- Educate employees not to fall for phishing e-mails.
- Have up-to-date off-site backups so that, if your systems do get compromised, you can restore them and get your data back without having to pay the ransom.
In the meantime, backups that are physically offline are your first step. Then you should have off-site backups that are also offline.
Start by buying some new hard drives, and use Clonezilla or whatever is popular now to make copies of your existing drives. Put your old drives in the safe, and run on the new ones.
A backup that hasn't been tested is a prayer. You MUST test your backups, regularly. You must have sufficient spares to be able to stand up a new system from scratch using your backups. That new system just has to function, it doesn't need to be as fast as the current one... it just has to actually be good enough to run things for long enough to get proper replacements up and running.
If it is a truly critical system, i.e., people will be harmed or the business will go away if it stops working, it should not be on the internet, and it should have a backup system ready to start at the flip of a switch.
Data diodes are network gateways that can only transmit data in one direction. These should be used to ensure you can monitor a system, but never control it from the outside. (You set up a host inside the critical network to poll data, put it in a ring buffer, then send that buffer with forward error correction through the data diode to another server outside the network that reads the data, corrects for errors and dropped packets, and serves requests for data to the outside world.)
Second - Copy-on-write file systems like BTRFS and ZFS further mitigate things when set up to retain snapshots/checkpoints of past data on disk. Since these can't be modified by subsequent writes of encrypted data, they prevent ransomware from locking you out of your data.
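The "test your backups" point above is easy to automate: restore the backup into a scratch location and compare every file against a manifest taken at backup time, so that a truncated or silently corrupted archive is caught before you need it. The following is an added example, not code from the thread; it uses a tar archive and a temporary directory as stand-ins for a cloned drive and a spare machine, and the sample files it backs up are constructed inline.

```python
"""Restore-test a backup: back up a tree, restore it somewhere fresh, and
verify every file against a sha256 manifest. Added example; the tar archive
stands in for a cloned drive and the scratch directory for a spare machine."""
from __future__ import annotations

import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write src into a .tgz and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore_test(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into an empty scratch directory and return a list of problems.
    An empty list means the backup passed its restore test."""
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # Use the safe 'data' extraction filter where this Python has it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(dest, **kwargs)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing: {rel}")
            elif restored[rel] != digest:
                problems.append(f"corrupt: {rel}")
        for rel in restored:
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Run the restore test against a good archive and a truncated one."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "data"
        (src / "db").mkdir(parents=True)
        # Constructed sample data, not real files.
        (src / "db" / "orders.sqlite").write_bytes(os.urandom(4096))
        (src / "config.ini").write_text("[db]\npath=db/orders.sqlite\n")
        archive = base / "backup.tgz"
        manifest = make_backup(src, archive)
        good = restore_test(archive, manifest)
        # Simulate a backup job that died partway through writing the archive.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = restore_test(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive problems:", good)
    print("truncated archive problems:", bad)
```

Run this from cron against the actual restore target, not the machine that wrote the backup; the manifest must be stored separately from the archive so that a ransomware run that encrypts the backup cannot also rewrite the hashes it is checked against.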
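The ring-buffer-plus-FEC arrangement described in the parenthetical above, as an added example that is not part of the original post: a host inside the protected network drains its ring buffer into fixed-size packets, each block of K data packets gets one XOR parity packet, and the outside receiver checks a CRC, discards corrupted packets as if they had been dropped, and rebuilds any single missing packet per block from the parity. The one-way link is simulated in-process with deterministic drops and one bit flip; the packet layout, the block size K, the fixed body size and the sample readings are all assumptions of this example, and a block that loses two packets is reported as a gap rather than recovered.

```python
"""Simulated data-diode link: inside host drains a ring buffer, sends K data
packets + 1 XOR parity packet per block; outside receiver verifies CRC32 and
reconstructs one lost packet per block. Added example, not the thread's code."""
from __future__ import annotations

import collections
import functools
import struct
import zlib

BODY = 32                        # fixed body size so parity XOR lines up (assumed)
K = 4                            # data packets per FEC block (assumed)
HDR = struct.Struct("!IHH")      # block_id, index (index == K means parity), seq_base
PKT = HDR.size + BODY + 4        # header + body + crc32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RingBuffer:
    """Inside-the-network store of recent readings; bounded, oldest evicted."""
    def __init__(self, capacity: int) -> None:
        self._buf: collections.deque = collections.deque(maxlen=capacity)
        self._seq = 0

    def append(self, reading: bytes) -> None:
        self._buf.append((self._seq, reading))
        self._seq += 1

    def drain(self) -> list[tuple[int, bytes]]:
        items = list(self._buf)
        self._buf.clear()
        return items


def encode_block(block_id: int, records: list[tuple[int, bytes]]) -> list[bytes]:
    """Body = 2-byte length + payload + zero padding; short final block is
    padded with empty bodies (readings are assumed non-empty)."""
    bodies = [struct.pack("!H", len(p)) + p.ljust(BODY - 2, b"\0") for _, p in records]
    assert all(len(p) <= BODY - 2 for _, p in records)
    bodies += [b"\0" * BODY] * (K - len(bodies))
    bodies.append(functools.reduce(xor_bytes, bodies))        # parity packet
    seq_base = records[0][0]
    out = []
    for index, body in enumerate(bodies):
        frame = HDR.pack(block_id, index, seq_base) + body
        out.append(frame + struct.pack("!I", zlib.crc32(frame)))
    return out


class Receiver:
    """Outside host: collects packets, decodes with FEC, serves the result."""
    def __init__(self) -> None:
        self.blocks: dict[int, dict[int, bytes]] = collections.defaultdict(dict)
        self.base: dict[int, int] = {}

    def ingest(self, packet: bytes) -> None:
        if len(packet) != PKT:
            return
        if zlib.crc32(packet[:-4]) != struct.unpack("!I", packet[-4:])[0]:
            return                                            # corrupted: treat as dropped
        block_id, index, seq_base = HDR.unpack(packet[:HDR.size])
        self.blocks[block_id][index] = packet[HDR.size:-4]
        self.base[block_id] = seq_base

    def decode(self) -> tuple[dict[int, bytes], list[int]]:
        """Return (seq -> payload) plus the ids of blocks that could not be rebuilt."""
        records, gaps = {}, []
        for block_id, got in sorted(self.blocks.items()):
            missing = [i for i in range(K) if i not in got]
            if len(missing) == 1 and K in got:                # parity rebuilds one loss
                others = (got[i] for i in range(K + 1) if i != missing[0])
                got[missing[0]] = functools.reduce(xor_bytes, others)
                missing = []
            if missing:
                gaps.append(block_id)
                continue
            for i in range(K):
                (n,) = struct.unpack("!H", got[i][:2])
                if n:
                    records[self.base[block_id] + i] = got[i][2:2 + n]
        return records, gaps


def demo() -> tuple[dict[int, bytes], list[int]]:
    """13 constructed readings -> 4 blocks; inject deterministic faults."""
    rb = RingBuffer(capacity=64)
    for i in range(13):
        rb.append(f"temp={20 + i}".encode())
    items = rb.drain()
    packets = [p for bid, start in enumerate(range(0, len(items), K))
               for p in encode_block(bid, items[start:start + K])]
    drop = {(0, 1), (1, K), (3, 0), (3, 1)}     # block 3 loses two: unrecoverable
    corrupt = {(2, 0)}                           # CRC catches this one
    rx = Receiver()
    for p in packets:
        bid, idx, _ = HDR.unpack(p[:HDR.size])
        if (bid, idx) in drop:
            continue
        if (bid, idx) in corrupt:
            p = p[:HDR.size + 5] + bytes([p[HDR.size + 5] ^ 0xFF]) + p[HDR.size + 6:]
        rx.ingest(p)
    return rx.decode()


if __name__ == "__main__":
    records, gaps = demo()
    print(len(records), "readings recovered; unrecoverable blocks:", gaps)
```

Because nothing flows back through the diode, the receiver can never ask for a retransmit; the parity packet is what buys tolerance of a single loss per block, and the gap list is how the outside host reports the rest honestly instead of serving stale data as current.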