
Ransomware Resilience: Prevention, Detection and Recovery

Ransomware is not a problem you buy your way out of with one product. It is a whole organisation resilience problem that plays out across three layers: stopping the attacker getting in, spotting them when they do, and recovering cleanly when prevention fails. Here is how those layers fit together, honestly, and where the real gaps usually sit.

Most ransomware advice falls into one of two traps. Either it sells a single product as the answer, or it lists fifty controls with no sense of which ones actually decide whether you survive an attack. Neither helps a leadership team work out where to spend the next pound. So let us start from the honest position: ransomware resilience is not a product, it is a property of the whole organisation, and it is built across three layers that each do a different job.

Why ransomware is a resilience problem, not a product problem

A modern ransomware attack is rarely a single event. It is a sequence. Someone gets in, usually through a person or an exposed service. They move quietly, escalate privilege, find the data that matters, and disable or encrypt the backups before they ever trigger the encryption you actually notice. By the time the ransom note appears, the attacker has often been inside for days or weeks.

That sequence is the reason no single control saves you. A perfect email filter does nothing about a stolen credential. Flawless backups do nothing if the attacker deleted them first. Resilience comes from layering controls so that the failure of any one of them is caught by another. The goal is not to be impenetrable, which is not achievable; it is to make sure that any single failure is survivable.

The honest framing

Treat ransomware as three questions, not one. Can we make it hard to get in? Can we tell when someone has? Can we recover without paying? Most organisations have invested heavily in the first, lightly in the second, and dangerously little in the third. The gap is almost always recovery.

The three layers that actually matter

Everything worth doing about ransomware fits into prevention, detection or recovery. They are not alternatives: you need all three. But they fail in different ways and they are funded very differently, so it helps to look at them separately.

1. Prevention

Make it hard to get in and hard to spread

The human layer and email are the most common entry points, alongside exposed services and stolen credentials. Prevention is about closing those doors: email and phishing defence, strong identity and multi-factor authentication, prompt patching of internet-facing systems, and least privilege so that a single compromise does not become domain-wide.

2. Detection

Assume they get in, and catch them early

Prevention will eventually fail, so the question becomes how quickly you notice. Endpoint detection, logging and monitoring, and unusual behaviour alerting shorten the window between intrusion and impact. The attacker relies on dwell time. Detection is how you take it away.

3. Recovery

Recover cleanly, without paying

If everything else fails, recovery is what decides whether you pay a ransom or restore from a copy the attacker could not touch. That means immutable, isolated backups, a tested restore process, and a plan that assumes your primary environment is compromised. This is the layer most organisations quietly neglect.

Prevention: closing the entry points

Because the human layer is the most common way in, prevention starts there. That is the subject of our wider work on human risk as the real security perimeter, and email specifically in our guide to email security and human risk. The short version: layered email defence that catches phishing, business email compromise and malicious links and attachments removes a large share of the initial access attempts before a person ever has to make a judgement call.

On the email layer, there are capable options from the platform vendors and from specialists. For estates that are heavily Microsoft native, the built-in protections in the higher Microsoft tiers can be a reasonable baseline and are worth weighing before you add anything. Where organisations need stronger and more configurable defence, or want a layer that is independent of the mailbox provider, we are a Mimecast partner among others and often recommend Mimecast Email, because its detonation, link rewriting and impersonation protection are genuinely strong against the modern threat. We say that as a reasoned preference, not a default: the right answer depends on your estate, and for some organisations the native controls are enough.

Prevention is not only email. Multi-factor authentication on every account that matters, rapid patching of anything exposed to the internet, and least privilege so that one compromised laptop cannot reach the whole estate are the unglamorous controls that quietly prevent most spread. They are cheaper than any product and more effective than most.

Detection: assuming they get in

The mature mindset is to assume prevention will fail at some point and to design so that the failure is caught quickly. The single most useful number in ransomware is dwell time: how long the attacker is inside before you notice. Shorten it and you turn a catastrophe into an incident.

Endpoint detection and response, centralised logging, and alerting on the behaviours that precede encryption (mass file access, privilege escalation, the disabling of security tools) are what compress that window. For many organisations this is delivered as a managed detection service rather than built in house, because detection only works if someone is actually watching and able to act around the clock. The technology is necessary but not sufficient. The response capability behind it is what makes it real.
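As an added illustration of the three precursor behaviours named above (not code from this guide or from any detection product), the script below runs simple rules over constructed endpoint log lines: a sliding window that flags one account rewriting an unusual number of distinct files in a short period, an addition to a privileged group, and a stop of a security service. The log format, event names, group and service names and the thresholds are all assumptions chosen for the example; a real deployment would take them from its own tooling and tune them against its own baseline.

```python
"""Alert on ransomware precursor behaviour in endpoint logs.

Added example: the log format, event names, service names and thresholds
below are assumptions for illustration, not any vendor's schema or rules.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed names; a real deployment takes these from its own directory and tooling.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
SECURITY_SERVICES = {"edr-agent", "av-realtime", "backup-agent"}


def build_sample_logs():
    """Constructed log lines: '<ISO timestamp> | <host> | <user> | <event> | <detail>'."""
    base = datetime(2024, 3, 1, 2, 10, 0)
    lines = []
    # One workstation rewrites 60 distinct share files in 60 seconds (encryption-like burst).
    for i in range(60):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} | ws-17 | jsmith | FILE_WRITE | /shares/finance/doc{i:03d}.xlsx")
    # A second host writes five files over five minutes (normal work, must not alert).
    for i in range(5):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} | ws-03 | akhan | FILE_WRITE | /home/akhan/notes{i}.txt")
    # Security tooling stopped, then the same account added to a privileged group.
    lines.append(f"{(base + timedelta(seconds=70)).isoformat()} | ws-17 | jsmith | SERVICE_STOP | edr-agent")
    lines.append(f"{(base + timedelta(seconds=90)).isoformat()} | dc-01 | jsmith | GROUP_ADD | Domain Admins")
    return lines


def parse_line(line):
    """Split one assumed-format line into a dict with a parsed timestamp."""
    ts, host, user, event, detail = (part.strip() for part in line.split(" | ", 4))
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "event": event, "detail": detail}


def detect(lines, mass_write_threshold=50, window_seconds=60):
    """Return alerts in time order. Each alert names the rule, host, user and timestamp."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    windows = defaultdict(deque)   # (host, user) -> recent (timestamp, path) writes
    fired = set()                  # suppress repeat mass-write alerts for the same actor
    alerts = []

    def alert(rule, ev):
        alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                       "ts": ev["ts"], "detail": ev["detail"]})

    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["event"] == "FILE_WRITE":
            recent = windows[key]
            recent.append((ev["ts"], ev["detail"]))
            cutoff = ev["ts"] - timedelta(seconds=window_seconds)
            while recent and recent[0][0] < cutoff:   # slide the window forward
                recent.popleft()
            distinct_files = {path for _, path in recent}
            if len(distinct_files) >= mass_write_threshold and key not in fired:
                fired.add(key)
                alert("mass_file_write", ev)
        elif ev["event"] == "GROUP_ADD" and ev["detail"] in PRIVILEGED_GROUPS:
            alert("privilege_escalation", ev)
        elif ev["event"] in {"SERVICE_STOP", "CONFIG_CHANGE"} and ev["detail"] in SECURITY_SERVICES:
            alert("security_tool_tamper", ev)
    return alerts


if __name__ == "__main__":
    for a in detect(build_sample_logs()):
        print(f"{a['ts'].isoformat()}  {a['rule']:<22} {a['host']}/{a['user']}  {a['detail']}")
```

On the constructed input the three rules fire in sequence within about ninety seconds of the burst starting, which is the window the article is talking about: each alert on its own is a lead, but the same account tripping mass writes, a security-service stop and a privileged-group change in that order is the pattern a watching analyst acts on before the ransom note appears.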

Where the money should go

If your prevention spend dwarfs your detection and recovery spend, you are buying comfort, not resilience. The organisations that recover well are the ones that assumed they would be breached and invested in catching it fast and restoring cleanly, not just in keeping attackers out.

Recovery: the part everyone underinvests in

Recovery is the layer that decides whether a ransomware attack is a bad week or an existential event, and it is the one most often found wanting at the worst possible moment. The attacker's whole strategy assumes you cannot recover, which is why they target backups first. So your recovery has to survive an attacker who already has administrative access to your environment.

That means backups that are immutable, so they cannot be altered or deleted within a retention window even by a compromised administrator, and isolated, so they sit outside the blast radius of the production environment. The detail of how modern storage delivers this (immutable snapshots, logical and physical air gaps, and recovery at scale) is covered properly in our companion guide on storage and ransomware, so we will not repeat it here. The point for resilience planning is that the copy you recover from must be one the attacker could not reach.

Two things separate organisations that recover from those that pay. First, a restore process that has actually been tested at realistic scale, because a backup you have never restored is a hope, not a plan. Second, clean restore points, because if your backups contain the dormant attacker, you restore the problem along with the data. Recovery planning has to include working out how far back a known good state lies, and how you stand the business up from it.
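The two paragraphs above describe properties rather than a procedure, so the added model below (not code from this guide or from any storage product) shows them as checks you can run: a snapshot store that refuses deletion inside a retention lock even when the caller is an administrator, a chooser that picks the newest isolated snapshot taken safely before the suspected compromise so the dormant attacker is not restored with the data, and a readiness report that flags copies reachable from production, copies whose lock has lapsed, and copies that have never been through a restore drill. The snapshot fields, the 30-day lock, the one-day safety margin and the 90-day drill age are assumptions for the example.

```python
"""Model of retention-locked, isolated backup snapshots and clean restore-point selection.

Added example, not a storage product's API: the snapshot fields, the 30-day lock,
the one-day safety margin and the 90-day drill age are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken: datetime
    locked_until: datetime                          # deletion refused before this time
    isolated: bool                                  # held outside the production blast radius
    last_restore_test: Optional[datetime] = None    # last successful restore drill, if any


class ImmutableSnapshotStore:
    """Refuses deletion inside the lock window regardless of who asks."""

    def __init__(self, snapshots):
        self._snaps = {s.name: s for s in snapshots}

    def delete(self, name, now, is_admin=False):
        snap = self._snaps[name]
        if now < snap.locked_until:
            # Admin rights deliberately do not override the lock: that is what immutability means.
            raise PermissionError(f"{name} is retention-locked until {snap.locked_until.date()}")
        del self._snaps[name]

    def snapshots(self):
        return list(self._snaps.values())


def choose_restore_point(snapshots, suspected_compromise, safety_margin=timedelta(days=1)):
    """Newest isolated snapshot taken before the suspected compromise, less a margin for
    uncertainty about when the attacker really arrived. Returns None if there is none."""
    cutoff = suspected_compromise - safety_margin
    candidates = [s for s in snapshots if s.isolated and s.taken <= cutoff]
    return max(candidates, key=lambda s: s.taken) if candidates else None


def readiness_gaps(snapshots, now, max_drill_age=timedelta(days=90)):
    """Plain-language gaps a pressure test would surface for each snapshot."""
    gaps = []
    for s in snapshots:
        if not s.isolated:
            gaps.append(f"{s.name}: reachable from production")
        if s.locked_until <= now:
            gaps.append(f"{s.name}: retention lock already expired")
        if s.last_restore_test is None or now - s.last_restore_test > max_drill_age:
            gaps.append(f"{s.name}: no restore drill in the last {max_drill_age.days} days")
    return gaps


def build_sample_store():
    """Constructed fleet: nightly vault copies (isolated, 30-day lock, drilled on 1 Feb)
    plus one production-side snapshot that is newer but sits inside the blast radius."""
    lock = timedelta(days=30)
    drill = datetime(2024, 2, 1)
    snaps = [Snapshot(f"vault-2024-02-{d:02d}", datetime(2024, 2, d, 1, 0),
                      datetime(2024, 2, d, 1, 0) + lock, True, drill) for d in range(20, 29)]
    snaps.append(Snapshot("prod-local-2024-02-26", datetime(2024, 2, 26, 8, 0),
                          datetime(2024, 2, 26, 8, 0) + timedelta(days=7), False, None))
    return ImmutableSnapshotStore(snaps)


def run_demo():
    """Exercise the model; returns the results so they can be checked, not just printed."""
    store = build_sample_store()
    now = datetime(2024, 3, 1, 9, 0)
    try:
        store.delete("vault-2024-02-26", now, is_admin=True)   # attacker with admin rights
        refused = False
    except PermissionError:
        refused = True
    point = choose_restore_point(store.snapshots(), datetime(2024, 2, 27, 9, 0))
    too_early = choose_restore_point(store.snapshots(), datetime(2024, 2, 20, 0, 0))
    gaps = readiness_gaps(store.snapshots(), now)
    store.delete("vault-2024-02-26", datetime(2024, 4, 1), is_admin=True)   # lock has lapsed
    return {"delete_refused": refused, "restore_point": point.name if point else None,
            "no_point_before_first": too_early is None, "gaps": gaps,
            "count_after_expiry": len(store.snapshots())}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note what the chooser does with the production-side snapshot: it is the most recent copy before the compromise window, and it is ignored anyway, because a copy the attacker's administrative access could reach is exactly the copy you cannot trust. The readiness report flags it twice, once for sitting inside the blast radius and once for never having been restored.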

How to pressure test your own resilience

You do not need a major programme to find out where you stand. A short, honest assessment across the three layers usually surfaces the real gaps quickly. In practice that means asking:

  • Prevention: is multi-factor authentication on everything that matters, is anything internet-facing unpatched, and is our email defence genuinely catching modern phishing and business email compromise?
  • Detection: if an attacker were inside right now, how would we know, who is watching, and how fast could we respond out of hours?
  • Recovery: are our backups immutable and isolated, when did we last actually restore at scale, and do we know our last known good state?
  • People and process: does someone own this, is there an incident plan, and has anyone ever rehearsed it?

The answers tend to cluster. Organisations are usually strongest on prevention, thinner on detection, and weakest on tested recovery, which is exactly the wrong way round given that recovery is what decides the outcome once an attack succeeds.

How C4C helps

We help organisations build resilience across all three layers rather than selling a single box as the answer. We assess where the real gaps sit, prevention, detection or recovery, and design a layered posture that fits your estate and your budget. We are independent in that assessment, with no single platform we are obliged to recommend, and we are open about our partnerships, including Mimecast on the email layer, so that any recommendation is one you can trust. The aim is a posture where no single failure is fatal, and where if the worst happens, you recover from a clean copy rather than paying a ransom.

Want an honest view of your ransomware resilience?

Tell us about your environment and we will give you an independent read across prevention, detection and recovery, and a clear sense of where the real gaps are. No single product agenda, just where your resilience genuinely stands. We assess first, and recommend with reasons.

Prefer email? Reach us directly at hello@c4cgroup.co.uk.

Frequently asked questions

Can one product protect us from ransomware?

No. Ransomware plays out across entry, spread, and the disabling of backups, so it is defeated by layers, not a single tool. Prevention reduces the chance of getting in, detection shortens how long an attacker stays hidden, and recovery decides whether you can restore without paying. Any vendor selling a single box as complete protection is overstating it.

What is the most overlooked part of ransomware resilience?

Recovery, almost always. Organisations tend to invest heavily in keeping attackers out and far less in recovering cleanly when one gets in. Yet recovery (immutable and isolated backups plus a genuinely tested restore) is what decides whether an attack is a bad week or an existential event. Attackers target backups first precisely because they know this.

How does ransomware usually get in?

Most often through the human layer: a phishing email or a convincing message that leads to a credential or a malicious payload, an exposed, unpatched internet-facing service, or a stolen credential without multi-factor authentication. That is why prevention starts with email defence, strong identity and rapid patching, the doors attackers use most.

Are immutable backups enough on their own?

They are essential but not sufficient. Immutability stops an attacker altering or deleting the copy, but you still need the backup to be isolated from the production blast radius, to contain a clean restore point free of the dormant attacker, and to have been tested at realistic scale. A backup you have never restored is a hope, not a plan.

Should we use Microsoft's built in security or add a specialist layer?

It depends on your estate. For heavily Microsoft native organisations the higher Microsoft tiers provide a reasonable baseline worth weighing first. Where you need stronger, more configurable defence, or a layer independent of the mailbox provider, a specialist adds real value. We are a Mimecast partner among others and often recommend Mimecast Email for that role, but as a reasoned choice, not a default.

How do we know how resilient we actually are?

Pressure test the three layers honestly. Is multi-factor authentication everywhere, and is anything exposed unpatched? If an attacker were inside now, how would you know and how fast could you respond? Are your backups immutable, isolated and recently restored at scale? The gaps usually cluster around detection and tested recovery, which is exactly where an attack is decided.