
Ransomware isn’t a rare event anymore—it’s practically inevitable. It’s not about if your organisation will face an attack, but when. This shift means security leaders need to rethink how they approach backup and recovery.
The old way of handling backups—scheduled jobs, restore points, and tape rotations—just doesn’t cut it anymore. Cyber attackers have stepped up their game, and it’s time your defences did too. In this blog, we’ll cover five key rules every security leader should follow to make sure backups remain a reliable last line of defence against today’s threats.
Backup Has Become a Primary Target
Backup and recovery used to be IT's responsibility, mainly focused on fixing hardware issues and user mistakes. But with ransomware on the rise, these tasks are now a key part of incident response and risk management.
Today’s attackers don’t just go after your production systems—they target your backups first, encrypting or deleting them before launching their main attack. This shift leaves organisations vulnerable at the worst possible time, just when recovery is needed most.
A lot of security leaders assume their backup solutions are ready for ransomware, but many haven’t checked key features like immutability, segmentation, or fast recovery. The result? Recovery delays, ransom payments, and compliance issues that could’ve been avoided.
Why These Rules Matter Now
Backup security is more important than ever, and here’s why:
Ransomware is getting smarter and easier to access. With Ransomware-as-a-Service, more people—even with limited skills—can launch harmful attacks using readily available tools.
Hybrid environments need stronger recovery plans. Your data is spread across on-prem servers, cloud platforms, and SaaS apps like Microsoft 365—each requiring its own protection strategy.
Immutable, segmented backups are now a must. Regulations like GDPR and NIS2 expect you to prove your data is secure, available, and reliable.
Cyber insurance is tightening up. Without solid, validated recovery plans, insurers are less likely to cover you. They want assurance you can bounce back quickly and safely.
The pressure to show you’re prepared to recover quickly has never been greater.
The 5 New Rules of Backup
Rule 1: Assume Your Backups Will Be Targeted
Backup systems aren’t just your safety net—they’re part of your threat surface. Attackers actively look for ways to compromise backups, scouting for admin credentials, network access, and deletion permissions.
That’s why your backups need the same security measures as production systems: multi-factor authentication, network segmentation, privileged access management, and constant monitoring. Treat your backup environment like it’s one of your most critical systems—it is.
Rule 2: Immutability Is a Must-Have
Immutability means once a backup is written, it can’t be altered, deleted, or encrypted—not even by administrators—during a set retention period. Think of it as putting your data in a vault that ransomware and insiders can’t touch.
Immutability is typically delivered through WORM (Write Once, Read Many) technology or cloud object storage with immutability settings. This ensures that if attackers compromise your production systems, your recovery copies remain clean and trustworthy.
It’s also a compliance advantage: immutable backups provide auditors with proof of tamper-proof data retention. We’ve broken down immutability in more detail in [this blog].
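As an added illustration of the "cloud object storage with immutability settings" path (example code written for this post, not a vendor's tool), the function below audits an S3-style bucket's Object Lock settings against the bar set above: retention that not even administrators can shorten. The dict shapes mirror what boto3's get_object_lock_configuration() and get_bucket_versioning() return; the sample configurations and the 30-day retention floor are constructed assumptions.

```python
"""Audit whether a bucket's Object Lock settings deliver real immutability.
Constructed example: the sample responses below are not from any real account."""

from dataclasses import dataclass


@dataclass
class Finding:
    immutable: bool
    reasons: list


def audit_object_lock(lock_cfg: dict, versioning: dict, min_days: int = 30) -> Finding:
    """Return whether the bucket enforces tamper-proof retention.

    lock_cfg   -- response of get_object_lock_configuration()
    versioning -- response of get_bucket_versioning()
    min_days   -- retention floor the backup policy requires (assumed value)
    """
    reasons = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        reasons.append("Object Lock is not enabled on the bucket")
    # Object Lock depends on versioning; a suspended bucket quietly loses protection.
    if versioning.get("Status") != "Enabled":
        reasons.append("bucket versioning is not Enabled")
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        reasons.append("no default retention rule: new backups are not locked automatically")
    else:
        # GOVERNANCE mode can be lifted by principals holding s3:BypassGovernanceRetention,
        # so only COMPLIANCE mode meets the "not even administrators" requirement.
        if rule.get("Mode") != "COMPLIANCE":
            reasons.append(f"retention mode is {rule.get('Mode')}, not COMPLIANCE")
        days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
        if days < min_days:
            reasons.append(f"default retention {days}d is below the required {min_days}d")
    return Finding(immutable=not reasons, reasons=reasons)


# Constructed sample responses: one weak setup and one that meets the bar.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
STRONG_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}
VERSIONING_ON = {"Status": "Enabled"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_LOCK), ("strong", STRONG_LOCK)):
        f = audit_object_lock(cfg, VERSIONING_ON)
        print(name, "immutable" if f.immutable else "NOT immutable", f.reasons)
```

The same check applies to any provider whose object store exposes a retention mode and default period; only the response shape changes.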
Rule 3: Keep Backups Separate and Air-Gapped
Separating backups from your main systems limits the damage if your primary environment is compromised. This means using different networks, unique admin credentials, and isolated storage that attackers can’t access from production systems.
Cloud-based air-gapping is a solid option—backups are stored in isolated cloud regions or tenants with their own authentication. The goal is simple: make sure attackers can’t use compromised production credentials to reach your backups.
Rule 4: Test Recovery Like It’s the Real Thing
Don’t just back up—prove you can recover. Include backup recovery in your ransomware response drills. Regular testing helps you find gaps, verify your recovery time objectives, and give your team confidence during an actual incident.
Automated testing tools can even run recovery simulations without disrupting production, so you’re always validating your backups and recovery processes.
Rule 5: Don’t Forget SaaS and Cloud Systems
Platforms like Microsoft 365, Google Workspace, and other cloud services follow shared responsibility models. The provider ensures platform uptime, but protecting your data is on you.
Native retention tools aren’t enough—they lack long-term retention, detailed recovery options, and immutability. Third-party backup solutions fill these gaps, offering proper versioning, point-in-time recovery, and compliance-ready retention policies. Don’t leave your SaaS data unprotected!
Taking Ownership of Backup as a Security Control
The threat landscape has outgrown traditional backup methods. If your backups aren't ransomware-resilient, they’re not effective—or compliant—when you need them most.
Backup isn’t just an IT task; it’s a critical part of your security strategy. These five simple rules can help you modernise your approach and build stronger resilience against today’s threats.
Want to see how it works in practice?
Join our live webinar, ‘How to Build Disaster Recovery Against Ransomware Attacks’, and learn from real-world examples how to create a backup strategy that stands up to modern attacks.