How Encrypted Backups Protect Against Breaches
A layered backup strategy that combines strong encryption, immutability and air-gapped design dramatically reduces the impact of data breaches and ransomware.

Why backups need more than copies
Backups alone don’t stop breaches. If backups are accessible, writable, or poorly protected, attackers or ransomware can delete or corrupt them. To reduce risk you must: encrypt backups, make some copies immutable, and separate recovery paths (air-gaps). Together these controls protect confidentiality, integrity and availability of recovery data.
How encrypted backups protect against breaches
Encryption secures backup data so that, even if an attacker gains storage access, files remain unreadable without keys. Proper encryption addresses two threats:
- Data theft: At-rest encryption prevents unauthorized disclosure if storage is exfiltrated or accessed.
- Tampering and ransomware: Encryption on its own does not stop modification; combined with integrity checks and immutability, it keeps attackers from passing off a tampered backup as a valid, readable one.
Implement encryption end-to-end: client-side (before upload) plus transport (TLS). Use strong algorithms and protect keys with strict access controls or a dedicated key management service. Zero-knowledge or customer-controlled keys provide the highest confidentiality.
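The client-side step described above can be sketched as follows. This is an added example, not code from this page or from any backup product. It assumes the third-party Python `cryptography` package is installed, and the function names and the object name used as associated data are hypothetical.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size AES-GCM is designed around


def encrypt_backup(key: bytes, plaintext: bytes, object_name: str) -> bytes:
    """Encrypt on the client; only nonce || ciphertext+tag leaves the machine."""
    nonce = os.urandom(NONCE_LEN)  # must never repeat under the same key
    # The object name is authenticated (not encrypted) as associated data, so a
    # valid blob copied over a different backup object fails to decrypt.
    return nonce + AESGCM(key).encrypt(nonce, plaintext, object_name.encode())


def decrypt_backup(key: bytes, blob: bytes, object_name: str) -> bytes:
    """Return the plaintext, or raise ValueError if the blob fails authentication."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, object_name.encode())
    except InvalidTag:
        raise ValueError(f"{object_name}: authentication failed, do not restore") from None


def demo() -> dict:
    key = AESGCM.generate_key(bit_length=256)  # in practice held in a KMS, not beside the data
    data = b"constructed sample: customer ledger 2024"
    name = "ledger/2024-06-01.bak"  # hypothetical object name
    blob = encrypt_backup(key, data, name)

    results = {"roundtrip": decrypt_backup(key, blob, name) == data,
               "plaintext_visible": data in blob}

    tampered = bytearray(blob)
    tampered[20] ^= 0x01  # flip one ciphertext bit, as storage-level tampering would
    cases = {
        "tamper_rejected": (key, bytes(tampered), name),
        "swap_rejected": (key, blob, "ledger/2024-06-02.bak"),
        "wrong_key_rejected": (AESGCM.generate_key(bit_length=256), blob, name),
    }
    for label, args in cases.items():
        try:
            decrypt_backup(*args)
            results[label] = False
        except ValueError:
            results[label] = True
    return results


if __name__ == "__main__":
    print(demo())
```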
Immutable backups vs regular backups explained
Understanding immutability helps you choose the right retention model.
Regular backups
Regular backups can be modified or deleted by authorized users or compromised accounts. They are flexible for routine restores but vulnerable if those credentials are stolen.
Immutable backups
Immutable backups (write-once, read-many — WORM) cannot be altered or deleted for a defined retention period. This prevents ransomware or malicious actors from modifying or removing recovery points.
When to use each
- Keep recent regular backups for fast restores and versioning.
- Retain immutable copies for a longer window to guarantee recoverability after an attack.
Air-gapped backup options for SMBs
Air-gapping separates backup copies from production networks so threats there cannot reach all recovery points. SMBs have practical, cost-effective choices:
- Physical air-gap: Rotate external drives or tape offline and store them offsite. Simple and inexpensive but requires physical handling and tested procedures.
- Network air-gap (logical): Use a segregated network or VLAN with strict access rules; ensure backups can’t be written over that interface from production systems.
- Cloud air-gap patterns: Use a separate cloud account, separate credentials, or immutable object-lock features (for example, Wasabi or AWS S3 Object Lock). Keep keys and admin access isolated.
- Hybrid: Combine local fast restores, immutable cloud copies, and an offline copy for maximum resilience.
For SMBs, the simplest effective approach is encrypted client-side backups to a cloud that supports immutability, plus a periodic offline copy.
How to secure backups from ransomware attacks
Mitigating ransomware is about prevention and ensuring recoverability. Key practices:
- Encrypt backups both in transit and at rest; limit who can access keys.
- Use immutable retention for a portion of backups to guard against in-place tampering.
- Isolate backup credentials and service accounts using least privilege and MFA.
- Segment networks and adopt air-gap patterns so production compromises can’t reach all copies.
- Monitor backup logs and alerts for unusual deletions or access patterns.
- Maintain documented recovery procedures and test them regularly (see below).
These steps align with guidance from cybersecurity authorities such as CISA and the EU's ENISA.
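For the monitoring item in the list above, the following added example (not from the original page) flags a burst of backup deletions by one account and any retention change. The JSON field names, action names and thresholds are constructed for illustration and do not follow a specific vendor's log schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events; field and action names are assumptions.
SAMPLE_LOG = """\
{"ts":"2024-06-01T02:00:05Z","principal":"svc-backup","action":"PutObject","key":"daily/0601.bak"}
{"ts":"2024-06-01T02:10:00Z","principal":"svc-backup","action":"DeleteObject","key":"daily/0501.bak"}
{"ts":"2024-06-01T14:03:10Z","principal":"admin-jo","action":"DeleteObject","key":"daily/0529.bak"}
{"ts":"2024-06-01T14:03:12Z","principal":"admin-jo","action":"DeleteObject","key":"daily/0530.bak"}
{"ts":"2024-06-01T14:03:15Z","principal":"admin-jo","action":"DeleteObject","key":"daily/0531.bak"}
{"ts":"2024-06-01T14:03:16Z","principal":"admin-jo","action":"PutBucketLifecycle","key":""}
{"ts":"2024-06-01T14:03:20Z","principal":"admin-jo","action":"DeleteObject","key":"daily/0601.bak"}
"""

DELETE_ACTIONS = {"DeleteObject"}
# A change to retention settings deserves an alert on its own.
RETENTION_ACTIONS = {"PutBucketLifecycle", "PutObjectRetention"}


def find_alerts(log_text, max_deletes=3, window=timedelta(minutes=5)):
    """Return (ts, principal, reason) tuples for suspicious backup-store activity."""
    recent = defaultdict(deque)  # principal -> delete timestamps inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        who = ev["principal"]
        if ev["action"] in RETENTION_ACTIONS:
            alerts.append((ev["ts"], who, "retention policy changed"))
        elif ev["action"] in DELETE_ACTIONS:
            q = recent[who]
            q.append(ts)
            while ts - q[0] > window:  # drop deletes older than the window
                q.popleft()
            if len(q) == max_deletes:  # alert when the count reaches the threshold
                alerts.append((ev["ts"], who, f"{len(q)} deletes within {window}"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```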
How to test ransomware recovery with air-gap backups
Testing is the only way to be confident your air-gap and immutable controls work under pressure. A simple test plan for SMBs:
- Define scope and objectives: Which systems and files will you restore? Define RTO and RPO targets.
- Create a safe test environment: Use an isolated network or sandbox to avoid impacting production.
- Simulate a compromise: Mark a set of files as “corrupted” or replace them with encrypted copies to mimic ransomware.
- Execute recovery from air-gapped/immutable copy: Restore selected files and systems using documented runbooks.
- Validate integrity and functionality: Verify files open, applications run, and users can work.
- Measure and document results: Record restore times, failures, issues and update runbooks accordingly.
- Remediate gaps: Improve controls, increase retention, or adjust isolation based on findings.
Automate test schedules (quarterly or biannual) and include key stakeholders: IT, security, and business owners.
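The test plan above can be rehearsed end to end in a throwaway directory. This is an added example, not part of the original article; the file names, the 5-second RTO and the `restore` function (a stand-in for the real restore tool) are assumptions.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file's relative path to its SHA-256, as recorded at backup time."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def restore(backup: Path, target: Path) -> None:
    """Stand-in for the real restore tool: copy every file from the backup copy."""
    for src in backup.rglob("*"):
        if src.is_file():
            dst = target / src.relative_to(backup)
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes(src.read_bytes())


def run_drill(rto_seconds: float = 5.0) -> dict:
    with tempfile.TemporaryDirectory() as tmp:  # isolated test environment
        prod, vault = Path(tmp, "prod"), Path(tmp, "vault")
        # Constructed sample data standing in for the systems in scope.
        files = {"finance/ledger.csv": b"id,amount\n1,100\n", "docs/plan.txt": b"Q3 plan\n"}
        for root in (prod, vault):
            for name, body in files.items():
                (root / name).parent.mkdir(parents=True, exist_ok=True)
                (root / name).write_bytes(body)
        expected = manifest(vault)  # in a real drill, stored with the immutable copy

        # Simulate the compromise: replace production files with unreadable bytes.
        for name in files:
            (prod / name).write_bytes(b"\x00ENCRYPTED\x00" + name.encode())
        damaged = [n for n, h in manifest(prod).items() if h != expected[n]]

        start = time.monotonic()
        restore(vault, prod)  # recover from the air-gapped/immutable copy
        elapsed = time.monotonic() - start

        # Validate integrity: every restored file must match the recorded hash.
        failed = [n for n, h in manifest(prod).items() if h != expected.get(n)]
        return {"damaged_before": sorted(damaged), "failed_after": failed,
                "restore_seconds": elapsed, "rto_met": elapsed <= rto_seconds}


if __name__ == "__main__":
    print(run_drill())
```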
Practical checklist for immediate protection
- Enable client-side encryption or provider-side encryption with customer-managed keys.
- Configure immutable retention for critical data (legal, financial, customer records).
- Isolate backup accounts and protect with MFA and strict IAM rules.
- Keep an offline or off-account copy as an air-gapped fallback.
- Document and test recovery procedures regularly.
Conclusion
When combined, encryption, immutability and air-gap strategies significantly reduce the damage of a breach. That is how encrypted backups protect against breaches: they keep stolen data unreadable, preserve untampered recovery points, and ensure a separate path to restore operations. For small businesses, start with encrypted automated backups, add immutable copies, and maintain at least one isolated recovery option.
Learn more about practical backup options for small teams on our Backup for Small Business page and how AgooCloud’s managed service uses encryption and secure storage to help you recover quickly.
FAQ
How do encrypted backups protect against breaches?
Encryption makes backup data unreadable without keys, preventing data theft. Combined with immutability and air-gaps, it ensures attackers cannot read, alter, or delete recovery copies.
How to secure backups from ransomware attacks?
Use end-to-end encryption, immutable retention for some copies, isolated backup accounts, least-privilege access, MFA, monitoring, and regular recovery tests.
Immutable backups vs regular backups — which do I need?
Both. Regular backups provide flexibility and quick restores; immutable backups provide guaranteed recovery points that ransomware cannot alter or delete. Use a mix based on RTO/RPO needs.
What air-gapped backup options are practical for SMBs?
Options include rotating offline drives/tape, segregated backup networks, using separate cloud accounts with object-lock/immutable features, or a hybrid of these.
How to test ransomware recovery with air-gap backups?
Create an isolated test environment, simulate data loss, perform restores from air-gapped/immutable copies, validate integrity, measure recovery time, and update your runbook.
