Ransomware: These 4 Best Practices Could Save you $4M
"Ransomware: These 4 Best Practices Could Save You $4M" is an Ordr whitepaper written in 2021 at the height of the ransomware surge — Colonial Pipeline, JBS, Kaseya — that puts the financial stakes in concrete terms and then walks through the four practices that Gartner analyst Brad LaPorte concluded, after hundreds of breach interviews, could prevent over 90% of ransomware attacks. It covers criminal tactics (DDoS, lateral movement, insider threats, double/triple extortion) before getting to the remediation framework.
What you'll learn
- Ransomware costs more than most organizations realize — and is massively underreported. The average ransomware attack cost $4.62M in 2021 (excluding the ransom itself), attacks were occurring every 11 seconds, and only 13% of incidents were actually being reported — meaning the real scale is likely 7x worse than public figures suggest.
- Over 90% of ransomware attacks are preventable through security fundamentals. Brad LaPorte's Gartner research found that the vast majority of breaches he analyzed were avoidable — the problem isn't sophistication, it's neglecting basics like MFA, patching, segmentation, and asset hardening.
- You need a governance plan before an incident, not during one. Ransomware escalates from issue to crisis within hours. A pre-defined RACI model covering all five phases (Prepare, Prevent, Detect, Remediate, Recover) with CEO, CISO, CIO, and board involvement is essential — because there's no time to figure out ownership mid-attack.
- Zero Trust and microsegmentation are the structural defenses that limit blast radius. Restricting access to only what's needed, enforcing MFA on privileged accounts, and segmenting devices so a compromised camera can't reach a critical manufacturing system are the controls that determine whether a breach becomes a contained incident or an organization-wide shutdown.
- What are the 4 best practices?
- (1) Focus on security fundamentals and drill often; (2) establish ransomware response governance with a RACI model before an incident; (3) maintain continuous operational readiness by identifying and closing blind spots proactively; and (4) implement Zero Trust — restricting access, enforcing MFA, and monitoring for anomalous authentication.
- Why aren't backups enough as a recovery strategy?
- Experienced attackers specifically target backup systems and often delay activation of ransomware 90+ days to ensure backup archives are also compromised. Relying on backups as the primary defense can result in a recovery that immediately fails because the golden copy is already infected.
- How are criminals escalating beyond basic ransomware?
- Through "double" and "triple" extortion — demanding one ransom to unlock systems, a second to prevent public data release, and adding DDoS attacks as additional pressure. Criminals are also using Ransomware-as-a-Service (RaaS) platforms that let less experienced actors launch sophisticated attacks using professional criminal infrastructure.
- What role does IoT play in ransomware risk?
- IoT devices are easy entry points — many lack password controls, can't be updated, and are invisible to traditional security tools. Once compromised, they become beachheads for lateral movement into critical systems, which is why agentless visibility and segmentation of IoT/OT devices is a core part of ransomware defense.
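The backup answer above hinges on dwell time: if an attacker has been dormant for 90+ days, every snapshot taken inside that window may already carry the payload, and any copy the attacker could reach online may have been encrypted or deleted. The following is an added example, not code from the whitepaper or from Ordr, that picks restore points outside an assumed 90-day dwell window and only from tiers the attacker cannot modify; the snapshot inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed dwell window, taken from the whitepaper's claim that attackers
# may delay activation 90+ days so backup archives are compromised too.
DWELL_DAYS = 90


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken: date
    tier: str             # "online" (attacker-reachable), "immutable" or "offline"
    restore_tested: bool  # has a trial restore of this snapshot been exercised?


def clean_restore_points(snapshots, detected_on, dwell_days=DWELL_DAYS):
    """Return plausible golden copies: tested ones first, then newest first.

    A snapshot is rejected if it was taken inside the dwell window (the
    attacker may already have been present, so it may hold the dormant
    payload) or if it sits on an online tier the attacker could alter.
    """
    cutoff = detected_on - timedelta(days=dwell_days)
    candidates = [s for s in snapshots
                  if s.taken < cutoff and s.tier in ("immutable", "offline")]
    return sorted(candidates, key=lambda s: (s.restore_tested, s.taken),
                  reverse=True)


def retention_covers_dwell(snapshots, detected_on, dwell_days=DWELL_DAYS):
    """True if at least one protected snapshot predates the dwell window."""
    protected = [s.taken for s in snapshots if s.tier in ("immutable", "offline")]
    if not protected:
        return False
    return min(protected) < detected_on - timedelta(days=dwell_days)


# Constructed inventory: 30 daily online snapshots plus 20 weekly immutable
# ones, with a trial restore exercised on every fourth weekly copy.
DETECTED = date(2021, 7, 1)
SAMPLE = [Snapshot(f"daily-{d}", DETECTED - timedelta(days=d), "online", False)
          for d in range(1, 31)]
SAMPLE += [Snapshot(f"weekly-{w}", DETECTED - timedelta(weeks=w), "immutable",
                    w % 4 == 0) for w in range(1, 21)]

if __name__ == "__main__":
    print("online-only retention covers dwell:", retention_covers_dwell(SAMPLE[:30], DETECTED))
    print("usable restore points:", [s.name for s in clean_restore_points(SAMPLE, DETECTED)])
```

With only the 30 days of online snapshots, no restore point survives the check, which is the "recovery immediately fails" case the whitepaper describes.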
This resource is published by ORDR, the connected asset security company. ORDR delivers AI-powered visibility, risk assessment, and automated protection for IoT, OT, and IoMT devices across healthcare, manufacturing, government, and financial environments.