Ohio has nearly one million small businesses, making up 99.6% of all businesses in the state and employing 43.8% of Ohio workers. Most of them are running with some version of IT support, some version of antivirus, and some version of a backup — and most of them have never tested whether any of it would actually work when ransomware hits.
Ransomware was present in 88% of SMB breaches in the 2025 Verizon DBIR, more than twice the share seen in large organizations. Small businesses experienced a 49% cyberattack rate in 2026, with average losses reaching $254,000 per breach. The widely repeated claim that 60% of attacked small companies close within six months has never been traced to a published study, but the loss figures alone are enough to put a thin-margin business under.
Ohio businesses aren't exempt from these numbers. In May 2025, Kettering Health, a major Ohio health system, suffered a system-wide outage from a cyberattack that canceled elective procedures and took its call center offline. That was a large health system with significant IT resources. For an Ohio SMB with two IT staff and no security operations function, the exposure is greater, not smaller.
The question isn't whether Ohio SMBs face ransomware risk. They do. The question is whether you're actually prepared — or whether you have the appearance of preparation without the substance.
This scorecard is designed to answer that question honestly.
How to Use This Scorecard
For each section, answer the questions as accurately as possible — not as you intend to answer them, and not based on what you've purchased. Based on what you can verify is actually working right now.
Each section produces a readiness rating: Ready, Partial, or Not Ready. The honest assessment of where you land tells you where the priority remediation work is.
Section 1: Detection and Monitoring
The first question in any ransomware readiness assessment is whether you would know an attack was happening before the ransom note appears.
IBM's Cost of a Data Breach report puts the mean time to identify a breach at 194 days. Ransomware intrusions specifically tend to move faster, often days from initial access to encryption, which makes the early-stage indicators the only realistic place to catch them: unusual login patterns, lateral movement between systems, large outbound data transfers, and privilege escalation attempts. Organizations that miss those indicators find out about the intrusion from the ransom note.
Answer these questions:
Do you have endpoint detection and response deployed across 100% of your managed endpoints — not antivirus, specifically EDR? Yes / Partially / No
Is someone reviewing EDR alerts continuously — not just during business hours? Yes / No
Do you have a SIEM or log aggregation platform collecting events from endpoints, identity systems, and network infrastructure? Yes / No
Would you know if a user account was logging in from an unusual location at 3am? Yes / Probably Not / No
Is your email domain protected with SPF, DKIM, and DMARC, with DMARC set to an enforcing policy (p=quarantine or p=reject) so that mail spoofing your domain is rejected rather than merely reported? Yes / Not Sure / No
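The "Not Sure" answer to the email authentication question is the one to eliminate first, because it is cheap to check. The script below is an added example, not part of the scorecard or any vendor's tooling: it rates SPF and DMARC records the way a reviewer would, flagging `+all`, too many DNS lookups, `p=none`, and partial `pct=` enforcement. The records it evaluates are constructed samples; for a real domain you would first pull the TXT records (`dig +short TXT example.com`, `dig +short TXT _dmarc.example.com`, and `dig +short TXT <selector>._domainkey.example.com`, where the DKIM selector name is something you have to know from your mail provider) and pass them in.

```python
"""Rate a domain's SPF/DMARC posture from its TXT records (offline; records are constructed)."""
from __future__ import annotations
import re
from typing import Optional, Tuple

# Mechanisms and modifiers that each cost one of the 10 DNS lookups SPF allows (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism_name(term: str) -> str:
    """'+include:spf.example.net' -> 'include'; 'mx/24' -> 'mx'; 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def assess_spf(record: Optional[str]) -> Tuple[str, str]:
    """Return (rating, reason). Ratings: 'reject', 'softfail', 'weak', 'missing'."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing", "no SPF record: nothing stops anyone from sending as this domain"
    terms = record.split()[1:]
    lookups = sum(1 for t in terms if _mechanism_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        return "weak", f"{lookups} DNS lookups exceed the limit of 10; receivers treat this as permerror"
    all_term = next((t.lower() for t in terms if _mechanism_name(t) == "all"), None)
    if all_term is None or all_term in ("all", "+all"):
        return "weak", "no 'all' mechanism or '+all': every sender passes SPF"
    if all_term == "-all":
        return "reject", "-all: unauthorized senders hard-fail"
    return "softfail", f"{all_term}: unauthorized senders only soft-fail, enforcement is left to DMARC"


def _parse_tags(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> Tuple[str, str]:
    """Return (rating, reason). Ratings: 'enforce', 'partial', 'monitor', 'missing'."""
    if not record:
        return "missing", "no _dmarc record: SPF/DKIM failures carry no instruction to receivers"
    tags = _parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", "record is not a valid DMARC1 record"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor", "p=none only reports; spoofed mail is still delivered"
    if pct < 100:
        return "partial", f"p={policy} but pct={pct}: only {pct}% of failing mail is acted on"
    note = "" if "rua" in tags else " (no rua= address, so you get no aggregate reports)"
    return "enforce", f"p={policy} applied to all failing mail{note}"


def scorecard_answer(spf: Optional[str], dmarc: Optional[str], dkim_selector_found: bool) -> str:
    """Map the three checks onto the scorecard's Yes / No answer."""
    spf_ok = assess_spf(spf)[0] in ("reject", "softfail")
    dmarc_ok = assess_dmarc(dmarc)[0] == "enforce"
    return "Yes" if spf_ok and dmarc_ok and dkim_selector_found else "No"


# Constructed sample records for two hypothetical domains.
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.google.com include:mail.vendor.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("good", GOOD_SPF, GOOD_DMARC), ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, assess_spf(spf), assess_dmarc(dmarc), scorecard_answer(spf, dmarc, True))
```

A `~all` SPF with `p=none` DMARC is the most common configuration we see: it looks like "email security is configured" but lets spoofed mail through untouched. The path to "Yes" is to publish DKIM for every sending service, watch the aggregate reports for a few weeks, then move `p=` to quarantine and finally reject.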
Scoring:
Why this matters: Ransomware deployed into an environment where someone is actively watching 24/7 can be caught at the precursor stage (the new admin account, the disabled endpoint agent, the burst of file renames) before encryption completes. Ransomware deployed where nobody looks until Monday morning has hours or days of uncontested encryption before anyone responds.
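The "unusual location at 3am" question is concrete enough to show as detection logic. The following is an added example, not code from the scorecard's authors: it runs three rules over constructed sign-in events (fields loosely modelled on Microsoft 365 sign-in logs) and emits alerts for a successful login from a country outside the user's baseline, two successes from different countries within an hour, and a burst of failures that an account lockout policy should be catching. Ohio local time is approximated as a fixed UTC-5 offset, and the per-user baseline countries are assumed; both are labelled in the code.

```python
"""Sign-in anomaly rules over constructed sample events (added example)."""
from __future__ import annotations
import json
from collections import deque
from datetime import datetime, timedelta, timezone

# Assumption: Ohio local time as a fixed UTC-5 (EST). A production rule would use
# zoneinfo.ZoneInfo("America/New_York") so daylight saving time is handled.
LOCAL_OFFSET = timedelta(hours=-5)
BUSINESS_HOURS = range(6, 20)   # 06:00-19:59 local counts as business hours

# Assumed baseline of countries each user normally signs in from. In practice this
# is learned from 30+ days of prior successful sign-ins, not hard-coded.
BASELINE = {"jsmith": {"US"}, "aking": {"US"}}

# Constructed sample log (JSON lines). Times are UTC.
SAMPLE_LOG = """
{"user": "jsmith", "time": "2025-06-03T13:02:11Z", "ip": "198.51.100.7", "country": "US", "result": "success"}
{"user": "jsmith", "time": "2025-06-04T07:20:02Z", "ip": "198.51.100.7", "country": "US", "result": "success"}
{"user": "jsmith", "time": "2025-06-04T07:58:30Z", "ip": "203.0.113.44", "country": "NL", "result": "success"}
{"user": "aking", "time": "2025-06-04T08:30:00Z", "ip": "192.0.2.9", "country": "RU", "result": "failure"}
{"user": "aking", "time": "2025-06-04T08:30:40Z", "ip": "192.0.2.9", "country": "RU", "result": "failure"}
{"user": "aking", "time": "2025-06-04T08:31:20Z", "ip": "192.0.2.9", "country": "RU", "result": "failure"}
{"user": "aking", "time": "2025-06-04T08:32:00Z", "ip": "192.0.2.9", "country": "RU", "result": "failure"}
{"user": "aking", "time": "2025-06-04T08:32:30Z", "ip": "192.0.2.9", "country": "RU", "result": "failure"}
{"user": "aking", "time": "2025-06-04T08:33:10Z", "ip": "192.0.2.9", "country": "RU", "result": "failure"}
{"user": "aking", "time": "2025-06-04T08:34:00Z", "ip": "192.0.2.9", "country": "RU", "result": "success"}
{"user": "aking", "time": "2025-06-04T13:15:00Z", "ip": "198.51.100.22", "country": "US", "result": "success"}
"""


def parse_events(log_text: str) -> list:
    """Parse JSON lines into dicts with aware UTC datetimes, sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def local_time(t_utc: datetime) -> datetime:
    return t_utc + LOCAL_OFFSET


def is_off_hours(t_utc: datetime) -> bool:
    return local_time(t_utc).hour not in BUSINESS_HOURS


def detect(log_text: str, baseline: dict, fail_threshold: int = 5,
           fail_window: timedelta = timedelta(minutes=10),
           travel_window: timedelta = timedelta(hours=1)) -> list:
    """Return a list of alert dicts, in the order the triggering events occur."""
    alerts = []
    last_success = {}        # user -> most recent successful event
    failures = {}            # user -> deque of recent failure timestamps
    burst_raised = set()     # users already alerted on, to avoid one alert per extra failure
    for e in parse_events(log_text):
        user, t = e["user"], e["time"]
        if e["result"] == "success":
            # Rule 1: success from a country not in the user's baseline (no baseline == always unusual)
            if e["country"] not in baseline.get(user, set()):
                alerts.append({"rule": "unusual_location", "user": user, "ip": e["ip"],
                               "country": e["country"], "off_hours": is_off_hours(t),
                               "local_time": local_time(t).strftime("%Y-%m-%d %H:%M")})
            # Rule 2: impossible travel, two successes from different countries inside travel_window
            prev = last_success.get(user)
            if prev and prev["country"] != e["country"] and t - prev["time"] <= travel_window:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev["country"], "to": e["country"],
                               "minutes_apart": int((t - prev["time"]).total_seconds() // 60)})
            last_success[user] = e
        else:
            # Rule 3: failure burst, fail_threshold or more failures inside a sliding fail_window
            window = failures.setdefault(user, deque())
            window.append(t)
            while window and t - window[0] > fail_window:
                window.popleft()
            if len(window) >= fail_threshold and user not in burst_raised:
                burst_raised.add(user)
                alerts.append({"rule": "failed_login_burst", "user": user, "ip": e["ip"],
                               "count": len(window), "window_minutes": int(fail_window.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE):
        print(alert)
```

On the sample data this raises four alerts: jsmith signing in from NL at 02:58 local, jsmith appearing in the US and NL 38 minutes apart, aking's fifth failure inside ten minutes, and aking's subsequent success from RU at 03:34 local. The last two together are the pattern that matters most: a lockout policy that actually fires would have stopped the success.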
Section 2: Identity and Access Controls
Most ransomware attacks begin with compromised credentials or a phished user. The 2025 Verizon DBIR found that roughly 60% of breaches involve a human element: phishing, credential theft, or social engineering. Attackers rarely break through defenses; they log in with passwords they already have.
Answer these questions:
Is MFA enforced — not just enabled — on email, VPN, cloud platforms, and administrative accounts? Yes / Partially / No
Are privileged accounts — accounts with administrative access to systems — separate from everyday user accounts? Yes / No
When an employee leaves, are their accounts and access credentials revoked within 24 hours? Yes / Usually / No
Do users have only the access they need for their specific role — or do most users have broad access to most systems? Role-based / Broad
Is there an account lockout policy after repeated failed login attempts? Yes / Not Sure / No
Scoring:
Why this matters: Microsoft's research puts the share of automated account-compromise attacks blocked by MFA above 99%. An environment where MFA isn't enforced on email and VPN is one where a single phished password gives an attacker a foothold on the network. One caveat: push-notification and SMS factors can be phished or fatigued through by current phishing kits; phishing-resistant methods (FIDO2 security keys, passkeys) close that gap and should be the target at least for administrative accounts.
Section 3: Backup and Recovery
When ransomware encrypts your systems, your recovery path is determined by whether your backups work — not whether you believe they work.
The oft-cited figure that 93% of companies suffering prolonged data loss go out of business is old and poorly documented, but the direction is right. For an Ohio SMB, a ransomware event without working backups isn't a setback. It's a business-ending event.
Answer these questions:
Are your backups stored where ransomware, and an attacker holding domain admin, cannot reach them: offline, immutable, or air-gapped from the production network, with backup credentials that are not shared with the production domain? Yes / No
When was the last time you ran a restoration test — actually restored data from backup to confirm it works? Within 6 months / Over 6 months ago / Never
Are your backups encrypted? Yes / Not Sure / No
Does your backup cover cloud data — Microsoft 365, cloud applications — in addition to on-premises systems? Yes / Partially / No
Do you have a documented recovery time objective — how long it would take to restore operations after a ransomware event? Yes / No
Scoring:
Why this matters: Backups reachable from the production network, or through a backup console that accepts domain credentials, get encrypted or deleted by ransomware operators as a deliberate step before they trigger encryption. Backups that have never been tested frequently fail during actual recovery. Either failure leaves you with no recovery path except paying the ransom, with no guarantee the attacker provides working decryption keys.
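A restoration test is only meaningful if it proves the restored data is what was backed up, and if it produces a number you can put against your recovery time objective. The script below is an added example, not the scorecard's or any backup vendor's code: it backs up a constructed production tree into a tar archive with a SHA-256 manifest, simulates ransomware rendering production useless, restores into a clean directory, times the restore, and verifies every file against the manifest rather than against the now-encrypted live copy. The `tamper` flag simulates a backup that silently rotted so you can see the check fail. Immutability itself cannot be shown on a local filesystem; that property comes from the storage target (object-lock buckets, WORM volumes, offline media).

```python
"""Backup, simulated ransomware, restore, and manifest verification (added example)."""
from __future__ import annotations
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, dest_dir: Path) -> Tuple[Path, Path]:
    """Archive src and write its manifest. In production the manifest (or a signature
    over it) belongs somewhere the backup system cannot overwrite, else a tampered
    archive can ship a matching tampered manifest."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive, manifest = dest_dir / "backup.tar.gz", dest_dir / "backup.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest.write_text(json.dumps(build_manifest(src), indent=2))
    return archive, manifest


def _safe_members(tar: tarfile.TarFile, target: Path):
    """Refuse archive members that would land outside target (fallback path check)."""
    base = target.resolve()
    for member in tar.getmembers():
        dest = (target / member.name).resolve()
        if dest != base and base not in dest.parents:
            raise ValueError(f"archive member escapes restore target: {member.name}")
        yield member


def restore(archive: Path, target: Path) -> float:
    """Extract into target and return wall-clock seconds: evidence for the RTO."""
    target.mkdir(parents=True, exist_ok=True)
    start = time.perf_counter()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")           # Python 3.12+ and patched 3.8-3.11
        except TypeError:                                   # older interpreters: no extraction filters
            tar.extractall(target, members=_safe_members(tar, target))
    return time.perf_counter() - start


def verify(restored: Path, manifest: Path) -> Tuple[bool, List[str]]:
    """Compare the restored tree against the manifest written at backup time."""
    expected = json.loads(manifest.read_text())
    actual = build_manifest(restored)
    problems = [f"missing: {p}" for p in expected if p not in actual]
    problems += [f"changed: {p}" for p in expected if p in actual and actual[p] != expected[p]]
    problems += [f"unexpected: {p}" for p in actual if p not in expected]
    return not problems, problems


def run_restore_test(tamper: bool = False) -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prod, backups, restored = root / "prod", root / "backups", root / "restored"
        # Constructed production data.
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "ledger.csv").write_text("date,amount\n2025-06-01,1200.00\n")
        (prod / "notes.txt").write_text("call vendor about invoice 4471\n")
        archive, manifest = make_backup(prod, backups)
        # Simulate ransomware: every production file is overwritten and renamed.
        for p in list(prod.rglob("*")):
            if p.is_file():
                p.write_bytes(os.urandom(64))
                p.rename(p.with_suffix(p.suffix + ".locked"))
        seconds = restore(archive, restored)
        if tamper:  # simulate silent corruption of the restored copy
            ledger = restored / "finance" / "ledger.csv"
            ledger.write_bytes(ledger.read_bytes()[:-1] + b"X")
        ok, problems = verify(restored, manifest)
        return {"ok": ok, "restore_seconds": seconds, "problems": problems}


if __name__ == "__main__":
    print(run_restore_test())
    print(run_restore_test(tamper=True))
```

Record the `restore_seconds` figure from each test; scaled to your real data volume it is the honest basis for the recovery time objective asked about above, and a trend of growing restore times is an early warning that the RTO is no longer achievable.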
Section 4: Patch and Vulnerability Management
The Verizon DBIR 2025 found a median of 32 days to fully remediate vulnerabilities in edge devices and VPNs, and that organizations fully remediated only about 54% of them. Exploitation of vulnerabilities as an initial access vector rose 34% year over year.
After stolen credentials, unpatched vulnerabilities are the most common way ransomware operators get in, above all on internet-facing systems. A system exposed to the internet with a known critical vulnerability left unpatched for 60 days is an open door.
Answer these questions:
Are critical security patches deployed within 72 hours of release across all managed systems? Yes / Usually / No
Do you run regular vulnerability scans to identify unpatched systems and misconfigured settings? Yes / Occasionally / No
Are there systems in your environment running end-of-life software — operating systems or applications that no longer receive security updates? No / Some / Yes
Do you have a defined process for identifying and remediating vulnerabilities — not just patch deployment, but tracking what's open and what's been fixed? Yes / No
Are remote access systems — VPN, RDP, remote monitoring tools — included in your patch management process? Yes / Not Sure / No
Scoring:
Why this matters: Ransomware operators use automated scanning tools that find unpatched vulnerabilities across millions of systems simultaneously. A critical vulnerability unpatched for 30+ days will be found. The question is whether it gets exploited before you patch it.
Section 5: Incident Response Readiness
When ransomware hits, the first 30 minutes determine whether it spreads to your entire environment or gets contained to a few systems. That containment depends entirely on whether anyone knows what to do — and how fast they can act.
Answer these questions:
Do you have a written incident response plan that defines what to do when a ransomware attack is detected? Yes / No
Does your team know who to call first when a ransomware event is suspected — and is that contact available outside business hours? Yes / Not Sure / No
Has your incident response plan been tested in the last 12 months through a tabletop exercise? Yes / No
Do you have a cyber insurance policy with incident response support? Yes / No
If ransomware encrypted your systems right now, could you restore operations within 24 hours from clean backups? Yes / Probably / No
Scoring:
Why this matters: Ohio's breach notification law (ORC § 1349.19) requires notice to affected Ohio residents in the most expedient time possible and no later than 45 days after discovery. An incident response plan that defines the detection, containment, and notification steps ensures you meet that obligation rather than discovering you've missed it while still recovering operations.
Section 6: Ohio Safe Harbor Qualification
Ohio's Data Protection Act (ORC Chapter 1354) provides an affirmative defense against tort claims arising from data breaches for organizations that maintain a written cybersecurity program reasonably conforming to a recognized framework, including NIST CSF, NIST SP 800-171, the CIS Critical Security Controls, ISO 27001, the HIPAA Security Rule, or PCI DSS.
The safe harbor is only available if the program is documented and demonstrably implemented — not claimed without evidence.
Answer these questions:
Do you have a written cybersecurity program aligned to a recognized framework? Yes / No
Is that program documented with evidence of implementation — risk assessment, policy framework, control evidence? Yes / Partially / No
Is the program reviewed and updated at least annually or when your environment changes? Yes / No
Does your IT provider produce compliance documentation that supports the safe harbor requirement? Yes / No
Scoring:
Why this matters: A ransomware event that exposes customer or employee data creates litigation exposure on top of operational damage. The Ohio safe harbor is an affirmative defense, not immunity: it gives an organization with a documented, implemented program a defense against tort claims alleging it failed to use reasonable security controls, and it does not remove notification duties or contractual obligations. Building the program costs far less than defending that litigation without the defense.
Your Overall Readiness Assessment
Count your section ratings:
5-6 sections Ready: Your organization has the foundational ransomware readiness infrastructure in place. Focus on continuous improvement — closing partial items, testing regularly, and maintaining documentation.
3-4 sections Ready: You have meaningful protection in some areas with significant gaps in others. Priority remediation should focus on backup integrity and detection capability first — these determine whether a ransomware event is recoverable or catastrophic.
0-2 sections Ready: Your organization carries significant ransomware exposure. The gap between your current posture and a defensible security program is large enough that a ransomware event in the near term would likely be a business-ending event rather than a recoverable incident.
The Most Common Ohio SMB Gaps
These are the gaps that show up most often in SMB assessments, and they line up with the Verizon DBIR and IBM data:
EDR coverage gaps — most Ohio SMBs have antivirus, not EDR. The detection capability difference is significant.
Untested backups — backups are configured but never restored. The first restoration attempt is during a ransomware recovery.
No after-hours monitoring — ransomware deploys at 2am. Nobody watching means hours of uncontested encryption.
MFA not enforced everywhere — email and VPN without MFA enforcement are the primary entry points.
No written incident response plan — when ransomware hits, nobody knows who calls who or what to do first.
Each of these is addressable. None requires enterprise-level investment. All of them require a security provider that treats prevention as the operating model rather than incident response as the primary service.
To understand what a prevention-first managed security program looks like for Ohio SMBs, visit the Managed Security service page.
To track data breach incidents affecting Ohio businesses and understand the threat landscape specific to your state, the Ohio Breach Tracker gives you current visibility into Ohio-specific breach activity.
The 2026 Cybersecurity Buyer's Guide covers the security program fundamentals every Ohio SMB should understand before evaluating any managed security partner.