
Business Backup & Avoiding Ransomware

Ransomware attacks encrypt your business data and demand payment for its return. A properly designed backup strategy — with offsite copies, tested recovery, and clear RTOs — is the most reliable way to recover without paying a ransom.


Nathan Hill-Haimes

Technical Director

7 min read·Mar 2026

Why ransomware targets your backups first

Most ransomware variants don't simply encrypt your live data and stop. Before triggering the final encryption payload they look for anything that would let you recover without paying: backup files and catalogs, Volume Shadow Copies, mapped backup shares and any NAS volume the compromised account can reach, and they delete or encrypt those first. By the time staff notice anything is wrong, local backups may already be gone. This is why traditional on-site backup solutions, whilst better than no backup at all, offer limited protection against modern ransomware campaigns.
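The backup-destruction step described above is also the most reliable early warning you get, because the commands involved (shadow copy deletion, backup catalog deletion, disabling Windows recovery) are almost never run legitimately on a workstation. The following is an added example, not code from this article or from AMVIA: a small detector that runs a set of command-line rules over Sysmon-style process-creation events, raises severity when the parent process lives in a user-writable folder, and correlates multiple hits per host. The log records, host names and user names are constructed sample data; the field names follow Sysmon Event ID 1 as a log shipper would forward them in JSON lines.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (Event ID 1) as JSON lines.
# Sample data written for this example, not real telemetry.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"host": "ws-014", "user": "ACME\\jsmith",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\inv0ice.exe"},
    {"host": "ws-014", "user": "ACME\\jsmith",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\inv0ice.exe"},
    {"host": "ws-022", "user": "ACME\\abrown",
     "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "srv-bk01", "user": "ACME\\svc_backup",
     "Image": "C:\\Windows\\System32\\wbadmin.exe",
     "CommandLine": "wbadmin start backup -backupTarget:E: -include:C: -quiet",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "ws-022", "user": "ACME\\abrown",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\abrown\\notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
])

# Command lines that destroy or disable local recovery points (MITRE ATT&CK
# T1490, Inhibit System Recovery). A scheduled backup job ("wbadmin start
# backup") must not match; only the destructive verbs are listed.
RULES = [
    ("vssadmin: delete shadow copies",
     r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("vssadmin: shrink shadow storage",
     r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b"),
    ("wmic: delete shadow copies",
     r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("wbadmin: delete backup catalog",
     r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b"),
    ("bcdedit: disable Windows recovery",
     r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
]
COMPILED = [(name, re.compile(p, re.IGNORECASE)) for name, p in RULES]

# A parent process running from a user-writable location (a freshly dropped
# "invoice" in %TEMP%) turns a high-severity hit into a critical one.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Temp)\\",
    re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines input into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Run every rule over every event's CommandLine and return the alerts raised."""
    alerts = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        for name, rx in COMPILED:
            if rx.search(cmd):
                alerts.append({
                    "rule": name,
                    "host": ev.get("host"),
                    "user": ev.get("user"),
                    "parent": parent,
                    "severity": "critical" if USER_WRITABLE.search(parent) else "high",
                    "command": cmd,
                })
    return alerts


def hosts_with_multiple_hits(alerts):
    """Hosts on which two or more distinct rules fired; ransomware typically
    chains several recovery-inhibition commands within seconds."""
    rules_per_host = defaultdict(set)
    for a in alerts:
        rules_per_host[a["host"]].add(a["rule"])
    return sorted(h for h, rules in rules_per_host.items() if len(rules) >= 2)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"[{a['severity']}] {a['host']} {a['user']}: {a['rule']} <- {a['parent']}")
    print("hosts to isolate first:", hosts_with_multiple_hits(found))
```

In a real deployment these rules would sit in the EDR or SIEM and the "critical" tier would trigger automatic host isolation; the point of the correlation step is that a single hit on a server during a maintenance window is worth a look, while two different recovery-inhibition commands on one workstation inside a minute is the encryption payload about to run.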

According to the UK government's Cyber Security Breaches Survey, ransomware remains one of the most financially damaging threats facing British SMEs, with average recovery costs — including downtime, remediation and reputational harm — frequently exceeding six figures. The payment itself, where organisations choose to pay, is rarely the largest cost.

The 3-2-1 backup rule and why it still matters

The 3-2-1 rule is a well-established framework that remains highly relevant for ransomware resilience:

  • 3 copies of your data — the primary copy and two backups
  • 2 different media types — for example, local NAS and cloud storage
  • 1 offsite copy — physically or logically separated from your primary environment

For ransomware protection specifically, the offsite copy must also be immutable: for a defined retention period it cannot be modified or deleted by anyone, including an administrator account or the owner of the cloud tenant. Veeam, Acronis and Microsoft Azure Backup all offer immutability options, but check which mode you have enabled. Object storage typically offers a locked or compliance mode that nobody can shorten once it is set, and a softer governance or unlocked mode that a suitably privileged account can override or remove. Only the former protects you from an attacker holding admin credentials. Without it, a compromised admin account can wipe your cloud backup just as easily as your local data.

Understanding Recovery Time Objectives and Recovery Point Objectives

Before choosing a backup solution, every business should define two figures:

  • Recovery Time Objective (RTO): How long can your business operate without access to its data or systems before the impact becomes severe? For a professional services firm, this might be four hours. For a manufacturing operation with live ERP systems, it might be 30 minutes.
  • Recovery Point Objective (RPO): How much data can you afford to lose? If your RPO is one hour, your backup solution must capture changes at least every 60 minutes.

These figures drive the technology decision, and they are separate problems. A daily backup to tape satisfies neither for most modern businesses: the RPO is at best a day, and a restore from tape is measured in hours before validation even begins. A tight RPO calls for frequent snapshots, continuous data protection (CDP) or near-continuous replication, so that little work is lost. A tight RTO calls for something that can be brought online quickly, such as replicated virtual machines or a platform that can boot a workload directly from backup storage. Capturing changes every five minutes does nothing for your RTO if the restore still takes twelve hours.
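The arithmetic behind those two figures is where plans tend to go wrong, so here is a small planning model as an added example (written for this article, not AMVIA's tooling). Two points it makes explicit: the worst-case data loss from a scheduled job is the interval plus the job's own duration, not the interval alone, because a change made just after a job starts reading is not captured until the next job finishes; and restore time is dominated by dataset size divided by measured restore throughput plus fixed overheads, regardless of how often you back up. The dataset size, throughput and overhead figures in the usage are assumed values for illustration.

```python
from dataclasses import dataclass


@dataclass
class BackupSchedule:
    interval_min: float       # minutes between job starts
    job_duration_min: float   # wall-clock time for one job to complete


@dataclass
class RestorePath:
    dataset_gb: float
    throughput_mb_s: float    # sustained restore throughput in MB/s, measured in a test restore
    fixed_overhead_min: float # detection, decision, provisioning a clean target, validation


def worst_case_rpo_min(s: BackupSchedule) -> float:
    """Largest possible gap between the last consistent copy and the moment of loss."""
    return s.interval_min + s.job_duration_min


def estimated_rto_min(r: RestorePath) -> float:
    """Time to usable data: fixed overheads plus bulk transfer at the measured rate."""
    transfer_min = r.dataset_gb * 1024 / r.throughput_mb_s / 60
    return r.fixed_overhead_min + transfer_min


def max_interval_for_rpo(target_rpo_min: float, job_duration_min: float) -> float:
    """Longest schedule interval that still meets the RPO, given the job's duration."""
    if job_duration_min >= target_rpo_min:
        raise ValueError("the backup job takes longer than the RPO; it needs to be faster, "
                         "or the data needs CDP/replication instead of scheduled jobs")
    return target_rpo_min - job_duration_min


def assess(s: BackupSchedule, r: RestorePath, rpo_target_min: float, rto_target_min: float) -> dict:
    """Compare the achievable figures with the targets the business has set."""
    rpo = worst_case_rpo_min(s)
    rto = estimated_rto_min(r)
    return {
        "rpo_min": round(rpo, 1), "rpo_met": rpo <= rpo_target_min,
        "rto_min": round(rto, 1), "rto_met": rto <= rto_target_min,
    }


if __name__ == "__main__":
    # Assumed figures: hourly jobs that take 20 minutes; a 2 TB dataset restored at
    # 100 MB/s with an hour of overhead; targets of 1 hour RPO and 4 hours RTO.
    print(assess(BackupSchedule(60, 20), RestorePath(2048, 100, 60), 60, 240))
    print("max interval for a 60 min RPO with 20 min jobs:", max_interval_for_rpo(60, 20))
```

With those assumed inputs the hourly schedule misses a one-hour RPO (80 minutes worst case) and the restore misses a four-hour RTO by almost three hours, which is exactly the surprise the recovery test later in this article tends to produce.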

Mapping backup frequency to risk

Financial data, CRM records and operational databases typically warrant hourly or continuous backups. Email archives and static document stores may tolerate a daily backup window. The key is to perform a data classification exercise rather than applying a single policy across the entire estate.

Air-gapped and immutable backups explained

An air-gapped backup is one that is physically or logically disconnected from your network. Traditional tape backups ejected from a drive and stored offsite are a true air gap. Modern cloud-based equivalents use object storage with write-once-read-many (WORM) policies, so that no software process, including ransomware or a backup agent whose credentials have been stolen, can overwrite or delete backup data until the retention period expires. This is a logical rather than a physical gap: the data is still reachable over the network, so the cloud account itself still needs protecting, with credentials separate from the production domain, multi-factor authentication on the console, and no standing delete rights for the backup service account.

Some organisations are now implementing a hybrid approach: hourly cloud snapshots with WORM policies, plus a weekly encrypted tape rotation to a secure offsite facility. This approach satisfies both speed of recovery (cloud) and depth of archive (tape), whilst providing genuine air-gap protection at the deepest retention tier.
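The immutability caveats from the 3-2-1 section and the WORM description above come down to a handful of settings that are easy to get subtly wrong, so here is an added example of an audit check, written for this article rather than taken from AMVIA or any vendor. It assumes an S3 Object Lock target (AWS S3 or an S3-compatible store of the kind Veeam and Acronis write to) and works over the JSON structures returned by `aws s3api get-object-lock-configuration`, `get-bucket-versioning` and `get-object-retention`; the two bucket configurations, the retention dates and the policy threshold are constructed sample data. The check it adds that people forget: default retention only applies to objects written after it was set, so you also sample a recent backup object and confirm it is actually locked, in compliance mode, far enough into the future.

```python
from datetime import datetime, timedelta, timezone

# Minimum retention the policy requires (assumed value for this example).
MIN_RETENTION_DAYS = 30

# Fixed audit time so the example is deterministic.
AUDIT_TIME = datetime(2026, 3, 15, tzinfo=timezone.utc)

# Constructed responses in the shape of the three S3 API calls, for two
# hypothetical buckets. Invented data, not output from a real account.
GOOD_BUCKET = {
    "lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
    "versioning": {"Status": "Enabled", "MFADelete": "Disabled"},
    "sample_object": {"Retention": {"Mode": "COMPLIANCE",
                                    "RetainUntilDate": "2026-04-15T00:00:00+00:00"}},
}
WEAK_BUCKET = {
    "lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
    "versioning": {"Status": "Suspended"},
    "sample_object": {},   # the backup job never set a retention on its objects
}


def default_retention_days(rule: dict) -> int:
    """Object Lock expresses default retention as Days or Years; normalise to days."""
    r = rule.get("DefaultRetention", {})
    return int(r.get("Days", 0)) + 365 * int(r.get("Years", 0))


def audit_bucket(bucket: dict, now: datetime, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Return a list of findings; an empty list means the bucket meets the policy."""
    findings = []
    cfg = bucket["lock"].get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        # Without Object Lock, any principal with s3:DeleteObjectVersion can wipe the backup.
        return ["Object Lock is not enabled on the bucket"]
    rule = cfg.get("Rule", {})
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE is overridable by any principal granted s3:BypassGovernanceRetention,
        # which a compromised admin account will have. COMPLIANCE cannot be shortened by anyone.
        findings.append(f"default retention mode is {mode!r}, not COMPLIANCE")
    days = default_retention_days(rule)
    if days < min_days:
        findings.append(f"default retention is {days} days, policy requires {min_days}")
    if bucket["versioning"].get("Status") != "Enabled":
        findings.append("bucket versioning is not Enabled")
    retention = bucket["sample_object"].get("Retention")
    if not retention:
        # Default retention only covers uploads made after it was configured, so a
        # recently written backup object is the real proof that data is locked.
        findings.append("sampled backup object carries no retention")
    else:
        until = datetime.fromisoformat(retention["RetainUntilDate"])
        if retention.get("Mode") != "COMPLIANCE":
            findings.append(f"sampled object is locked in {retention.get('Mode')!r} mode")
        if until < now + timedelta(days=min_days):
            findings.append(f"sampled object is only locked until {until.date()}")
    return findings


if __name__ == "__main__":
    for name, b in (("good", GOOD_BUCKET), ("weak", WEAK_BUCKET)):
        print(name, audit_bucket(b, AUDIT_TIME) or ["OK"])
```

Azure's immutable storage has the same split under different names (a locked time-based retention policy versus an unlocked one that can be edited or removed), so the shape of the check carries over even though the field names do not.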

Testing your recovery — the step most businesses skip

A backup that has never been successfully restored is an untested assumption, not a recovery capability. The NCSC recommends that organisations test recovery procedures at least quarterly, ideally including a full tabletop exercise that simulates a ransomware scenario from initial detection through to restored operations.

In practice, this means:

  • Selecting a random sample of files and restoring them to verify integrity
  • Periodically performing a full system restore to an isolated test environment
  • Documenting the actual recovery time achieved versus the RTO target
  • Confirming that staff responsible for recovery know the procedure and can execute it without the primary IT contact being available

Many businesses discover during their first test that recovery takes three times longer than expected, or that critical dependencies — a licence server, an Active Directory connection — were not included in the backup scope.
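A restore test only proves something if you compare what came back against what went in, rather than checking that the job reported success. The following is an added example of the mechanics behind the first three bullets above, written for this article and not part of any backup product: a SHA-256 manifest taken at backup time, a verification pass over a random sample (or all) of the restored files that reports missing and corrupted entries, and a report of achieved recovery time against the RTO target. The demo builds a small tree in a temporary directory, stands in for the backup and restore with plain directory copies, then deliberately corrupts one restored file and deletes another to show what a failing test looks like; the file names, sizes and the 240-minute RTO are constructed values.

```python
import hashlib
import os
import random
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> digest, computed at backup time and stored with the backup."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path, sample_size=None, seed=None) -> dict:
    """Compare restored files with the manifest. sample_size=None checks everything."""
    names = sorted(manifest)
    if sample_size is not None and sample_size < len(names):
        names = sorted(random.Random(seed).sample(names, sample_size))
    missing, mismatched = [], []
    for rel in names:
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != manifest[rel]:
            mismatched.append(rel)
    return {"checked": len(names), "missing": missing, "mismatched": mismatched}


def recovery_report(started: float, finished: float, rto_target_min: float, verification: dict) -> dict:
    """Record achieved recovery time against the RTO and whether the data is trustworthy."""
    achieved_min = (finished - started) / 60
    return {
        "achieved_min": round(achieved_min, 3),
        "rto_target_min": rto_target_min,
        "within_rto": achieved_min <= rto_target_min,
        "integrity_ok": not verification["missing"] and not verification["mismatched"],
    }


def run_demo(rto_target_min: float = 240):
    """Build a sample tree, back it up, restore it, break the restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        for folder in ("ledger", "docs"):            # constructed sample data set
            (src / folder).mkdir(parents=True)
            for i in range(10):
                (src / folder / f"{i:02d}.dat").write_bytes(os.urandom(1024))
        manifest = build_manifest(src)               # taken when the backup is made
        shutil.copytree(src, tmp / "backup")         # stands in for the backup job

        started = time.monotonic()
        restored = tmp / "restored"
        shutil.copytree(tmp / "backup", restored)    # stands in for the restore job
        finished = time.monotonic()

        # Two failure modes a real test surfaces: a file corrupted in transit and a
        # file that was never in the backup scope.
        (restored / "ledger" / "03.dat").write_bytes(b"truncated by a failed restore")
        (restored / "docs" / "05.dat").unlink()

        verification = verify_restore(manifest, restored)
        return verification, recovery_report(started, finished, rto_target_min, verification)


if __name__ == "__main__":
    v, r = run_demo()
    print(v)
    print(r)
```

Store the manifest somewhere the backup job cannot overwrite (the immutable tier is the obvious place), otherwise an attacker who can tamper with backups can tamper with the evidence that they are intact. For a quarterly test, a random sample with a recorded seed is enough to catch systematic corruption; the periodic full restore is where you check everything.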

Backup as part of a wider ransomware defence

Backup strategy is your last line of defence, not your only one. A layered approach includes email security to block phishing (the most common ransomware entry point), endpoint detection and response (EDR) to catch malicious behaviour before encryption begins, network segmentation to limit lateral movement, and privileged access controls to prevent ransomware from reaching backup systems using stolen admin credentials.

AMVIA works with UK SMEs to design and implement backup architectures that meet realistic RTO and RPO requirements, including immutable cloud backup configurations and managed detection and response services that aim to catch ransomware activity before it reaches production data.

What to do if you are hit

If ransomware does execute, the immediate priorities are: isolate affected systems from the network, preserve forensic evidence before wiping, report to the NCSC and — where applicable — the ICO within 72 hours under UK GDPR, and engage your incident response plan. Do not pay the ransom without taking legal and cybersecurity advice; payment does not guarantee decryption and may trigger regulatory scrutiny.

Is Your Backup Ransomware-Ready?

Most businesses only discover backup gaps during an incident. AMVIA can review your current setup and confirm whether it would genuinely protect you from a ransomware attack.
