Ransomware has fundamentally changed the backup conversation for UK businesses. It is no longer sufficient to simply have backups — you need backups that cannot be compromised, encrypted, or deleted by an attacker who has gained access to your network. Traditional backup approaches, where backup data sits on a network-connected storage device or in a cloud repository accessible via standard credentials, are increasingly vulnerable to sophisticated ransomware attacks that specifically target backup systems before encrypting production data.
Air-gapped backups represent the ultimate line of defence against this threat. An air-gapped backup is a copy of your data that is physically or logically isolated from your network, making it impossible for ransomware — or any network-based attack — to reach, modify, or destroy the backup. If everything else fails — if your servers are encrypted, your cloud backups are compromised, and your online recovery options are exhausted — an air-gapped backup gives you a guaranteed path to recovery.
This guide explains what air-gapped backups are, why they have become essential for UK businesses, how different air-gap technologies work, and how to implement an air-gapped backup strategy that provides maximum protection without creating unmanageable operational complexity.
Why Traditional Backups Are No Longer Enough
The ransomware threat landscape has evolved dramatically since the early days of indiscriminate attacks. Modern ransomware operators — many of them organised criminal gangs operating out of Eastern Europe and Russia — conduct targeted, methodical attacks that can unfold over weeks or months. They gain initial access through phishing emails, vulnerable remote access points, or compromised credentials, then move laterally through the network, escalating privileges and mapping the environment before deploying ransomware.
Critically, these attackers now specifically seek out and compromise backup systems as part of their attack methodology. They look for backup servers, identify backup schedules, compromise backup administrator credentials, and either encrypt or delete backup data before deploying ransomware to production systems. The goal is to eliminate every recovery option, leaving the victim with no choice but to pay the ransom.
This means that a backup stored on a network-attached storage device, a backup server connected to your domain, or a cloud backup accessible via credentials that an attacker could steal, is no longer a guaranteed recovery path. If the attacker can reach your backup, they will destroy it. Only data that is physically or logically unreachable from the compromised network remains safe.
The National Cyber Security Centre (NCSC) explicitly recommends that UK organisations maintain an offline or air-gapped backup as part of their ransomware defence strategy. Their guidance states that organisations should "keep an offline backup of your data, in a location that is separate from your network and systems." The NCSC also recommends that this backup is tested regularly to ensure it can be used for recovery. For businesses seeking Cyber Essentials Plus certification, demonstrating a robust backup strategy including offline or air-gapped copies strengthens the overall security assessment.
What Is an Air-Gapped Backup?
An air-gapped backup is a copy of your data that is isolated from your network and systems by an "air gap" — a physical or logical separation that prevents any network-based access to the backup data. The term originates from military and government security practices, where classified systems are physically disconnected from all networks to prevent unauthorised access.
In the context of business data protection, air-gapping can be achieved through several methods, each offering different levels of isolation, convenience, and cost. The three primary approaches are physical air gaps (using removable media that is disconnected and stored separately), logical air gaps (using technology that makes backup data immutable and inaccessible to network-connected systems), and cloud-based immutable storage (using cloud features that prevent any modification or deletion of stored data, even by administrators).
Air-Gapped Backup: Protected
- Physically or logically isolated from network
- Cannot be encrypted by ransomware
- Cannot be deleted by compromised admin accounts
- Provides guaranteed recovery path
- Meets NCSC and Cyber Essentials requirements
- Survives total network compromise
- Independent of production infrastructure
- Time-locked retention prevents premature deletion
Network-Connected Backup: Vulnerable
- Accessible from the network via standard protocols
- Can be encrypted by ransomware alongside production data
- Admin credentials can be used to delete backups
- No recovery if attacker targets backup systems
- May not satisfy regulatory requirements
- Compromised when the network is compromised
- Depends on production infrastructure
- Backups can be silently corrupted over time
Air-Gap Technologies Compared
Understanding the different air-gap technologies helps you choose the approach that best fits your business requirements, budget, and operational capabilities. Each method has distinct advantages and trade-offs.
| Method | Isolation Level | Automation | Cost | Best For |
|---|---|---|---|---|
| Removable USB/HDD (rotated off-site) | Physical — highest | Manual rotation required | Low (£200-£500) | Very small businesses |
| RDX Cartridges | Physical — high | Semi-automated | Medium (£500-£2,000) | SMEs with structured processes |
| LTO Tape | Physical — highest | Automated with tape library | High (£3,000-£15,000) | Larger businesses, compliance-driven |
| Immutable Cloud Storage (S3 Object Lock) | Logical — high | Fully automated | Medium (per-GB pricing) | Cloud-first businesses |
| Veeam Hardened Repository | Logical — high | Fully automated | Medium-High | Virtualised environments |
| Datto / BCDR Appliance | Logical — high | Fully automated | High (subscription model) | MSP-managed environments |
Implementing a Physical Air Gap
A physical air gap provides the strongest isolation because the backup media is completely disconnected from all systems and networks when not actively being written to. The most common physical air-gap methods for UK businesses are rotating external drives and LTO tape.
For smaller UK businesses, a rotating set of external USB hard drives or RDX cartridges provides a simple and affordable physical air gap. The process works as follows: maintain at least three external drives in rotation. Each day (or each backup cycle), connect one drive to the backup server, run the backup, then disconnect the drive and store it in a secure location — ideally a fire-rated safe on-site and a secondary copy at an off-site location such as a bank safe deposit box or a director's home. The following day, use the next drive in the rotation. This ensures that even if one drive is connected during an attack, the other two drives are safely disconnected and available for recovery.
For larger organisations or those with more demanding compliance requirements, LTO tape remains the gold standard for physical air-gapped backup. Modern LTO-9 tapes store up to 18TB of native data (45TB compressed) per cartridge, with transfer speeds sufficient for enterprise backup windows. Tape libraries automate the backup process, and cartridges are physically removed and stored off-site for maximum protection. Many UK financial services firms, legal practices, and healthcare organisations use LTO tape specifically because it satisfies regulatory requirements for offline data protection.
Implementing a Logical Air Gap
A logical air gap uses technology rather than physical disconnection to isolate backup data. While not as absolute as a physical air gap, a properly implemented logical air gap provides strong protection against ransomware and is significantly easier to automate and manage.
The most common logical air-gap technologies for UK businesses include immutable cloud storage (such as AWS S3 Object Lock or Azure Immutable Blob Storage), which allows data to be written once and prevents any modification or deletion for a defined retention period. Even if an attacker compromises your AWS or Azure credentials, they cannot delete or modify data protected by immutability policies. The retention period is enforced at the platform level, making it immune to credential-based attacks.
Veeam's Hardened Linux Repository is another popular logical air-gap option for businesses with virtualised environments. This approach uses a dedicated Linux server configured with no SSH access and immutable backup flags, ensuring that backup data cannot be modified or deleted from the network. The server accepts backup data only through the Veeam backup engine and rejects all other access attempts.
The 3-2-1-1-0 Backup Rule
The traditional 3-2-1 backup rule (three copies, two media types, one off-site) has evolved to address the ransomware threat. The modern best practice for UK businesses is the 3-2-1-1-0 rule: three copies of your data, on two different media types, with one copy off-site, one copy air-gapped or immutable, and zero errors (verified through regular testing).
The addition of the air-gapped copy and the zero-errors requirement reflects the current threat landscape. The air-gapped copy ensures recovery even in the worst-case scenario, while the zero-errors requirement emphasises that untested backups are unreliable backups. A backup that has never been restored is a hope, not a strategy.
Testing Your Air-Gapped Backups
An air-gapped backup that has never been tested is a liability disguised as a safety net. Regular testing is essential to verify that backup data is complete, uncorrupted, and restorable within your recovery time objectives.
Conduct restore tests at least quarterly. For physical air-gapped media, this means connecting the backup drive or loading the tape, initiating a restore of representative data (a mixture of files, databases, and application data), and verifying that the restored data is complete and usable. For logical air-gap solutions, initiate a restore from the immutable storage to a test environment and verify data integrity.
Document the results of every test, including the time taken to restore, any errors encountered, and the actions taken to resolve them. This documentation serves dual purposes: it confirms that your backup strategy works, and it provides evidence for compliance audits and regulatory reviews. The ICO and other regulatory bodies look favourably on organisations that can demonstrate a tested and documented backup strategy.
Protect Your Data with Air-Gapped Backups
Cloudswitched designs and implements air-gapped backup solutions for UK businesses of all sizes. From rotating physical media for small offices to enterprise-grade immutable cloud storage and LTO tape libraries, we tailor the solution to your data volumes, compliance requirements, and budget. Do not wait for a ransomware attack to discover that your backups are vulnerable.
Secure Your Backups Today
CloudSwitched
Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.