
How Cyber Essentials Plus Protects Against Ransomware

Ransomware has become the single most destructive cyber threat facing UK businesses. These attacks encrypt an organisation's files and demand payment — often in cryptocurrency — for the decryption key. The damage goes far beyond the ransom itself: business downtime, data loss, regulatory penalties, and reputational harm can be catastrophic. Cyber Essentials Plus provides a verified defence framework that directly addresses the most common ransomware attack vectors, significantly reducing your organisation's risk.

This guide explains how each of the five CE+ technical controls helps protect against ransomware, backed by real-world evidence of their effectiveness.

The UK Government's own Cyber Breaches Survey consistently reports that ransomware is among the top concerns for British businesses of all sizes. What makes ransomware particularly dangerous is its indiscriminate nature: attackers do not solely target large enterprises. Small and medium-sized businesses are increasingly in the crosshairs precisely because they tend to have weaker defences and fewer resources to recover. A growing number of ransomware gangs now operate on a “big game hunting” model alongside opportunistic spray-and-pray campaigns, meaning no organisation is too small to be targeted. Cyber Essentials Plus addresses this reality by establishing a baseline of technical controls that block the most common attack pathways used by ransomware operators.

The Ransomware Crisis in Numbers

  • 85% increase in ransomware attacks on UK businesses since 2022
  • £1.6M average total cost of a ransomware attack for a UK SME
  • 21 days average business downtime following a ransomware incident
  • 92% of ransomware attacks use vectors addressed by CE+ controls

The NCSC has consistently stated that Cyber Essentials controls, when properly implemented, protect against the vast majority of common cyber attacks — and ransomware is no exception. The scheme was specifically designed to address the techniques that attackers use most frequently.

How Ransomware Gets In

Understanding how ransomware enters an organisation is the key to understanding how CE+ stops it. The most common attack vectors are:

Attack Vector | % of Ransomware Attacks | CE+ Control That Blocks It
Phishing emails with malicious attachments | 45% | Malware Protection + Secure Configuration
Exploiting unpatched vulnerabilities | 25% | Patch Management + Firewalls
Compromised credentials (stolen passwords) | 20% | User Access Control (MFA)
Exposed RDP or remote access services | 10% | Firewalls + User Access Control

Every single major ransomware attack vector is addressed by one or more of the five Cyber Essentials Plus controls. Let us examine each control in detail.

Control 1: Firewalls — Blocking the Entry Points

Firewalls are your first line of defence against ransomware. They control what traffic can enter and leave your network, preventing attackers from reaching vulnerable systems.

How firewalls protect against ransomware:

  • Block unauthorised inbound connections that attackers use to reach exposed services
  • Prevent RDP exposure — exposed Remote Desktop Protocol is a favourite entry point for ransomware gangs
  • Restrict outbound traffic to prevent ransomware from communicating with command-and-control servers
  • Network segmentation limits the spread of ransomware if it does get in

For UK businesses, the firewall requirements under CE+ are particularly relevant given the increase in remote and hybrid working since the pandemic. Many organisations now have employees connecting from home networks, using personal routers that may not be configured securely. CE+ requires that all devices in scope, including those used remotely, have properly configured firewalls — whether hardware-based at the network perimeter or software-based on individual devices. This is especially important for blocking the RDP attacks that account for approximately 10% of all ransomware incidents.

Real-World Example: In many high-profile ransomware attacks, including those by the Conti and LockBit groups, the initial entry point was an exposed RDP service on the internet. A properly configured firewall blocking direct RDP access would have prevented these attacks entirely.

Pro Tip

Conduct a regular port scan audit of your external IP addresses to identify any services exposed to the internet that should not be. Many UK businesses unknowingly have RDP, SMB, or other high-risk services accessible from the outside. Tools such as Nmap or online services like Shodan can help you identify these exposures before an attacker does.
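The external scan shows what the internet can reach; the complementary check is what each device's own firewall allows in. The script below is an added example, not from the original article: it lists enabled inbound Allow rules on a Windows device that open the high-risk ports named above (RDP 3389, SMB 445) using the built-in NetSecurity cmdlets. The port list and the "High"/"Review" labels are this example's choices.

```powershell
# Added example, not from the original article: audit the local Windows Firewall for
# enabled inbound Allow rules that open the high-risk ports named in the article (RDP 3389,
# SMB 445). Uses the built-in NetSecurity cmdlets; run in an elevated session on each
# in-scope device. Port list and the 'High'/'Review' labels are this example's choices.

$HighRiskPorts = @{
    '3389' = 'RDP (Remote Desktop)'
    '445'  = 'SMB (file sharing)'
}

function Test-PortMatch {
    # $Spec is one LocalPort entry: a port ('3389'), a range ('3380-3400') or 'Any'.
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any' -or $Spec -eq "$Port") { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ([int]$Matches[1] -le $Port) -and ($Port -le [int]$Matches[2])
    }
    return $false
}

function Get-ExposedInboundRule {
    # Lists enabled inbound Allow rules that reach a high-risk TCP port. A rule bound to
    # the Public profile (or Any) and open to any remote address is the worst case: that
    # profile is active on untrusted networks such as home broadband or public Wi-Fi.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction Stop
    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -notin 'TCP', 'Any') { continue }
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $openToAll  = @($addrFilter.RemoteAddress) -contains 'Any'
        foreach ($port in $HighRiskPorts.Keys) {
            $matched = @($portFilter.LocalPort) | Where-Object { Test-PortMatch -Spec $_ -Port ([int]$port) }
            if (-not $matched) { continue }
            $risk = if (($rule.Profile -match 'Public|Any') -and $openToAll) { 'High' } else { 'Review' }
            [pscustomobject]@{
                RuleName      = $rule.DisplayName
                Port          = $port
                Service       = $HighRiskPorts[$port]
                Profile       = "$($rule.Profile)"              # Domain, Private, Public or Any
                RemoteAddress = (@($addrFilter.RemoteAddress) -join ',')
                Risk          = $risk
            }
        }
    }
}

# Anything rated High here should be disabled or scoped to the VPN/management subnet.
Get-ExposedInboundRule | Sort-Object Risk, Port | Format-Table -AutoSize
```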

Control 2: Secure Configuration — Reducing the Attack Surface

Secure configuration reduces the number of ways ransomware can gain a foothold on your systems. By removing unnecessary software, disabling unneeded services, and configuring systems securely, you eliminate the opportunities that attackers exploit.

Key secure configuration measures against ransomware:

  • Disabling auto-run prevents malware from executing automatically from USB drives or downloads
  • Removing unnecessary software eliminates potential vulnerabilities
  • Disabling macro execution by default in Office applications blocks a major ransomware delivery mechanism
  • Removing admin privileges from standard users prevents ransomware from gaining elevated access

85% of ransomware requires admin privileges to encrypt files system-wide

Removing administrative privileges from standard user accounts is one of the most effective defences against ransomware. Without admin rights, ransomware can only encrypt files the user has direct access to: it cannot install itself system-wide, modify system files, or spread across the network.

Another critical secure configuration measure is disabling Microsoft Office macros by default. A substantial proportion of ransomware arrives via phishing emails containing Word or Excel attachments with embedded malicious macros. When a user opens the document and enables macros, the code executes and downloads the ransomware payload. By configuring Office to block macros from the internet by default (a setting available via Group Policy), you eliminate this entire attack vector without affecting legitimate business documents. This single configuration change has been credited with preventing thousands of ransomware infections across UK organisations.
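The Group Policy setting described above is stored per Office application in the user's policy registry hive, which makes it straightforward to verify. The script below is an added example, not from the original article: it reports, for Word, Excel and PowerPoint, whether the "block macros from the Internet" policy value is set, and includes a helper for standalone (non-domain) devices. The 16.0 policy key applies to Office 2016 onwards, including Microsoft 365 Apps.

```powershell
# Added example, not from the original article: report whether the Group Policy setting
# "Block macros from running in Office files from the Internet" is in force for the current
# user. Office stores it per application under the 16.0 policy key (Office 2016 onwards,
# including Microsoft 365 Apps) as blockcontentexecutionfrominternet = 1. Run as the user
# being audited. The Set- function is for standalone devices only: on a domain-joined
# device Group Policy overwrites this key on refresh, so set the value in the GPO instead.

$OfficeApps = 'Word', 'Excel', 'PowerPoint'

function Get-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0')
    foreach ($app in $OfficeApps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $block = $props.blockcontentexecutionfrominternet
        # VBAWarnings is the general macro setting from the same policy area:
        # 1 = enable all, 2 = disable with notification, 3 = signed macros only, 4 = disable all
        $vba     = $props.VBAWarnings
        $vbaText = if ($null -eq $vba) { 'not set by policy' } else { "$vba" }
        [pscustomobject]@{
            Application           = $app
            InternetMacrosBlocked = ($block -eq 1)
            VBAWarnings           = $vbaText
            # Compliant = internet files blocked and "enable all macros" not forced on.
            Compliant             = ($block -eq 1) -and ($vba -ne 1)
        }
    }
}

function Set-OfficeInternetMacroBlock {
    # Standalone devices only; writes the same value Group Policy would deliver.
    param([string]$OfficeVersion = '16.0')
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```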

With CE+ Controls in Place

Multi-layered ransomware defence:

  • Phishing attachments blocked by anti-malware
  • Macros disabled by default for internet files
  • RDP access restricted and firewalled
  • MFA blocking credential theft attacks
  • Critical patches applied within 14 days
  • Admin privileges removed from standard users
  • Network segmentation limits lateral movement

Without CE+ Controls

Exposed to common ransomware vectors

Control 3: User Access Control — Stopping Credential Theft

Ransomware gangs increasingly use stolen credentials to gain initial access to networks. They purchase leaked passwords from dark web marketplaces, use brute-force attacks, or steal credentials through phishing. MFA and proper access control make this dramatically harder.

Without Access Controls

  • Stolen password = immediate access
  • Admin accounts used for daily work
  • No MFA means single point of failure
  • Shared accounts hide the attacker's trail
  • Excessive permissions = wider blast radius

With CE+ Access Controls

  • MFA blocks 99.9% of credential attacks
  • Separate admin accounts limit damage
  • Least privilege restricts ransomware spread
  • Individual accounts provide audit trail
  • Limited permissions = contained impact

The importance of multi-factor authentication in preventing ransomware cannot be overstated. Microsoft has reported that MFA blocks more than 99.9% of account compromise attacks. For UK organisations, this is particularly relevant given that compromised credentials account for approximately 20% of all ransomware incidents. The CE+ requirement for MFA on all cloud services and remote access points directly addresses this vector. Even if an attacker obtains a valid username and password through phishing or a data breach, MFA prevents them from using those credentials to gain access to your systems.

Pro Tip

Implement phishing-resistant MFA such as FIDO2 security keys or Windows Hello for Business wherever possible. Traditional SMS or app-based MFA, while significantly better than no MFA, can still be bypassed by sophisticated attackers using real-time phishing proxies. Hardware-based authentication provides the strongest protection against credential theft and is increasingly recommended by the NCSC for high-value accounts.

Control 4: Malware Protection — The Direct Defence

Anti-malware software is the most direct defence against ransomware. Modern endpoint protection solutions use a combination of signature-based detection, behavioural analysis, and machine learning to identify and block ransomware before it can execute.

CE+ requires that all devices have active, up-to-date malware protection. This means:

  • Anti-malware software is installed on every device
  • Real-time scanning is enabled
  • Definitions are updated at least daily
  • Users cannot disable the protection

Key Point: Modern endpoint protection does far more than traditional antivirus. Solutions like Microsoft Defender for Business, CrowdStrike, and SentinelOne use behavioural analysis to detect ransomware based on its actions (e.g., rapidly encrypting files) even if the specific ransomware variant has never been seen before.

The evolution of anti-malware technology has been a critical factor in the fight against ransomware. Legacy signature-based antivirus solutions could only detect known threats, meaning a new ransomware variant could evade detection until a signature was created. Modern endpoint detection and response (EDR) solutions analyse the behaviour of running processes in real time. If a process begins rapidly encrypting files, modifying file extensions, or attempting to delete shadow copies (a common ransomware tactic to prevent recovery), the EDR tool will flag and block the behaviour regardless of whether it recognises the specific malware. For UK businesses seeking CE+ certification, ensuring that your anti-malware solution includes behavioural analysis capabilities significantly strengthens your ransomware defences beyond the minimum certification requirements.
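To make the behavioural approach concrete, the script below is an added example, not from the original article or any vendor's product: a simplified version of the check an EDR performs, run over constructed file-rename telemetry. It flags any process that changes the extension of many files within a short window, the pattern that mass encryption produces, while a user saving a handful of documents passes. The window and threshold values are this example's choices.

```powershell
# Added example, not from the original article: a simplified version of the behavioural
# check described above. It scans file-rename telemetry and flags any process that changes
# the extension of many files within a short window, the pattern mass encryption produces.
# The telemetry below is constructed for the example; a real deployment would read it from
# an EDR or Sysmon file-event log. Window and threshold values are this example's choices.

$WindowSeconds = 10   # renames must cluster inside this many seconds
$MinRenames    = 20   # extension-changing renames needed to raise an alert

$Start  = Get-Date '2025-01-01 09:00:00'
$Events = @(
    # Normal activity: Word finalising a few saves (.tmp -> .docx), spread over minutes.
    foreach ($i in 1..5) {
        [pscustomobject]@{ Time = $Start.AddSeconds($i * 30); Process = 'WINWORD.EXE'; ProcessId = 4120
            OldPath = "C:\Users\alice\Docs\report$i.tmp"; NewPath = "C:\Users\alice\Docs\report$i.docx" }
    }
    # Suspicious activity: an unknown process renaming 40 mixed files to one new extension in 4 seconds.
    foreach ($i in 1..40) {
        $ext = @('.docx', '.xlsx', '.pdf', '.jpg')[$i % 4]
        [pscustomobject]@{ Time = $Start.AddMilliseconds($i * 100); Process = 'update.exe'; ProcessId = 9911
            OldPath = "C:\Users\alice\Docs\file$i$ext"; NewPath = "C:\Users\alice\Docs\file$i$ext.locked" }
    }
)

function Find-EncryptionBurst {
    param([object[]]$Telemetry, [int]$Window = $WindowSeconds, [int]$Threshold = $MinRenames)
    # Keep only renames that change the extension, then look per process for a burst.
    $changed = $Telemetry | Where-Object {
        [IO.Path]::GetExtension($_.OldPath) -ne [IO.Path]::GetExtension($_.NewPath)
    }
    foreach ($group in ($changed | Group-Object Process, ProcessId)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        for ($i = 0; $i -lt $times.Count; $i++) {
            # Sliding window: count renames from this event to $Window seconds later.
            $end   = $times[$i].AddSeconds($Window)
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $end }).Count
            if ($count -ge $Threshold) {
                $newExts = $group.Group | ForEach-Object { [IO.Path]::GetExtension($_.NewPath) } | Sort-Object -Unique
                [pscustomobject]@{
                    Process         = $group.Group[0].Process
                    ProcessId       = $group.Group[0].ProcessId
                    RenamesInWindow = $count
                    WindowStart     = $times[$i]
                    NewExtensions   = ($newExts -join ',')   # one new extension across many file types is typical
                }
                break   # one alert per process is enough
            }
        }
    }
}

Find-EncryptionBurst -Telemetry $Events | Format-Table -AutoSize
```

With the sample data only update.exe (PID 9911, 40 renames to .locked) is reported; the five Word saves change an extension too but never cluster above the threshold.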

Control 5: Patch Management — Closing the Vulnerabilities

Many of the most devastating ransomware attacks exploited known vulnerabilities for which patches were already available. WannaCry exploited a Windows SMB vulnerability (EternalBlue) that Microsoft had patched two months before the attack. Organisations that had applied the patch were unaffected.

CE+ requires all security patches rated high or critical to be applied within 14 days. This directly prevents ransomware that exploits known vulnerabilities.

  • WannaCry (2017): exploited MS17-010; patch available 60 days prior
  • NotPetya (2017): exploited the same vulnerability; patch available 90 days prior
  • MOVEit (2023): zero-day SQL injection; patch released within days

The WannaCry attack in 2017 remains the most striking example of why patching matters. It affected over 200,000 computers across 150 countries, including the NHS in the UK, where it caused widespread disruption to patient care. The vulnerability it exploited had been patched by Microsoft two months earlier. Every organisation that had applied the patch was unaffected. This single case demonstrates the enormous protective value of the CE+ patching requirement: had every NHS trust been compliant with the 14-day patching window, the attack would have had virtually no impact on the health service.

Ransomware Defence Effectiveness Scorecard

The following scorecard shows how effectively each CE+ control contributes to ransomware defence across different attack stages. These scores are based on analysis of real-world ransomware incidents affecting UK organisations and the degree to which each control mitigates the relevant attack techniques.

  • Firewalls (blocking initial access): 82/100
  • Secure Configuration (reducing attack surface): 88/100
  • User Access Control (preventing credential abuse): 91/100
  • Malware Protection (detecting ransomware): 85/100
  • Patch Management (closing exploits): 79/100
  • Combined CE+ Framework (overall protection): 94/100

The Multi-Layered Defence

The real power of Cyber Essentials Plus against ransomware comes from the combination of all five controls working together. No single control is a silver bullet, but together they create multiple barriers that ransomware must overcome:

Ransomware Stage | What the Attacker Needs | CE+ Control That Blocks It
1. Initial Access | Entry into the network | Firewalls block exposed services; MFA blocks stolen credentials
2. Execution | Running the ransomware payload | Malware protection detects and blocks; secure configuration prevents auto-run
3. Privilege Escalation | Gaining admin rights | User access control removes admin rights from standard accounts
4. Lateral Movement | Spreading across the network | Patch management closes exploit paths; firewalls segment the network
5. Encryption | Encrypting files for ransom | Limited user permissions restrict what can be encrypted; malware protection detects encryption behaviour

UK Ransomware Incidents by Attack Vector

The following chart shows the relative frequency of different ransomware attack vectors observed in UK incidents. This data underscores why the CE+ controls are so effective — the controls directly target the most commonly used attack methods.

  • Phishing emails with malicious attachments: 45%
  • Exploiting unpatched vulnerabilities: 25%
  • Compromised credentials and stolen passwords: 20%
  • Exposed RDP and remote access services: 10%

CE+ Is Not Enough on Its Own

While Cyber Essentials Plus provides an excellent defence against ransomware, it is important to understand that no single certification makes you invulnerable. CE+ should be complemented with:

  • Regular, tested backups following the 3-2-1 rule (3 copies, 2 media types, 1 off-site)
  • Immutable backups that cannot be encrypted or deleted by ransomware
  • An incident response plan that your team has practised
  • Security awareness training to help staff recognise phishing attempts
  • Email filtering with advanced threat protection
  • Network monitoring for early detection of suspicious activity

The backup strategy deserves particular emphasis because it is your last line of defence if all other controls fail. The 3-2-1 backup rule is widely recommended: maintain three copies of your data, on two different media types, with one copy stored off-site. For ransomware protection specifically, at least one backup should be immutable, meaning it cannot be modified or deleted for a defined retention period. Modern ransomware variants actively seek out and encrypt or delete backup files, so ensuring that your backups are isolated from your production network is essential. Cloud-based backup solutions with immutability features are increasingly popular among UK businesses for precisely this reason.

Pro Tip

Test your backups regularly. A backup you have never tested is a backup you cannot rely on. Schedule quarterly restore tests where you attempt to recover a complete system from backup. Many UK organisations discover during a ransomware incident that their backups are incomplete, corrupted, or take far longer to restore than expected. Regular testing eliminates these surprises and gives you confidence in your recovery capability.

Important: CE+ significantly reduces the likelihood of a successful ransomware attack, but no security measure can guarantee 100% protection. The combination of CE+ controls with proper backup practices and incident response planning provides the most comprehensive defence.

The Insurance Connection

Cyber insurance providers have tightened their requirements dramatically in response to the ransomware epidemic. Many now require Cyber Essentials Plus as a minimum condition for coverage. Even where it is not mandatory, CE+ certification can result in lower premiums and broader coverage — because insurers recognise that certified organisations present a lower risk.

The relationship between CE+ certification and cyber insurance has become increasingly important for UK businesses. Several major UK insurers, including Hiscox, Beazley, and Coalition, now specifically ask about Cyber Essentials certification during the underwriting process. Some offer premium discounts of 25% or more for CE+ certified organisations, while others have made it a prerequisite for coverage above certain thresholds. In a market where cyber insurance premiums have risen sharply due to ransomware claims, the cost savings from CE+ certification can be substantial — often exceeding the cost of achieving the certification itself.

25–40% potential reduction in cyber insurance premiums with CE+ certification

How Cloudswitched Helps

Cloudswitched provides a fully managed Cyber Essentials Plus certification service that builds a multi-layered defence against ransomware. We handle the entire process — from gap assessment and remediation to vulnerability testing, examination, and ongoing support. Beyond CE+, we can advise on backup strategies, incident response planning, and additional security measures to provide comprehensive ransomware protection.

Our managed CE+ service is designed to minimise disruption to your business whilst maximising your protection. We begin with a thorough gap analysis that identifies every area where your current defences fall short of the CE+ requirements. We then work systematically through each control — configuring firewalls, hardening devices, implementing MFA, deploying and configuring anti-malware, and establishing patch management processes. Throughout the process, we keep you informed of progress and handle all technical implementation, so your team can focus on running the business. When it comes to the formal assessment, we coordinate with the certification body and support you through the entire examination process.

Ready to Get Certified?

Cloudswitched handles your entire Cyber Essentials Plus certification end-to-end. Build a verified, multi-layered defence against ransomware and other common cyber threats.
