Ransomware Preparedness: The Conversation Beyond Backups

Every organization I have worked with talks about ransomware. Most talk about backups. Almost none actually prepare for what happens when ransomware strikes. There is a critical difference between having insurance and having a plan. You can have all the backups in the world, but without clarity on authority, decision-making, communication protocols, and recovery timelines, backups become worthless. I have seen companies with robust backup systems spiral into chaos because they never had the conversation about whether to pay the ransom, who makes that decision, or how to communicate with stakeholders while systems are down.

Ransomware preparedness is not a technology problem. It is a business continuity problem. The moment your systems are encrypted, you are in executive territory. The IT team cannot solve this alone. Your CFO, general counsel, board, customer relations team, and insurance carrier all need to be part of the decision framework before the crisis occurs.

The Decision Framework: Pay or Do Not Pay

This is the conversation that separates mature organizations from reactive ones. When ransomware hits, you have minutes to begin crisis response, not days to debate whether paying is even an option.

Your board and C-suite need to establish criteria in advance. This is not hypothetical. You need a documented decision matrix that answers: At what financial threshold do we pay? What is our recovery timeline tolerance? Does our cyber insurance cover ransom payments? What are the legal and regulatory implications of paying a sanctioned entity? What does our general counsel say about the distinction between ransom and extortion? Have we consulted with our cyber insurer on their willingness to fund a payment?

I have seen organizations paralyze themselves because they never established this framework. When the encryption hits, executives are arguing about whether paying is morally defensible, whether it violates sanctions, or whether the board should be involved. You cannot have that debate during an active incident.

Establish your ransomware decision authority in writing now. Who has the authority to make the pay/no-pay decision? At what financial threshold? Involving whom? This conversation belongs in your incident response plan, not in your crisis moment.

Communication: Internal and External

Ransomware is not a technical failure. It is a business disruption. Your employees, customers, partners, and regulators need to hear from you, not from the news.

You need communication protocols established before the incident. Who communicates externally? Does the CEO speak to major customers directly, or does your account team? Do you issue a public statement? How do you communicate with regulators if required? What do you tell your board? What do you tell your employees?

The worst organizations I have worked with took days to establish a communication strategy after ransomware struck. The best ones had templates, pre-authorized messages, and clear escalation paths. You will not have time to draft these under pressure.

One critical distinction: transparency is not apology. You can be transparent about the situation without admitting fault. You need legal counsel involved in message development. You need your insurance carrier consulted. You need to understand what information disclosure triggers regulatory requirements versus what you can withhold.

Legal and Regulatory Obligations

If you are in healthcare, finance, or critical infrastructure, ransomware is a regulatory event. You do not get to decide whether to report it. You need to know in advance who must be notified, when, and what information is required.

HIPAA, for example, requires breach notification within 60 days for healthcare organizations. If your systems are encrypted and you cannot determine what was accessed, that is a HIPAA breach until proven otherwise. Your cyber insurance does not cover regulatory fines. Your backup recovery timeline cannot slip past your notification deadline.

If you process payment cards, you have PCI compliance implications. If you handle customer personal data, you have state breach notification laws. These are not theoretical. I have watched organizations face millions in regulatory fines because they did not have clear legal counsel guidance on disclosure requirements built into their incident response plan.

Assign your general counsel now to review your ransomware response plan with a specific focus on regulatory notification requirements. Who must you notify? When? What will they require? What fines apply if you miss deadlines?

Recovery Time Objectives and System Dependencies

You cannot recover every system at once, and you should not restore them in an arbitrary order. You recover them by business impact. If ransomware encrypts everything tomorrow, which system do you restore first? Your email? Your accounting system? Your manufacturing line? Your customer portal?

This is a business question, not an IT question. Your business leaders need to establish recovery time objectives (RTOs) for critical systems. Which systems can tolerate 4 hours of downtime? Which need 15 minutes? Which are business-critical and require constant availability?

Then you map dependencies. You cannot restore your order management system if your database server is still offline. You cannot process payroll if your financial systems are not available. You need to understand the sequence.

I have seen organizations with expensive backup systems that cannot actually meet their stated RTOs because they never sequenced recovery in advance. They back up everything, but they do not know in what order to restore it. They do not have a prioritization matrix. So when ransomware strikes, they spend hours deciding what to restore first instead of actually restoring.
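One way to turn the RTOs and dependency map above into a restore sequence, and to find out in advance whether the stated RTOs are even achievable, is a small planner like the following. This is an added example, not code from the original post; the system names, RTOs and restore times are constructed, and it assumes restores run one at a time.

```python
from dataclasses import dataclass
import heapq

@dataclass
class System:
    name: str
    rto_minutes: int        # recovery time objective set by the business
    restore_minutes: int    # measured time to restore this system from backup
    depends_on: tuple = ()  # systems that must be up before this one

def plan_recovery(systems):
    """Return (order, misses): dependencies first, then tightest RTO first among
    ready systems; misses = systems whose serial restore finishes after their RTO."""
    by_name = {s.name: s for s in systems}
    indeg = {s.name: 0 for s in systems}
    dependents = {s.name: [] for s in systems}
    for s in systems:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown system {dep}")
            indeg[s.name] += 1
            dependents[dep].append(s.name)
    # Min-heap keyed on RTO so the most urgent ready system is restored next.
    ready = [(s.rto_minutes, s.name) for s in systems if indeg[s.name] == 0]
    heapq.heapify(ready)
    order, misses, clock = [], [], 0
    while ready:
        _, name = heapq.heappop(ready)
        clock += by_name[name].restore_minutes
        order.append(name)
        if clock > by_name[name].rto_minutes:
            misses.append((name, clock, by_name[name].rto_minutes))
        for child in dependents[name]:
            indeg[child] -= 1
            if indeg[child] == 0:
                heapq.heappush(ready, (by_name[child].rto_minutes, child))
    if len(order) != len(systems):  # some system never became ready
        raise ValueError("circular dependency among " +
                         ", ".join(sorted(n for n, d in indeg.items() if d > 0)))
    return order, misses

# Constructed sample inventory (hypothetical names and timings, not from the post).
INVENTORY = [
    System("identity", 30, 20),
    System("database", 60, 45),
    System("order_mgmt", 120, 30, ("database", "identity")),
    System("payroll", 480, 40, ("database", "identity")),
    System("email", 240, 60, ("identity",)),
    System("customer_portal", 60, 30, ("order_mgmt",)),
]
```

On the sample inventory the planner restores identity, database, order_mgmt, customer_portal, email, payroll, and reports that the customer portal cannot meet its 60-minute RTO because its dependency chain alone takes 95 minutes. That is the gap a tabletop exercise should surface before an incident does.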

System Isolation and Network Segmentation

Ransomware spreads. The moment it lands on one system, it begins laterally moving through your network. If your entire environment is connected, ransomware encrypts everything simultaneously. If your critical systems are on the same network as non-critical systems, your recovery timeline extends exponentially.

Network segmentation is not a technology project. It is a ransomware containment strategy. Your critical systems should be on isolated networks. Your finance, operations, and HR systems should not be on the same network as guest Wi-Fi or development systems. If ransomware lands on a development server, it cannot spread to your accounting system because they are not connected.

You also need to know where your backups live. If your backups are on the same network as your production systems, ransomware encrypts both. Your backups need to be offline, air-gapped, and immutable. This is not theoretical. I have seen organizations with backups that were encrypted along with their production systems because the backups were stored on network-attached storage that ransomware could reach.

Tabletop Exercises: Practicing Without Pressure

You do not learn whether your ransomware plan works by executing it during an actual incident. You learn it by practicing.

Run tabletop exercises at least annually. Bring together your executive team, legal counsel, IT leadership, business unit heads, and your cyber insurance broker. Walk through a scenario: ransomware hits your critical systems. What happens next? Who makes the decision to pay or not pay? When do you notify regulators? How do you communicate with customers? What is your recovery sequence? How long does recovery take with your current backups?

These exercises reveal gaps immediately. You find out that your CFO thought cyber insurance covered ransom payments (it might not). You find out that your backup recovery timelines are measured in weeks, not hours. You find out that you do not have legal guidance on regulatory notification requirements. You find out that your incident commander lacks clear authority to make decisions.

Tabletop exercises are uncomfortable. That is the point. They are where you discover problems before they become crises.

Schedule a ransomware tabletop exercise for the next quarter. Include your board if possible. Your goal: discover gaps in your plan while there is still time to fix them.

The Backup You Should Not Have to Use

This is the conclusion that separates mature ransomware preparedness from checkbox compliance. Your backups are important. But your goal is never to use them. Your goal is to prevent ransomware from landing in the first place.

Backups are your fail-safe. They are not your ransomware strategy. Your ransomware strategy is prevention: email filtering, endpoint detection, patch management, access controls, network segmentation, and threat hunting. If ransomware reaches your systems and encrypts them, your backup recovery begins. But if you have done your prevention work correctly, you may never need to activate that backup recovery plan.

The organizations that handle ransomware best do not focus on backup recovery times. They focus on making sure ransomware never lands. They have email filtering that catches 99.9 percent of phishing attempts. They have endpoint detection that identifies suspicious behavior. They have network segmentation that limits lateral spread. They have backup-and-recovery plans as their insurance policy, not their primary strategy.

This is the discipline that separates ransomware preparedness from panic. Preparation is not about hoping your backups work. It is about preventing the need to use them while ensuring they will work if you must.


© 2026 Valukoda, Inc. All rights reserved.