Part 2: Creating your Ransomware Defence

Welcome back to part two in the blog series ‘Breaking the Ransomware Cycle’. In this section, we’ll be exploring how organisations can formulate a plan to limit the impact of Ransomware should it strike.

For a more in-depth view, you can watch the accompanying webinar here.

Part 2: Creating your Ransomware defence was originally led by Richard May, CEO of virtualDCS.

Putting together a security plan from a blank canvas is difficult, but there are several frameworks available to help organisations put the building blocks in place. Some of the more popular ones include ISO 27001, the National Institute of Standards and Technology (NIST), Cyber Essentials and the National Cyber Security Centre.

Exploring the NIST Cyber Security Framework


For this blog, like the webinar, we’ll be using NIST as the framework – offering ‘food for thought’ and areas to consider when putting together your own Ransomware defence strategy.

What is NIST?

The NIST cybersecurity framework is a set of security measures published by the National Institute of Standards and Technology, an agency of the US government. It was created to help companies structure their cybersecurity models and, like Cyber Essentials Plus, the framework offers a set of standards, guidelines, and proven best practices that can help businesses of all sizes.

The structure can be applied to any cyber security risk and allows companies to structure their contingency planning strategies. Each of the standards/guidelines is implemented and managed by five key functions: to identify, protect, detect, respond and recover. We’ll now cover this in more detail.

NIST: Identify

Risk assessment: The first step in effectively planning for a ransomware attack is to identify and assess your risks. This involves understanding the data and information you have, the systems you rely on, and the potential impact of losing access to them. It’s crucial to consider not just the immediate impact of data loss, but also the longer-term consequences of a breach, such as the potential release of sensitive information.

One key aspect of this process is to evaluate the accessibility of your data. Ransomware attacks often target data that is easily accessible, so it’s important to ensure that any information or systems you may no longer need are securely stored and not readily available. If it’s difficult for you to get to, it’s difficult for the Ransomware to get to. By reducing the amount of “low-hanging fruit” for attackers, you can significantly decrease the impact of an attack.

RPO/RTO: It’s also critical to understand your recovery point objectives (RPOs) and recovery time objectives (RTOs) for different types of data. You need to understand what data you have, how quickly it’s changing and what the impact of this data loss would be. This will help you prioritise your backup and recovery strategies, ensuring that the most critical information and systems can be restored quickly in the event of an attack.

Supply chain management: It’s also essential to consider the security of your supply chain. Now we’re all in the Cloud, it’s important to think about aspects such as data location – are you backing up data to the same physical locations that it’s hosted in? We explore this in more detail in the webinar.

Data vs Configurations: Water without a container is a puddle. The same can be said for data. You can back up all your data, emails and files, but on recovery how do they all hang together? Who do they belong to? Who has access to them? What are your mailbox rules? What policies did you have in place? To fully recover, there’s much more to consider than having a simple copy of your information. We’ll go into this in more detail later.

NIST: Protect

People: While it may be tempting to focus solely on technological solutions, the reality is that 88% of cyber attacks originate from human error. Tools like Vade, a partner of virtualDCS, can help protect your organisation from phishing and other social engineering attacks, reducing your attack surface from the outset.

Backups: Backups are essential, but they’re only half the battle. As mentioned in the first blog, 93% of successful hacks target the backup systems too. It’s crucial not only to have a backup copy, but to ensure that it’s stored offsite, is immutable, and can be reliably accessed when needed.

Secondary processing sites: Ransomware crawls through networks, so having two DR sites connected can be problematic and something you need to consider. Leveraging service providers can give you access to offsite disaster recovery options for your most critical workloads, offering better protection against the lateral movement of ransomware.

Entra ID: Entra ID is rapidly positioning itself as the centre of all authentications, and it’s important to ensure you have a comprehensive view of what’s being stored and managed within Azure, along with how to protect and recover it. Again, we’ll cover this in more detail shortly.

NIST: Detect

Effective detection and response capabilities are critical in the fight against ransomware.

Inline Malware detection: Knowledge is power and Veeam, in its latest version, has introduced extra detection processes. Inline detection of Malware is one of them, providing valuable information, and identifying if Malware is present in a backup so you can recover to a clean version of your data in a clean environment.

On-demand scanning: Veeam lets you scan the backups you currently have in place to see if they’re free from infection.

Azure detection and CloudCover Guardian for Azure: Earlier in the blog we briefly covered data and the importance of the configurations that hold it together. We’re now going to explore this further with Microsoft 365.


Think about the cockpit of a plane – there are numerous buttons, dials and switches – all of which have unique definitions and purposes. They’re all important for making the plane get to its destination in one way or another.

If the control panel for the plane were to break and then be restored with half of the controls, the flight would likely fail, and the same can be said for restoring data without the configurations binding it.

CloudCover Guardian for Azure (available in Enterprise Plus plans of CloudCover 365) offers the ability to back up and restore both data and configurations across all the different functions within a Microsoft tenancy. This includes Entra ID, Intune, Exchange, OneDrive, SharePoint, Teams, Security and Compliance, and Planner.

We included CloudCover Guardian for Azure in NIST’s ‘Detect’ section as it’s not just a full-fidelity Microsoft 365 backup service. Let’s explore this further.

Azure configuration detection

CloudCover Guardian for Azure offers advanced configuration comparisons, highlighting any changes to the Microsoft 365 tenancy. This enables IT managers to easily spot anomalies including malicious and accidental changes that may pose a threat, such as an admin adding themselves to a confidential group or the creation of a new unknown user.

Configuration changes can then be investigated and easily rolled back within the portal.
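One way to picture the comparison described above, as an added example that is not CloudCover Guardian's code or part of the original post: it diffs two constructed tenant snapshots and ranks new users, newly granted roles and group membership changes. The snapshot schema, account names and severity levels are assumptions made for illustration.

```python
# Constructed snapshots in a hypothetical export schema (not a CloudCover or Microsoft format).
BASELINE = {
    "users": {"alice@example.test": {"roles": ["Global Administrator"]},
              "bob@example.test": {"roles": []}},
    "groups": {"Finance-Confidential": {"confidential": True, "members": ["bob@example.test"]},
               "All-Staff": {"confidential": False,
                             "members": ["alice@example.test", "bob@example.test"]}},
}
CURRENT = {
    "users": {"alice@example.test": {"roles": ["Global Administrator"]},
              "bob@example.test": {"roles": []},
              "svc-sync@example.test": {"roles": []}},
    "groups": {"Finance-Confidential": {"confidential": True,
                                        "members": ["bob@example.test", "alice@example.test"]},
               "All-Staff": {"confidential": False,
                             "members": ["alice@example.test", "bob@example.test",
                                         "svc-sync@example.test"]}},
}


def diff_snapshots(baseline, current):
    """Return a list of (severity, kind, detail) findings, highest severity first."""
    findings = []
    for upn in sorted(set(current["users"]) - set(baseline["users"])):
        findings.append(("high", "new_user", upn))
    for upn in sorted(set(baseline["users"]) - set(current["users"])):
        findings.append(("medium", "deleted_user", upn))
    for upn in sorted(set(baseline["users"]) & set(current["users"])):
        gained = set(current["users"][upn]["roles"]) - set(baseline["users"][upn]["roles"])
        for role in sorted(gained):
            findings.append(("high", "role_granted", f"{upn} -> {role}"))
    for name, group in sorted(current["groups"].items()):
        old = baseline["groups"].get(name, {"members": []})
        for upn in sorted(set(group["members"]) - set(old["members"])):
            is_admin = bool(current["users"].get(upn, {}).get("roles"))
            # An account holding an admin role appearing in a confidential group is the
            # case the text calls out; other membership changes rank lower.
            sev = "high" if group["confidential"] and is_admin else (
                "medium" if group["confidential"] else "low")
            findings.append((sev, "group_member_added", f"{upn} -> {name}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, kind, detail in diff_snapshots(BASELINE, CURRENT):
        print(f"[{severity}] {kind}: {detail}")
```

A snapshot diff shows what changed, not who changed it; attributing the change to an account requires the tenant's audit log.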


Azure Blueprint

CloudCover Guardian for Azure also enables organisations to maintain a Blueprint of their desired Azure configurations so that should an incident occur, it can be easily restored within the CloudCover 365 portal. The importance of this within a Business Continuity plan can’t be underestimated, so much so that ISO 27001:2022 now has a ‘configuration control’ standard.

NIST: Respond and Recover

Both respond and recover will be covered in part 3 of the blog series. If you can’t wait to read the next part, you can view the full webinar on-demand, here.
