Preparing For and Responding to a Ransomware Attack When You Have No IT Team
Most Irish SMEs do not have an IT department. They have an IT provider they call when something breaks. When ransomware hits at 7am on a Monday, there is no internal IT expert to take control. There is a business owner, a small team of staff, and a phone number for an IT provider who may never have managed a ransomware incident.
This is the reality for the majority of businesses in Donegal, Sligo, and the North-West. And it means the business owner themselves — or the most senior person present — has to make the first, most critical decisions with no prior experience of the scenario.
This article is specifically for that person. Not a general framework — a specific guide for what to do in the first few hours when you have no IT team and ransomware is on your screens.
Before It Happens: The Three Things to Sort Now
Know your IT provider's emergency number. Not their support email. Not their standard phone number that goes to voicemail outside business hours. Their emergency out-of-hours number. Call it now, before there is an incident, to confirm it reaches a person who can help with a critical incident. If it goes to voicemail, find a provider who has a genuine emergency line.
Know your cyber insurance claims number. Find your policy document. Write down the claims line number. Store it in your phone and on a printed card somewhere physical. If you do not have cyber insurance, getting it is one of the most impactful resilience investments available.
Know where your backups are and whether they were tested recently. Ask your IT provider: where are our backups stored, are they isolated from our main network, and when was the last restore test? If you do not have a clear answer to all three questions, ask for one this week.
The First Hour: What to Do
Step 1. Do not turn anything off. Disconnect it instead.
The instinct is to turn off infected computers. Do not. Turning off a device can destroy forensic evidence and, with some ransomware, can trigger additional destructive actions. Instead, physically disconnect infected devices from the network — unplug the ethernet cable, disable Wi-Fi. This limits spread without destroying evidence.
If you do not know which devices are infected, disconnect all of them. The disruption of having all devices offline is far less than the disruption of ransomware spreading to everything.
Step 2. Call your IT provider's emergency number immediately.
Tell them: ransomware has been detected. Devices have been isolated from the network. You need emergency assistance now. Ask for an estimated arrival time or remote connection time. Ask them to bring or access their incident response tools.
Step 3. Call your cyber insurer's claims line.
Tell them: you have experienced a ransomware attack and need to activate your incident response cover. They will assign an incident manager who will coordinate the technical response, legal notifications, and communications. Do not wait until you understand the full scope — call immediately, as early engagement is almost always better.
Step 4. Do not pay the ransom without advice.
You will see a ransom demand on the affected screens. Do not pay without speaking to your cyber insurer, your IT provider, and your legal adviser. Many ransoms are negotiable. Some ransomware is decryptable without payment. Your insurer has relationships with ransomware negotiators. Paying without advice often results in paying more than necessary or paying and not receiving a working decryption key.
Step 5. Preserve everything as evidence.
Take photographs of every screen showing the ransom message or encryption indicator. Note the exact time the incident was discovered and who discovered it. Write down every action taken and when. This documentation is required for insurance claims, police reports, and regulatory notifications.
Could the most senior person in your office tomorrow morning follow those five steps without any additional guidance? If not, the value of this article is in turning those steps into a laminated card on your office wall.
Hours Two to Six: Managing the Response
Your IT provider is now engaged. Your insurer's incident manager is coordinating. Your role in this phase is management, not technical response.
Brief your staff. A short, factual communication: we are dealing with a technical security incident, systems are currently offline, please follow these specific instructions (what to do, what not to do), we will update you at a defined time.
Do not communicate externally about the incident until you have spoken with your insurer's team and, if relevant, your legal adviser. In particular, do not post on social media, do not respond to press enquiries, and do not discuss it in client meetings until you have an approved communication.
Begin assessing the scope. Which systems are affected? Which, if any, appear to be functioning? Is there any indication that data has been exfiltrated — copied to an external location — as well as encrypted? Your IT provider and the insurer's forensic team will be working on this, but you can contribute by identifying what data was on the affected systems.
Consider your regulatory notifications. If personal data may have been involved, the 72-hour GDPR notification clock to the Data Protection Commission is running. Discuss this with your legal adviser or your insurer's legal team — they will have experience of exactly this situation.
The Recovery Decision
The major recovery decision — restore from backup vs. pay the ransom vs. a hybrid approach — should not be made alone. It should be made with your IT provider's input on the recoverability of your backups, your insurer's input on the ransom negotiation options, and your legal adviser's input on any obligations.
The businesses that make this decision best are those who prepared: they know their backups work because they have tested them, they have a cyber insurer with incident response resources, and they have a rough recovery cost calculation done in advance.
What Next
Find and write down the three numbers now: IT provider emergency, cyber insurer claims, NCSC Ireland. Store them in your phone and on a physical card.
Ask your IT provider directly: if ransomware activated tonight, would you have emergency response available? What would our first call look like?
Print the five-step first-hour guide above, adapted for your specific contacts. Laminate it. Put it on the kitchen wall.
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.