One of the most famous cyber attacks to have happened in the UK disrupted more than 80 hospital trusts, reportedly cost the NHS £92 million and forced the cancellation of more than 19,000 medical appointments.

This was the WannaCry ransomware attack, which targeted the NHS in 2017. And it is not just large public sector organisations that attackers are targeting with ransomware – charities and small businesses have also been hit to devastating effect.

But the good news is that, with a little forethought and practice, companies can protect themselves from these increasingly visible types of attack.

Ransomware is malicious software (also known as malware) which, if it gets on to your technology, prevents access to your data and even to the device itself, whether a phone or a laptop. Attackers can do this as simply as copying your data remotely and then deleting the information from your system. They can also encrypt the data, so that it is still on your device but you cannot access it. The idea is that the bad actors (the attackers) are holding your data or computer to ransom, with the incentive that if you pay you will get the data or computer back.

Ransomware can get installed on your technology in a variety of ways, but the simplest method criminals use is email. Typically, there will be some form of attachment, or a link to a malicious site, which when opened starts the ransomware locking down your systems. Once on one device, ransomware is often able to spread to others on your network or in your home, for example through shared files.

People often wonder whether the best thing to do is simply to pay the ransom and get the data or system back. This is driven by uncertainty about how to respond to a ransomware attack and a desire to get the business back on its feet as quickly as possible, with limited technical resources or expertise to do so. But it has been shown that even if you pay there is no guarantee you will get your data back, your system may still be infected, and you could be targeted again in future because you have demonstrated you are willing to pay. One of the more challenging issues is that it has been shown that any funds which are paid often go to criminal gangs to finance other criminal activity: human trafficking, the drug trade, child exploitation and even terrorism.

But there are steps that companies can take to protect themselves and be resilient in the face of these types of attack. These steps are practical and can be taken by any size of business. The National Cyber Security Centre (NCSC) has lots of guidance and support in this area, but here are some simple steps.

Make Regular Backups: The first step is as simple as putting your most important files somewhere else on a regular basis. This can be as easy as copying them to a USB drive (ensuring it is encrypted) and putting it somewhere for safe keeping. Importantly, you should also check that you can restore the data you have backed up. You do not want to be in a situation where you need that stored data but for some reason it has become corrupted, or does not capture everything you thought was important.

Stop it coming in: The best thing to do here is to really invest effort in educating your staff to be aware of malicious emails or bad websites. This will have the added benefit of preventing other types of attack too. A well-educated and supported workforce is the first line of defence for cyber security. An important aspect of this is making sure staff let key people know if they think something bad has happened, so that it can be dealt with quickly before it spreads.

Know what to do in an emergency: If you do get hit, your business needs to know what to do straight away. This is very important if you handle personal information under GDPR. Knowing who you are going to call to help you, reporting it to the police so they can help, keeping your clients up to date and supported, and handling any media interest are all vitally important. Spending a couple of hours thinking about what you would do if a ransomware attack happened will make a real difference if it ever does.

The NCSC guidance has further information and more detailed steps. But regardless of your company size, or your industry, you can take action now to protect your business and your customers. Cyber security is part of a company’s brand whether it wants it to be or not, and by following these simple steps you can start to take control of your own protection.

https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks