Ransomware Protection Checklist for Connecticut Small Businesses (2026)
The Ransomware Reality for Connecticut Small Businesses in 2026
Ransomware is no longer a problem that only hits large corporations. In 2026, small businesses represent the majority of ransomware victims. According to Sophos's 2024 State of Ransomware report, the average ransom payment reached $1.54 million in 2023, but the total cost of a ransomware attack — including downtime, recovery, and reputational damage — averages nearly $1.82 million for SMBs. Coveware's quarterly ransomware data consistently shows that businesses with 11–100 employees are among the most frequently targeted segments.
For Connecticut businesses, the stakes are compounded by the state's breach notification law (§ 36a-701b), which requires notification to affected individuals within 60 days of discovering a breach. A ransomware attack that encrypts customer or employee data triggers this obligation — and failing to comply adds regulatory exposure on top of the operational disaster.
The good news: the controls that stop ransomware are well understood. This 15-point checklist covers each control, explains why it matters, and tells you how to implement it for a Connecticut small business.
Sarthak's Take: Every ransomware victim I have spoken to says the same thing afterward — they thought they were too small to be targeted, and they wish they had invested in prevention before the attack. In Connecticut, where small businesses are the backbone of Hartford County's economy, that perspective has to change.
The 15-Point Ransomware Protection Checklist
1. Multi-Factor Authentication (MFA) on All Remote Access
Why it matters: Stolen or guessed credentials are the leading initial access vector for ransomware attacks. Without MFA, a single compromised password gives attackers full remote access to your systems. Microsoft data shows MFA blocks 99.9% of automated credential attacks.
How to implement: Enable MFA on Microsoft 365, Google Workspace, VPN, Remote Desktop, and any cloud-based application. Use an authenticator app (not SMS alone) for stronger protection. Enforce MFA via Conditional Access policies so it cannot be bypassed.
2. Advanced Email Filtering and Anti-Phishing
Why it matters: Phishing email remains the most common ransomware delivery method. Verizon's 2024 DBIR found that phishing was involved in 41% of breaches. A convincing fake invoice or shipping notification gets one click, and the ransomware payload executes.
How to implement: Deploy Microsoft Defender for Office 365 (Plan 1 or Plan 2), Proofpoint Essentials, or an equivalent email security solution. Configure anti-phishing policies, safe links (URL scanning at click time), and safe attachments (sandboxing of all attachments before delivery).
3. Endpoint Detection and Response (EDR)
Why it matters: Traditional antivirus detects known malware signatures. Modern ransomware is specifically engineered to evade signature detection. EDR monitors behavioral patterns — if software starts encrypting files at an unusual rate, EDR stops it and alerts your IT team before the damage spreads to the whole network.
How to implement: Deploy Microsoft Defender for Business (cost-effective for SMBs), CrowdStrike Falcon Go, or SentinelOne on every workstation and server. Ensure real-time protection is enabled and alerts are monitored.
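To make the "unusual rate" idea concrete, here is a small Python detector written for this article as an illustration; it is not code from Defender, CrowdStrike, SentinelOne or any other EDR product. The pipe-delimited event format, the process names, the file paths and the thresholds are all constructed for the example. It keeps a sliding window per process, counts how many distinct files that process changed inside the window, and also counts renames that leave a file with an extension outside the normal set, which is what a mass encryptor looks like from the file system's point of view.

```python
"""Toy behavioural detector for the mass-encryption pattern EDR products key on."""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 10        # sliding window length
FILE_THRESHOLD = 20        # distinct files changed inside one window triggers an alert
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}

# Constructed file-activity log: timestamp|pid|image|operation|path (not a real EDR format).
# Normal document editing touches one file a few times ...
BENIGN = [
    "2026-01-14T09:00:01|4120|WINWORD.EXE|write|C:\\Users\\amy\\Documents\\q1-report.docx",
    "2026-01-14T09:00:09|4120|WINWORD.EXE|write|C:\\Users\\amy\\Documents\\q1-report.docx",
    "2026-01-14T09:01:30|5204|EXCEL.EXE|write|C:\\Users\\amy\\Documents\\budget.xlsx",
    "2026-01-14T09:01:31|5204|EXCEL.EXE|read|C:\\Users\\amy\\Documents\\budget.xlsx",
]
# ... while an encryptor renames 25 different files to a new extension in about six seconds.
SUSPICIOUS = [
    f"2026-01-14T09:02:{10 + i // 4:02d}|7788|update_helper.exe|rename|"
    f"C:\\Users\\amy\\Documents\\file{i:02d}.docx.locked"
    for i in range(25)
]
SAMPLE_LOG = BENIGN + SUSPICIOUS


def parse_event(line):
    ts, pid, image, op, path = line.split("|", 4)
    return datetime.fromisoformat(ts), int(pid), image, op, path


def extension_changed(path):
    """True when a renamed file now ends in an extension outside the baseline set."""
    dot = path.rfind(".")
    return dot == -1 or path[dot:].lower() not in BASELINE_EXTENSIONS


def detect(lines, window=WINDOW_SECONDS, threshold=FILE_THRESHOLD):
    """Return {pid: alert} for processes that modify too many distinct files in one window."""
    recent = defaultdict(deque)   # pid -> (timestamp, path) pairs inside the current window
    peak = defaultdict(int)       # pid -> most distinct files seen in any window
    ext_changes = defaultdict(int)
    images = {}
    for line in lines:
        ts, pid, image, op, path = parse_event(line)
        if op not in ("write", "rename"):
            continue                       # reads do not change files
        images[pid] = image
        if op == "rename" and extension_changed(path):
            ext_changes[pid] += 1
        q = recent[pid]
        q.append((ts, path))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()                    # drop events that fell out of the window
        peak[pid] = max(peak[pid], len({p for _, p in q}))
    return {
        pid: {"image": images[pid], "peak_files_in_window": n,
              "extension_changes": ext_changes[pid]}
        for pid, n in peak.items() if n >= threshold
    }


if __name__ == "__main__":
    for pid, alert in detect(SAMPLE_LOG).items():
        print(f"ALERT pid {pid} {alert['image']}: {alert['peak_files_in_window']} files "
              f"in {WINDOW_SECONDS}s, {alert['extension_changes']} extension changes")
```

Run as-is it flags only the renaming process; Word and Excel never exceed one distinct file per window. A real EDR adds more signals (file-content entropy, shadow-copy deletion, tampering with security tools) and, critically, can kill the process and isolate the host rather than just print an alert, which is why the checklist asks for EDR rather than a home-grown script.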
4. Patch Management — Apply Updates Promptly
Why it matters: Ransomware groups actively exploit known vulnerabilities in operating systems, browsers, VPN software, and remote access tools. Many major attacks exploited vulnerabilities that had patches available for months before the attack. According to Ponemon Institute, 60% of breach victims report the breach was linked to a vulnerability with an available patch that had not been applied.
How to implement: Implement automated patch management for Windows, macOS, Microsoft 365 apps, browsers, and third-party software. Apply critical patches within 14 days of release, and aim for 30 days for non-critical patches. Decommission or isolate any system running end-of-life software that cannot be patched.
5. 3-2-1 Backup with Immutable Copies
Why it matters: If ransomware encrypts your data, your only clean recovery option — short of paying the ransom — is restoring from a clean backup. But ransomware operators specifically target backup systems. Without an immutable or offline copy, your backup gets encrypted too.
How to implement: Follow the 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 copy offsite or in an immutable cloud backup. Use a backup solution that supports immutability (Veeam, Acronis, Datto). Test your restore process quarterly — a backup you have never tested is not a real backup. Keep at least one backup copy that is air-gapped or offline.
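The rule is easy to state and easy to drift away from as drives are swapped and subscriptions lapse, so it helps to encode it as a check you can run against your backup inventory. The Python below is an added example for this article, not a feature of Veeam, Acronis or Datto; the inventory is constructed for a fictional office and the field names are assumptions. It checks copy count, media diversity, an offsite copy, at least one immutable or offline copy, and that every copy has had a restore test within the quarterly window.

```python
"""Check a backup inventory against 3-2-1 plus the immutability and restore-test expectations."""
from datetime import date

RESTORE_TEST_MAX_AGE_DAYS = 90   # "test your restore process quarterly"

# Constructed inventory for a fictional Hartford office; names and dates are illustrative.
BACKUP_COPIES = [
    {"name": "Local backup repository", "media": "nas", "location": "onsite",
     "immutable": False, "offline": False, "last_restore_test": date(2025, 12, 2)},
    {"name": "Cloud bucket with object lock", "media": "cloud", "location": "offsite",
     "immutable": True, "offline": False, "last_restore_test": date(2025, 10, 20)},
    {"name": "Rotating USB drive in the safe", "media": "usb", "location": "offsite",
     "immutable": False, "offline": True, "last_restore_test": None},
]


def assess_backups(copies, today, max_test_age=RESTORE_TEST_MAX_AGE_DAYS):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies are on one media type (need 2)")
    if not any(c["location"] == "offsite" for c in copies):
        findings.append("no offsite copy")
    if not any(c["immutable"] or c["offline"] for c in copies):
        findings.append("no immutable or offline copy: ransomware could encrypt every backup")
    for c in copies:
        tested = c["last_restore_test"]
        if tested is None:
            findings.append(f"{c['name']}: restore never tested")
        elif (today - tested).days > max_test_age:
            findings.append(f"{c['name']}: last restore test {(today - tested).days} days ago")
    return findings


if __name__ == "__main__":
    for finding in assess_backups(BACKUP_COPIES, date.today()) or ["all checks pass"]:
        print(finding)
```

On the sample inventory the only finding is the USB drive that has never been restored from, which is exactly the "backup you have never tested" the checklist warns about. Two onsite NAS copies with no immutable or offline copy would fail four of the five checks at once.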
6. Network Segmentation
Why it matters: In a flat network, once ransomware infects one machine it can spread laterally to every other system, including servers and backups. Network segmentation contains the blast radius of an infection.
How to implement: Separate guest WiFi from the corporate network. Put servers on a separate network segment (VLAN). Consider separating departments (accounting systems should not be on the same segment as general workstations). Implement firewall rules that control east-west traffic — not just inbound/outbound.
7. Disable or Secure Remote Desktop Protocol (RDP)
Why it matters: Exposed RDP (port 3389) on the public internet is one of the top ransomware entry points. Attackers scan the entire internet for exposed RDP, brute-force weak credentials, and gain immediate access to the target system.
How to implement: Never expose RDP directly to the internet. If remote desktop is needed, require VPN access first, then RDP. Alternatively, use a Zero Trust Network Access (ZTNA) solution that eliminates the need for exposed RDP entirely. If RDP must be internet-exposed for a legacy reason, enforce MFA and account lockout policies at minimum.
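Whichever option you pick, you also want to know when someone is hammering on an RDP listener, and the Windows Security log already records the evidence: event 4625 for each failed logon and 4624 for each success, with logon type 10 marking RDP (RemoteInteractive) sessions. The Python below is an added example for this article, not part of any product; it reads a constructed, flattened "timestamp event_id key=value" rendering of those events (the addresses are from documentation ranges and the account names are made up), raises an alert when one source exceeds a failure threshold inside a five-minute window, and raises a second, more urgent alert if that same source then logs in successfully.

```python
"""Flag RDP brute-force attempts and any logon that succeeds after one."""
from collections import defaultdict, deque
from datetime import datetime

FAILURE_THRESHOLD = 10   # failed RDP logons from one source inside the window
WINDOW_SECONDS = 300     # five-minute sliding window
RDP_LOGON_TYPE = "10"    # Windows logon type 10 = RemoteInteractive (RDP)

# Constructed events: a flattened rendering of Security log events 4625 (failed logon)
# and 4624 (successful logon). Addresses are documentation-range, accounts are invented.
ACCOUNTS_TRIED = ["administrator", "admin", "backup", "scanner"]
SAMPLE_EVENTS = [
    # one typo by a legitimate remote user, then a normal logon
    "2026-01-14T22:14:50 4625 LogonType=10 Account=jsmith Source=198.51.100.7",
    "2026-01-14T22:15:05 4624 LogonType=10 Account=jsmith Source=198.51.100.7",
] + [
    # twelve failures in under a minute, cycling through common account names
    f"2026-01-14T22:20:{i * 5:02d} 4625 LogonType=10 "
    f"Account={ACCOUNTS_TRIED[i % 4]} Source=203.0.113.45"
    for i in range(12)
] + [
    # ... followed by a success for one of those accounts
    "2026-01-14T22:21:10 4624 LogonType=10 Account=backup Source=203.0.113.45",
]


def parse(line):
    ts, event_id, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), event_id, fields


def detect_rdp_attacks(lines, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts in the order they fire; lines must be in time order."""
    failures = defaultdict(deque)   # source -> timestamps of recent 4625 events
    accounts = defaultdict(set)     # source -> distinct account names tried
    flagged = set()
    alerts = []
    for line in lines:
        ts, event_id, f = parse(line)
        if f.get("LogonType") != RDP_LOGON_TYPE:
            continue                                   # only RDP sessions matter here
        src = f["Source"]
        if event_id == "4625":
            q = failures[src]
            q.append(ts)
            accounts[src].add(f["Account"])
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()                            # expire failures outside the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "rdp_bruteforce", "source": src,
                               "failures": len(q), "accounts": len(accounts[src])})
        elif event_id == "4624" and src in flagged:
            # a success from a source that was just guessing passwords is the one to act on first
            alerts.append({"type": "success_after_bruteforce", "source": src,
                           "account": f["Account"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```

The single failed attempt from the legitimate user never reaches the threshold, so it produces nothing; the second source trips the brute-force alert on its tenth failure and then the success alert, which is the point at which the account should be disabled and the host isolated per your incident response plan. If RDP is already behind a VPN or ZTNA broker, the same logic applied to that broker's authentication log gives the same early warning.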
8. Privileged Access Management (PAM)
Why it matters: Ransomware needs administrative privileges to encrypt files across the network and disable security tools. If attackers compromise a standard user account, they then seek to escalate to admin. Limiting admin accounts limits what ransomware can do.
How to implement: Apply the principle of least privilege — give employees only the access they need for their job. Maintain separate admin accounts (never use admin accounts for daily browsing or email). Use a PAM solution (CyberArk, BeyondTrust, or Microsoft's built-in tools) to control and audit privileged access. Require MFA for all admin account usage.
9. Security Awareness Training and Phishing Simulations
Why it matters: Your employees are the last line of defense against phishing-delivered ransomware. A well-trained employee who recognizes and reports a suspicious email stops an attack before it starts. An untrained employee who clicks the link starts the clock.
How to implement: Implement a security awareness training platform (KnowBe4, Proofpoint Security Awareness, Microsoft Defender Phishing Simulation). Train all employees at least annually, with monthly simulated phishing tests. Measure click rates and target repeat clickers for additional training — without shaming them publicly.
10. Disable Macros and Limit Script Execution
Why it matters: Many ransomware attacks are delivered via malicious Office macros (embedded in Word or Excel files) or via PowerShell scripts. Disabling macros and restricting script execution removes a major delivery mechanism.
How to implement: Configure Microsoft 365 group policy to disable macros by default, or allow macros only from digitally signed, trusted publishers. Restrict PowerShell execution policies to AllSigned or RemoteSigned. Use Windows Defender Application Control (WDAC) or AppLocker to whitelist approved applications.
11. DNS Filtering
Why it matters: DNS filtering blocks connections to known malicious domains — including ransomware command-and-control servers, phishing sites, and malware distribution points. It stops an attack before malware can "phone home" to receive encryption keys or exfiltrate data.
How to implement: Deploy a DNS filtering solution (Cisco Umbrella, Cloudflare Gateway, DNSFilter). Apply to all devices including remote workers (DNS filtering can be applied at the endpoint level, not just the office network).
12. Incident Response Plan
Why it matters: When ransomware hits, the first 30 minutes of response determine whether the incident is contained or catastrophic. Without a written plan, panic and confusion lead to mistakes — running antivirus that destroys forensic evidence, paying a ransom before exploring options, or failing to isolate infected systems, allowing further spread.
How to implement: Write a simple, one-page ransomware incident response plan covering: who to call (IT provider, cyber insurance, legal counsel), how to isolate affected systems (unplug from network — do not power off), what to preserve (logs, ransom note, screenshots), and Connecticut breach notification obligations (§ 36a-701b's 60-day requirement). Test it with a tabletop exercise annually.
13. Cyber Insurance with Ransomware Coverage
Why it matters: Even with strong controls, breaches happen. Cyber insurance covers ransomware response costs (forensic investigation, legal counsel, notification costs, business interruption, and — depending on your policy — ransom payment). Without cyber insurance, a single ransomware event can be a business-ending financial event for a Connecticut small business.
How to implement: Work with a commercial insurance broker experienced in cyber liability. Expect underwriters to ask about MFA, backup, EDR, and employee training before quoting. Premiums have stabilized for businesses with documented controls. Coverage amounts should reflect your potential downtime and recovery costs — not just the ransom.
14. Vulnerability Scanning and Penetration Testing
Why it matters: You cannot fix what you do not know about. Regular vulnerability scanning identifies weaknesses in your network before ransomware operators find them. Penetration testing goes further — it simulates a real attack to see how far an attacker could get.
How to implement: Run automated vulnerability scans monthly using tools like Tenable.io, Qualys, or built-in scanner capabilities in your RMM platform. Conduct an annual external penetration test by a qualified security firm. Prioritize remediation of high and critical findings, especially those with public exploit code available.
15. Vendor and Supply Chain Risk Management
Why it matters: Some of the largest ransomware incidents in recent years (Kaseya, SolarWinds) entered through trusted vendors with access to client systems. Your MSP, software vendors, and other third parties with network access are part of your attack surface.
How to implement: Review what access each vendor has to your systems. Require vendors to provide evidence of their own security controls (SOC 2 reports, security questionnaires). Enforce MFA for all vendor remote access. Use separate, time-limited credentials for vendor access rather than permanent admin accounts. Monitor vendor access with audit logs.
Connecticut-Specific Context: Breach Notification Law
Connecticut General Statutes § 36a-701b requires any company that experiences a breach of security involving the personal information of Connecticut residents to provide notice to affected individuals. "Personal information" includes Social Security numbers, driver's license numbers, financial account information, and medical information. Notice must be provided in the most expedient time possible, and no later than 60 days after discovery. If more than 500 Connecticut residents are affected, the Connecticut Attorney General must also be notified.
A ransomware attack that encrypts (and potentially exfiltrates) employee records, customer data, or patient information is almost certainly a reportable breach. Build notification capability into your incident response plan now — under the stress of an active incident is not the time to figure out your legal obligations.
Frequently Asked Questions
How long does it take to implement all 15 controls?
The timeline depends on your current environment and whether you have an IT partner helping you. With a managed IT provider, the foundational controls (MFA, EDR, email filtering, patch management, backup) can be deployed within 30–60 days. Network segmentation and PAM may take longer depending on complexity. Start with the highest-impact items: MFA, email filtering, EDR, and backup.
Do all 15 controls apply to a very small Connecticut business (under 10 employees)?
Yes — ransomware does not check headcount before attacking. The controls scale to any size. For a very small business, the implementations may be simpler (Microsoft Defender for Business instead of enterprise EDR, Microsoft 365 built-in email security instead of a separate gateway), but every control on this list has a cost-appropriate implementation for even the smallest Connecticut business.
What is the single most important thing we can do right now?
Enable MFA on all email accounts and remote access immediately. It is free with Microsoft 365 and Google Workspace, takes less than a day to implement, and blocks the majority of ransomware delivery attempts that rely on stolen credentials.
Should we pay the ransom if we are hit?
This is a decision that requires legal counsel, your cyber insurance carrier, and experienced incident responders — not a decision to make alone or quickly. Paying does not guarantee decryption, does not prevent the attackers from publishing your data, and may violate OFAC regulations if the ransomware group is sanctioned. Strong backups are the answer that makes the ransom question irrelevant.
Sentium Tech helps Connecticut businesses implement ransomware protection controls — from MFA and EDR to backup verification and incident response planning. We have helped businesses throughout Hartford County build security programs that actually stop attacks. Contact us for a free IT security assessment and we will identify where your biggest gaps are.
Sarthak Agarwal
President, Sentium Tech
Sarthak leads Sentium Tech, a West Hartford–based managed IT and cybersecurity provider serving Hartford County businesses since 1998. He specializes in IT strategy, proactive managed services, and cybersecurity for small and mid-sized businesses across Connecticut.