Imagine arriving at the office tomorrow morning and finding no computers booting up. Or perhaps they do, but all files are encrypted and a message appears on the screen demanding €40,000 in Bitcoin for their recovery. The file server is inaccessible. The management system is locked. Emails from the last three years are encrypted.
This isn’t a science fiction scenario. It’s exactly what happened last year to hundreds of medium-sized companies in Spain and Latin America. Companies with IT teams, with antivirus software installed, convinced that “this wouldn’t happen to them.”
The question isn’t whether ransomware is a real threat. It is, and the data confirms this beyond a doubt. The question is whether your company is prepared to survive an attack today. Not necessarily to avoid it, but to survive it: to recover data, restore systems, and resume operations within a timeframe that the business can sustain.
To find out, you don’t need a six-week security audit. You just need to answer ten questions honestly.

First: what exactly does ransomware do?
Before the test, it’s important to understand precisely what happens during a ransomware attack, because many companies overestimate their response capacity precisely because they haven’t thought through the details.
Ransomware is a type of malware that, once inside a system, encrypts files, rendering them inaccessible. The encryption is real and robust: without the key in the attacker’s hands, recovering the files by brute force is virtually impossible with current technology.
What most companies don’t know is that modern ransomware doesn’t act immediately. Attackers typically spend weeks inside the network before activating encryption, during which time they map the infrastructure, identify critical systems, delete or corrupt accessible backups, and, in many cases, exfiltrate data to use as a second lever for extortion: “Pay us or we’ll publish your information.”
By the time encryption is finally activated, it is already too late for many of the reactive measures that companies assume they could take.
The test: 10 questions to find out if your company would survive
Answer each question honestly. At the end you will find the interpretation of the results.
Question 1: Do you have automatic and regular backups of all your critical systems?
Not just some. All of them: file servers, databases, management systems, email, network configurations.
— Yes, we have automatic backups of all critical systems daily or more frequently. (2 points)
— We have backups of some systems, but not all, or the frequency is weekly or less. (1 point)
— We do not have automatic backups or we do not know for sure what is being backed up. (0 points)
Question 2: When was the last time you tried restoring from a backup?
A backup that has never been tested is not a backup: it’s a hope. Restoration failures are far more common than people realize, and discovering them in the middle of an incident is the worst possible time.
— We have done a full restoration trial within the last three months. (2 points)
— The last trial was more than three months ago but less than a year ago. (1 point)
— We have never attempted a full restoration, or we don’t remember when the last time was. (0 points)
Question 3: Are your backups isolated from the main network?
This is where most companies unknowingly fail. If your backups are on a network drive accessible from the same systems that get infected, ransomware will encrypt them as well. For a backup to be effective against ransomware, it needs to be isolated: in the cloud with independent access, on physical tape, or following the 3-2-1 rule (3 copies, 2 different media, 1 off-site).
— Our backups are completely isolated from the main network and are not accessible from production systems. (2 points)
— We have some level of isolation, but we are not sure it is complete. (1 point)
— Our backups are on the same network as the production systems or on drives accessible from them. (0 points)
Question 4: Do you know how long it would take to restore your critical systems?
This is the number that matters most, and almost no company knows it before an incident occurs. Restoring a 2TB file server doesn’t take the same amount of time as restoring a management database with complex dependencies. Hours? Days? A week?
— We have a defined Recovery Time Objective (RTO) and have validated it with real-world tests. (2 points)
— We have a rough estimate but have not validated it with tests. (1 point)
— We have no idea how long it would take to recover the systems. (0 points)
Question 5: How many days of data could you afford to lose?
The Recovery Point Objective (RPO) is the maximum amount of data your business can afford to lose in an incident. If you perform daily backups and suffer an attack at 5 PM, you would lose all the work done that day. Is that acceptable for your business? What if backups are weekly?
— Our RPO is defined, our backups meet it, and we have validated it. (2 points)
— We have a rough idea, but we haven’t aligned the backups with a formal RPO. (1 point)
— We haven’t thought about this, or our backups wouldn’t allow us to meet any reasonable RPO. (0 points)
Question 6: Do you have MFA enabled on all critical access points?
Credential theft is one of the primary entry points for ransomware. If an attacker obtains the credentials of a user with access to systems, MFA (multi-factor authentication) is the barrier that prevents that theft from automatically becoming a breach. Without MFA on critical access points (VPN, email, admin panel, cloud systems), a stolen password is all an attacker needs.
— MFA enabled on all critical access points: VPN, email, cloud systems, and admin panels. (2 points)
— MFA enabled on some systems but not all critical ones. (1 point)
— MFA not implemented or implemented only on email. (0 points)
Question 7: Do you have a documented incident response plan?
Not a document stored in a folder that no one has read. A real plan: who does what when an incident is detected, how the affected systems are isolated, who to call, how to communicate internally and externally, what decisions can be made without waiting for management.
— We have a documented plan, the team is familiar with it, and we have practiced it at least once. (2 points)
— We have something documented, but the team hasn’t practiced it or it’s outdated. (1 point)
— We don’t have a documented plan. In case of an incident, we would improvise. (0 points)
Question 8: Do you have an active patch management process?
Exploiting unpatched vulnerabilities is another common entry vector for ransomware. If your company’s operating systems and applications aren’t systematically and promptly updated when security patches are released, you’re leaving openings that attackers actively exploit.
— We have an automated patch management process with defined application times. (2 points)
— We apply patches, but the process is manual, inconsistent, or frequently delayed. (1 point)
— We do not have a defined patch management process. (0 points)
Question 9: Have your employees received training on phishing in the last year?
Phishing remains the number one entry vector for ransomware, and the reason is simple: it’s easier to deceive a person than to exploit a well-patched technical vulnerability. Security awareness training doesn’t eliminate the risk, but it significantly reduces it. And a phishing simulation conducted periodically provides a realistic measure of current exposure.
— Annual security awareness training and regular phishing simulations. (2 points)
— We have done some training, but it is not systematic and does not include simulations. (1 point)
— We have not done any specific phishing training, or it was more than two years ago. (0 points)
Question 10: Do you have cyber risk insurance?
Cyber risk insurance is not a substitute for technical measures, but it is the financial safety net that can make the difference between a costly incident and one that threatens business continuity. It covers everything from recovery costs and lost profits to regulatory penalties and legal expenses resulting from a data breach.
— We have current cyber risk insurance with specific coverage for ransomware. (2 points)
— We are evaluating or have general insurance that could cover part of the impact. (1 point)
— We do not have cyber risk insurance. (0 points)
Interpretation of results
17 to 20 points — High preparation
Your company has the fundamentals in place. You have isolated and tested backups, defined processes, and a security posture that would give you a real chance of recovering from an attack without it causing an existential crisis. The next step is to maintain and audit what you have, because preparedness degrades over time if it isn’t actively reviewed.
10 to 16 points — Partial preparation
You have some pieces in place, but there are significant gaps that an attacker could exploit. Most likely, in the event of an actual attack, recovery would be possible but costly, slow, and chaotic. Identify the questions you scored 0 or 1 on and treat them as immediate priorities, not long-term improvements.
5 to 9 points — Insufficient preparation
A ransomware attack today would put you in a very difficult situation. The chances of restoring operations within a reasonable timeframe without paying the ransom are low, and the financial and reputational impact would be severe. This is not a result to be ignored: it’s a sign that action is needed now.
0 to 4 points — No preparation
In all honesty: your company wouldn’t survive a serious ransomware attack under the current conditions. Not because improvement is impossible, but because the most basic elements of resilience are missing. The good news is that the first steps are concrete and achievable. The bad news is that every day that passes without action is a day of real vulnerability.
The most common mistake: backups that aren’t backups
If there’s one practical conclusion to be drawn from this test, it’s this: most companies that believe they have sufficient backups to survive a ransomware attack discover during the incident that their backups had one or more of these problems:
They were connected to the same network. The ransomware encrypted them along with the rest of the files. The company had three backups, and all three were rendered unusable.
They had never been tested. The restoration failed due to configuration errors, data corruption, or incompatibilities that no one had detected because no one had attempted to restore under real-world conditions.
They only covered part of the systems. The file server backup existed and worked. The management system database backup did not. Recovering the files without the customer database had limited value.
The restoration time was manageable in theory, but not in practice. Restoring 4TB from an external backup over a standard internet connection can take days. Days during which the company is down.
These are not hypothetical scenarios. These are the patterns that repeat themselves time and again in post-incident reports from companies that suffered ransomware attacks thinking they were protected.
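To put numbers on the RTO and RPO questions above and on the "4TB over a standard connection" problem, here is an added Python example (not from the original article) that computes the data-loss gap left by a backup schedule and the theoretical transfer time of a restore. The schedule, the 100 Mbps link, the 80% efficiency factor and the 24-hour targets are assumed values.

```python
from datetime import datetime

TB = 10**12  # decimal terabytes, the unit storage sizes are usually quoted in

def worst_case_data_loss(backups, incident_time):
    """Hours of work lost: the gap between the last *successful* backup and the
    moment encryption is triggered. backups is a list of (datetime, succeeded)."""
    good = [t for t, ok in backups if ok and t <= incident_time]
    if not good:
        return None  # nothing usable to restore from at all
    return (incident_time - max(good)).total_seconds() / 3600

def restore_hours(size_bytes, link_mbps, efficiency=0.8):
    """Theoretical time to pull a backup back over a link. efficiency is an
    assumed 80% to account for protocol overhead and contention."""
    bytes_per_second = link_mbps * 1_000_000 / 8 * efficiency
    return size_bytes / bytes_per_second / 3600

def assess(backups, incident_time, size_bytes, link_mbps, rto_hours, rpo_hours):
    """Compare the measured gap and transfer time against the stated RTO/RPO."""
    loss = worst_case_data_loss(backups, incident_time)
    restore = restore_hours(size_bytes, link_mbps)
    return {
        "data_loss_hours": loss,
        "restore_hours": restore,
        "rpo_met": loss is not None and loss <= rpo_hours,
        "rto_met": restore <= rto_hours,
    }

# Constructed sample: nightly 02:00 backups of a 4 TB file server, where the
# job on the night before the incident failed and nobody noticed.
SAMPLE_BACKUPS = [
    (datetime(2024, 3, 12, 2), True),
    (datetime(2024, 3, 13, 2), True),
    (datetime(2024, 3, 14, 2), False),
]
INCIDENT = datetime(2024, 3, 14, 17)  # encryption triggered at 5 PM

def example_assessment():
    # Assumed targets: 24 h RTO and 24 h RPO, restore over a 100 Mbps link.
    return assess(SAMPLE_BACKUPS, INCIDENT, size_bytes=4 * TB,
                  link_mbps=100, rto_hours=24, rpo_hours=24)

if __name__ == "__main__":
    print(example_assessment())
```

With these inputs the last usable backup is 39 hours old and the transfer alone takes about 111 hours (4.6 days), so both targets are missed even though "daily backups" are in place.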
How exactly does Acronis solve these problems?
Acronis started as a backup company and has evolved into what it now calls cyber protection: the convergence of backup, disaster recovery and cybersecurity on a single platform.
The reason for this convergence is precisely the problem we’ve described: a backup that isn’t actively protected against ransomware can be encrypted along with the rest of the data. And a security solution that doesn’t include backups can’t guarantee recovery if the attack is successful.
Immutable and isolated backup
Acronis stores backups in a format that makes them resistant to modification or encryption by ransomware. Its cloud copies are immutable: neither malware, malicious administrators, nor operational errors can alter them. This directly solves the problem of encrypted backups along with the rest of the data.
AI-powered active ransomware protection
Acronis includes an AI-powered ransomware detection engine that monitors process behavior in real time. When it detects characteristic ransomware patterns—such as rapid, mass file encryption—it stops the ransomware before it completes its task and automatically restores any files that may have been affected in the seconds leading up to the detection.
It’s the combination that completes the circle: if prevention fails and ransomware starts to act, detection stops it. And if anything is lost in those few seconds, the backup recovers it.
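As an added illustration, not Acronis code and not a description of its engine, the following Python sketch shows the kind of behavioural signal such detection keys on: one process rewriting many distinct files with high-entropy content within a short window, and the list of touched files a recovery agent would then need to roll back. The event format, thresholds and sample events are constructed for the example.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_mass_encryption(events, window_s=5.0, min_files=20, min_entropy=7.5):
    """Flag processes that rewrite >= min_files distinct files with high-entropy
    content inside window_s seconds. Thresholds are illustrative, not tuned.
    events: (t_seconds, pid, path, data_written). Returns {pid: affected paths}."""
    high = defaultdict(list)
    for t, pid, path, data in events:
        if shannon_entropy(data) >= min_entropy:
            high[pid].append((t, path))
    flagged = {}
    for pid, hits in high.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_files:
                # Everything this pid rewrote is suspect, not just the window.
                flagged[pid] = sorted({p for _, p in hits})
                break
    return flagged

# Constructed event stream: pid 4242 overwrites 25 documents with
# ciphertext-like bytes in 2.4 s; pid 1001 saves ordinary text files.
CIPHERTEXT_LIKE = bytes(range(256)) * 16          # entropy exactly 8.0
PLAINTEXT = b"quarterly report draft, revision 3\n" * 100
SAMPLE_EVENTS = [
    (0.1 * i, 4242, f"/share/docs/file{i:02d}.docx", CIPHERTEXT_LIKE)
    for i in range(25)
] + [
    (1.0, 1001, "/share/docs/minutes.txt", PLAINTEXT),
    (2.0, 1001, "/share/docs/budget.csv", PLAINTEXT),
]

def example_detection():
    return detect_mass_encryption(SAMPLE_EVENTS)
```

Running it flags pid 4242 with its 25 rewritten paths and leaves pid 1001 alone; a real agent would additionally kill or suspend the process and pull those paths from the most recent snapshot.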
Fast recovery with defined RTO
One of the most frustrating limitations of traditional backup systems is that recovery time is unknown until an incident occurs. Acronis allows you to define and validate real-world recovery times through disaster recovery features that include the ability to boot systems in the cloud while restoring the physical infrastructure, maintaining operations even during the recovery process.
Centralized visibility of all protection
From a single dashboard, the IT team can view the status of all backups, active security alerts, protected devices, and those with pending issues. No switching between tools, no manual data cross-referencing.
This centralization is not just about convenience: it’s what makes it possible for a small team to have real visibility into the security status of the entire organization.
The minimum viable plan for an SME starting from scratch
If your test result was low and you need to prioritize, this is the logical order of action:
First: isolated and automatic backups. This is the most important step and the one with the greatest impact on the ability to survive a ransomware attack. Implement a solution that stores backups outside the production network, at least daily for critical systems.
Second: Test the restore process. Before considering the backup system complete, perform a full restore test. Document the time it takes and any problems you encounter. This will give you the actual RTO, not the theoretical one.
Third: Enable MFA on all critical access points. This is one of the most impactful measures with the lowest implementation cost. VPN, email, admin panels, cloud systems: all of them.
Fourth: automated patch management. It reduces the window of exposure to known vulnerabilities without relying on manual processes that inevitably cause delays.
Fifth: a documented and practiced response plan. It doesn’t have to be a hundred-page document. It has to be something the team knows and can execute under pressure.
Conclusion: the right question is not “will they attack us?”
The right question is, “How long would it take us to get back up and running if we were attacked tomorrow?” And the honest answer to that question should determine the urgency with which your company addresses its backup and recovery strategy.
Ransomware doesn’t discriminate based on size. Small and medium-sized businesses (SMEs) are frequent targets precisely because they possess valuable data and, in many cases, weaker defenses than large corporations. And the cost of an unmanaged incident—in downtime, data loss, reputational damage, and potential regulatory penalties—far outweighs the investment in adequate protection.
Tools like Acronis exist precisely to make that protection accessible, manageable, and real: not just a backup that exists on some server, but a verified guarantee that when something happens, your company has the ability to recover.
