In 2026, ransomware attacks represent the biggest cyber threat facing Dutch organisations. The impact of a successful attack goes beyond data loss: operational downtime, reputational damage, fines from regulators and, in some cases, the end of the organisation. An IT audit of ransomware resilience is therefore not a luxury but a necessity.
The first line of defence that an auditor assesses is prevention. Here the auditor looks at patch management: are known vulnerabilities remediated in a timely manner? Many ransomware attacks exploit vulnerabilities for which a patch had already been available for months. The auditor assesses whether there is a structured patching process and whether critical patches are installed within the defined timeframes.
Email security is a second area of preventive focus. The majority of ransomware attacks begin with a phishing email. The auditor checks whether sender authentication is in place and actually enforced (SPF, DKIM and a DMARC policy of quarantine or reject, not merely p=none), whether attachments and links are scanned for malware, and whether employees are trained to recognise phishing.
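As an added illustration (example code written for this article, not a tool from Secure Audit), the check below reads SPF and DMARC records the way an auditor does: it flags a permissive `+all`, a `p=none` policy that only monitors, a partial `pct`, unprotected subdomains, a missing reporting address and the SPF lookup limit. The records in the `__main__` block are constructed for a hypothetical domain; in a real audit you would pass in the output of `dig TXT <domain>` and `dig TXT _dmarc.<domain>`.

```python
"""Check SPF and DMARC TXT records for the weaknesses an auditor looks for.

Added example for this article, not code from Secure Audit. The records used
below are constructed for a hypothetical domain.
"""
import re

# SPF mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", re.I)


def assess_spf(record):
    """Return a list of findings for one SPF record; an empty list means no issue found."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["no valid SPF record (must start with v=spf1)"]
    terms = record.split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):  # the default qualifier is '+', so a bare 'all' passes everyone
        findings.append("SPF ends in +all: any sender passes")
    elif last == "?all":
        findings.append("SPF ends in ?all (neutral): no protection")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        # '~all' (softfail) is acceptable when DMARC is enforcing, so it is not flagged here
        findings.append("SPF has no terminating 'all' mechanism")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups, limit is 10 (receivers return permerror)")
    return findings


def parse_dmarc(record):
    """DMARC records are 'tag=value' pairs separated by semicolons."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings for one DMARC record; an empty list means the policy is enforcing."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC 'p' tag missing or invalid")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy is applied to only {pct}% of failing mail")
    if policy in ("quarantine", "reject") and tags.get("sp", "").lower() == "none":
        findings.append("DMARC sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: nobody receives aggregate reports")
    return findings


def audit_mail_domain(domain, spf_record, dmarc_record):
    """Combine both checks into one entry for the audit file."""
    spf = assess_spf(spf_record)
    dmarc = assess_dmarc(dmarc_record)
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "enforcing": not spf and not dmarc}


if __name__ == "__main__":
    # Constructed records for a hypothetical domain that would fail the audit.
    print(audit_mail_domain(
        "example.com",
        "v=spf1 include:_spf.example.net include:spf.protection.outlook.com +all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    ))
```

The `~all` softfail is deliberately not flagged on its own: with DMARC at `p=reject` it is the common, forwarding-friendly configuration, whereas `+all` or `?all` neutralises SPF regardless of DMARC.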
Access control forms the third pillar. The auditor assesses whether the principle of least privilege has been applied, whether administrative accounts are separated from regular accounts, whether multi-factor authentication is enabled for all remote access and administrative access, and whether there is network segmentation that limits lateral movement.
Detection is at least as important as prevention. The auditor checks whether endpoint detection and response (EDR) has been implemented, whether a security operations centre (SOC) or managed detection and response (MDR) service is active, and whether logging and monitoring are adequate: logs collected centrally, out of reach of an attacker who already controls the endpoint, and actually watched for the early signs of an attack in progress, so that suspicious activity is detected before encryption starts.
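To make "adequate logging and monitoring" concrete, here is an added example (not part of the original article, and not Secure Audit's tooling) of two detections that belong in any ransomware rule set: commands that inhibit system recovery, such as shadow copy deletion, and a burst of file extension changes on a file share. The event format and every log line are constructed for the example; the field names (`type`, `ts`, `host`, `user`, `cmdline`, `old`, `new`) are assumptions to be mapped onto your own EDR, Sysmon or file-audit schema.

```python
"""Sample detection logic for two well-known ransomware precursors.

Added example, not code from the original article or from Secure Audit.
The event schema and all log lines are constructed for this example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that inhibit system recovery (MITRE ATT&CK T1490). A hit is a
# precursor, not proof of ransomware: triage it against change tickets and the
# parent process before declaring an incident.
RECOVERY_INHIBIT_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted via vssadmin"),
    (re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I), "shadow storage resized (discards snapshots)"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copies deleted via wmic"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "Windows backup catalog deleted"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "Windows recovery environment disabled"),
    (re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I), "boot failure recovery disabled"),
]


def detect_recovery_inhibition(events):
    """One finding per process-creation event whose command line matches a pattern."""
    findings = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        cmd = ev.get("cmdline", "")
        for pattern, description in RECOVERY_INHIBIT_PATTERNS:
            if pattern.search(cmd):
                findings.append({"rule": "recovery_inhibition", "host": ev["host"], "user": ev["user"],
                                 "ts": ev["ts"], "detail": description, "cmdline": cmd})
                break
    return findings


def detect_rename_burst(events, threshold=50, window_s=60):
    """Flag a (host, user) that changes the extension of >= threshold files within window_s seconds.
    Mass extension changes are the classic footprint of an encryptor working through a share."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("type") != "file_rename":
            continue
        old_ext = ev["old"].rsplit(".", 1)[-1].lower()
        new_ext = ev["new"].rsplit(".", 1)[-1].lower()
        if old_ext != new_ext:
            by_actor[(ev["host"], ev["user"])].append(datetime.fromisoformat(ev["ts"]))
    findings = []
    window = timedelta(seconds=window_s)
    for (host, user), times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"rule": "mass_rename", "host": host, "user": user,
                                 "ts": times[end].isoformat(),
                                 "detail": f"{end - start + 1} extension changes within {window_s}s"})
                break                          # one finding per actor is enough to page someone
    return findings


def build_sample_events():
    """Constructed JSON event lines (not real logs): benign admin activity, one
    recovery-inhibition sequence on a workstation, and a rename burst on a file server."""
    base = datetime(2026, 3, 1, 9, 15, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    events = [
        {"type": "process", "ts": at(0), "host": "WS-042", "user": "CORP\\jdoe",
         "cmdline": "vssadmin list shadows"},                               # benign: lists only
        {"type": "process", "ts": at(5), "host": "WS-042", "user": "CORP\\jdoe",
         "cmdline": "vssadmin.exe delete shadows /all /quiet"},
        {"type": "process", "ts": at(6), "host": "WS-042", "user": "CORP\\jdoe",
         "cmdline": "bcdedit /set {default} recoveryenabled No"},
        {"type": "process", "ts": at(20), "host": "ADMIN-01", "user": "CORP\\backupsvc",
         "cmdline": "wbadmin start backup -backupTarget:E: -include:C:"},  # benign backup job
    ]
    for i in range(60):  # 60 extension changes in 30 seconds by one account
        events.append({"type": "file_rename", "ts": at(30 + i * 0.5), "host": "FILESRV01",
                       "user": "CORP\\jdoe", "old": f"finance/report_{i}.docx",
                       "new": f"finance/report_{i}.docx.locked"})
    for i in range(3):   # ordinary renames: same extension, different user
        events.append({"type": "file_rename", "ts": at(40 + i), "host": "FILESRV01",
                       "user": "CORP\\asmith", "old": f"drafts/v{i}.xlsx", "new": f"final/v{i}.xlsx"})
    return [json.dumps(e) for e in events]


def run_detections(lines):
    """Parse JSON lines and run both rules; returns the combined list of findings."""
    events = [json.loads(line) for line in lines]
    return detect_recovery_inhibition(events) + detect_rename_burst(events)


if __name__ == "__main__":
    for finding in run_detections(build_sample_events()):
        print(finding)
```

The threshold and window are tuning knobs: set them from a baseline of normal rename activity on the share, and raise the priority when the same account also appears in a recovery-inhibition finding, as `CORP\jdoe` does in the sample data.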
Backup and recovery form the final line of defence. The auditor checks compliance with the 3-2-1 backup rule: at least three copies, on two different types of media, one of which is offsite. It is crucial that backups are protected against ransomware through immutable storage or offline (air-gapped) copies: a backup that is reachable over the network with the same domain credentials the attacker has captured will be encrypted or deleted alongside the production data. Restore tests must demonstrate that data can actually be recovered, and within the recovery time the organisation has defined.
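The restore test can be made repeatable with a manifest: at backup time record a SHA-256 per file and store it with the immutable copy, then after a restore compare the restored tree against it so that silently missing, truncated or extra files are reported rather than discovered during a real incident. The script below is an added example written for this article, not Secure Audit's procedure; it creates its own constructed sample files in temporary directories so it runs offline, and `verify_restore()` is what you would point at the directory a real restore produced.

```python
"""Restore-test verification against a SHA-256 manifest.

Added example, not from the original article. Sample files and the simulated
lossy restore in demo() are constructed so the script runs offline.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> sha256 for every regular file under root.
    In practice this runs as part of the backup job and the result is kept with the immutable copy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest and report every deviation."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "ok": not (missing or corrupted or unexpected),
        "verified": len(manifest) - len(missing) - len(corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
    }


def demo():
    """Simulate a backup, then a restore that silently lost one file and truncated another."""
    # Constructed sample data, not real backup content.
    files = {
        "finance/ledger.csv": b"id,amount\n1,100\n2,250\n",
        "hr/contracts.txt": b"constructed sample contract text\n",
        "README": b"restore me\n",
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(src)          # taken at backup time

        for rel, data in files.items():         # the "restore": one file lost, one truncated
            if rel == "hr/contracts.txt":
                continue
            path = os.path.join(dst, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data[:5] if rel == "README" else data)
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

A restore that "completed successfully" according to the backup console but fails this comparison is exactly the finding an auditor wants to see surfaced in a test rather than during an incident; keep the manifest out of reach of the same credentials that can delete the backup, or it proves nothing.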
The incident response plan specifically for ransomware is also assessed. Is there a decision tree for whether or not to pay a ransom? Are communication lines documented? Is there a relationship with an incident response team or forensic specialist? Is the plan exercised periodically?
Secure Audit systematically assesses the ransomware resilience of organisations in its IT audits and provides concrete recommendations for improvement. Contact us for a ransomware readiness assessment.
About the author
Partner | IT Auditor