Concerns over ransomware locking you out of sensitive files and a host of malware infecting your critical systems seem to have everyone scrambling for effective answers. I think many are missing some very simple steps that can be quite effective. I work from a home office, where I have several systems (for testing, various projects, etc.). The solution I use there is obviously on a much smaller scale than most office networks, but it can provide some suggestions. Here are some steps I take:
1. If I am using the web in any way that could possibly lead to malware, then I use a browser that is inside a virtual machine running a different OS than the host, and running its own anti-malware software (which is also different from the host's anti-malware). So for malware to infect the host machine it would need to first circumvent the anti-malware on the VM, then jump the VM/host boundary, then be able to infect both the VM operating system and the host operating system, and finally evade the host anti-malware. To date, I have not even heard of a virus that can do that.
2. To avoid ransomware (should it be able to circumvent everything just mentioned), I have all sensitive files backed up to a 4 terabyte network drive. However, that drive remains encrypted and disconnected from the network. It is only connected when I wish to perform a backup or recover files, which is in turn only done after a malware scan on the machine doing the backup or restore. By disconnected from the network, I mean that I literally unplug it, then plug it in when needed.

3. For particularly sensitive operations I use a separate machine, one that is not usually connected to my home-office network.

4. Encrypted partitions are left encrypted until actually needed. I decrypt them just long enough to work on that project, then re-encrypt them.

5. My passwords are passphrases that meet complexity requirements and are changed frequently. An example I use in books and classes (not one I really use on my systems) that can easily be remembered but would be hard to break: !l!k3cH33s3burg3rsFromburG3rk!ng is 32 characters long but easy to remember.
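A small policy checker for passphrases of the kind item 5 describes, as an added example that is not part of the original post. The thresholds (at least 16 characters, at least three character classes, no run of the same character longer than three) are my assumptions, not a policy the post states; the bits figure is a plain brute-force-space estimate, not true entropy, since a passphrase built from dictionary words is more guessable than its character mix suggests.

```python
"""Passphrase policy check: long, memorable, mixed character classes.

Added example, not from the original post. The policy thresholds below are
assumptions chosen for illustration."""
import math
import string
from typing import List

MIN_LENGTH = 16    # assumption: minimum passphrase length
MIN_CLASSES = 3    # assumption: lower/upper/digit/symbol classes required
MAX_RUN = 3        # assumption: longest allowed run of one repeated character

# Character classes with the size of each alphabet, used for the estimate.
CLASSES = (
    ("lowercase", str.islower, 26),
    ("uppercase", str.isupper, 26),
    ("digits", str.isdigit, 10),
    ("symbols", lambda c: c in string.punctuation, len(string.punctuation)),
)


def classes_present(passphrase: str) -> List[str]:
    """Names of the character classes that occur at least once."""
    return [name for name, test, _ in CLASSES if any(test(c) for c in passphrase)]


def longest_run(passphrase: str) -> int:
    """Length of the longest run of one repeated character (e.g. 'aaaa' -> 4)."""
    best = run = 0
    prev = None
    for c in passphrase:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def brute_force_bits(passphrase: str) -> float:
    """Rough size of the search space in bits: length * log2(alphabet size),
    where the alphabet is the union of the classes actually used. This is an
    upper bound on effort, not the real entropy of a word-based passphrase."""
    alphabet = sum(size for name, _, size in CLASSES if name in classes_present(passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def policy_failures(passphrase: str) -> List[str]:
    """Every rule the passphrase breaks; an empty list means it is accepted."""
    failures = []
    if len(passphrase) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_present(passphrase)) < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character classes")
    if longest_run(passphrase) > MAX_RUN:
        failures.append(f"run of one character longer than {MAX_RUN}")
    return failures


if __name__ == "__main__":
    # The post's classroom example passphrase (not a real credential).
    for candidate in ("!l!k3cH33s3burg3rsFromburG3rk!ng", "password", "aaaaaaaaaaaaaaaaaaaa"):
        print(candidate, policy_failures(candidate) or "accepted",
              f"{brute_force_bits(candidate):.1f} bits")
```

Run it as a script to see each candidate, its failures, and the size estimate; the classroom passphrase passes all three rules and lands above 200 bits of brute-force space, while an eight-letter lowercase word stays under 40.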

Now these are steps on a smaller scale than most organizations work on. But you can adapt them:
1. Workstations can have a VM with a different OS and browser as part of their normal configuration. So if you are a Windows shop, workstations get a VM with Linux. The users need not really know Linux, just be able to click on the browser in the GUI. This would prevent a host of malware infections.
2. Sensitive files should be backed up to a non-networked device at some interval. It may not be practical to do so daily, but you can do it with some frequency.
3. All backup/restore operations should only occur after a malware scan.

Just some security suggestions I usually make to my classes.


Chuck Easttom