Why backups need more than copies

Backups alone don’t stop breaches. If backups are accessible, writable, or poorly protected, attackers and ransomware can delete or corrupt them. To reduce risk you must: encrypt backups, make some copies immutable, and separate recovery paths (air-gaps). Together these controls protect confidentiality, integrity and availability of recovery data.

How encrypted backups protect against breaches

Encryption secures backup data so that, even if an attacker gains storage access, files remain unreadable without the keys. Proper encryption addresses two main threats:

• Data theft: at-rest encryption (AES-256) prevents unauthorized disclosure if storage or snapshots are exfiltrated.
• Tampering & ransomware: when combined with integrity checks, immutability and key separation, encryption prevents attackers from making a usable copy.

Best practices:

• Use industry-standard encryption for data at rest (AES-256) and in transit (TLS 1.2+).
• Prefer customer-managed keys (CMK) or a KMS/HSM for key separation — this limits an attacker who compromises backup storage but not key management.
• Enable per-file checksums or cryptographic integrity checks so corrupt or altered files are detectable during recovery.

Immutable backups vs regular backups explained

Regular backups

Regular backups are readable and writable by the backup system for routine operations (prune, lifecycle, retention changes). They are efficient but can be vulnerable if attackers gain write access.

Immutable backups

Immutable backups are configured so stored objects cannot be modified or deleted for a defined retention period. Examples:

• S3 Object Lock (governance or compliance mode)
• WORM appliances and object stores offering write-once semantics
• Immutable snapshots on backup platforms (retention-locked backups)

Immutable backups are vital when you need guaranteed recovery points that ransomware cannot erase or alter.

When to use each

• Use regular backups for frequent, space-efficient snapshots and rapid restores.
• Use immutable backups for long-term retention and to protect against targeted deletion by attackers or ransomware.
• Combine both: keep recent frequent recoverable copies plus separate immutable vaults for critical data.

Air-gapped backup options for SMBs

An air-gap means a recovery copy is separated from the primary network so attackers cannot reach it. Practical SMB-friendly options:

• Offline drives: Regularly export verified backups to external drives and store them offline in a locked location.
• Removable media vaulting: Use removable media (tape or disk) and maintain an offsite vault rotation schedule.
• Cloud vaults with restricted access: Use immutable/cloud vault storage with separate credentials and KMS access controls.
• Isolated restore network: Keep a dedicated isolated network or recovery environment that is not connected to production until needed.

For SMBs that want cloud simplicity, consider a managed provider that offers immutable object storage, CMK support, and a separate recovery account or project to simulate an air-gap.

How to secure backups from ransomware attacks

1. Enforce role-based access control (least privilege) on backup configuration and storage.
2. Use MFA for admin and backup-restore accounts.
3. Separate credentials and key management for backups (use CMKs and rotate keys periodically).
4. Enable immutability for a portion of your backup estate (critical systems and long-term retention).
5. Keep offline or air-gapped copies for at least one recovery window (3-2-1-1 rule: 3 copies, 2 media types, 1 offsite, and 1 air-gapped).
6. Monitor backup logs and integrity checks for unusual deletions or failed writes.

How to test ransomware recovery (playbook)

Testing is the only reliable way to ensure recovery works. A small, repeatable drill:

1. Define objectives: RTO (time-to-restore) and RPO (acceptable data loss) for each system.
2. Select test data: Use representative datasets (not production directly) or snapshot a recent backup.
3. Isolate a recovery environment: Use an air-gapped or isolated network to restore without risk of reinfection.
4. Perform the restore: Restore files, databases, or full systems and validate integrity (hashes, application checks).
5. Validate applications: Boot critical services and run health checks or smoke tests.
6. Document time taken: Compare the actual RTO to the target and record lessons learned.
7. Update runbooks: Fix any gaps and repeat tests quarterly or after major changes.

Practical checklist for immediate protection

• Enable encryption in transit and at rest (TLS 1.2+ and AES-256).
• Use customer-managed keys (KMS/HSM) where possible.
• Enable immutability/WORM on critical backups (S3 Object Lock or equivalent).
• Implement an air-gapped copy (offline media or isolated cloud vault).
• Schedule and test restores quarterly; maintain runbooks.
• Limit and monitor access: RBAC + MFA for backup admins.
• Keep at least one long-retention immutable copy for compliance/ransomware recovery.

FAQ

Next steps & resources

For a backup solution designed for small businesses and individuals, see our product pages and policies:

• Backup for Small Business — managed plans and SMB guidance
• Backup for Individuals — secure, automatic personal backups
• Data Processing Agreement (DPA) — data controls and compliance
• Privacy Policy — how we protect personal data