Back to Blog
Cyber Essentials Plus

How Cyber Essentials Plus Protects Against Ransomware

CloudSwitched Team2026-06-28
How Cyber Essentials Plus Protects Against Ransomware
Try CE+ Readiness AssessmentDownload Cyber Essentials Plus Preparation Guide

Ransomware has become the single most destructive cyber threat facing UK businesses. These attacks encrypt an organisation's files and demand payment — often in cryptocurrency — for the decryption key. The damage goes far beyond the ransom itself: business downtime, data loss, regulatory penalties, and reputational harm can be catastrophic. Cyber Essentials Plus provides a verified defence framework that directly addresses the most common ransomware attack vectors, significantly reducing your organisation's risk.

This guide explains how each of the five CE+ technical controls helps protect against ransomware, backed by real-world evidence of their effectiveness.

The Ransomware Crisis in Numbers

85%
increase in ransomware attacks on UK businesses since 2022
£1.6M
average total cost of a ransomware attack for a UK SME
21 days
average downtime after a ransomware attack

The NCSC has consistently stated that Cyber Essentials controls, when properly implemented, protect against the vast majority of common cyber attacks — and ransomware is no exception. The scheme was specifically designed to address the techniques that attackers use most frequently.

How Ransomware Gets In

Understanding how ransomware enters an organisation is the key to understanding how CE+ stops it. The most common attack vectors are:

Attack Vector % of Ransomware Attacks CE+ Control That Blocks It
Phishing emails with malicious attachments 45% Malware Protection + Secure Configuration
Exploiting unpatched vulnerabilities 25% Patch Management + Firewalls
Compromised credentials (stolen passwords) 20% User Access Control (MFA)
Exposed RDP or remote access services 10% Firewalls + User Access Control

Every single major ransomware attack vector is addressed by one or more of the five Cyber Essentials Plus controls. Let us examine each control in detail.

Control 1: Firewalls — Blocking the Entry Points

Firewalls are your first line of defence against ransomware. They control what traffic can enter and leave your network, preventing attackers from reaching vulnerable systems.

How firewalls protect against ransomware:

  • Block unauthorised inbound connections that attackers use to reach exposed services
  • Prevent RDP exposure — exposed Remote Desktop Protocol is a favourite entry point for ransomware gangs
  • Restrict outbound traffic to prevent ransomware from communicating with command-and-control servers
  • Network segmentation limits the spread of ransomware if it does get in
Real-World Example: In many high-profile ransomware attacks, including those by the Conti and LockBit groups, the initial entry point was an exposed RDP service on the internet. A properly configured firewall blocking direct RDP access would have prevented these attacks entirely.

Control 2: Secure Configuration — Reducing the Attack Surface

Secure configuration reduces the number of ways ransomware can gain a foothold on your systems. By removing unnecessary software, disabling unneeded services, and configuring systems securely, you eliminate the opportunities that attackers exploit.

Key secure configuration measures against ransomware:

  • Disabling auto-run prevents malware from executing automatically from USB drives or downloads
  • Removing unnecessary software eliminates potential vulnerabilities
  • Disabling macro execution by default in Office applications blocks a major ransomware delivery mechanism
  • Removing admin privileges from standard users prevents ransomware from gaining elevated access
85%
of ransomware requires admin privileges to encrypt files system-wide

Removing administrative privileges from standard user accounts is one of the single most effective defences against ransomware. Without admin rights, ransomware can only encrypt files the user has direct access to — it cannot install itself system-wide, modify system files, or spread across the network.

Control 3: User Access Control — Stopping Credential Theft

Ransomware gangs increasingly use stolen credentials to gain initial access to networks. They purchase leaked passwords from dark web marketplaces, use brute-force attacks, or steal credentials through phishing. MFA and proper access control make this dramatically harder.

Without Access Controls

  • Stolen password = immediate access
  • Admin accounts used for daily work
  • No MFA means single point of failure
  • Shared accounts hide the attacker's trail
  • Excessive permissions = wider blast radius

With CE+ Access Controls

  • MFA blocks 99.9% of credential attacks
  • Separate admin accounts limit damage
  • Least privilege restricts ransomware spread
  • Individual accounts provide audit trail
  • Limited permissions = contained impact

Control 4: Malware Protection — The Direct Defence

Anti-malware software is the most direct defence against ransomware. Modern endpoint protection solutions use a combination of signature-based detection, behavioural analysis, and machine learning to identify and block ransomware before it can execute.

CE+ requires that all devices have active, up-to-date malware protection. This means:

  • Anti-malware software is installed on every device
  • Real-time scanning is enabled
  • Definitions are updated at least daily
  • Users cannot disable the protection
Key Point: Modern endpoint protection does far more than traditional antivirus. Solutions like Microsoft Defender for Business, CrowdStrike, and SentinelOne use behavioural analysis to detect ransomware based on its actions (e.g., rapidly encrypting files) even if the specific ransomware variant has never been seen before.

Control 5: Patch Management — Closing the Vulnerabilities

Many of the most devastating ransomware attacks exploited known vulnerabilities for which patches were already available. WannaCry exploited a Windows SMB vulnerability (EternalBlue) that Microsoft had patched two months before the attack. Organisations that had applied the patch were unaffected.

CE+ requires all security patches rated high or critical to be applied within 14 days. This directly prevents ransomware that exploits known vulnerabilities.

WannaCry (2017) — exploited MS17-010 Patch available 60 days prior
NotPetya (2017) — exploited same vulnerability Patch available 90 days prior
MOVEit (2023) — zero-day SQL injection Patch released within days

The Multi-Layered Defence

The real power of Cyber Essentials Plus against ransomware comes from the combination of all five controls working together. No single control is a silver bullet, but together they create multiple barriers that ransomware must overcome:

Ransomware Stage What the Attacker Needs CE+ Control That Blocks It
1. Initial Access Entry into the network Firewalls block exposed services; MFA blocks stolen credentials
2. Execution Running the ransomware payload Malware protection detects and blocks; secure configuration prevents auto-run
3. Privilege Escalation Gaining admin rights User access control removes admin rights from standard accounts
4. Lateral Movement Spreading across the network Patch management closes exploit paths; firewalls segment the network
5. Encryption Encrypting files for ransom Limited user permissions restrict what can be encrypted; malware protection detects encryption behaviour

CE+ Is Not Enough on Its Own

While Cyber Essentials Plus provides an excellent defence against ransomware, it is important to understand that no single certification makes you invulnerable. CE+ should be complemented with:

  • Regular, tested backups following the 3-2-1 rule (3 copies, 2 media types, 1 off-site)
  • Immutable backups that cannot be encrypted or deleted by ransomware
  • An incident response plan that your team has practised
  • Security awareness training to help staff recognise phishing attempts
  • Email filtering with advanced threat protection
  • Network monitoring for early detection of suspicious activity
Important: CE+ significantly reduces the likelihood of a successful ransomware attack, but no security measure can guarantee 100% protection. The combination of CE+ controls with proper backup practices and incident response planning provides the most comprehensive defence.

The Insurance Connection

Cyber insurance providers have tightened their requirements dramatically in response to the ransomware epidemic. Many now require Cyber Essentials Plus as a minimum condition for coverage. Even where it is not mandatory, CE+ certification can result in lower premiums and broader coverage — because insurers recognise that certified organisations present a lower risk.

25–40%
potential reduction in cyber insurance premiums with CE+ certification

How Cloudswitched Helps

Cloudswitched provides a fully managed Cyber Essentials Plus certification service that builds a multi-layered defence against ransomware. We handle the entire process — from gap assessment and remediation to vulnerability testing, examination, and ongoing support. Beyond CE+, we can advise on backup strategies, incident response planning, and additional security measures to provide comprehensive ransomware protection.

Ready to Get Certified?

Cloudswitched handles your entire Cyber Essentials Plus certification end-to-end. Build a verified, multi-layered defence against ransomware and other common cyber threats.

View CE+ Services
Tags:Cyber Essentials PlusRansomwareThreat Protection
CloudSwitched
CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.

Try CE+ Readiness AssessmentDownload Cyber Essentials Plus Preparation GuideAll ToolsAll Resources

Newsletter sign up form - it's quick and easy