For criminals, ransomware is big business.

The methodology is simple: attackers target a company with malware which encrypts their data, then send a request for money, usually in the form of Bitcoin or another difficult-to-trace cryptocurrency. Should the company refuse to pay up, their data will remain encrypted and inaccessible. Or it might even be shared publicly on the internet.

Given the potential damage both financial and reputational that might result, it’s no wonder that many companies choose to pay the ransom.

Kaspersky Lab noted a thirteen-fold increase in ransomware attacks in the first quarter of 2017 compared to the previous year. With the average cost of a ransomware attack sitting at over $1,000, the danger is a significant one . . . and no company is safe.

Victims range from small businesses to huge organizations, such as the UK’s National Health Service and aeronautical engineering firm Boeing. Whatever the size of your company, protecting data against ransomware is every bit as essential as physically protecting your premises from burglars.

Here are four things you can do to ensure that you are effectively protected against ransomware.

Backup everything, often

A robust backup plan can make all the difference to a company hit by a ransomware attack.

Rolling back to a previous version may make it possible to avoid paying the ransom and resume normal operations. But beware. Ransomware is becoming increasingly sophisticated. Many new viruses are designed to seek out backups and encrypt those as well.

To avoid this worst-case scenario ensure that you employ a backup solution with versioning or one that is physically disconnected from your system, like a cloud backup solution.

Train your staff

Every staff member in your organization is a potential entry point for malware. Many attacks still succeed largely due to human error.

Indeed the “WannaCry” attack which struck Boeing was transmitted by means of a zipped file attached to an email. In order for the malware to take effect, an employee within the organization had to unzip and run the file.

Train your employees to identify fake emails and encourage a culture of double-checking the origin of any suspicious attachments. Also, establish robust procedures for employees to follow when they think they might have exposed a device to malware. A swift response can isolate the machine in question and potentially save thousands of dollars in damages.

Stay up to date

There are many reasons to keep the operating systems, browsers and plugins up to date. Ransomware prevention is just one of them.

Many ransomware attackers gain entry to a system via weaknesses inherent in out-of-date plugins and other tech. By recommending (or, better yet, enforcing) updates, you can stay ahead of the criminals and keep your sensitive data secure.

Employ ransomware protection

Last, but by no means least, you should ensure that every machine (even personal devices used for work purposes) in your organization is running malware protection software from a reputable provider. While no program can prevent every single attack, most will be able to guard against a whole raft of common exploits.

If the worst does happen . . .

If you are subject to a ransomware attack and cannot recover your data from backup, your options are limited.

Paying the ransom might seem like the most sensible course of action, but there have been numerous cases in which doing so didn’t yield a decryption key. If that happens, you’ve only added an extra cost to an already-expensive situation.

An expert might be able to help you mitigate the damage, but it is vastly preferable to avoid attacks in the first place. The time to act is now—protect your data and ensure that your company doesn’t end up on the long list of ransomware victims.