Who advises these public agencies? It only requires a few simple policies to reduce risk by 99% but instead they pay PWC probably more than the ransom for 157 pages of generalities and management speak.
A few practical steps, none of which are in that useless tome.
Block Powershell from running through GPs, no standard user needs it. We did it 3 years ago and nobody even noticed yet.
Stop all emails containing pre 2007 Office formats. If suppliers and customers have not updated since Office 2003 we don't want their emails.
Sack anyone who ever types in an elevated credential into a user endpoint.
Segment your networks.
Tapes in a safe are a lot harder to get at than disk to disk backups.
Separate your hypervisor infrastructure and backups from the user network and don't bind hypervisor management to user side NICs.
Use 2 macro execution policies. Users with brains can enable a macro (<5%) and the ones who can't find their rear with both hands simply cannot execute macros.
Apply updates. If the vendor can't supply them get out of their bed and find a new one, not tomorrow or next year. NOW.
Use LAPS because users are idiots.
VLANS are as secure as your switches are.
No user is a local admin. If their software won't run without LA rights then get rid mercilessly. Not that we have found many software items out of 5000 users around the globe that had a problem. A real problem that is as opposed to the user or supplier telling us it won't work.
If your backup is spinning on disks that aren't air spaced from the network you should assume you will have no backups.
All of the above is based on bitter experience. Weirdly I found it a lot easier to persuade the board to spend the money after all the data was gone (including the virtual tapes). They were totally disinterested until that day arrived. 6 months of downtime recovering data from tapes for 100 offices around the world finally convinced them I was not exaggerating the risks. Of course this excludes the tapes which were left in autoloaders as it was too much trouble to keep taking them out each day. They were all formatted for us by the nice guy in Russia who demanded £xxm.
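The "stop pre-2007 Office formats" and "two macro policies" points above can be enforced at the mail gateway by inspecting attachment content rather than trusting the file extension. This is an added example, not code from the commenter; the file samples are constructed inline and the `gate_decision` policy labels are my own naming, not a product's.

```python
"""Attachment gate: reject legacy (pre-2007) binary Office files by content,
flag macro-enabled OOXML files, and ignore the extension the sender chose."""
import io
import zipfile

# OLE2 / Compound File Binary signature shared by legacy .doc, .xls and .ppt
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"          # OOXML (.docx/.xlsx/.pptx) is a zip package
# Package parts whose presence means embedded VBA (macro-enabled document)
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def classify_attachment(data: bytes) -> str:
    """Return 'legacy-ole', 'ooxml-macro', 'ooxml' or 'other' from bytes alone."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" not in names:   # a zip, but not an Office package
            return "other"
        return "ooxml-macro" if any(p in names for p in VBA_PARTS) else "ooxml"
    return "other"


def gate_decision(data: bytes) -> str:
    """Policy (hypothetical labels): legacy formats are rejected outright,
    macro-enabled files are quarantined for the small macro-allowed group,
    everything else is delivered."""
    kind = classify_attachment(data)
    return {"legacy-ole": "reject", "ooxml-macro": "quarantine"}.get(kind, "deliver")


def _build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal Word package for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed samples: note the legacy file disguised with a modern extension
SAMPLES = {
    "quarterly.doc": OLE_MAGIC + b"\x00" * 504,
    "renamed.docx": OLE_MAGIC + b"\x00" * 504,
    "invoice.docm": _build_ooxml(with_vba=True),
    "memo.docx": _build_ooxml(with_vba=False),
}
```

Run `for n, d in SAMPLES.items(): print(n, gate_decision(d))` to see that `renamed.docx` is still rejected, which an extension-only rule would have let through.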