Ransomware protection: How SME employees can protect against attacks

Published on 31/05/2022 by Laura Burgess

Employees can play as critical a role as ransomware protection software in safeguarding companies from ransomware attacks and their consequences. But do small to midsize enterprises (SMEs) provide staff with sufficient training and resources to combat these cyber threats?


How knowledgeable are employees about ransomware attacks in Australia? Cybercriminals can easily target employees with fraudulent emails (phishing) that carry a file attachment or a link to a malicious website. An employee may unknowingly install malware simply by opening the attachment or clicking the link. Whilst staff don’t need to become cybersecurity experts, they should at least be able to spot ransomware scams and understand how easily malware can infiltrate systems. But what are companies actually using as ransomware protection?

In the first article on cybersecurity, Software Advice looked at how much ransomware costs SMEs financially and the other ways it impacts businesses. Here, we look at whether SMEs are prepared for ransomware attacks. Are companies providing adequate employee training on cybersecurity measures? We surveyed 202 IT specialists from businesses of 250 employees or fewer. The full survey methodology can be found at the bottom of this article. 

How long does it take SMEs to detect a ransomware attack?

Whether companies have the best cybersecurity measures in place or not, they should always assume they will one day be the victim of a ransomware attack. If an organisation does end up compromised, detecting the intrusion as early as possible gives it the best chance of limiting the damage. A combined total of 73% of IT professionals surveyed by Software Advice said their company would be able to quickly detect a ransomware attack should it happen (26% said they could detect it in ‘near real-time’ and 47% said ‘within hours’).

Bar graph showing how quickly SMEs detect ransomware attacks

Attackers often time their activity for weekends and public holidays precisely because fewer IT staff are on duty to notice it. 65% of survey takers said their company is prepared should a ransomware attack occur on the weekend or during bank holidays. Nearly 1 in 5 respondents (18%) said their company is not prepared for a potential attack at these times, whilst 17% said they are not sure. Because weekends and holidays are attractive windows for attackers, companies should keep monitoring for potential attacks at these times and have staff on standby to respond.

How to detect a cyberattack

Employees can do the following to recognise a potential attack:

  1. Identify suspicious emails (phishing attacks)
  2. Note unusual account activity, such as password-reset emails they did not request or unexpected lockouts
  3. Avoid clicking on suspicious pop-ups
  4. Report if the network or their own machine is running noticeably slower than usual
  5. Keep cybersecurity software up to date 

Around 1 in 6 SMEs don’t yet provide cybersecurity training for employees

Employees are often the weakest point in a business’s defences against ransomware, most likely because they have never been told what they should and shouldn’t be doing. According to the IT professionals surveyed by Software Advice, a combined total of 16% said their company does not provide employees with training on how to recognise or flag potential ransomware attacks (13% said their company doesn’t yet provide any cybersecurity training but plans to, whilst 3% said there are no plans to implement it).

Bar graph showing if SMEs provide employee training on potential ransomware attacks

Companies can use security awareness training software to educate employees and raise the overall level of security within the organisation. Security training tools typically include simulated phishing campaigns and regular quizzes that test employees’ cybersecurity knowledge. Businesses can also build video-based training modules, monitor how workers respond to them, and use the results to see which areas of employee cybersecurity training need to be improved.

The benefits of implementing security training tools include:

  • Teaching employees ransomware awareness
  • Preventing staff from making simple mistakes 
  • Reducing the likelihood of a successful attack 
  • Preventing downtime for employees
  • Saving the company’s reputation

Do SMEs have a continuity plan should a ransomware attack occur?

A business continuity plan (BCP) is designed to help an organisation keep operating in the event of a security incident or other disruption. Examples include natural disasters such as bushfires, technology outages, supply chain disruptions, and cyberattacks. Software Advice found that seven out of 10 SMEs have a cybersecurity continuity plan in place should a ransomware attack occur.

Pie chart showing whether SMEs have a continuity plan for a ransomware attack

The Australian Cyber Security Centre (ACSC), a government body, responded to over 1500 cybersecurity incidents between 1 July 2020 and 30 June 2021. The ACSC says that even though many of these incidents could have been avoided with good cybersecurity practices, all organisations should have a cyber incident response plan ready, as this is the fastest and most effective way to limit the damage should an attack occur. The response plan should be regularly tested and reviewed, and kept in line with the company’s business continuity plan.

What are the risks of paying for a ransomware attack?

The ACSC strongly advises ransomware victims to report attacks to its hotline and never to pay a ransom demand, because paying does not guarantee that an organisation will get its data back. The Australian government also wants to tighten its cybersecurity regulations and change how businesses respond to cyberattacks.

Australia’s Ransomware Action Plan

In October 2021, the government released its Ransomware Action Plan in response to increasing national cybercriminal activity. The initiative focuses on resilience and protection against attacks and how Aussies can strengthen their responses to an attack. The plan provides information on where ransomware attack victims can get help, and how companies can disrupt and deter cybercriminals. It also provides better education and protection against cybercrime for organisations across Australia.

39% of the IT professionals surveyed by Software Advice said the biggest risk of negotiating or paying a ransom is that it does not guarantee the data will be returned. A further one in five respondents (21%) said the biggest risk of paying is that the attacker may release the data to the public anyway.

Bar graph showing the biggest threats to SMEs paying off a ransomware attack

Deciding whether to pay a ransom is a complicated situation that requires careful decision-making by a business owner who chooses to take matters into their own hands. Under the Ransomware Action Plan, the government has proposed legislation for 2022 that could criminalise ransomware payments and hold company directors accountable for making them.

Companies should be mindful that making ransomware payments may make them liable for committing a criminal offence and organisations should check for the latest updates and contact the ACSC for advice or to report an incident. The message is clear and consistent from the ACSC and Department of Home Affairs for victims of a ransomware attack: companies and individuals should not pay a ransom.

How can employee training programs complement ransomware protection?

Employee negligence plays a key role in company data breaches, so it is essential to implement cybersecurity training that is tailored to the business. According to the IT professionals we surveyed, nearly 1 in 5 (a combined 19% who answered “no” or “not sure”) could not say that employees at their company know who to report a ransomware attack to when it occurs.

Infographic highlighting how many employees know who to report a ransomware attack to should it occur

A ransomware training program can save money and time for a business. If a company has an in-house IT department, the IT professionals can help create an educational program for employees. Investing in training can pay dividends by reducing the risk of an expensive cyberattack. 

What to include in a ransomware training program

  1. The basics of ransomware: ensure employees know about the dangers of ransomware and how their actions can impact company security as the result of a cyberattack. 
  2. How to recognise a phishing email or social media message: security awareness training tools can be used to regularly test employees and teach them how to check for red flags. This may include emails or messages that contain poor spelling and grammar, an unusual sender email address, requests for personal information, and links that direct employees to a website that is different from what initially appeared. 
  3. How to report and respond to a potential threat: besides spotting a possible ransomware attack, employees should know how to report a threat when it occurs. Staff should be trained not to open suspicious emails or their attachments and instead to report them straight to the IT department (ideally via a report-phishing button or by forwarding the message as an attachment, so the original headers are preserved). The IT team can then take appropriate action before any damage is done.
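The red flags listed in item 2 (an unusual sender address, links whose visible text does not match their real destination, requests for credentials), together with the "identify suspicious emails" step in the earlier "How to detect a cyberattack" list, can be turned into an automated first pass that an IT department runs over the emails staff report. The Python script below is an added example written for this article; it is not a tool from Software Advice, the ACSC or any vendor named here. The two sample messages are constructed, use only the reserved example.com/.net/.org domains, and the company domain, keyword lists and URL heuristic are assumptions chosen for the illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# The employee's own company domain (an assumption for this example).
COMPANY_DOMAIN = "example.com"

# Constructed sample messages (not real emails). example.com plays the company;
# example.net and example.org play the attacker's infrastructure.
PHISH_EML = """\
From: "example.com IT Support" <helpdesk@mail.example.net>
Reply-To: account-recovery@example.org
To: staff@example.com
Subject: URGENT: your password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear employee,</p>
<p>Your passwrod expires in 24 hours. Confirm your username and password at
<a href="http://login.example.org/reset">https://portal.example.com/reset</a>
to keep your account active.</p>
</body></html>
"""

CLEAN_EML = """\
From: "IT Support" <helpdesk@example.com>
To: staff@example.com
Subject: Scheduled maintenance this Saturday
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The file server will be offline from 08:00 to 10:00 on Saturday for patching.
No action is needed from you.
"""

# Assumed keyword lists; a real deployment would tune these to the business.
URGENCY_WORDS = ("urgent", "expires today", "within 24 hours", "immediately")
CREDENTIAL_WORDS = ("password", "username", "verify your account", "bank details")
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/|$)")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; tolerates link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def belongs_to(domain, company):
    """True if domain is the company domain or one of its subdomains."""
    return domain == company or domain.endswith("." + company)


def phishing_red_flags(raw, company_domain=COMPANY_DOMAIN):
    """Return human-readable red flags found in a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    display_name = (sender.display_name if sender else "").lower()
    from_domain = (sender.domain if sender else "").lower()

    # 1. Display name claims the company while the real address lives elsewhere.
    if company_domain in display_name and not belongs_to(from_domain, company_domain):
        flags.append(f"display name mentions {company_domain} but sender is @{from_domain}")

    # 2. Replies are routed to a different domain than the one that sent the mail.
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != from_domain:
            flags.append(f"Reply-To is @{reply_domain} but From is @{from_domain}")

    # 3. Link text shows one site while the href points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = AnchorCollector()
    collector.feed(text)
    for href, shown in collector.links:
        if LOOKS_LIKE_URL.match(shown) and host_of(shown) != host_of(href):
            flags.append(f"link text shows {host_of(shown)} but goes to {host_of(href)}")

    # 4. Urgency paired with a request for credentials or personal data.
    # Spelling mistakes such as "passwrod" are left for the human reader.
    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    if any(w in haystack for w in URGENCY_WORDS) and any(w in haystack for w in CREDENTIAL_WORDS):
        flags.append("urgent wording combined with a request for credentials")

    return flags


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(name, phishing_red_flags(sample) or ["no red flags"])
```

Run it with python3 and it prints the flags found for each sample: four for the constructed phishing message and none for the routine maintenance notice. The heuristics are deliberately simple and produce a prompt for human review rather than a verdict; a message with no flags can still be malicious, and the poor spelling and social-engineering pretext the article describes still need a person to judge.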

What are the key takeaways?

As cybercriminals are becoming smarter and finding new ways to attack companies, ransomware prevention is imperative and the first course of action should be to train employees. A tailored cybersecurity training program can teach staff about safe web use, handling private business data, and ensuring client data is secure. 

A security awareness training program not only lowers the risk of cyber threats against an organisation and the financial damage an attack would cause, it can also reduce stress amongst employees by giving them the confidence to use and follow cybersecurity procedures.



To collect this data, Software Advice interviewed 202 professionals in March 2022 in Australia. The candidates had to fulfil the following criteria: 

  • Australian resident
  • Between the ages of 18 and 65 
  • Employed full- or part-time at a company with 2 to 250 employees 
  • Works in the IT department of their company 
  • Able to identify the definition of ransomware as ‘Malware that locks files or computers and asks for money to unlock them’


About the author

Laura is a Content Analyst, researching and giving insight on tech trends to help SMEs. Graduate of Bath Spa University, UK. Based in Barcelona after years of living in Australia.