
Ransomware Doesn't Care About Your Compliance Certificates

March 5, 2026

Last year, I worked with a financial services firm that had invested heavily in compliance. ISO 27001 certified. SOC 2 Type II audited. All the frameworks, all the checklists, all the certificates on the wall.

They got hit with ransomware anyway.

Not because they were negligent. Not because they didn't care about security. But because compliance isn't security, and defending against ransomware takes more than checking boxes. That is why a solid ransomware protection strategy matters: it is what stops compliance theatre turning into real consequences.

The attackers didn't care about their ISO certificate. They didn't ask for their audit reports. They just encrypted everything and demanded payment.

Here's what actually works against ransomware—and why your compliance program might be giving you a false sense of security.


The Compliance Trap

There's a dangerous belief in business that compliance equals security. If we get certified, we're secure. If we pass the audit, we're safe.

But compliance frameworks are minimum viable security. They're designed to:

  • Provide a baseline standard
  • Satisfy regulatory requirements
  • Demonstrate due diligence

They're not designed to:

  • Stop determined attackers
  • Protect against emerging threats
  • Adapt to your specific risks

A compliant organisation can absolutely be breached. I've seen it happen.


How Ransomware Actually Works

To defend against ransomware, you need to understand how it works. Not the technical details (though those matter), but the operational reality.

Here's the typical attack chain:

Step 1: Initial Access

The attackers get in somehow:

  • Phishing email with a malicious attachment
  • Exploited vulnerability in public-facing software
  • Compromised credentials (often from a previous breach)
  • Remote access tool left exposed

Compliance frameworks tell you to patch systems and train users. Good advice. But patches take time, and users click things.

Step 2: Reconnaissance

Once inside, the attackers look around. They map your network. They identify:

  • Domain controllers
  • Backup systems
  • Critical file servers
  • Security tools they need to disable

They take their time. Weeks, sometimes months. They want to understand your environment before they strike.

Most compliance programs don't test for "attacker dwell time detection." Can you spot an intruder who's been quiet for 60 days?

Step 3: Privilege Escalation

The attackers need admin rights to deploy ransomware effectively. They:

  • Exploit unpatched vulnerabilities
  • Use credential dumping tools
  • Move laterally to find admin accounts
  • Compromise backup admin accounts specifically

This is where many compliance programs fall short. They check that you have privileged access management, but don't test whether it actually stops a determined attacker.

Step 4: Deployment

When they're ready, the attackers:

  • Disable or delete backups
  • Deploy ransomware to as many systems as possible
  • Leave ransom notes
  • Sometimes exfiltrate data first (double extortion)

This happens fast—often overnight. By the time you notice, it's too late.


Ransomware Protection Strategy: What Actually Works in Practice

If compliance checklists aren't enough, what is? Here's the ransomware protection strategy I recommend based on incident response work:

Layer 1: Prevent Initial Access

Yes, prevention matters—even if it's not perfect.

Email security:

  • Advanced threat protection that catches malicious attachments
  • Link protection and sandboxing
  • User reporting tools (make it easy to report suspicious emails)

Vulnerability management:

  • Patch critical vulnerabilities quickly (days, not weeks)
  • Asset inventory (you can't patch what you don't know about)
  • Attack surface reduction (remove unnecessary services)

Identity protection:

  • MFA on everything (I know I sound like a broken record, but this stops most credential attacks)
  • Leaked credential monitoring
  • Privileged account protection

Layer 2: Detect Intrusions Early

Assume they'll get in. Can you catch them before they deploy ransomware?

Endpoint detection and response (EDR):

  • Behavioural analysis (not just signatures)
  • 24/7 monitoring (in-house or outsourced)
  • Automated response capabilities

Network monitoring:

  • Anomaly detection
  • Lateral movement detection
  • Command and control communication detection

Log analysis:

  • Centralised logging
  • Regular review (not just automated alerts)
  • Retention for at least 90 days

The key metric: mean time to detect (MTTD). Most businesses take months to detect intrusions. You need to get that down to days or hours.
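One concrete piece of the log-analysis layer is lateral-movement detection: an account that successfully logs on to many different hosts in a short window is exactly the reconnaissance and privilege-hunting pattern described in Steps 2 and 3. The script below is an added example, not code from the original post. It parses a constructed, flattened logon log (the field order, hostnames and account names are all assumptions for the example) and flags any account reaching five or more distinct hosts within ten minutes, while skipping an allow-list of accounts that legitimately behave that way, such as a vulnerability scanner.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not from any real environment). Each line is
# "<timestamp> <account> <source host> <destination host> <result>".
SAMPLE_LOG = """\
2026-02-10T08:15:02 j.smith WS-042 FS-01 success
2026-02-10T08:40:19 j.smith WS-042 MAIL-01 success
2026-02-10T09:05:44 a.jones WS-011 FS-01 failure
2026-02-10T09:05:51 a.jones WS-011 FS-01 success
2026-02-10T11:30:00 svc-vulnscan SCAN-01 FS-01 success
2026-02-10T11:30:05 svc-vulnscan SCAN-01 FS-02 success
2026-02-10T11:30:10 svc-vulnscan SCAN-01 DC-01 success
2026-02-10T11:30:15 svc-vulnscan SCAN-01 BKP-01 success
2026-02-10T11:30:20 svc-vulnscan SCAN-01 APP-03 success
2026-02-11T01:02:11 m.lee WS-017 FS-01 success
2026-02-11T01:03:27 m.lee WS-017 FS-02 success
2026-02-11T01:04:05 m.lee WS-017 DC-01 success
2026-02-11T01:05:48 m.lee WS-017 BKP-01 success
2026-02-11T01:07:30 m.lee WS-017 HR-DB success
2026-02-11T01:09:12 m.lee WS-017 APP-03 success
"""


def parse_log(text):
    """Parse the space-separated records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "src": src,
            "dst": dst,
            "ok": result == "success",
        })
    return sorted(events, key=lambda e: e["time"])


def _first_alert(account, evs, window, threshold):
    """Slide a window over one account's successful logons; return the first
    point at which it has reached `threshold` distinct destination hosts."""
    for i, first in enumerate(evs):
        hosts = []
        for e in evs[i:]:
            if e["time"] - first["time"] > window:
                break
            if e["dst"] not in hosts:
                hosts.append(e["dst"])
            if len(hosts) >= threshold:
                return {
                    "account": account,
                    "window_start": first["time"],
                    "alert_time": e["time"],
                    "hosts": hosts,
                    # How long after the activity began the alert would fire:
                    # the per-incident contribution to mean time to detect.
                    "detect_minutes": (e["time"] - first["time"]).total_seconds() / 60,
                }
    return None


def detect_fan_out(events, window=timedelta(minutes=10), threshold=5, allowlist=()):
    """Return one alert per account that fans out to >= threshold distinct hosts
    within `window`. Accounts in `allowlist` (known scanners, monitoring) are
    skipped so they do not bury real alerts; review them through a separate rule."""
    by_account = defaultdict(list)
    for e in events:
        if e["ok"] and e["account"] not in allowlist:
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        alert = _first_alert(account, evs, window, threshold)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(parse_log(SAMPLE_LOG), allowlist={"svc-vulnscan"}):
        print(f"{a['account']} reached {len(a['hosts'])} hosts {a['hosts']} "
              f"by {a['alert_time']} ({a['detect_minutes']:.1f} min after first logon)")
```

In the sample, the overnight fan-out from a workstation to file servers, a domain controller and the backup server is flagged at the fifth host, about five minutes after it started. Failed logons are deliberately excluded here; a burst of failures is a different signal (password spraying) and deserves its own rule rather than being mixed into this one.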

Layer 3: Limit Blast Radius

When ransomware hits, how much damage can it do?

Network segmentation:

  • Separate critical systems
  • Restrict lateral movement
  • Micro-segmentation where possible

Least privilege:

  • Users only have access to what they need
  • Admin accounts are separate and limited
  • Service accounts have minimal permissions

Application control:

  • Whitelist allowed applications
  • Block unknown executables
  • Prevent macro execution from untrusted sources

Layer 4: Recovery Capability

This is the big one. Can you recover without paying the ransom?

Immutable backups:

  • Backups that can't be deleted or modified by attackers
  • Air-gapped or offline copies
  • Regular testing (a backup you can't restore is worthless)

Incident response plan:

  • Documented procedures
  • Pre-established relationships with IR firms
  • Communication templates
  • Legal and regulatory notification procedures

Recovery testing:

  • Regular restore drills
  • Documentation of recovery time
  • Identification of critical systems (restore these first)
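A restore drill does not have to be a big production to be useful. The script below is an added example (not the author's own tooling): it records a hash of every file you intend to protect, writes a backup archive, restores it to a clean location, times the restore, and reports anything missing or altered. The backup job's selection rule is modelled with an `excluded_prefixes` argument, which is an assumption standing in for real backup-scope configuration; the sample files and the deliberate exclusion of the `db/` directory are constructed so the drill has something to find.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large backup sets need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_hashes(source_dir):
    """Record the hash of every file under source_dir, keyed by relative path."""
    source = Path(source_dir)
    return {p.relative_to(source).as_posix(): sha256_of(p)
            for p in source.rglob("*") if p.is_file()}


def make_backup(source_dir, archive_path, excluded_prefixes=()):
    """Write a gzip tarball of source_dir. `excluded_prefixes` stands in for a
    backup job's selection rules, which is exactly where scope gaps hide."""
    def selector(info):
        rel = info.name[2:] if info.name.startswith("./") else info.name
        return None if any(rel.startswith(p) for p in excluded_prefixes) else info
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".", filter=selector)


def restore_drill(archive_path, expected, restore_dir):
    """Restore the archive into restore_dir and check every file we meant to
    protect. Returns verified count, missing and mismatched paths, and timing."""
    start = time.monotonic()
    Path(restore_dir).mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive_path), "r:gz") as tar:
        # Use the 'data' extraction filter where this Python has it (3.12+ and
        # the security backports) so a crafted archive cannot write outside
        # restore_dir; older interpreters fall back to the default behaviour.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(restore_dir), **extra)
    missing, mismatched, verified = [], [], 0
    for rel, digest in sorted(expected.items()):
        target = Path(restore_dir) / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_of(target) != digest:
            mismatched.append(rel)
        else:
            verified += 1
    return {"verified": verified, "missing": missing, "mismatched": mismatched,
            "elapsed_seconds": time.monotonic() - start}


def run_drill(excluded_prefixes=("db",)):
    """End-to-end drill on constructed data. By default the selection rule
    silently drops the database dump, which only the restore test reveals."""
    sample_files = {  # constructed content, not real business data
        "ledger.csv": b"date,amount\n2026-01-05,1200.00\n",
        "config/app.yaml": b"db_host: HR-DB\nretention_days: 30\n",
        "db/dump.sql": b"-- constructed sample dump\nCREATE TABLE accounts (id INT);\n",
    }
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "source"
        for rel, content in sample_files.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        expected = snapshot_hashes(source)          # what we believe is protected
        archive = Path(work) / "nightly.tar.gz"
        make_backup(source, archive, excluded_prefixes)
        return restore_drill(archive, expected, Path(work) / "restore")


if __name__ == "__main__":
    report = run_drill()
    print(f"verified={report['verified']} missing={report['missing']} "
          f"mismatched={report['mismatched']} in {report['elapsed_seconds']:.2f}s")
```

The important design choice is that the expected hashes come from the live data before the backup runs, not from the archive's own manifest: a backup product will happily report a successful job that never included the database in the first place. Run the same drill against a real archive and a real restore target and the `elapsed_seconds` figure becomes your measured recovery time for that system.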




The Backup Mistake That Kills Businesses

I need to talk about backups specifically, because this is where businesses fail most often.

Mistake 1: Online-Only Backups

Your backups are stored in the cloud. That's great! Except your admin credentials can log into that cloud console. And if attackers have those credentials, they can delete your backups.

Solution: Immutable backups. Once written, they can't be modified or deleted—not even by admins.

Mistake 2: No Offline/Air-Gapped Copies

All your backups are connected to your network. When ransomware spreads, it finds and encrypts your backup servers too.

Solution: Regular offline backups. Tape. Disconnected drives. Something the attackers can't reach from your network.

Mistake 3: Never Testing Restores

You assume your backups work. You've never actually tried to restore from them.

When ransomware hits, you discover:

  • The backup has been failing for 3 months
  • The restore process takes 5 days, not 5 hours
  • Critical data wasn't included in the backup scope
  • The backup is corrupted

Solution: Regular restore testing. Documented procedures. Time your recoveries so you know how long it actually takes.
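Three of the four discoveries above (a job failing for months, a shrinking or missing scope, a corrupted or removed restore point) can be caught from the backup system's own job log long before an incident. The following is an added example rather than anything from the original post: it parses a constructed job log (the `key=value` format, job names and actor account are assumptions for the example) and raises findings for jobs that have stopped succeeding, jobs that have stopped running at all, backups that suddenly shrink, and retention being shortened or restore points being deleted, which is the Step 4 "disable or delete backups" move seen from the defender's side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed backup-job log, not from any real product. One line per job run
# or configuration change: "<timestamp> key=value ...". Quoted values may contain spaces.
SAMPLE_JOB_LOG = """\
2026-02-28 02:00:04 job=FS-01-nightly status=success bytes=812000000000
2026-03-01 02:00:02 job=FS-01-nightly status=success bytes=813500000000
2026-03-02 02:00:07 job=FS-01-nightly status=success bytes=814100000000
2026-03-03 02:00:03 job=FS-01-nightly status=success bytes=814900000000
2026-03-04 02:00:05 job=FS-01-nightly status=success bytes=340000000000
2025-12-04 03:00:01 job=HR-DB-nightly status=success bytes=96000000000
2025-12-05 03:00:02 job=HR-DB-nightly status=failed error="agent not responding"
2026-01-20 03:00:04 job=HR-DB-nightly status=failed error="agent not responding"
2026-03-04 03:00:02 job=HR-DB-nightly status=failed error="agent not responding"
2026-02-20 04:00:00 job=MAIL-01-nightly status=success bytes=22000000000
2026-03-03 22:41:17 event=config_change job=FS-01-nightly setting=retention_days old=30 new=1 actor=svc-backup
2026-03-03 22:44:09 event=delete_restore_points job=HR-DB-nightly count=42 actor=svc-backup
"""

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_job_log(text):
    """Turn each line into a dict of fields plus a parsed `time`, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
                  for m in KV_RE.finditer(line[19:])}
        fields["time"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        records.append(fields)
    return sorted(records, key=lambda r: r["time"])


def check_backup_health(records, now, max_stale_days=2, min_failures=3, shrink_ratio=0.5):
    """Return sorted (job, issue, detail) findings. Each check maps to a way
    backups fail quietly: runs that stop succeeding, runs that stop happening,
    backups that shrink, and retention or restore points being removed."""
    runs, findings = defaultdict(list), []
    for r in records:
        if r.get("event") == "config_change" and r.get("setting") == "retention_days":
            if int(r["new"]) < int(r["old"]):
                findings.append((r["job"], "retention_shortened",
                                 f"{r['old']} -> {r['new']} days by {r.get('actor', '?')}"))
        elif r.get("event") == "delete_restore_points":
            findings.append((r["job"], "restore_points_deleted",
                             f"{r['count']} points removed by {r.get('actor', '?')}"))
        elif "status" in r:
            runs[r["job"]].append(r)

    for job, rs in runs.items():
        successes = [r for r in rs if r["status"] == "success"]
        if not successes:
            findings.append((job, "never_succeeded", f"{len(rs)} runs, no success"))
        else:
            age = now - successes[-1]["time"]
            if age > timedelta(days=max_stale_days):
                findings.append((job, "stale", f"last success {age.days} days ago"))
        streak = 0  # failures since the most recent success (or since the start)
        for r in reversed(rs):
            if r["status"] == "success":
                break
            streak += 1
        if streak >= min_failures:
            findings.append((job, "consecutive_failures", f"{streak} failures in a row"))
        for prev, cur in zip(successes, successes[1:]):
            pb, cb = int(prev["bytes"]), int(cur["bytes"])
            if pb and cb < pb * shrink_ratio:
                findings.append((job, "size_drop", f"{pb} -> {cb} bytes on {cur['time'].date()}"))
    return sorted(findings)


if __name__ == "__main__":
    for job, issue, detail in check_backup_health(parse_job_log(SAMPLE_JOB_LOG),
                                                  now=datetime(2026, 3, 5, 9, 0)):
        print(f"{job:<16} {issue:<24} {detail}")
```

Against the sample, HR-DB is reported both as stale (91 days since its last success) and as failing three runs in a row, which is the "failing for 3 months" discovery made on a quiet Tuesday instead of during an incident. MAIL-01 has no failures at all; it simply stopped running, which is why the staleness check looks at the last success rather than the last error. The size drop on FS-01 is the scope-loss signal, and the two configuration events are what an attacker's "disable or delete backups" step looks like in the log, tied to the account that did it.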

Mistake 4: Slow Recovery Times

You have 50TB of data backed up. Great! Your internet connection can restore it at 100Mbps. That's... 46 days.

Solution: Understand your recovery time objective (RTO). If you need to be back online in 24 hours, you need a restore method that can achieve that. This might mean local copies, faster connections, or priority restoration of critical systems first.
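The 50TB-over-100Mbps arithmetic generalises into a small planning exercise: list your systems with a restore priority tier, feed in the bandwidth of each restore path you actually have, and see which systems are back before the RTO runs out. The block below is an added example, not a calculator from the original post. The inventory, the tier assignments and the two link speeds are constructed for illustration; they total the article's 50TB so the headline figure is reproduced.

```python
TB = 10**12    # decimal terabytes, as in the 50TB figure above
MBPS = 10**6   # megabits per second


def restore_hours(size_bytes, link_bps, efficiency=1.0):
    """Wall-clock hours to pull size_bytes over a link of link_bps.
    efficiency < 1.0 models protocol overhead and contention; the default of
    1.0 reproduces the article's back-of-envelope figure."""
    return size_bytes * 8 / (link_bps * efficiency) / 3600


def restore_plan(systems, link_bps, rto_hours, efficiency=1.0):
    """Restore tier 1 first (smallest system first within a tier) and record
    when each system is back and whether that beats the RTO.
    systems: iterable of (name, tier, size_bytes)."""
    order = sorted(systems, key=lambda s: (s[1], s[2]))
    clock, rows = 0.0, []
    for name, tier, size in order:
        clock += restore_hours(size, link_bps, efficiency)
        rows.append({"system": name, "tier": tier,
                     "back_after_hours": round(clock, 1),
                     "meets_rto": clock <= rto_hours})
    return rows


# Constructed inventory totalling 50TB; the tiers are the "restore these first"
# classification from the recovery-testing list.
SYSTEMS = [
    ("DC-01 (identity)", 1, 0.2 * TB),
    ("HR-DB (payroll)", 1, 2.0 * TB),
    ("FS-01 (file server)", 2, 20.0 * TB),
    ("ARCHIVE (cold data)", 3, 27.8 * TB),
]

if __name__ == "__main__":
    print(f"Full 50TB over 100Mbps: {restore_hours(50 * TB, 100 * MBPS) / 24:.0f} days")
    for label, bps in (("100Mbps internet link", 100 * MBPS),
                       ("10Gbps local copy", 10_000 * MBPS)):
        print(label)
        for row in restore_plan(SYSTEMS, bps, rto_hours=24):
            print(f"  {row['system']:<22} tier {row['tier']}  back after "
                  f"{row['back_after_hours']:>7.1f}h  RTO met: {row['meets_rto']}")
```

The output makes the point in the paragraph above concrete: over the internet link, prioritising the domain controller gets identity back in under five hours, but the payroll database still misses a 24-hour RTO by a day, so priority ordering alone does not save you. A local copy on a 10Gbps path brings every tier back the same day. Whichever numbers you plug in, the restore path has to be one you have actually tested, or the plan is just arithmetic.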


The Pay-or-Don't-Pay Question

When ransomware hits, you'll face a terrible decision: pay the ransom or try to recover without it.

I can't make that decision for you. But I can tell you what to consider:

Reasons to pay:

  • No viable backups exist
  • Business would fail without rapid recovery
  • Cyber insurance covers it (check your policy)
  • Decryption is guaranteed (rarely true)

Reasons not to pay:

  • No guarantee you'll get your data back
  • You're funding criminal organisations
  • You become a target for future attacks
  • Legal and regulatory complications
  • Moral/ethical concerns

The only good answer: Have backups that work, so you don't have to make this choice under pressure.


Compliance Has Its Place (But Know Its Limits)

I'm not saying compliance is worthless. It serves important purposes:

  • Demonstrates due diligence to regulators
  • Provides a baseline security framework
  • Helps with cyber insurance
  • Gives customers confidence

But don't confuse the certificate with actual security. You can be compliant and vulnerable. You can pass an audit and still get ransomwared.

Real security requires:

  • Going beyond compliance minimums
  • Testing your defences (penetration testing, red teaming)
  • Continuous monitoring and improvement
  • Incident response preparation
  • Regular backup testing

What Small Businesses Can Do Today

You don't need an enterprise budget for an effective ransomware protection strategy. Here's what I'd do with limited resources:

Today:

  • Enable MFA on everything
  • Check your backup status (are they actually running?)
  • Patch critical vulnerabilities

This week:

  • Test a restore from backup
  • Document your critical systems
  • Set up a password manager if you don't have one

This month:

  • Implement EDR on all endpoints
  • Review and restrict admin privileges
  • Create a basic incident response plan

This quarter:

  • Conduct a tabletop exercise (practice your response)
  • Get cyber insurance (and read the policy)
  • Consider immutable backup solutions
  • Train staff on phishing recognition

The Human Element

Technical controls matter. But ransomware often succeeds because of human factors:

  • Someone clicks a phishing link
  • An admin account has a weak password
  • A vendor's credentials are compromised
  • Someone disables security tools because they're "annoying"

Technical controls can only do so much. You need:

  • Security-aware culture
  • Easy ways to do the right thing
  • Quick reporting of suspicious activity
  • No-blame post-incident reviews

If people are afraid to report mistakes, you'll never hear about problems until it's too late.


The Bottom Line

Your compliance certificates look nice on the wall. They might help with regulators and customers. But they won't stop ransomware.

What stops ransomware:

  • MFA on every account
  • Working, tested, immutable backups
  • Early detection and response
  • Network segmentation
  • Least privilege access
  • Security-aware culture

If you only remember one thing from this article: Test your backups. A backup you can't restore is just false hope.

And if you want to learn more about building a proper incident response capability, check out our guide to incident response planning. Because when ransomware hits, you'll be glad you prepared.


Mathew Clark
Founder, SecureInSeconds
Currently: Running backup restore tests and timing them (4 hours 23 minutes for critical systems—not bad)


Further Reading: