Ransomware Readiness for Leaders: Decisions to Make Before the Attack

Ransomware is one of the few risks where the outcome is largely decided before the attack ever lands. By the time systems are encrypted and a ransom note is on the screen, your options are mostly set by choices you made, or failed to make, in the calm beforehand. Readiness is not a technical project you can buy. It is a set of decisions leaders should make while they still have the luxury of thinking clearly.

Assume it will happen

The organizations that handle ransomware well are the ones that stopped treating it as a hypothetical. Prevention matters and you should invest in it, but prevention is not a plan. A plan starts from the assumption that one day an attacker will get in, and asks what happens next. That mindset shift, from if to when, changes every downstream decision for the better.

Backups are the whole game, until they are not

Most leaders believe they have backups. Far fewer have tested whether those backups would actually let them recover, how long it would take, and whether the attacker could reach and destroy them first. Modern ransomware crews specifically hunt for backups, because they know that a company that can restore does not need to pay. The questions to answer in advance are unglamorous and decisive. Are the backups isolated from the systems they protect? Have you ever actually restored from them under realistic conditions? How long would full recovery take, in honest hours and days, not optimistic ones?

Everyone has backups. The companies that survive ransomware are the ones that tested whether their backups actually work before they needed them to.

Decide the hard questions while you are calm

• Would we ever pay, and who decides? This is a business, legal, and ethical question, not a technical one. Decide your stance and your decision-makers in advance, not at 2 a.m. under pressure.
• Who do we call? Legal counsel, law enforcement, insurer, incident response firm. Have the numbers before you need them.
• How do we operate while systems are down? If a hospital, a plant, or a service goes dark, what is the manual fallback that keeps the essential mission alive?
• Who speaks, and what do they say? Customers, staff, regulators, and the press will all want answers. Silence and improvisation both make it worse.

Practice before it is real

A plan that has never been rehearsed is a document, not a capability. The most valuable thing a leadership team can do is walk through a realistic scenario together, out loud, before anything happens. You will discover the gaps that only reveal themselves under simulated pressure, the assumption that does not hold, the decision nobody actually owns. Far better to find those in a conference room than in a crisis.

The point is composure, bought in advance

None of this prevents an attack. What it buys you is the ability to respond with composure instead of panic, because the hardest calls were already made when your head was clear. That composure is frequently the difference between a contained incident and an existential one. Readiness is, in the end, just the discipline of deciding early, which is the same discipline behind everything in good technology leadership.