Ransomware in Canada isn’t a movie plot anymore. It’s operational gravity. The National Cyber Threat Assessment 2025–2026 is blunt: ransomware remains the top cybercrime threat to Canada’s critical infrastructure, and extortion tactics are escalating. Meanwhile, the Canadian Centre for Cyber Security points out something most businesses don’t want to hear: basic cyber hygiene would prevent the vast majority of ransomware incidents.
At 010grp, we see the same pattern across Canadian SMBs: backups exist, but recovery isn’t real. So this article is a recovery-first playbook, the kind your IT team can execute, and your leadership team can actually understand.
The Backup Myth That Gets Canadian Businesses Ransomed
Myth: “Backups = we can recover.”
Reality: Backups are ingredients. Recovery is the recipe, the kitchen, and the rehearsal.
Here are the three most common ways “we have backups” collapses in the real world:
- Backups are reachable. Modern ransomware crews actively hunt backup repositories and admin consoles. If the same credentials (or same identity provider) can reach production and backup infrastructure, assume attackers will reach both.
- Backups are incomplete. You restored files, but not identity configs, SaaS data, app dependencies, certificates, DNS, encryption keys, or that one “temporary” server everyone depends on.
- No one knows the order of operations. Restoring is not “click restore.” It’s identity, network, app tiers, access, endpoints, and validations… in the correct sequence.
Quick gut-check: when was your last full restore test to a clean environment? If your honest answer is “never” or “not in the last 90 days,” you don’t have a recovery plan. You have a hope plan.
The Recovery-First Stack: What Actually Works for Canadian SMBs
This approach aligns with Canada’s Baseline Cyber Security Controls for Small and Medium Organizations — the Cyber Centre’s practical “80/20” guidance for getting real risk reduction without enterprise bloat.
It also maps cleanly to how we build cyber protection programs at 010grp: assess the risk, lock down identity, engineer resilient recovery, then add 24/7 detection so you’re not finding out on Monday morning that you were owned on Saturday night.
1) Define “recover” like a business, not an IT shop
Before you buy another tool, define two numbers for every critical system:
- RTO (Recovery Time Objective): how long can you be down before the business starts bleeding?
- RPO (Recovery Point Objective): how much data can you lose before it becomes catastrophic?
This is business continuity in plain English. If leadership can’t answer these, everything else becomes theatre. If you need a simple explainer to share internally, our article The Importance Of a Business Disaster Recovery Plan breaks down why executives should care, and why “IT will figure it out” is a trap.
Where 010grp fits: our Disaster Recovery Planning (DRP) work turns RTO/RPO into an executable plan with recovery procedures, testing, and maintenance, not a dusty PDF that dies in SharePoint.
2) Treat identity as the real perimeter (because ransomware logs in)
Ransomware doesn’t need movie-hacker magic. Most of the time, it needs one compromised identity, one neglected admin path, and one weekend. That’s why we keep hammering the same message: attackers don’t break in — they log in. Start with our internal deep dives like Privileged Access Management (PAM) and One Email. One Wire. You’re Done. (because the finance workflow is a favourite entry point).
Here’s the strategy that actually holds up under pressure:
- Enforce MFA everywhere — but don’t pretend all MFA is equal. Even CISA warns some MFA methods can be phished or fatigue-attacked and recommends phishing-resistant MFA for the accounts that matter most.
- Kill standing admin rights. Admin should be just-in-time, audited, and time-boxed. That’s the whole point of PAM: less privilege, less blast radius.
- Start the move away from passwords for high-risk users. Passkeys (FIDO2) are built to be phishing-resistant — see the FIDO Alliance passkeys overview and Microsoft’s Entra ID passkeys guidance. If you want an actionable rollout, read Stop Using Passwords: Your 30‑Day Passkey Plan.
Opinionated truth: “strong passwords” is not a modern defence. It’s a modern liability.
3) Build backups that ransomware can’t touch
We’re going to be direct: if your backups are accessible from the same network and identities as production, assume they’re compromised when the ransom note arrives.
Backups need separation and proof. CISA’s #StopRansomware Guide is clear: maintain offline, encrypted backups and regularly test restore procedures because ransomware routinely targets accessible backups.
Practical moves Canadian SMBs can actually execute:
- Separate backup admin accounts (and protect them with the strongest authentication you’ve got).
- Use immutability or an offline copy so a compromised admin can’t “clean up” your backups.
- Restore-test on a schedule, not when you’re already on fire.
- Back up SaaS data (Microsoft 365, Google Workspace, and key line-of-business platforms). “The cloud keeps it forever” is a myth — and we’ve seen it cost real money.
If you’re cloud-heavy, don’t skip our piece Your Cloud Isn’t Secure by Default (And Attackers Know It). Default settings and “someone else’s responsibility” thinking are exactly how Canadian organizations end up in incident response mode.
4) Add 24/7 detection, because ransomware loves weekends
Most hands-on intrusions escalate after hours. If nobody is watching logs at 2:00 a.m., your “mean time to detect” becomes “when staff show up and everything is broken.”
Recovery-first security still needs eyes on glass:
- Centralize logs (identity, endpoint, firewall, VPN, and cloud audit logs).
- Correlate what matters so “weird login + mass downloads + new admin” becomes one urgent story.
- Respond fast: containment in minutes beats cleanup for months.
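An added example (not 010grp’s code or tooling) of the correlation rule this list describes, run over constructed log lines: three signals (login from an unexpected country or at off hours, a mass download, a new admin role) that mean little on their own become one critical alert when they cluster on the same identity inside a 60-minute window. The log format, thresholds and expected-country list are assumptions for the demo.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from any real environment): identity and cloud
# audit logs already centralised into one stream, one "key=value" record per line.
SAMPLE_LOGS = """
2025-03-08T08:58:20Z src=identity user=jdoe action=login result=success country=CA
2025-03-08T02:13:04Z src=identity user=mlee action=login result=success country=NL
2025-03-08T02:20:11Z src=cloud user=mlee action=download files=1450
2025-03-08T02:31:50Z src=identity user=mlee action=role_assign role=GlobalAdmin target=svc-backup
2025-03-08T09:05:00Z src=identity user=jdoe action=role_assign role=GlobalAdmin target=jdoe-admin
2025-03-08T14:40:00Z src=cloud user=jdoe action=download files=40
""".strip()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
WINDOW = timedelta(minutes=60)   # signals must cluster inside this window
MASS_DOWNLOAD = 500              # files in one audit event; tune to your own baseline
EXPECTED_COUNTRIES = {"CA"}      # assumed: where staff normally sign in from
OFF_HOURS = range(0, 6)          # assumed: 00:00-05:59 (timestamps here are UTC)

def parse(lines):
    """Turn key=value log lines into dicts with a timezone-aware 'ts' field."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events

def signal(ev):
    """Map one raw event to one of the three correlated signals, or None if it is routine."""
    if ev["action"] == "login" and ev.get("result") == "success":
        if ev.get("country") not in EXPECTED_COUNTRIES or ev["ts"].hour in OFF_HOURS:
            return "weird_login"
    if ev["action"] == "download" and int(ev.get("files", 0)) >= MASS_DOWNLOAD:
        return "mass_download"
    if ev["action"] == "role_assign" and "admin" in ev.get("role", "").lower():
        return "new_admin"
    return None

def correlate(lines):
    """One alert per user whose distinct signals cluster inside WINDOW; critical first."""
    per_user = {}
    for ev in parse(lines):
        s = signal(ev)
        if s:
            per_user.setdefault(ev["user"], []).append((ev["ts"], s))
    alerts = []
    for user, sigs in per_user.items():
        sigs.sort()
        for i, (t0, _) in enumerate(sigs):
            kinds = {s for t, s in sigs[i:] if t - t0 <= WINDOW}
            if len(kinds) >= 2:   # a single signal alone is noise, not a story
                severity = "critical" if len(kinds) == 3 else "high"
                alerts.append({"user": user, "severity": severity, "signals": sorted(kinds), "start": t0.isoformat()})
                break
    return sorted(alerts, key=lambda a: a["severity"] != "critical")
```

In the sample, jdoe’s admin grant sits hours away from any other signal and stays quiet, while mlee’s three signals inside 19 minutes produce the one page-worthy alert.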
Want the tactical checklist? Read Your MFA Isn’t Enough: The 7 SIEM Moves Canadian SMBs Must Make Now and Don’t Be a Sitting Duck: Why Your Canadian Business Needs Managed SIEM Now.
This is exactly why we offer SIEM/SOC as a Service, not as “more dashboards” but as a real operating capability: monitoring, tuning, and response that doesn’t clock out at 5 p.m.
5) Write the legal + comms page now (before you need it)
In Canada, recovery isn’t only technical. If personal information may be involved, you need to know your obligations and your timeline. Under PIPEDA, organizations must assess whether a breach creates a real risk of significant harm and report/notify when required; the Office of the Privacy Commissioner lays it out in its mandatory breach reporting guidance.
Operating in Québec? Law 25 raises the bar and includes privacy governance requirements and evaluations before communicating personal information outside Québec; see the Commission d’accès à l’information’s overview of key Law 25 changes.
Translation: your incident response plan needs a clear escalation path (privacy/legal/insurer/comms) and pre-approved language. Panic is expensive, and public silence is rarely your friend.
The 90-Minute Ransomware Recovery Drill (Do This This Month)
If you do nothing else from this article, do this drill. It turns “backup confidence” into “recovery proof.”
- Pick one crown-jewel system (finance, ERP, scheduling, patient records, whatever would stop revenue).
- Assume identity compromise (an admin account is owned). Write down what you disable first: accounts, tokens, remote access, API keys.
- Restore to a clean sandbox (not over top of production). Time it.
- Validate the business workflow (can payroll run? can orders process? can staff log in?).
- Document the blockers (DNS issues, certificates, app dependencies, licensing, missing data, vendor delays).
- Turn blockers into tickets with owners and deadlines. “We learned a lot” is not a remediation plan.
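An added example (not 010grp’s code or DRP tooling) of scoring the drill above against the RTO/RPO numbers from step 1: the clock for RTO starts when the incident is declared, not when the restore begins; RPO is the age of the last good backup at that moment; a failed workflow check or a blocker without an owner and deadline is surfaced as an open ticket. The drill record is constructed placeholder data.

```python
from datetime import datetime

# Constructed drill record for one crown-jewel system (placeholder values, not a real environment).
DRILL = {
    "system": "finance-erp",
    "rto_minutes": 240,   # business-defined: up to 4 hours of downtime tolerated
    "rpo_minutes": 60,    # business-defined: up to 1 hour of data loss tolerated
    "incident_declared": "2025-03-08T08:00:00",
    "last_good_backup": "2025-03-08T06:30:00",
    "restore_started": "2025-03-08T08:10:00",
    "restore_finished": "2025-03-08T12:45:00",
    "workflow_checks": {"payroll_runs": True, "orders_process": False, "staff_login": True},
    "blockers": [
        {"issue": "internal CA certificate missing in sandbox", "owner": "infra-team", "due": "2025-03-22"},
        {"issue": "ERP licence bound to old hostname", "owner": None, "due": None},
    ],
}

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def _minutes(later, earlier):
    return (_t(later) - _t(earlier)).total_seconds() / 60

def evaluate_drill(drill):
    """Turn a timed restore test into measured RTO/RPO, pass/fail, and the tickets it leaves behind."""
    achieved_rto = _minutes(drill["restore_finished"], drill["incident_declared"])
    achieved_rpo = _minutes(drill["incident_declared"], drill["last_good_backup"])
    failed_checks = [k for k, ok in drill["workflow_checks"].items() if not ok]
    # Every failed check and every blocker becomes a ticket; a ticket is only "real" with owner + due date.
    tickets = [{"title": f"Workflow check failed: {k}", "owner": None, "due": None} for k in failed_checks]
    tickets += [{"title": b["issue"], "owner": b["owner"], "due": b["due"]} for b in drill["blockers"]]
    unowned = [t["title"] for t in tickets if not t["owner"] or not t["due"]]
    rto_met = achieved_rto <= drill["rto_minutes"]
    rpo_met = achieved_rpo <= drill["rpo_minutes"]
    return {
        "system": drill["system"],
        "achieved_rto_minutes": achieved_rto,
        "rto_met": rto_met,
        "achieved_rpo_minutes": achieved_rpo,
        "rpo_met": rpo_met,
        "workflow_validated": not failed_checks,
        "recovery_proven": rto_met and rpo_met and not failed_checks,
        "tickets": tickets,
        "unowned_tickets": unowned,
    }
```

With these placeholder numbers the restore itself took 4h35m from declaration and the newest backup was 90 minutes stale, so both targets are missed and one blocker still has no owner: that is the output leadership needs to see, not “we learned a lot.”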
Need more practical Canadian guidance to complement your drill? The federal Get Cyber Safe Guide for Small Businesses and Protect your business against ransomware are worth bookmarking for leadership-friendly steps and awareness materials.
Bottom Line
Canadian SMBs don’t lose to ransomware because attackers are geniuses. They lose because recovery is untested, identity is messy, and monitoring is dark. The fix is not one shiny product. It’s a rhythm: assess, harden, back up, monitor, drill.
And if you’re still thinking “we’re too small to be targeted,” read Think Your Business is Too Small for a Cyberattack? Think Again. That mindset is the vulnerability.
If you want help building a recovery-first security rhythm without turning your team upside down, start with a straightforward look at our cyber protection services or reach out via our contact page. A clear plan, built for Canadian realities.