The Reality of Ransomware: Lessons from the Frontlines

We deal with cybersecurity incidents regularly, and the past year has been no exception. We’ve assisted multiple organisations facing catastrophic cyber-attacks—incidents that, without rapid intervention, could have led to business closures. While we always strive for full recovery, the impact of these attacks is profound. 

One recent conversation with Joseph Ross from the Cyber Resilience Centre for the Southwest reinforced how difficult it can be to make businesses truly understand the real dangers cybercriminals pose. That’s why I wanted to share some of the key lessons we’ve learned, not just from handling attacks but also from helping businesses strengthen their defences before disaster strikes. 


Andrew Joy

As Head of Technical at Nexus, no two days are ever the same. I work closely with my colleagues across the technical department, assisting with day-to-day challenges and refining our internal processes. I also collaborate with our Projects team to ensure they have everything they need to deliver successfully. Beyond that, I engage with almost every department at Nexus, including Commercial, Marketing, Accounts, and Administration—making my role both dynamic and rewarding. Each day brings its own unique challenges, keeping things fresh and exciting. 


The Growing Threat of Cybercrime

Cyberattacks are no longer rare, nor are they only aimed at large corporations. We’ve seen a significant increase in incidents, mirroring global trends where cybercriminals, from organised gangs to state-backed hackers, are ramping up their operations.

In the last 12 months alone, we’ve dealt with multiple major ransomware attacks that would have been business-ending events without our intervention. The reality is simple: no organisation is immune.

What Happens in a Ransomware Attack?

When ransomware hits, business stops.

  • Your data is encrypted and inaccessible.
  • Your IT infrastructure — servers, storage, laptops, desktops, firewalls — becomes compromised.
  • Cloud data isn't automatically safe: file sync can carry encrypted or malicious files into cloud storage, and a compromised account gives the attacker the same access you have.
  • You may have been compromised for weeks or months before noticing, making it difficult to find a clean backup.

For business leaders, the stress of a cyber-attack is overwhelming. One business owner I spoke with during an attack asked me, “Do I still have a business?”

At the start of the day, I feared the answer was no. By midday, I still didn’t know. That’s the brutal reality of ransomware.

It was a devastating moment. This business employed over 50 people, and if it collapsed, the impact would have rippled through their employees, customers, and community. The stakes weren't just financial; they were personal.

The emotional toll of an attack can be life-changing. Some business owners never fully recover from the stress, and for many, it fundamentally alters who they are. Cybercrime isn't just about data; it's about livelihoods.

What to Expect if You’re Hit

1. It’s Your Incident – You Make the Decisions

Nexus will provide expert guidance, but ultimately, the key decisions are yours.

2. Insurance Matters – But It’s Not a Quick Fix

Contact your insurer immediately. Understand what’s covered, what isn’t, and what excess applies. Be prepared: recovery is expensive, not just in IT costs but also in lost business and reputation damage.

3. Backups Are Your Lifeline

Where are your backups stored? Are they viable? Without them, data recovery may be impossible. But even if you have backups, how far back do you need to go to find a ‘clean’ one?

4. Recovery is More Than Restoring Data

Rebuilding your infrastructure takes time. You may need to:

  • Wipe and rebuild every desktop, laptop, and server.
  • Restore your line-of-business tools and deal with data loss since your last good backup.
  • Analyse your environment to find out how the attackers got in.
  • Close security gaps—was it an open firewall port? A misconfigured VPN? A phishing email? If you don’t know, everything needs checking.

Forensic analysis of your environment may tell you how the attackers got in, in which case you can close that specific gap. If it doesn't, you have to treat every device and its configuration as suspect and review them all.

All the while, the world keeps turning, but your operations and revenue are likely on full hold. Your reputation and cash-flow take an immediate hit.

5. Security Tools Alone Won’t Save You – Configuration Matters

If security tools alone were enough, the attack wouldn't have succeeded. Having security solutions in place isn't a silver bullet; how they are configured matters. Poor setup can leave critical gaps that make a successful attack far more likely. A firewall might be in place, but if its management interface is reachable from the internet with a default or commonly known username and password, it's as good as open. Ask yourself these questions:

  • Do you have Extended Detection and Response (XDR)?
  • Do you use Security Operations Centre (SOC) monitoring?
  • Are your security tools deployed and configured correctly?
  • When was the last time your cybersecurity solution was updated?

One company we helped had an expensive system in place but hadn’t installed security patches for four years, some of which were critical and mandatory.

Misconfigured security is no security at all. Are you confident yours is set up correctly?
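The checks below turn this section's two anecdotes (a firewall exposed to the internet with factory credentials, and a security product left unpatched for four years) into an audit a practitioner can run against an exported configuration. This is an added example, not Nexus's tooling or any vendor's API: the configuration dicts, field names and the 90-day firmware threshold are constructed for the illustration, and real appliances export different schemas. The weak configuration fails every check; the hardened one beside it passes, and the rule scoped to a known partner range is deliberately left alone because it is a different, lesser risk.

```python
from datetime import date

# Inbound services that should never be allowed from "any" source on the WAN.
# Constructed list for the example; extend it to match your own policy.
LEGACY_PORTS = {21: "ftp", 23: "telnet", 135: "msrpc", 139: "netbios", 445: "smb", 3389: "rdp"}
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}
MAX_FIRMWARE_AGE_DAYS = 90  # assumption: the threshold your patching policy sets


def audit(cfg: dict, today: date) -> list:
    """Return a list of findings for a constructed appliance config; [] means it passed."""
    findings = []
    mgmt = cfg["management"]
    if mgmt["wan_access"]:
        findings.append("management interface reachable from the WAN")
    if mgmt["admin_user"].lower() in DEFAULT_ADMIN_NAMES and not mgmt["password_changed"]:
        findings.append("default admin account still using its factory password")
    if not mgmt["mfa"]:
        findings.append("no MFA on the management login")
    age = (today - cfg["firmware_date"]).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware is {age} days old (policy limit {MAX_FIRMWARE_AGE_DAYS})")
    for rule in cfg["inbound_rules"]:
        # Only "allow from any" rules are flagged; a rule scoped to a known partner
        # range is a different (lesser) risk and is left for a separate review.
        if rule["action"] != "allow" or rule["source"] != "any":
            continue
        for port in rule["ports"]:
            if port in LEGACY_PORTS:
                findings.append(f"rule '{rule['name']}' exposes {LEGACY_PORTS[port]}/{port} to any source")
    return findings


TODAY = date(2025, 3, 1)  # fixed so the example is reproducible

# Constructed example of the kind of config behind the incidents described above.
WEAK_CONFIG = {
    "management": {"wan_access": True, "admin_user": "admin", "password_changed": False, "mfa": False},
    "firmware_date": date(2021, 3, 1),  # roughly four years without patches
    "inbound_rules": [
        {"name": "legacy-rdp", "action": "allow", "source": "any", "ports": [3389]},
        {"name": "web", "action": "allow", "source": "any", "ports": [443]},
        {"name": "branch-smb", "action": "allow", "source": "203.0.113.0/24", "ports": [445]},
    ],
}

# The same appliance after remediation: management on the LAN only, a renamed admin
# account with a changed password and MFA, current firmware, and RDP moved behind the VPN.
HARDENED_CONFIG = {
    "management": {"wan_access": False, "admin_user": "fw-breakglass", "password_changed": True, "mfa": True},
    "firmware_date": date(2025, 2, 10),
    "inbound_rules": [
        {"name": "web", "action": "allow", "source": "any", "ports": [443]},
        {"name": "branch-smb", "action": "allow", "source": "203.0.113.0/24", "ports": [445]},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg, TODAY)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run against a real export, the useful part is not the pass/fail but the list: each finding is a concrete configuration change to make before the next attacker finds it for you.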

6. If a Breach Happens, You Must Report It

A personal data breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the regulator (in the UK, the ICO) without undue delay and within 72 hours of becoming aware of it. That risk includes:

  • Financial loss (e.g., identity theft, fraud).
  • Discrimination or reputational damage.
  • Loss of confidentiality (e.g. personal details exposed).
  • Other significant harm to individuals.

If the breach does not pose a risk to individuals’ rights, you do not have to report it, but you must document it internally.

Ask yourself:

  • Can you quickly determine what data has been exposed?
  • Do you have an incident response plan in place?
  • Are you prepared to assess whether a breach meets reporting thresholds?

1. Structured Communication is Crucial

2. Insurance-Appointed IT Can Delay Recovery

It's important to involve your insurer as soon as possible, but knowing in advance that these conversations about who leads the recovery may happen can ease the situation.

3. Document Everything

Take screenshots of ransom notes, log key actions, and maintain detailed records. This helps with insurance claims and legal processes.
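Records are only useful to an insurer or a court if nobody can quietly rewrite them afterwards. One way to make an incident log tamper-evident, written here as an added example and not as Nexus's own process, is to chain the entries: each entry stores the SHA-256 of the entry before it, and each attached screenshot or file is hashed so it can later be shown to be the file the entry refers to. The timeline, hostnames and file bytes below are constructed; any edit to an earlier entry breaks the chain and is caught by the verify step.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


class IncidentLog:
    """Append-only record of incident actions. Each entry carries the hash of the one
    before it, so a later edit, deletion or reordering breaks the chain and is detectable."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, evidence: Optional[bytes] = None,
               at: Optional[datetime] = None) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "time": (at or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            # Hash of the attached file (screenshot, ransom note, log export) so the
            # file handed over later can be matched to this entry.
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence is not None else None,
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """Recompute every hash and link; False means something was altered after the fact."""
        prev_hash = self.GENESIS
        for seq, entry in enumerate(self.entries, start=1):
            if entry["seq"] != seq or entry["prev_hash"] != prev_hash or entry["hash"] != self._digest(entry):
                return False
            prev_hash = entry["hash"]
        return True


def build_sample_log() -> IncidentLog:
    """Constructed timeline for the example (not a real incident; FS01 is a made-up host)."""
    log = IncidentLog()
    log.record("it-lead", "Ransom note found on FS01; screenshot attached",
               evidence=b"<constructed screenshot bytes>",
               at=datetime(2025, 3, 3, 6, 40, tzinfo=timezone.utc))
    log.record("it-lead", "Isolated FS01 and disabled the WAN interface on the firewall",
               at=datetime(2025, 3, 3, 6, 52, tzinfo=timezone.utc))
    log.record("owner", "Insurer notified by phone; claim reference pending",
               at=datetime(2025, 3, 3, 7, 30, tzinfo=timezone.utc))
    return log


def tampered_copy(log: IncidentLog) -> IncidentLog:
    """Simulate someone rewriting what was done at step 2 after the event."""
    copy = IncidentLog()
    copy.entries = [dict(e) for e in log.entries]
    copy.entries[1]["action"] = "Isolated FS01 (firewall left as it was)"
    return copy


if __name__ == "__main__":
    original = build_sample_log()
    print("original chain intact:", original.verify())
    print("tampered chain intact:", tampered_copy(original).verify())
```

Keep the log somewhere the attacker cannot reach (a personal device or paper backed by a printed copy of the final hash is enough), and write entries as things happen rather than reconstructing them afterwards; the chain proves order and integrity, not that the first entry was made at the time claimed.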


How to Protect Your Business Before an Attack

Prevention is always better than cure. The following list is nowhere near comprehensive and assumes that you already have the basics, such as Multi-Factor Authentication (MFA), in place and enforced. However, as a starting point you and your IT team should:

1. Review Your Security Solutions

  • Traditional antivirus is no longer enough—invest in EDR/XDR solutions.
  • Conduct regular phishing simulations to train staff.

At Nexus we send simulated phishing emails to our customers' staff, not to catch them out but to help them understand what they can and, more importantly, can't trust. Many attacks start with someone clicking a link they shouldn't, and the damage cascades from there.

2. Lock Down Your IT Environment

  • Configure Microsoft 365 Conditional Access to block suspicious and out-of-area sign-ins.
  • Restrict remote access: is access into your network from outside tightly controlled and limited to the people who need it?
  • Ensure firewalls are configured correctly: are legacy ports (RDP, SMB, telnet) still open to the internet?
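Conditional Access enforces a location policy at sign-in time; the same logic run over exported sign-in logs shows what such a policy would have blocked and whether a compromised account has already been used from abroad. The script below is an added example and not Microsoft's or Nexus's code: the records are a constructed sample loosely shaped like Entra ID sign-in log entries (not real data), and the allowed-country set and two-hour travel window are assumptions to tune for your own workforce. It flags every sign-in from outside the allowed countries, successful or not, and separately flags a user who signs in successfully from two countries within the window.

```python
import json
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"GB"}          # assumption: a UK-only workforce with no travel expected
TRAVEL_WINDOW = timedelta(hours=2)  # assumption: two countries inside this window is not plausible travel
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample, loosely shaped like Entra ID sign-in log records (not real data).
SAMPLE_LOG = """\
{"userPrincipalName": "alice@example.com", "createdDateTime": "2025-03-03T08:02:11Z", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "createdDateTime": "2025-03-03T09:15:40Z", "ipAddress": "203.0.113.55", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "createdDateTime": "2025-03-03T09:20:00Z", "ipAddress": "192.0.2.99", "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 50126}}
{"userPrincipalName": "carol@example.com", "createdDateTime": "2025-03-03T10:00:00Z", "ipAddress": "198.51.100.8", "location": {"countryOrRegion": "GB"}, "status": {"errorCode": 0}}
"""


def parse_signins(text: str) -> list:
    """One JSON object per line -> list of flat event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "user": rec["userPrincipalName"],
            "time": datetime.strptime(rec["createdDateTime"], TIME_FMT),
            "ip": rec["ipAddress"],
            "country": rec["location"]["countryOrRegion"],
            "success": rec["status"]["errorCode"] == 0,  # 0 = sign-in succeeded
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events: list) -> list:
    """Flag out-of-area sign-ins, and impossible travel between successive successful sign-ins."""
    alerts = []
    last_success = {}  # user -> most recent successful sign-in seen so far
    for e in events:
        if e["country"] not in ALLOWED_COUNTRIES:
            outcome = "succeeded" if e["success"] else "failed"
            alerts.append(f"{e['user']}: out-of-area sign-in from {e['country']} ({e['ip']}) {outcome}")
        if not e["success"]:
            continue  # a failed attempt says nothing about where the user actually was
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] <= TRAVEL_WINDOW:
            minutes = int((e["time"] - prev["time"]).total_seconds() // 60)
            alerts.append(f"{e['user']}: {prev['country']} then {e['country']} within {minutes} minutes")
        last_success[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_signins(SAMPLE_LOG)):
        print(alert)
```

A failed out-of-area attempt is still worth seeing: it usually means a password is already known to someone and MFA or Conditional Access is all that stood in the way, and the successful one from the same country would otherwise be the first sign of a takeover.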

3. Eliminate Local Admin Access

A single click on a malicious link shouldn't give attackers free rein over your system. Day-to-day accounts should be standard users, with admin rights granted only when needed: if the account that clicks has local admin, so does the malware.

4. Keep Everything Patched & Updated

Keeping your environment patched isn't just about Windows updates on PCs and servers; firewalls, switches and other hardware need their firmware updated as well.

  • Ensure servers, firewalls, and security tools are up to date.
  • Plan for Windows 10 end-of-life in October 2025—unsupported systems are a huge risk.

5. Test Your Backups—Don’t Just Assume They Work

In a ransomware attack, one of the first things the attackers go after is your backups, so that paying looks like the only way back. So, ask yourself:

  • Are my backups air-gapped, encrypted and immutable?
  • Have I tested a full disaster recovery (DR) scenario?
  • Would an attacker be able to delete my backups?
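Two of those questions, whether an attacker could delete your backups and how far back you must go for a clean one, can be answered from the backup catalog itself. The script below is an added example rather than Nexus tooling or any backup vendor's API; the catalog, dates and retention-lock fields are constructed. It treats a backup as surviving an attacker with admin credentials only while its retention lock is unexpired, then picks the most recent surviving backup taken before the earliest sign of compromise, preferring a copy whose restore has actually been tested, and reports how much data has been written since. When no locked pre-compromise copy exists it returns None, which is the situation the questions above are meant to prevent.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Backup:
    backup_id: str
    taken: datetime
    location: str                        # e.g. on-site NAS, or object storage with a retention lock
    immutable_until: Optional[datetime]  # None = no lock, so an admin (or attacker) can delete it
    restore_tested: bool                 # has a full restore from this copy actually been exercised?


def survives_attacker(b: Backup, now: datetime) -> bool:
    """An attacker holding admin credentials can delete anything not under an unexpired lock."""
    return b.immutable_until is not None and b.immutable_until > now


def deletable_by_attacker(catalog: list, now: datetime) -> list:
    return [b.backup_id for b in catalog if not survives_attacker(b, now)]


def choose_restore_point(catalog: list, first_compromise: datetime, now: datetime) -> Optional[Backup]:
    """Most recent backup that predates the earliest sign of compromise and could not have been
    deleted. Restore-tested copies are preferred over untested ones. None = no clean copy exists."""
    candidates = [b for b in catalog if b.taken < first_compromise and survives_attacker(b, now)]
    if not candidates:
        return None
    candidates.sort(key=lambda b: (b.restore_tested, b.taken), reverse=True)
    return candidates[0]


def data_loss_window(b: Backup, now: datetime) -> timedelta:
    """Everything written since this backup must be re-keyed or is lost."""
    return now - b.taken


NOW = datetime(2025, 3, 3, 9, 0)
FIRST_COMPROMISE = datetime(2025, 2, 20)   # earliest attacker activity found by forensics
EARLY_COMPROMISE = datetime(2025, 2, 5)    # the same incident if the dwell time were longer

# Constructed catalog: a nightly NAS copy with no lock, 30-day locked object-storage copies,
# and one locked copy whose lock has already expired.
CATALOG = [
    Backup("b1", datetime(2025, 2, 19, 2, 0), "nas", None, True),
    Backup("b2", datetime(2025, 2, 19, 3, 0), "object-lock", datetime(2025, 3, 21), True),
    Backup("b3", datetime(2025, 2, 26, 3, 0), "object-lock", datetime(2025, 3, 28), True),
    Backup("b4", datetime(2025, 2, 12, 3, 0), "object-lock", datetime(2025, 3, 14), False),
    Backup("b5", datetime(2025, 1, 20, 3, 0), "object-lock", datetime(2025, 2, 19), True),
]

if __name__ == "__main__":
    print("attacker could delete:", deletable_by_attacker(CATALOG, NOW))
    for label, compromise in (("forensic date", FIRST_COMPROMISE), ("longer dwell", EARLY_COMPROMISE)):
        best = choose_restore_point(CATALOG, compromise, NOW)
        if best is None:
            print(f"{label}: no clean, protected backup exists")
        else:
            print(f"{label}: restore from {best.backup_id} ({best.taken:%Y-%m-%d}); "
                  f"data loss window {data_loss_window(best, NOW).days} days")
```

The second scenario is the one to test your retention against before an incident: if the attackers had been inside for a few weeks longer, the only copies older than the compromise would be the unlocked NAS copy and a backup whose lock had already lapsed, and both would be gone.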

6. Check Your Insurance Coverage

Cyber insurance can be a safety net, but only if you meet the policy’s security requirements. Insurers are becoming stricter, and failing to comply with specific conditions could mean your claim is denied.

One of our clients had a policy requiring every site to have a Next-Gen Firewall. They met this requirement—but many businesses wouldn’t.

Common policy requirements include:

  • Multi-Factor Authentication (MFA) on all critical systems
  • Regular patching and software updates
  • Endpoint Detection & Response (EDR) solutions
  • Security awareness training for employees
  • Encrypted backups stored offsite

Failing to comply, even unknowingly, could leave you without financial protection after an attack. Have you reviewed your policy’s fine print? Are you meeting your insurer’s security conditions?

