How to Stop Ransomware Before It Stops You: A Practical Five-Step Plan
Ransomware does not announce itself in advance. Your practice manager opens her laptop to find files are locked, a ransom note is on the screen, and nobody can access patient records or appointment schedules. By that point, the attack has already succeeded. The only thing that determines how bad it gets is whether the right five things were in place before it happened.
Ransomware rarely arrives as a single dramatic event. It typically starts with something unremarkable - a login from an unfamiliar location, a staff account with more access than it needs, a piece of software that never got updated. The attacker moves quietly, gathers access, and only triggers the visible damage once they can cause maximum disruption. By then, options are limited. Law enforcement advice is consistent on this point: paying the ransom does not guarantee you will get your data back, and it tends to invite further attacks.
The NZ Privacy Act 2020 adds another layer of pressure. A breach involving patient or client data may require notification to the Office of the Privacy Commissioner at privacy.org.nz. That is a conversation no practice manager wants to have. The goal of a ransomware defence plan is not to prepare for that conversation - it is to make sure it never happens.
A strong defence disrupts the attack early, before encryption begins. There are five practical areas to address.
The first is making logins harder to fake. Most ransomware incidents still start with stolen or guessed credentials. Multi-factor authentication - where staff confirm their identity with a second step beyond a password - stops a stolen password from being enough on its own. The stronger versions of this cannot be bypassed by a fake login page, which matters when staff are being specifically targeted. Admin accounts and remote access deserve the highest priority here.
The second is limiting what each account can actually do. If a staff member's login is compromised, the damage should be contained to what that person legitimately needed access to - not the entire network. Admin-level access should belong to a separate account used only when genuinely necessary, not the same account used to check email every day.
The third is closing known gaps. Unpatched software and outdated systems are well-documented entry points. Critical vulnerabilities need to be addressed quickly. Internet-facing systems - anything accessible from outside the office - deserve the most attention. This includes third-party applications, not just the operating system.
The fourth is early detection. By the time a staff member notices files are corrupted, the attacker has often been inside the environment for some time. Endpoint monitoring that flags unusual behaviour - abnormal file access, unexpected logins, software behaving strangely - gives your IT support team a chance to contain the problem before it spreads. This is not a feature most businesses configure by default. It needs to be set up deliberately.
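The warning signs listed above are easy to describe and easy to miss in practice unless something is actively looking for them. The following is an added example, not code from the original article or from ITstuffed: a small detector that reads constructed endpoint and authentication log lines and flags three of the patterns the article names, a login from an unfamiliar location, a login outside business hours, and a burst of file modifications from one account (which is what mass encryption looks like from the file system's side). The log format, the account names, the "NZ" known-location list and the thresholds are all assumptions chosen for the example.

```python
"""
Added example: a minimal early-warning detector over constructed log lines.
Each line is "timestamp,event,user,detail"; for a login the detail is a
country code, for a filemod it is the path that changed. All values are
made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_LOCATIONS = {"NZ"}          # assumption: the practice only logs in from NZ
BUSINESS_HOURS = (7, 19)          # assumption: 07:00-19:00 counts as normal
BURST_THRESHOLD = 20              # assumption: 20+ file changes in 60 s is abnormal
BURST_WINDOW = timedelta(seconds=60)


def build_sample_log():
    """Constructed log: normal morning activity, then a late-night login from
    an unfamiliar country followed by rapid file changes (renamed to .locked)."""
    lines = [
        "2024-05-02T08:55:10,login,reception,NZ",
        "2024-05-02T09:02:31,login,practice_mgr,NZ",
        "2024-05-02T09:10:00,filemod,reception,C:/Shared/appointments.xlsx",
        "2024-05-02T23:41:05,login,reception,RO",
    ]
    base = datetime(2024, 5, 2, 23, 42, 0)
    for i in range(25):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()},filemod,reception,C:/Shared/patients/{i:04d}.pdf.locked")
    return lines


def parse_log(lines):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.strip().split(",", 3)
        if len(parts) != 4:
            continue
        ts, event, user, detail = parts
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "detail": detail})
    return events


def detect_unfamiliar_location(events, known=KNOWN_LOCATIONS):
    return [("unfamiliar_location", e["user"], e["ts"])
            for e in events if e["event"] == "login" and e["detail"] not in known]


def detect_after_hours_logins(events, hours=BUSINESS_HOURS):
    start, end = hours
    return [("after_hours_login", e["user"], e["ts"])
            for e in events if e["event"] == "login"
            and not (start <= e["ts"].hour < end)]


def detect_file_burst(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Sliding window per user: alert once when `threshold` file changes
    fall inside `window`, the shape of an encryption run."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "filemod":
            per_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("file_burst", user, t))
                break
    return alerts


def run_detections(lines):
    """Run every detector over the log and return the combined alert list."""
    events = parse_log(lines)
    return (detect_unfamiliar_location(events)
            + detect_after_hours_logins(events)
            + detect_file_burst(events))


if __name__ == "__main__":
    for kind, user, ts in run_detections(build_sample_log()):
        print(f"{ts.isoformat()}  {kind:<20}  account={user}")
```

Run as-is it reports three alerts, all against the `reception` account, and nothing for the ordinary morning activity. The thresholds are the part a practice would tune: a clinic whose scanner writes hundreds of files a minute needs a different burst threshold, and a visiting locum may legitimately log in after hours, which is why these signals feed a person who can check, not an automatic lock-out.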
The fifth is backups that actually work. Backups are only useful if attackers cannot reach them, and if you have tested that restoration is actually possible. Keeping at least one copy isolated from the main environment is the minimum. Running a restore drill - actually recovering files in a test scenario - is what separates a backup strategy from a false sense of security. CERT NZ at cert.govt.nz provides practical guidance on backup requirements for NZ businesses.
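A restore drill is the part of this step that most often gets skipped, so here is what one looks like when scripted. This is an added example, not code from the original article or from ITstuffed: it writes a few constructed files, takes a backup into a separate directory together with a SHA-256 manifest, restores into a third directory, and then checks every restored file against the manifest. A second run deliberately damages the backup copy to show that the drill catches a missing and a corrupted file. Directory names, file contents and the manifest format are assumptions for the example; keeping the backup copy isolated from the live network is an operational control the script does not model.

```python
"""
Added example: a scripted restore drill with hash verification.
Everything runs inside a temporary directory and is deleted afterwards.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large records do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, backup: Path) -> dict:
    """Copy the source tree into backup/data and record a hash per file
    in backup/manifest.json; the manifest is what a later restore is
    checked against."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            dest = backup / "data" / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            manifest[rel] = sha256_of(p)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_backup(backup: Path, target: Path) -> None:
    """Restore the backed-up tree into a fresh target directory."""
    shutil.copytree(backup / "data", target)


def verify_restore(backup: Path, target: Path) -> dict:
    """Compare the restored files with the manifest. An empty result means
    every file came back byte-for-byte identical."""
    manifest = json.loads((backup / "manifest.json").read_text())
    problems = {"missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        p = target / rel
        if not p.is_file():
            problems["missing"].append(rel)
        elif sha256_of(p) != expected:
            problems["corrupt"].append(rel)
    return problems


def run_restore_drill(tamper: bool = False) -> dict:
    """Full drill: create constructed data, back it up, restore, verify.
    With tamper=True the backup copy is damaged first, to prove the
    verification step actually notices."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restore = root / "live", root / "backup", root / "restore"
        (source / "patients").mkdir(parents=True)
        (source / "patients" / "0001.txt").write_text("constructed record 1\n")
        (source / "appointments.csv").write_text("date,patient\n2024-05-02,0001\n")
        take_backup(source, backup)
        if tamper:
            (backup / "data" / "appointments.csv").write_bytes(b"garbage")
            (backup / "data" / "patients" / "0001.txt").unlink()
        restore_backup(backup, restore)
        return verify_restore(backup, restore)


if __name__ == "__main__":
    print("clean drill:   ", run_restore_drill())
    print("damaged backup:", run_restore_drill(tamper=True))
```

The clean run reports no missing or corrupt files; the tampered run reports one of each. The manifest is the piece worth keeping alongside any real backup: without a record of what the files looked like when they were backed up, a restore can only tell you that something came back, not that the right thing did.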
None of these steps require rebuilding your entire setup overnight. Most Canterbury practices have a weak link somewhere - an account with too much access, a system that has not been updated in months, backups that have never been tested. Starting with the weakest point and tightening it is the right approach. When the fundamentals are in place and regularly checked, ransomware shifts from a catastrophic unknown to a contained incident you are prepared to manage.
For healthcare practices and professional services businesses that handle sensitive client data, managed IT support built around your sector makes this significantly easier to get right and keep right.
ITstuffed works with Canterbury professional services businesses to assess their current exposure and get the basics consistently enforced. A 15-minute IT Fit Check is a practical place to start.
