I spent over seven years inside the ransomware response industry. I've watched hospitals get encrypted. I've watched law firms lose decades of files. I've watched small businesses cease to exist over a single phishing click.
One thing I learned: 95% of successful attacks exploit basic hygiene failures, not zero-days. The advanced persistent threats get the headlines; the credential reuse and unpatched VPN appliances do the actual damage. Here are the ten habits, boring on purpose, that prevent almost everything.
Why fundamentals beat tools
Every breached company I've worked with had security products. They had EDR. They had firewalls. They had cyber insurance. What they didn't have was the boring discipline to make those products useful. The attack surface that gets exploited is almost never the one a vendor sold a tool against.
1. MFA everywhere, and not SMS
Multi-factor authentication is the single biggest defense against credential theft. But SMS-based 2FA is the weakest form of it: SIM-swap attacks have been industrialized for years, and a code delivered by text can be intercepted or simply phished out of the user.
Use an authenticator app (Authy, Aegis, 1Password) or, better, a FIDO2 hardware key (YubiKey) or passkey. App-generated TOTP codes stop SIM swapping, but a real-time phishing proxy can still relay them; FIDO2 binds the login to the genuine site's origin, so the proxy gets nothing it can replay. For business: every employee, every system, no exceptions. Microsoft 365 and Google Workspace let you enforce this org-wide. Do it.
2. Real password manager, real master password
You cannot remember 200 unique passwords. Stop trying. 1Password, Bitwarden, Dashlane: any of them. The category leader doesn't matter. What matters is that every account gets a unique generated password.
One caveat: your master password is now the keys to the kingdom. Make it long (5+ words drawn at random from a real word list, not words you picked yourself), unique, and never reused anywhere else, and turn on MFA for the vault itself.
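Why "5+ random words" is the right shape for a master password comes down to entropy arithmetic. The block below is an added example (not code from the post or from any password manager) that generates a diceware-style passphrase with a CSPRNG and computes the bits of entropy it carries. The embedded word list is a constructed 24-word stand-in; the entropy functions take the real list size (the EFF long list has 7776 words) so the numbers reflect a real deployment.

```python
import math
import secrets

# Constructed stand-in for a real diceware-style word list. A real list
# (e.g. the EFF long list) has 7776 entries; sampling from this tiny list
# yields far less entropy, which is why the functions below take list_size
# explicitly instead of reading len(SAMPLE_WORDS).
SAMPLE_WORDS = [
    "amber", "basil", "cobalt", "dusk", "ember", "fjord", "glyph", "harbor",
    "iris", "jaunt", "kelp", "lumen", "moss", "nectar", "ochre", "pluck",
    "quartz", "ridge", "saffron", "tundra", "umbra", "velvet", "willow", "zephyr",
]

EFF_LONG_LIST_SIZE = 7776      # 6^5 words, one per five-dice roll
PRINTABLE_ASCII = 94           # character classes a "random 8-char" password uses


def entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy (bits) of word_count words chosen uniformly, with replacement,
    from a list of list_size words. Each word contributes log2(list_size)."""
    return word_count * math.log2(list_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy (bits) of a length-character password over charset_size symbols."""
    return length * math.log2(charset_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits from a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int, words=SAMPLE_WORDS, separator: str = "-") -> str:
    """Build a passphrase with secrets.choice (CSPRNG). random.choice is NOT
    acceptable here: it is seeded from a predictable state and is not designed
    for secrets."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print("5 words from a 7776-word list:", round(entropy_bits(5, EFF_LONG_LIST_SIZE), 1), "bits")
    print("8 random printable ASCII chars:", round(charset_entropy_bits(8, PRINTABLE_ASCII), 1), "bits")
    print("words needed for 80 bits:", words_needed(80, EFF_LONG_LIST_SIZE))
    print("sample (from the toy list, NOT for real use):", generate_passphrase(5))
```

The comparison is the point: five words from a 7776-word list is about 65 bits, already more than an eight-character fully random password (about 52 bits), and it is far easier to type and remember. The entropy only holds if the words are chosen by the generator; a phrase you compose yourself is drawn from a much smaller, guessable space.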
3. Patch within 48 hours of disclosure
Most ransomware groups exploit known vulnerabilities days to weeks after CVE disclosure, and for internet-facing appliances (VPNs, firewalls, file-transfer servers) sometimes within hours. They scan the entire IPv4 space looking for unpatched systems. If you patch within 48 hours you are ahead of that scanning wave, and opportunistic crews will just move on to an easier target.
Set up automatic updates everywhere you can: workstations, servers, network appliances, IoT. Equifax sat on a publicly known Apache Struts vulnerability for about two months before it was exploited; "we'll test it in staging first" is not a reason to leave an internet-facing system exposed that long. Don't be Equifax.
4. The 3-2-1 backup rule (and test the restore)
3 copies of important data. 2 different storage types. 1 off-site. This is non-negotiable for ransomware survival.
For personal: Time Machine + Backblaze + an external drive in a different physical location covers most threats. For business: immutable backups (write-once, so they cannot be altered or deleted during their retention window even with admin credentials) are now table stakes, because modern ransomware crews go after the backups before they detonate. And "test the restore" means actually restoring a sample to a clean machine on a schedule and checking that the files open and match; a backup job that reports success is not the same thing as a restore that works.
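The "test the restore" step is the one people skip, so here is what it looks like mechanically. This is an added example, not code from the post or from any backup product: it records a SHA-256 manifest of the source tree at backup time, then compares a restored tree against that manifest and reports files that are missing, corrupted, or unexpected. The sample data and the tampering are constructed inside a temporary directory so it runs offline; in a real pipeline `shutil.copytree` would be your backup tool's restore.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _rel(path: Path, root: Path) -> str:
    # Normalise to forward slashes so manifests compare across platforms.
    return str(path.relative_to(root)).replace(os.sep, "/")


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path -> SHA-256). Take this at
    backup time and store it alongside, ideally in the immutable copy."""
    return {_rel(p, root): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the backup-time manifest."""
    report = {"missing": [], "corrupt": [], "unexpected": []}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_of(target) != digest:
            report["corrupt"].append(rel)
    for p in sorted(restored.rglob("*")):
        if p.is_file() and _rel(p, restored) not in manifest:
            report["unexpected"].append(_rel(p, restored))
    return report


def _make_source(tmp: Path) -> Path:
    # Constructed sample data standing in for "important files".
    source = tmp / "source"
    (source / "finance").mkdir(parents=True)
    (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (source / "notes.txt").write_text("quarterly review\n")
    return source


def demo_clean_restore() -> dict:
    """A restore that actually worked: every list in the report is empty."""
    with tempfile.TemporaryDirectory() as tmp:
        source = _make_source(Path(tmp))
        manifest = build_manifest(source)
        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        return verify_restore(manifest, restored)


def demo_tampered_restore() -> dict:
    """A restore from a backup that ransomware reached: one file overwritten,
    one deleted, a ransom note dropped. All three show up in the report."""
    with tempfile.TemporaryDirectory() as tmp:
        source = _make_source(Path(tmp))
        manifest = build_manifest(source)
        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        (restored / "finance" / "ledger.csv").write_bytes(b"ENCRYPTED")   # simulated encryption
        (restored / "notes.txt").unlink()                                  # simulated deletion
        (restored / "README.lock").write_text("pay us\n")                  # simulated ransom note
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:   ", demo_clean_restore())
    print("tampered restore:", demo_tampered_restore())
```

The manifest is only trustworthy if it is stored somewhere the attacker cannot rewrite, which is exactly what the immutable copy is for; keep it with that copy, not on the file server it describes.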
5. Least privilege by default
Nobody should be a local administrator on their workstation. Nobody should be a domain admin "just in case." Service accounts should have exactly the permissions needed to do their job, nothing more.
One of the first things an intruder does after landing is look for a way to escalate privileges and move laterally toward the domain. If the compromised user has no rights worth escalating and no admin path to other machines, the attack stalls.
6. Email paranoia, especially around links and attachments
Phishing remains the #1 initial access vector for ransomware. The current generation is good: well-written, contextually relevant, sometimes AI-generated. Train yourself and your team to:
- Hover before clicking. Always.
- Treat any unexpected attachment as hostile until proven otherwise.
- Verify sensitive requests through a second channel (call the sender on a known number).
- Use a dedicated "throwaway" email for sign-ups to reduce attack surface on the real one.
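"Hover before clicking" is a manual check for one specific lie: the visible link text says one place and the `href` goes somewhere else. The block below is an added example (not code from the post or from any mail security product) that automates that check over an HTML email body, flagging links whose displayed domain differs from the real destination, links to punycode/IDN hosts, and non-HTTPS links. The sample email is constructed; the `registrable_domain` helper is a deliberate simplification (last two labels) and a production version should use a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two DNS labels. Real code should consult
    the public-suffix list so that e.g. bank.co.uk is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_url(text: str) -> bool:
    """Only compare link text to the href when the text itself names a host."""
    t = text.strip()
    return bool(t) and " " not in t and "." in t


def suspicious_links(html: str) -> list:
    """Return the links a careful reader would refuse to click, with reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
            reasons.append("punycode/IDN host (possible lookalike domain)")
        if looks_like_url(text):
            shown = text if "://" in text else "//" + text
            shown_host = urlsplit(shown).hostname or ""
            if shown_host and registrable_domain(shown_host) != registrable_domain(host):
                reasons.append(f"text says {shown_host} but link goes to {host}")
        if parts.scheme != "https":
            reasons.append(f"scheme is {parts.scheme or 'none'}, not https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample phishing body. The first link displays the bank's URL but
# points at a lookalike subdomain of an attacker-controlled host; the second is
# genuine; the third uses a made-up punycode label to stand in for an IDN lookalike.
SAMPLE_EMAIL = """
<p>Your account needs verification within 24 hours.</p>
<p><a href="http://bank-example.com.login-verify.net/x">https://secure.bank-example.com/login</a></p>
<p>Help centre: <a href="https://www.bank-example.com/help">www.bank-example.com</a></p>
<p><a href="https://xn--bnk-example-5za.com/">Click here</a> if the link above does not work.</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The second link passes because the displayed host and the destination share a registrable domain and the scheme is HTTPS; the point of the check is not to declare links safe but to surface the specific mismatch a hover would have revealed.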
7. Network segmentation (yes, even at home)
Your IoT devices have terrible security. Your guest visitors have unknown security. Both should be on a separate network from your main devices.
At home: most modern routers support VLANs or guest networks. Use them. Smart bulbs and Ring doorbells go on the IoT VLAN. Guests get the guest network. Your work laptop stays on the main one.
For business: a flat network where every device can see every other device is how ransomware encrypts the entire company in one night. Segment by function, enforce with firewall rules.
8. EDR, not just antivirus
Traditional antivirus (signature-based) is dead. Modern threats repack, recompile or obfuscate each sample so its hash never matches a signature. You need EDR (Endpoint Detection & Response), which watches behavior instead of signatures: a process that deletes shadow copies, mass-renames files, or spawns PowerShell from a Word document gets stopped regardless of what the binary looks like.
For business: SentinelOne, CrowdStrike Falcon, Microsoft Defender for Endpoint. For personal: the built-in protections (Gatekeeper and XProtect on macOS, Microsoft Defender on Windows) + a paid password manager + MFA gets you most of the way. Don't pay for "consumer antivirus"; that category is mostly dead.
9. Logs you actually review
Every breach investigation I've worked included this line in the report: "logs were present but unmonitored." Collecting logs is easy. Reviewing them is hard.
At minimum: enable login logging, set up alerts for "impossible travel" (two logins on the same account from places farther apart than anyone could have travelled in the time between them), and review weekly. Microsoft 365 and Google Workspace both have this built in. Most businesses just never enable it.
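Impossible travel is simple enough to implement yourself when your IdP doesn't surface it. The block below is an added example (not code from the post, and not how Microsoft or Google implement their alert): it sorts login events per user, computes the great-circle distance between consecutive logins with the haversine formula, and raises an alert when the implied speed exceeds what a commercial flight could manage. The login events are constructed, with approximate city-centre coordinates; in practice those come from GeoIP enrichment of the source address, and a real detector also needs allow-lists for VPN egress points and known-shared IPs.

```python
import math
from datetime import datetime

# Constructed sample login events, shaped like a GeoIP-enriched IdP export.
# alice "logs in" from London and then New York 45 minutes later; bob goes
# Paris -> London over five hours, which is a perfectly normal train ride.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": "2024-03-04T08:00:00Z", "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "ts": "2024-03-04T08:45:00Z", "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob",   "ts": "2024-03-04T09:00:00Z", "ip": "192.0.2.55",   "lat": 48.8566, "lon": 2.3522},
    {"user": "bob",   "ts": "2024-03-04T14:00:00Z", "ip": "192.0.2.56",   "lat": 51.5074, "lon": -0.1278},
]

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner cruise speed; tune for your org


def parse_ts(ts: str) -> datetime:
    # fromisoformat only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def impossible_travel(logins: list, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> list:
    """Compare each user's consecutive logins and flag pairs whose implied
    speed exceeds max_speed_kmh. Returns one alert dict per offending pair."""
    by_user = {}
    for event in logins:
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(events, events[1:]):
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist == 0.0:
                continue                       # same place; identical timestamps are fine
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "from_ts": prev["ts"], "to_ts": cur["ts"],
                    "distance_km": round(dist, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {a['user']}: {a['distance_km']} km in {a['hours']} h "
              f"({a['speed_kmh']} km/h) {a['from_ip']} -> {a['to_ip']}")
```

Run weekly over the export this is a cheap first detection; the usual false positives are corporate VPN exits and mobile carriers that geolocate to a far-away head office, so keep a short allow-list and investigate the rest.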
10. A written incident response plan you've actually drilled
When you discover ransomware on your network at 3 AM, you do not want to be improvising. You want a printed binder (yes, paper: your computers may be encrypted) that tells you:
- Who to call (in order)
- Which systems to isolate (in order)
- What to preserve for forensics
- What to communicate to customers, employees, regulators
- Your cyber insurance contact + policy number
Update it twice a year. Tabletop-drill it once a year. It will pay for itself the first time you need it.
None of this is exciting. None of it requires a $200K product. All of it works.
If you'd like a security audit of your iOS app, your business network, or your dev/build pipeline, that's part of what djEnterprises consulting offers, drawing on years inside the ransomware defense industry. Book a call.
- CISA: StopRansomware guidance
- NIST: Cybersecurity Framework 2.0
- Verizon: Data Breach Investigations Report
- NSA & CISA: Top Ten Cybersecurity Misconfigurations