The Attack Nobody Saw Coming — Until It Was Too Late
It was a Tuesday morning in The Woodlands. A small accounting firm’s office manager opened an email that looked like it came from a vendor they’d worked with for years. The attachment looked like an invoice. She opened it.
By 11am, every file on the firm’s shared server was encrypted. A ransom note appeared on every screen. The firm had no tested backup. No incident response plan. No one monitoring their network. Recovery took three weeks and cost more than the ransom itself — in lost billing hours, emergency IT fees, and client trust that couldn’t be easily repaired.
This isn’t a hypothetical. Stories like this play out in Houston-area businesses every month. And the attackers aren’t targeting large enterprises — they’re targeting exactly the kind of business you run.
In 2025, small and mid-sized businesses accounted for 88% of ransomware attacks. Attackers have done the math: smaller businesses have thinner defenses, smaller IT teams, and a higher likelihood of paying quickly to get operations back online. If your business runs on computers — and it does — ransomware is a threat you need to take seriously before anything happens.
The good news: preparedness is not complicated. This 10-point checklist covers everything a small business in Houston or The Woodlands can do right now to dramatically reduce both the risk of an attack and the damage if one gets through.
Why Houston Small Businesses Are Prime Targets
Before the checklist, a word on why this matters locally.
The Houston metro area is home to one of the most diverse small business economies in the country — energy-adjacent services, legal and accounting firms, healthcare practices, construction companies, real estate offices, and thousands of professional service businesses. Many of these firms handle sensitive client data: financial records, personal information, health records, contracts.
That data has value. Ransomware groups know which sectors are in Houston and which ones are most likely to pay to keep their operations running. The combination of sensitive data, time pressure, and typically lean IT infrastructure makes Houston-area small businesses attractive targets.
Geography also matters in another way. When a hurricane or major storm event disrupts operations, businesses scrambling to restore systems are more vulnerable — distracted, stretched, and more likely to click something they shouldn’t.
The checklist below doesn’t require a cybersecurity degree. It requires 30 minutes of honest assessment.
The 10-Point Ransomware Readiness Checklist
Work through each item and answer honestly. If you’re not sure of the answer to any of them, that’s important information in itself.
1. Are your backups current — and stored somewhere separate from your main systems?
A backup that lives on the same network as your primary data will be encrypted right along with everything else in a ransomware attack. For a backup to actually save you, it needs to exist somewhere the ransomware can’t reach: an offline drive, a secure offsite location, or a cloud backup service with versioning and immutability enabled.
Ask yourself: When did your last backup run? Where is it stored? If your main network went down right now, could you restore from that backup without accessing anything on your primary network?
If the answer to any of those is “I’m not sure,” this is your highest priority.
2. Do you follow the 3-2-1 backup rule?
The 3-2-1 rule is the security industry’s minimum standard for backup resilience:
- 3 copies of your data
- 2 different storage types (e.g., local drive and cloud)
- 1 copy stored completely offsite or offline
Many small businesses have one backup — usually to a drive connected to the same server. That’s not 3-2-1. If you’re not sure whether your current backup strategy meets this standard, it’s worth a conversation with your IT provider.
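As an added example (not from the original article or from Mako Logics), the Python below checks a backup inventory against the 3-2-1 rule and against the separation requirement from item 1. The inventory entries, the field names and the 24-hour freshness limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Copy:
    name: str
    media: str           # storage type, e.g. "server-disk", "usb-drive", "cloud"
    offsite: bool        # kept outside the office
    isolated: bool       # offline or immutable: unreachable from the main network
    last_success: datetime

def check_321(copies, now, max_age=timedelta(days=1)):
    """Return findings; an empty list means the inventory meets 3-2-1."""
    findings = []
    fresh = []
    for c in copies:
        if now - c.last_success > max_age:
            findings.append(f"stale: {c.name} last succeeded {c.last_success:%Y-%m-%d}")
        else:
            fresh.append(c)
    # Only copies that ran recently count toward the rule.
    if len(fresh) < 3:
        findings.append(f"copies: {len(fresh)} current, need 3")
    if len({c.media for c in fresh}) < 2:
        findings.append("media: need 2 different storage types")
    if not any(c.offsite or c.isolated for c in fresh):
        findings.append("offsite: no current copy is offsite or offline")
    return findings

# Constructed inventories. The live data counts as the first of the three copies.
NOW = datetime(2026, 3, 3, 9, 0)
LIVE = Copy("file server", "server-disk", False, False, NOW)
USB = Copy("USB drive on the server", "usb-drive", False, False, NOW - timedelta(hours=8))
CLOUD = Copy("immutable cloud backup", "cloud", True, True, NOW - timedelta(hours=6))
OLD_CLOUD = Copy("immutable cloud backup", "cloud", True, True, NOW - timedelta(days=10))

if __name__ == "__main__":
    for label, inv in [("one attached drive", [LIVE, USB]),
                       ("with cloud copy", [LIVE, USB, CLOUD]),
                       ("cloud job failing", [LIVE, USB, OLD_CLOUD])]:
        print(label, "->", check_321(inv, NOW) or "meets 3-2-1")
```

The third inventory shows why the date of the last successful run belongs in the check: a cloud job that stopped working ten days ago leaves the business with the same exposure as having no cloud copy at all.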
3. When did you last test your restore process?
A backup you’ve never tested is a backup you can’t trust.
Many businesses discover their backups were misconfigured or incomplete only when they need them — which is the worst possible time to find out. A tested restore process means you’ve actually pulled files from your backup, confirmed they’re complete and uncorrupted, and timed how long a full recovery would take.
This should happen at least once a year for small businesses. Quarterly is better.
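One way to run the restore test described above, as an added Python example that is not part of the original article: record SHA-256 hashes of known-good data, run a restore, time it, and report files that are missing or corrupted. The `restore_fn` callable is a hypothetical stand-in for whatever restore command your backup tool provides, and the files are constructed sample data.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to its SHA-256, taken from known-good data."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_test(manifest, restore_fn, target):
    """Run restore_fn(target), time it, then compare the result with the manifest."""
    start = time.monotonic()
    restore_fn(target)
    elapsed = time.monotonic() - start
    restored = build_manifest(target)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(p for p in manifest
                            if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
        "seconds": elapsed,
    }

def demo():
    """Constructed case: the backup lost one file and truncated another."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        live, backup, target = tmp / "live", tmp / "backup", tmp / "restore"
        (live / "clients").mkdir(parents=True)
        (live / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (live / "clients/acme.txt").write_text("engagement letter")
        (live / "clients/bolt.txt").write_text("tax return draft")
        manifest = build_manifest(live)

        shutil.copytree(live, backup)
        (backup / "clients/bolt.txt").unlink()              # incomplete backup
        (backup / "ledger.csv").write_text("id,amount\n")   # truncated file

        # Hypothetical stand-in for the real backup tool's restore command.
        return restore_test(manifest, lambda dst: shutil.copytree(backup, dst), target)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the backup job cannot overwrite, so that a damaged backup cannot also supply the hashes it is checked against.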
4. Is every device running current endpoint protection?
Standard antivirus is not enough in 2026. Modern ransomware is designed to evade signature-based detection. What you need is endpoint detection and response (EDR) — software that monitors device behavior in real time, flags unusual activity (like files being rapidly encrypted), and can isolate a compromised device before the damage spreads.
Check every device your team uses, including laptops that employees take home or use remotely. A single unprotected device is a potential entry point for your entire network.
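To make "files being rapidly encrypted" concrete, here is an added Python example (not from the original article, and not the logic of any particular EDR product) that scans file-activity lines for one process renaming many files to the same new extension within a few seconds. The log format, host names, process names, the 10-second window and the threshold of 5 are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

def detect_bursts(lines, window=timedelta(seconds=10), threshold=5):
    """Flag (host, process) pairs that rename >= threshold files to one new
    extension inside the window. Returns a list of alert dicts."""
    recent = defaultdict(deque)   # (host, process) -> deque of (time, new_ext)
    alerted, alerts = set(), []
    for line in lines:
        fields = line.split()
        if len(fields) != 6 or fields[3] != "RENAME":
            continue
        ts, host, proc, _, old, new = fields
        old_ext = PureWindowsPath(old).suffix.lower()
        new_ext = PureWindowsPath(new).suffix.lower()
        if old_ext == new_ext:
            continue              # ordinary rename, extension unchanged
        when = datetime.fromisoformat(ts)
        q = recent[(host, proc)]
        q.append((when, new_ext))
        while when - q[0][0] > window:
            q.popleft()           # forget events that fell out of the window
        same = [e for _, e in q if e == new_ext]
        if len(same) >= threshold and (host, proc) not in alerted:
            alerted.add((host, proc))
            alerts.append({"host": host, "process": proc, "ext": new_ext,
                           "files": len(same), "at": ts})
    return alerts

# Constructed sample events: a scanner saving one image per minute, a single
# spreadsheet save, then six renames in six seconds from one process.
SLOW = [rf"2026-03-03T09:1{i}:00 WS-02 scanner.exe RENAME C:\Scans\img{i}.tmp C:\Scans\img{i}.jpg"
        for i in range(6)]
SAVE = [r"2026-03-03T10:41:07 WS-03 excel.exe RENAME C:\Share\~tmp41.tmp C:\Share\budget.xlsx"]
BURST = [rf"2026-03-03T10:58:0{i} WS-07 viewer.exe RENAME C:\Share\doc{i}.pdf C:\Share\doc{i}.pdf.locked"
         for i in range(1, 7)]
SAMPLE = SLOW + SAVE + BURST

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE):
        print(alert)
```

The scanner renames as many files as the burst does, but spread over minutes, so the time window is what separates normal work from the pattern worth isolating a device for.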
5. Are software and OS patches applied within 72 hours of release?
Unpatched software is one of the most common vectors for ransomware. When Microsoft, Adobe, or any other vendor releases a security patch, it’s often because a vulnerability has already been discovered and, in some cases, is already being exploited.
The window between a patch release and widespread exploitation is shrinking. Businesses that apply patches within 72 hours are dramatically less exposed than those running on a 30-day or “whenever we get to it” schedule.
Ask your IT team or provider: Is patching automated? Do you have a documented patch management process? How quickly are critical security patches applied?
6. Do your employees know how to recognize a phishing email?
Most ransomware doesn’t arrive through a technical exploit — it arrives because someone clicked a link or opened an attachment they shouldn’t have. Phishing emails in 2026 are significantly more convincing than they were five years ago. AI-generated phishing messages mimic the writing style of real vendors, colleagues, and executives with near-perfect accuracy.
Employee security awareness training doesn’t need to be lengthy or expensive. It does need to be regular. A 15-minute annual training session is not enough. Monthly brief reminders, simulated phishing tests, and a clear internal process for reporting suspicious emails make a measurable difference.
The single most important habit you can build in your team: before clicking any link or opening any attachment, pause and verify the source through a separate channel.
7. Is multi-factor authentication enabled on all business accounts?
Multi-factor authentication (MFA) means that logging into your email, your cloud storage, your accounting software, or any other business system requires more than just a password — it requires a second form of verification, like a code sent to a phone.
MFA doesn’t prevent ransomware directly, but it dramatically reduces the risk of credential theft — which is often the first step in a ransomware chain. Attackers who gain access to a business email account can use it to move laterally, reset passwords, and get deep into a system before deploying the ransomware payload.
If MFA is not enabled on Microsoft 365, Google Workspace, your VPN, your bank, and any other business-critical platform, enabling it today is the single highest-impact action on this list.
8. Do you have a written incident response plan?
An incident response plan is a document — it doesn’t need to be long — that answers the following questions before anything goes wrong:
- Who do we call first if we suspect an attack?
- What do we do immediately (isolate devices, shut down the network)?
- Who is responsible for communicating with clients and vendors?
- What is our recovery priority order?
- Do we have cyber insurance, and what does it cover?
Businesses that have even a basic written plan recover significantly faster than those that don’t. The reason is simple: when ransomware hits, the last thing you want to do is make high-stakes decisions under pressure. A plan made in advance, when you’re calm and informed, is always better than one improvised in a crisis.
9. Are vendor and third-party access permissions reviewed regularly?
Supply chain attacks — where ransomware enters through a vendor or third-party software rather than directly — are one of the fastest-growing attack vectors for small businesses. Every vendor, contractor, or software platform with access to your systems is a potential entry point.
Ask yourself: Do you know who has remote access to your network right now? When did you last review and revoke access for vendors you no longer work with? Are third-party tools and integrations running on the minimum permissions necessary to do their job?
Quarterly access reviews catch the dormant accounts and forgotten integrations that attackers love to exploit.
10. Is someone actively monitoring your network 24/7?
All nine items above are important. But none of them replaces continuous monitoring.
Ransomware attacks rarely happen all at once. Attackers often gain access to a network days or weeks before deploying the ransomware — moving quietly, escalating privileges, identifying the most valuable data, and disabling backup systems first. A business with 24/7 network monitoring has a chance to catch that activity before the payload fires. A business without it won’t know anything is wrong until files are already encrypted.
For small businesses in Houston that don’t have an internal IT team, managed IT services that include 24/7 monitoring are the practical answer. The cost of monitoring is a fraction of the cost of recovery.
Not sure how your business scores on this checklist? Mako Logics offers a free cybersecurity risk review for Houston and Woodlands-area small businesses. We’ll look honestly at your current setup and tell you exactly where you stand — no obligation, no pressure. We’ve been helping local businesses stay secure for over 20 years.
What to Do If You Suspect You’re Already Under Attack
If ransomware is actively running on your network right now, every second matters. Here’s what to do:
Step 1 — Isolate immediately. Disconnect affected machines from the network. Unplug ethernet cables. Turn off Wi-Fi on affected devices. Do not shut the machines fully off — you may preserve forensic evidence by leaving them powered on but disconnected.
Step 2 — Don’t pay the ransom yet. Payment does not guarantee you’ll get your data back. Many businesses pay and receive a partial decryption key, or nothing at all. Call your IT provider and, if you have cyber insurance, your insurance carrier before making any payment decision.
Step 3 — Call your IT provider. If you have a managed IT provider, they should have a 24/7 line. Call it now. If you don’t have one, the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov is the correct federal reporting channel and can direct you to resources.
Step 4 — Preserve evidence. Before cleaning systems, take screenshots of the ransom note. Document which systems were affected and when. This matters for insurance claims, law enforcement reports, and understanding how the attack entered.
Step 5 — Communicate carefully. Depending on the data involved, you may have legal notification obligations — to clients, to regulators, or both. Your attorney should be involved early. Don’t issue public communications until you understand the scope of the incident.
Step 6 — Begin recovery from clean backups. If your backups are clean, current, and tested, this is when they pay off. Work with your IT provider to restore from the most recent clean backup, starting with the systems your business depends on most.
The businesses that recover quickly from ransomware have two things in common: tested backups and a plan made before anything went wrong.
Frequently Asked Questions from Houston Business Owners
Should I pay the ransomware demand?
The FBI, CISA, and most cybersecurity professionals advise against paying ransoms. Payment funds criminal organizations, does not guarantee full data recovery, and marks your business as a paying target for future attacks. That said, for some businesses facing complete operational shutdown, the calculus is more complicated. Before making any decision, involve your IT provider, your cyber insurance carrier, and legal counsel.
Can ransomware infect cloud storage like OneDrive or Google Drive?
Yes. Most cloud storage platforms that sync with local devices will sync the encrypted files right along with the originals, effectively spreading the damage. The protection is versioning: OneDrive, Google Drive, and most enterprise cloud storage platforms maintain previous file versions for a period of time, allowing rollback. This only works if versioning is enabled and the retention window hasn’t expired. Ask your IT provider whether your cloud storage is configured for ransomware resilience.
How long does ransomware recovery take for a small business?
Without tested backups, recovery can take weeks to months, and data may never be fully restored. With current, tested backups and a response plan in place, most small businesses can restore core operations within 24 to 72 hours. The difference between those two outcomes is almost entirely determined by decisions made before the attack happened.
Does my business insurance cover a ransomware attack?
Standard general liability and property insurance typically does not cover ransomware. Cyber liability insurance does — but coverage varies significantly by policy. Common inclusions are ransom payment reimbursement, business interruption coverage, notification costs, and legal fees. If you don’t have a cyber liability policy, it’s worth a conversation with your insurance broker. If you do have one, read it carefully to understand what triggers coverage and what the claims process looks like.
What’s the best first step if my business has never done any of this?
Start with two things: backups and MFA. If you have current, tested, offsite backups and MFA enabled on every business account, you’ve addressed the two highest-impact vulnerabilities for most small businesses. Everything else on this checklist builds from there. And if you’d like a professional assessment of your current posture, Mako Logics offers that at no charge for businesses in the Houston area.
The Bottom Line
Ransomware is not a technology problem you can solve by buying one product or checking one box. It’s an ongoing risk that requires a layered approach — backups, access controls, employee awareness, patching, monitoring, and a plan for when something goes wrong anyway.
Most small businesses in Houston don’t have all ten items on this checklist fully addressed. That’s not a failure — it’s a starting point. The businesses that get hit hardest are the ones that never looked at the list at all.
Work through these ten items with your IT team or provider. Find the gaps. Close them in priority order. And if you’d like a local team to walk through this with you, Mako Logics has been doing exactly that for businesses across Houston and The Woodlands for over 20 years.
Mako Logics provides managed IT services and cybersecurity solutions for small businesses across Houston, The Woodlands, Conroe, Katy, Sugar Land, and the greater Houston area.