Most organizations discover their ransomware gaps after the encryption starts. By then the questions are no longer theoretical — they are a conference bridge at 2 a.m. with a lawyer, a CFO, and an incident responder who bills by the hour. The work is to front-load those questions into a checklist you actually rehearse.
This is not a compliance artifact. It is the list I hand to a CISO who asks, honestly, "where are we exposed?"
Backups and storage
- Offline, tested backups. Not "we have Veeam." Tested means you restored a critical system end-to-end in the last 90 days and timed it. If you have not done this, your backups are a hypothesis.
- Immutable storage. Object Lock on S3 in compliance mode, hardened repositories, or tape. Ransomware crews go after backups deliberately, and a repository that can be written to or deleted with credentials from the domain being encrypted is inside the blast radius, not outside it. Immutable means the copy cannot be altered or deleted during its retention window, not even by the backup administrator.
- Domain-separated backup infrastructure. If your backup admin account lives in the same Active Directory as your file servers, it is not really separated: the domain admin compromise that encrypts the file servers also owns the backups. Separate accounts (a separate forest or local accounts), separate MFA, separate management network.
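A worked check for the immutable-storage item, added here as an example and not code from the original post. It assesses an S3 Object Lock configuration the way a reviewer would: is lock enabled at all, is there a default retention rule, is the mode COMPLIANCE rather than GOVERNANCE (a principal holding s3:BypassGovernanceRetention can delete governance-locked versions), and is the retention window long enough. The input dict mirrors the shape boto3's get_object_lock_configuration() returns; the four bucket configurations are constructed, and the 30-day minimum is an assumed policy value.

```python
"""Assess whether S3 Object Lock settings actually make a backup bucket
immutable. Added example; the bucket configurations below are constructed and
mirror the dict shape returned by boto3's get_object_lock_configuration()."""

from dataclasses import dataclass, field

# Assumed policy value: backups must survive at least this long with nobody
# able to delete them. Pick something longer than your worst-case dwell time.
MIN_RETENTION_DAYS = 30


@dataclass
class LockAssessment:
    bucket: str
    immutable: bool
    findings: list = field(default_factory=list)


def retention_days(default_retention):
    """Normalise a DefaultRetention block, which carries either Days or Years."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0


def assess_object_lock(bucket, lock_response, min_days=MIN_RETENTION_DAYS):
    """Return a LockAssessment for one bucket's Object Lock configuration.

    An empty dict stands in for the error boto3 raises when a bucket has no
    Object Lock configuration at all.
    """
    findings = []
    cfg = lock_response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled: anyone with s3:DeleteObjectVersion can purge the backups")
        return LockAssessment(bucket, False, findings)

    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Lock is on but nothing is locked by default; only objects whose writer
        # explicitly set a retention period are protected.
        findings.append("No default retention rule: objects written without per-object retention are deletable")
        return LockAssessment(bucket, False, findings)

    mode = rule.get("Mode")
    days = retention_days(rule)
    if mode == "GOVERNANCE":
        findings.append("Retention mode is GOVERNANCE: principals with s3:BypassGovernanceRetention can delete locked versions")
    elif mode != "COMPLIANCE":
        findings.append(f"Unrecognised retention mode {mode!r}")
    if days < min_days:
        findings.append(f"Default retention is {days} days, below the {min_days}-day minimum")

    return LockAssessment(bucket, mode == "COMPLIANCE" and days >= min_days, findings)


# Constructed sample responses for four backup buckets.
SAMPLE_BUCKETS = {
    "backups-legacy": {},  # no Object Lock at all
    "backups-governance": {
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 14}},
        }
    },
    "backups-locked-no-rule": {
        "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}
    },
    "backups-compliance": {
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}},
        }
    },
}


def assess_sample_buckets():
    """Assess every constructed bucket; returns {bucket: LockAssessment}."""
    return {name: assess_object_lock(name, resp) for name, resp in SAMPLE_BUCKETS.items()}


if __name__ == "__main__":
    for result in assess_sample_buckets().values():
        status = "IMMUTABLE" if result.immutable else "NOT IMMUTABLE"
        print(f"{result.bucket}: {status}")
        for finding in result.findings:
            print(f"  - {finding}")
```

In practice you would feed `assess_object_lock` the live response for each bucket your backup software writes to, and treat anything other than an empty findings list as an open item with a close date. The governance-mode finding is the one most teams miss: the bucket looks locked in the console, but the backup admin role that ransomware operators go after first usually holds the bypass permission.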
Identity and endpoint
- MFA everywhere a human authenticates: VPN, RDP, admin consoles, cloud tenants, not just webmail. MFA on webmail only is a 2018 posture. Service accounts cannot answer a second-factor prompt, so treat them separately: managed service accounts or workload identities where possible, long random secrets rotated on a schedule, and logon restricted to the hosts that need them. See also: the separate post on why MFA is necessary but not sufficient.
- Segmented networks. Flat networks are how a single compromised workstation turns into a seven-figure event. East-west controls matter more than the perimeter firewall at this point.
- EDR on every endpoint, including servers and jump hosts. CrowdStrike Falcon, SentinelOne, Defender for Endpoint: pick one and make the coverage report honest. Reconcile the agent console against an independent asset inventory (AD, CMDB, DHCP leases) and count a host as covered only if its sensor has checked in recently. The gap between "deployed" and "every host is reporting" is where adversaries live.
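A worked reconciliation for the EDR coverage item, added here as an example and not code from the original post. It joins an asset inventory export against an EDR console export, normalises hostnames so `FS01.corp.example` and `fs01` match, collapses duplicate agent records to the newest check-in, and reports two numbers: the "deployed" percentage a dashboard would show (any agent record counts) and the honest percentage of hosts whose sensor has checked in within a freshness window. Both exports, the fixed clock, the 7-day window and the field names (host, role, last_seen) are constructed or assumed, not any vendor's export format.

```python
"""Reconcile an asset inventory against an EDR agent export to produce an
honest coverage number. Added example; both exports and the clock are
constructed, and the field names are assumptions rather than a vendor format."""

from datetime import datetime, timedelta, timezone

# Fixed clock so the sample is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=7)  # assumed freshness window for a sensor check-in

# Constructed asset inventory (what AD / the CMDB says exists).
INVENTORY = [
    {"host": "WS-101", "role": "workstation"},
    {"host": "WS-102", "role": "workstation"},
    {"host": "WS-103", "role": "workstation"},
    {"host": "FS01", "role": "file server"},
    {"host": "DC01", "role": "domain controller"},
    {"host": "JUMP01", "role": "jump host"},
    {"host": "BACKUP01", "role": "backup server"},
    {"host": "SQL01", "role": "database"},
]

# Constructed EDR console export: mixed case, FQDNs, a stale duplicate record
# and a host nobody inventoried.
AGENTS = [
    {"host": "ws-101.corp.example", "last_seen": "2024-02-29T23:00:00+00:00"},
    {"host": "WS-102", "last_seen": "2024-02-28T08:15:00+00:00"},
    {"host": "ws-102", "last_seen": "2024-01-01T08:15:00+00:00"},  # old duplicate record
    {"host": "ws-103", "last_seen": "2024-02-01T10:00:00+00:00"},  # sensor silent for a month
    {"host": "FS01.corp.example", "last_seen": "2024-02-29T22:40:00+00:00"},
    {"host": "dc01", "last_seen": "2024-02-29T22:41:00+00:00"},
    {"host": "jump01", "last_seen": "2024-01-15T03:00:00+00:00"},  # silent sensor on a jump host
    {"host": "lab-vm-7", "last_seen": "2024-02-29T20:00:00+00:00"},  # not in the inventory
]


def normalise(hostname):
    """Short hostname, lower-cased: 'FS01.corp.example' -> 'fs01'."""
    return hostname.strip().lower().split(".")[0]


def latest_checkins(agents):
    """Collapse duplicate agent records to the most recent last_seen per host."""
    latest = {}
    for record in agents:
        host = normalise(record["host"])
        seen = datetime.fromisoformat(record["last_seen"])
        if host not in latest or seen > latest[host]:
            latest[host] = seen
    return latest


def reconcile(inventory, agents, now=NOW, stale_after=STALE_AFTER):
    """Return the coverage report as a dict of sorted host lists and percentages."""
    expected = {normalise(a["host"]) for a in inventory}
    checkins = latest_checkins(agents)
    present = set(checkins)

    healthy = sorted(h for h in expected & present if now - checkins[h] <= stale_after)
    stale = sorted(h for h in expected & present if now - checkins[h] > stale_after)
    missing = sorted(expected - present)   # inventoried hosts with no agent at all
    unknown = sorted(present - expected)   # agents on hosts the inventory does not know about

    total = len(expected)
    return {
        "healthy": healthy,
        "stale": stale,
        "missing": missing,
        "unknown": unknown,
        # What the console dashboard would claim: any agent record counts.
        "deployed_pct": round(100 * (len(healthy) + len(stale)) / total, 1),
        # What you should report: a sensor that has not checked in protects nothing.
        "healthy_pct": round(100 * len(healthy) / total, 1),
    }


def reconcile_sample():
    """Run the reconciliation over the constructed exports."""
    return reconcile(INVENTORY, AGENTS)


if __name__ == "__main__":
    report = reconcile_sample()
    print(f"deployed: {report['deployed_pct']}%  honest: {report['healthy_pct']}%")
    for key in ("missing", "stale", "unknown"):
        print(f"{key}: {', '.join(report[key]) or 'none'}")
```

On the constructed data the dashboard number is 75% and the honest number is 50%: the backup server and the SQL server have no agent, and the jump host's sensor has been silent for six weeks. The `unknown` list is worth reading too; a host with an agent that no inventory knows about is a host nobody is patching.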
Response and decision-making
- An IR plan that has been rehearsed this year. A plan in SharePoint that no one has opened is documentation theatre. Run a tabletop, find the gaps, update the plan.
- Out-of-band communication. If your Teams tenant is encrypted, how does the response team talk? Pre-staged Signal groups, personal phone numbers, a printed call tree. Yes, printed.
- Legal counsel on speed dial. Breach coach engaged before the incident, with an hourly rate you have already negotiated. The wrong time to shop for a lawyer is while your domain controllers are screaming.
- Cyber insurance sanity check. Read the policy. Understand sub-limits, coinsurance, and what your carrier requires before they will pay — many now mandate specific EDR and MFA controls.
The question nobody wants to pre-answer
You need a decision tree for paying ransom. Not a policy that says "we don't pay" (every org says that until they are down for eight days), and not a blank check. A decision tree that names who decides, what inputs they need (sanctions screening, data exfil evidence, restore ETA), and what the board-level threshold is.
If the first time your executive team discusses ransom payment is during the incident, you have already lost the most expensive hours of your response.
The takeaway
Print this list. Walk it room by room with your infrastructure, identity, and legal teams. For every item where the answer is "mostly" or "we're working on it," write the date you will close it. Ransomware readiness is not a score — it is a set of ten questions you can answer cold, at 2 a.m., with auditors on the line.