
Small Business Ransomware 2026: Who Gets Hit, What It Costs, How They Recover

Ransomware groups target small offices because the data is valuable and the defenses are thin. Here is what an attack actually costs a firm your size — and what separates the businesses that recover from the ones that don't.

Elevate Solutions
June 26, 2026 · 5 min read
The short version: Small businesses are frequent ransomware targets, and the cost of an attack goes well beyond the ransom demand. Firms that recover quickly have tested offsite backups, a short written response plan, and security controls on Microsoft 365 that are actually configured and turned on.

Ransomware is not a big-company problem anymore

If you manage the office for a law firm, medical practice, accounting shop, or any small professional services business, you are not too small to be a target. In many cases, you are exactly the target.

Ransomware groups have automated their attack tools. They scan the internet for exposed systems, unpatched software, and accounts without multi-factor authentication. A ten-person office looks like an opportunity when its file server or cloud accounts are misconfigured. The size of your payroll does not factor into that calculation.

Who gets hit

The businesses that get hit most often share a short list of characteristics:

  • No multi-factor authentication on email or remote access
  • Backups stored on the same network as the primary data
  • Employees who open attachments or click links without hesitation
  • Software that has not been updated in months
  • No incident response plan — not even a one-page checklist

Industry does not matter as much as people assume. Legal, dental, real estate, construction, logistics — attackers target whoever is reachable and holds data valuable enough to motivate payment. If your clients' files are on your systems, you have something worth encrypting.

What does a ransomware attack actually cost a small firm?

The ransom demand gets the attention. It should not. For most small businesses, the ransom is the smaller part of the total loss.

Consider what stops the moment ransomware deploys:

  • You cannot access client files, contracts, invoices, or records
  • Staff cannot work — or are working manually, slowly, and inaccurately
  • You may be legally required to notify clients, regulators, or your state attorney general
  • Your professional reputation is now at risk with every client who hears about it

Downtime for businesses with no tested backup is measured in days to weeks. Recovery labor — rebuilding systems, reinstalling software, re-entering lost data — accumulates on top of that. Breach notification carries legal costs. If a client sues over exposed records, litigation expenses dwarf everything else combined.

Paying the ransom does not reliably solve the problem. Attackers may provide a decryption key that works partially, slowly, or not at all. Paying also does not remove the malware from your systems, and it marks your business as one willing to pay.

How the firms that recover do it

The businesses that come back quickly share the same fundamentals. None of them are complicated or expensive to implement.

They have tested, offsite backups

A backup on the same server or same network as your working files is not a backup — it gets encrypted along with everything else. Effective backup means a separate copy, stored somewhere ransomware cannot reach, verified recently enough that you know it actually works.

The industry standard is the 3-2-1 rule: three copies of your data, on two different media types, with one copy offsite. For a small office running Microsoft 365 Business Premium, that means:

  • Your Microsoft 365 data in the cloud (Exchange Online, SharePoint, OneDrive)
  • A third-party backup of that cloud data — Microsoft retains data but is not a backup provider
  • A separate backup of any on-premises files, isolated from your primary network

Important: Microsoft 365's built-in retention protects against accidental deletion. It is not designed to protect against ransomware that encrypts synced files before Microsoft can intervene.
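The "verified recently enough that you know it actually works" part is the step most offices skip. The following is an added example (not Elevate Solutions' tooling and not part of any backup product): a small Python routine that writes a SHA-256 manifest of the working files when the backup runs, then checks a restored copy against that manifest and flags a backup that has gone stale. The directory names, file contents and the 7-day freshness threshold are constructed assumptions.

```python
"""Prove a backup is a real, separate copy that restores intact and is recent.

Added example, not Elevate Solutions' tooling: it records a SHA-256 manifest
of the working files at backup time, then verifies a restored copy against
that manifest and checks the backup's age. All paths, file contents and the
7-day freshness threshold below are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def build_manifest(source_dir: Path) -> dict[str, str]:
    """Map each file's path (relative to source_dir) to its SHA-256 digest."""
    manifest: dict[str, str] = {}
    for path in sorted(source_dir.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(restore_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Compare a restored tree against the manifest; return a list of problems.

    A file that ransomware encrypted before the backup job ran, or that the
    job truncated, shows up as a hash mismatch; a file the job never copied
    shows up as missing. An empty list means the restore is trustworthy.
    """
    problems: list[str] = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
            continue
        actual = hashlib.sha256(restored.read_bytes()).hexdigest()
        if actual != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def is_fresh(manifest_path: Path, max_age_days: int = 7, now: float | None = None) -> bool:
    """True if the manifest (written when the backup ran) is within max_age_days."""
    now = time.time() if now is None else now
    age_days = (now - manifest_path.stat().st_mtime) / 86400
    return age_days <= max_age_days


def demo() -> dict:
    """Constructed scenario: one clean restore and one where a file came back damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "office-files"
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "contract.docx").write_bytes(b"signed engagement letter")
        (src / "invoices.xlsx").write_bytes(b"Q2 invoices")

        # Taken at backup time and stored alongside the offsite copy.
        manifest_path = root / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src)))
        manifest = json.loads(manifest_path.read_text())

        # Good restore: a byte-identical copy pulled back from the isolated location.
        good = root / "restore-good"
        shutil.copytree(src, good)

        # Bad restore: one file is ciphertext, i.e. the backup job ran after
        # encryption and faithfully copied the damaged file.
        bad = root / "restore-bad"
        shutil.copytree(src, bad)
        (bad / "invoices.xlsx").write_bytes(b"\x00ENCRYPTED\x00")

        return {
            "good_problems": verify_restore(good, manifest),
            "bad_problems": verify_restore(bad, manifest),
            "fresh_now": is_fresh(manifest_path),
            # The same manifest judged 30 days later: the backup has gone stale.
            "fresh_after_30_days": is_fresh(manifest_path, now=time.time() + 30 * 86400),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the verification against a restore to a scratch machine or folder, never against the live file share, and keep the manifest with the offsite copy so that a ransomware run on the office network cannot rewrite it.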

They have a written response plan — even a short one

When ransomware deploys, the first ten minutes matter. Without a plan, the instinct is to start clicking and calling — which can spread the infection, contaminate evidence, or alert attackers that you have noticed them.

A written plan does not need to be long. It needs to answer four questions:

  1. Who makes the call to disconnect systems from the network?
  2. Who do we contact first — IT, legal counsel, or cyber insurance?
  3. Where is our backup, and who has the credentials to access it?
  4. Who notifies clients and regulators if notification is legally required?

Print it. Put it somewhere that does not require a working computer to find.

They use the security tools already included in Microsoft 365 Business Premium

Microsoft 365 Business Premium includes Microsoft Defender for Business — an enterprise-grade endpoint detection and response tool built for businesses without a dedicated security team. It can detect ransomware behavior before encryption completes and isolate affected devices automatically. It is not enabled by default and is rarely configured correctly at small offices.

Business Premium also includes Conditional Access policies, which can block sign-ins from unexpected locations or unmanaged devices. Multi-factor authentication, enforced across every account, stops the majority of credential-based attacks before they ever reach your files.

These tools are included in what many small firms already pay for. The gap is configuration and ongoing monitoring — not the license.
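The configuration gap is easy to check. Below is an added example, not Elevate Solutions' or Microsoft's code, that audits a tenant's Conditional Access policies for an enforced, tenant-wide MFA requirement. It takes policy objects in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies; the three-policy sample tenant is constructed (including the placeholder role id), and the Graph call itself is left out so the check runs offline.

```python
"""Audit Conditional Access policies for an enforced, tenant-wide MFA requirement.

Added example, not Elevate Solutions' or Microsoft's code. Input objects use
the Microsoft Graph conditionalAccessPolicy shape; the sample tenant below is
constructed and the Graph call is omitted so the check runs offline.
"""
from __future__ import annotations

ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def requires_mfa(policy: dict) -> bool:
    """True if the policy's grant controls include the built-in MFA control."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or [])


def covers_everyone(policy: dict) -> bool:
    """True if the policy targets all users and all cloud apps with no exclusions.

    Exclusions are not always wrong (a break-glass account is a common one),
    but each is a gap the office should be able to explain.
    """
    conditions = policy.get("conditions") or {}
    users = conditions.get("users") or {}
    apps = conditions.get("applications") or {}
    return (
        "All" in (users.get("includeUsers") or [])
        and "All" in (apps.get("includeApplications") or [])
        and not users.get("excludeUsers")
        and not users.get("excludeGroups")
    )


def audit_mfa_coverage(policies: list[dict]) -> dict:
    """Sort the MFA policies by how much protection they actually deliver."""
    findings: dict = {"enforced": [], "report_only": [], "disabled": [], "partial": []}
    for policy in policies:
        if not requires_mfa(policy):
            continue  # e.g. a block-legacy-auth policy; not an MFA policy
        name = policy.get("displayName", "<unnamed>")
        if not covers_everyone(policy):
            findings["partial"].append(name)
        elif policy.get("state") == ENFORCED:
            findings["enforced"].append(name)
        elif policy.get("state") == REPORT_ONLY:
            findings["report_only"].append(name)  # created, never switched on
        else:
            findings["disabled"].append(name)
    # What matters: at least one enforced policy covering everyone, everywhere.
    findings["tenant_wide_mfa"] = bool(findings["enforced"])
    return findings


def sample_tenant(all_users_state: str) -> list[dict]:
    """Constructed policy set typical of an office that licensed but never finished setup."""
    return [
        {
            "displayName": "Require MFA for all users",
            "state": all_users_state,
            "conditions": {
                "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                "applications": {"includeApplications": ["All"]},
            },
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        {
            "displayName": "Require MFA for admins",
            "state": "enabled",
            "conditions": {
                # Placeholder role template id; a real tenant lists directory role GUIDs here.
                "users": {"includeUsers": [], "includeRoles": ["<admin-role-template-id>"]},
                "applications": {"includeApplications": ["All"]},
            },
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        },
        {
            "displayName": "Block legacy authentication",
            "state": "enabled",
            "conditions": {
                "users": {"includeUsers": ["All"]},
                "applications": {"includeApplications": ["All"]},
                "clientAppTypes": ["exchangeActiveSync", "other"],
            },
            "grantControls": {"operator": "OR", "builtInControls": ["block"]},
        },
    ]


def demo() -> tuple[dict, dict]:
    """Before: the all-users policy sits in report-only mode. After: it is enforced."""
    before = audit_mfa_coverage(sample_tenant(REPORT_ONLY))
    after = audit_mfa_coverage(sample_tenant(ENFORCED))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

A policy in report-only mode is the classic false sense of security: it shows up in the admin center, logs what it would have done, and blocks nothing. The audit treats it as unprotected, which is the right reading until someone flips the state to enabled.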

What this means for your office right now

Ransomware targeting small businesses is not becoming less common. The attacks are more automated, ransom demands are increasingly calibrated to what small firms can actually afford to pay, and attackers now routinely threaten to publish stolen data even after you restore from backup.

The firms that will absorb an attack and keep operating have three things in place before the attack happens: verified offsite backups, a response plan that does not require a working computer to execute, and security controls on their Microsoft 365 environment that are actually turned on and monitored.

None of that requires an enterprise IT department. It requires a decision to act before the ransom note appears on the screen.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions