not have survived the incident without their insurance coverage. The policy didn’t make the attack painless, but it provided the lifeline they needed to recover. Without it, the financial impact would have been catastrophic - in some cases, a true end-of-business event.


The Importance of Accurate Insurance Questionnaires

Another really important thing is those insurance renewal questionnaires. You must be accurate on them. If you write that you're doing quarterly pen testing (penetration testing), you better be doing quarterly pen testing. If you write that you're using multi-factor authentication, you must actually demonstrate that you use that. The insurance company has no obligation to pay out if they find out that you're just lying on the application.

  • Do you understand all the questions?
  • Have you answered accurately?
  • Are you aware that your rate will in part be determined by your answers?

After you have an incident, it may be harder to renew insurance. That's a time when you really have to step up and put safeguards into place. In my experience, whenever we’ve been called in for incident response, the immediate focus becomes putting every possible measure in place to ensure it doesn’t happen again. Some of the technical safeguards cost about the price of a latte per month. That cost is tiny compared to what dealing with another incident will cost.

Do you know the Law?

Cybersecurity isn’t just “good practice” - for many industries, it’s the law. Here are a few common regulations and who they affect:

| Regulation | 📋 What It Is | 🏢 Who Must Comply (Examples) |
| --- | --- | --- |
| 🛡 FTC Safeguards Rule | Requires businesses to protect customer data from unauthorized access. | Car dealerships, finance companies, mortgage brokers. |
| 🏥 HIPAA | Protects the privacy and security of health information. | Medical offices, dental practices, billing services, health insurance providers. |
| 🪖 CMMC | Cybersecurity standards for companies working with the U.S. Department of Defense. | Defense contractors, manufacturing suppliers for defense. |
| 📈 SEC Cybersecurity Rules | Requires publicly traded companies to disclose cybersecurity risks and incidents. | Public corporations, certain investment firms. |
| 🗝 Massachusetts Data Security Law | Enacted in 2010, requires safeguarding of personal information (PII) for MA residents. | Any business in Massachusetts holding PII — from retailers and service providers to medical and financial organizations. |

Ransomware Attack Prevention Expertise

The best way to recover from a cybersecurity event is to do the simple basics ahead of time to help minimize your risk and the blast radius. No system is bulletproof, and there is no one product that can provide complete protection.

The Importance of Proactive Security Measures

Incident response teams will immediately install the same security tools that they advise clients to have in place ahead of time. For a relatively small investment, you can greatly reduce your chances of having an incident.

  • Catch threats before they spread (detect and respond or threat hunting)
  • Look for signs of compromise, such as a forwarding rule in Outlook, combined with other indicators
  • Flag potential issues quickly, sometimes within minutes, and shut down an account to prevent the threat from spreading
  • Get systems back up in hours, not days or weeks
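A detection of the kind the second bullet describes (an Outlook rule that forwards mail outside the company, weighed together with an unusual sign-in), as an added example that is not Ekaru's code: the field names are an assumed, simplified subset of the Microsoft 365 audit log, the mail domain and sign-in baseline are assumptions, and the records are constructed.

```python
# Added example (not Ekaru's tooling): flag Outlook inbox rules that forward
# mail outside the company, and escalate when the same user also signed in
# from an unusual country nearby in time. Field names follow a simplified,
# assumed subset of the Microsoft 365 audit log; the records are constructed.
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"        # assumed company mail domain
USUAL_COUNTRIES = {"US"}               # assumed sign-in baseline
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
WINDOW = timedelta(hours=24)

EVENTS = [  # constructed sample records, not real logs
    {"CreationTime": "2025-08-01T02:13:00", "Operation": "UserLoggedIn",
     "UserId": "pat@example.com", "Country": "RO"},
    {"CreationTime": "2025-08-01T02:20:00", "Operation": "New-InboxRule",
     "UserId": "pat@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "drop@attacker.example"}]},
    {"CreationTime": "2025-08-01T09:00:00", "Operation": "New-InboxRule",
     "UserId": "sam@example.com",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2025-08-01T09:05:00", "Operation": "Set-InboxRule",
     "UserId": "lee@example.com",
     "Parameters": [{"Name": "ForwardTo",
                     "Value": "boss@example.com; lee.home@mail.example"}]},
]


def external_forward_targets(event):
    """Return forwarding addresses outside INTERNAL_DOMAIN (empty if none)."""
    targets = []
    for p in event.get("Parameters", []):
        if p["Name"] in FORWARD_PARAMS:
            for addr in p["Value"].split(";"):
                addr = addr.strip().lower()
                if addr and not addr.endswith("@" + INTERNAL_DOMAIN):
                    targets.append(addr)
    return targets


def find_suspicious_rules(events):
    """(user, severity, targets) per external-forwarding rule; 'high' when the
    user also signed in from outside USUAL_COUNTRIES within WINDOW."""
    signins = [e for e in events if e["Operation"] == "UserLoggedIn"]
    findings = []
    for e in events:
        if e["Operation"] not in RULE_OPS:
            continue
        targets = external_forward_targets(e)
        if not targets:
            continue  # rules that only move or tag mail are not flagged
        when = datetime.fromisoformat(e["CreationTime"])
        odd_signin = any(
            s["UserId"] == e["UserId"]
            and s.get("Country") not in USUAL_COUNTRIES
            and abs(datetime.fromisoformat(s["CreationTime"]) - when) <= WINDOW
            for s in signins)
        findings.append((e["UserId"], "high" if odd_signin else "medium", targets))
    return findings
```

Run against the constructed records, the rule for pat is rated high (external forward plus a sign-in from an unusual country minutes earlier), lee's is medium (external forward only), and sam's move-to-folder rule is not flagged.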

Key Steps for Ransomware Prevention

  1. Segment your network to help prevent the spread of ransomware
  2. Keep all your technology up to date (e.g., upgrading from Windows 10 to Windows 11)
  3. Implement multi-factor authentication for Microsoft 365, email, SharePoint, and OneDrive
  4. Provide ongoing security awareness training for employees
  5. Monitor your systems and have tools in place to track behavior and logs

The Importance of Keeping Software Up to Date

This year, Microsoft will end support for Windows 10, and after October, no new security updates will be released for this operating system. That creates an easy target for cybercriminals, who actively look for unpatched systems to exploit. The good news is, if your computer hardware is relatively new, you can likely upgrade to Windows 11 in place - without the expense of purchasing a brand-new PC - and keep your system protected.

Multi-Factor Authentication Made Easy

Multi-factor authentication is another key aspect of ransomware prevention. Most of the time, if you are using multi-factor authentication for Microsoft 365, your email, SharePoint, or OneDrive, you won't even notice it because if you're using the same computer in the same location, you don't get challenged for it every time. However, if you go to a different location or log in at an odd time, it will challenge you for that additional authentication factor.

The Risks of Insufficient Security Awareness Training

Ongoing security awareness training is so important. Many times, people will try to do training once a year, but this is not enough.

Imagine this scenario: a brand new employee who hadn't gone through cybersecurity awareness training clicked on a link, creating a security incident for the company. Think of the stress involved in that, both for the new employee and for the rest of the employees there. With AI-generated spoofed emails, it's getting harder and harder to spot the fake ones, as they no longer contain obvious grammatical or spelling errors.

The Importance of System Monitoring

Monitoring your systems is also crucial. If you experience an incident, the first thing people want to know is how it happened. In many cases, if you don't have tools in place that monitor behavior and logs, you run the risk of never knowing exactly how it happened. The more systems you put in place ahead of time, the better equipped you will be to respond to an incident.

Some businesses may be able to live with that ambiguity, while others, particularly those in regulated industries, are required to have comprehensive log reporting in place. Make sure you are aware of your compliance regulations, whether it's CMMC, FTC safeguards, or any other requirements, and ensure that you are meeting them.


Your Next Steps for Proactive Business Protection

Your business can stay ahead of ransomware threats with proven security methods that match your needs. Our team combines deep technical knowledge and local presence to build strong defenses before problems occur.

We guide you through implementing the right security tools, creating response plans, and training your staff - all while respecting your budget constraints. Our cybersecurity specialists offer a no-cost consultation to assess your current protections and outline practical next steps.

Ready to strengthen your security? Contact us at 978-692-4200 or visit Contact Us to schedule your review - there’s no obligation. We’re happy to offer a free 30-minute assessment for any business, so you can understand your risks and options with zero pressure. We’re here to help.


About the author:


Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area. Ann is an accomplished technology innovator and leader with three engineering degrees from MIT. She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.

https://www.linkedin.com/in/annwesterheim/  Let's connect!

Topics: cybersecurity, ransomware, Cyber Insurance, ransomware recovery
