Yes I had already read that post on securing any RDP access. We already require VPN for remote access but it did occur to me that someone cold possibly have brute forced the router password and connected that way so i have also set that to allow remote only from one IP address. Having said that our suspicion is that a member of staff opened an infected email. on both occasions the day before the attacks myself and several members of staff received the "from the HMRC" email. Also only four computers were encrypted, both servers the backup manager PC and one client. Anyway that is an aside as there is no way to know as everything has been restored from cloud backup. My concern was just that i had your AV set up the optimum way. I am also thinking of adding a USB disconnect utility so that the USB backup drive is connected just before the backups and disconnected just after they finish. My thinking is that the data would be safe if the drive was disconnected (logically not physically). Also is there any benefit from running a complete scan on a Sunday?
Any suggestions would be appreciated, thank you for your help.