Ransomware has become the single most destructive cyber threat facing UK businesses. The NCSC (National Cyber Security Centre) has repeatedly warned that ransomware attacks are increasing in both frequency and sophistication, targeting organisations of every size across every sector. According to the UK Government's Cyber Security Breaches Survey, ransomware now accounts for a significant proportion of the most disruptive cyber incidents reported by British businesses.
What makes modern ransomware particularly devastating is its evolving tactics. Today's ransomware does not simply encrypt your live data and demand payment. Sophisticated attacks now specifically target backup systems, deleting or encrypting backup files before activating the ransomware on production systems. The attackers understand that if they can destroy your backups alongside your live data, you have no choice but to pay the ransom — or lose everything.
Immutable backups are the technology response to this threat. By creating backup copies that literally cannot be modified or deleted — not by administrators, not by ransomware, not by anyone — immutable backups ensure that you always have a clean copy of your data to restore from, regardless of how sophisticated the attack.
Why Traditional Backups Are No Longer Enough
Traditional backup strategies were designed to protect against hardware failures, accidental deletions, and natural disasters. They work on the assumption that the backup infrastructure itself is safe — that if a server fails, the backup tapes or disks are intact and ready to restore from. This assumption is no longer valid in the age of targeted ransomware.
Modern ransomware groups — including those specifically targeting UK businesses such as LockBit, BlackCat (ALPHV), and Clop — follow a methodical attack pattern. They gain initial access (often through phishing emails or exploited vulnerabilities), spend days or weeks silently mapping the network, identify and compromise backup systems, delete or encrypt backup files and shadow copies, and only then deploy the encryption payload across production systems.
By the time you see the ransom note, your backups may already be destroyed. If your backup infrastructure uses standard storage that can be accessed and modified by network administrators (or by attackers who have stolen administrator credentials), then your backups are vulnerable to exactly the same attack as your production systems.
The classic 3-2-1 backup rule (three copies of data, on two different media types, with one copy offsite) remains a solid foundation for data protection. However, it does not address the ransomware threat if all three copies can be reached and encrypted by an attacker with compromised admin credentials. Immutable backups add a critical fourth dimension to the 3-2-1 rule: at least one copy must be immutable — completely unchangeable for a defined retention period, regardless of who requests the change.
What Makes a Backup Immutable?
An immutable backup is one that cannot be altered, deleted, or encrypted after it has been written — for a specified retention period. The immutability is enforced at the storage level, not by the backup software alone. This means that even if an attacker gains full administrator access to your backup server, they cannot modify or delete the immutable backup copies.
There are several technical approaches to achieving immutability, each with different characteristics.
Object Lock (S3-Compatible Cloud Storage)
Cloud storage services like Amazon S3, Azure Blob Storage, and Wasabi support object lock functionality that prevents objects from being deleted or overwritten for a specified retention period. Once data is written with object lock enabled, it is immutable until the retention period expires — even the storage account administrator cannot override this protection. This is one of the most popular approaches for UK businesses using cloud backup solutions.
WORM Storage (Write Once, Read Many)
WORM storage has been used in regulated industries for decades to ensure data integrity. Modern WORM implementations use either specialised hardware or software-defined storage that physically prevents data modification after writing. WORM compliance is often required in financial services, healthcare, and legal sectors for audit trail integrity.
Air-Gapped Backups
An air-gapped backup is physically disconnected from the network. Because there is no network path to the backup media, ransomware cannot reach it. Tape backup remains the most common air-gapped solution, though some businesses achieve air-gapping by physically disconnecting USB drives or portable storage after backup completion. The drawback is that air-gapped backups require manual handling and are typically less frequent than online backups.
Immutable Backup Benefits
- Ransomware cannot encrypt or delete backup data
- Compromised admin credentials cannot affect backups
- Guaranteed clean restore point always available
- Compliance with data retention regulations
- Protection against insider threats
- Audit-ready proof of data integrity
- Reduces pressure to pay ransom demands
Traditional Backup Risks
- Admin credentials can be used to delete backups
- Ransomware can encrypt backup files on network shares
- Shadow copies routinely deleted by ransomware
- Backup software APIs can be exploited
- No guarantee backup is clean at restore time
- Retention policies can be overridden by attackers
- Creates false sense of security
Implementing Immutable Backups for Your Business
Implementing immutable backups does not require replacing your entire backup infrastructure. Most modern backup solutions support immutability as a configuration option when paired with compatible storage. Here are the most common approaches for UK businesses.
Cloud-Based Immutable Backup
The most accessible approach for UK SMEs is to use a cloud backup solution that supports immutability. Products such as Veeam Backup and Replication (with S3-compatible object lock storage), Datto SIRIS and ALTO, Acronis Cyber Protect, and Druva offer immutable cloud backup capabilities. These solutions write backup data to cloud storage with object lock enabled, ensuring that backup copies cannot be tampered with.
For UK data residency requirements, ensure your chosen solution stores data in UK-based data centres. AWS has data centres in London (eu-west-2), Azure operates UK South (London) and UK West (Cardiff) regions, and providers like Wasabi offer UK-based storage options.
On-Premises Immutable Storage
For businesses that prefer or require on-premises backup storage, products such as ExaGrid provide tiered backup storage with a dedicated immutability tier. The immutable tier uses a non-network-facing architecture where backup data is written once and cannot be modified or deleted through any network-accessible interface. Even if the primary backup storage is compromised, the immutable tier remains protected.
| Solution Type | Immutability Method | UK Data Centre | Typical Cost (25 users) | Recovery Speed |
|---|---|---|---|---|
| Cloud backup (Veeam + S3) | Object Lock | AWS London / Azure UK South | £200–£500/month | Hours (depends on data volume) |
| Cloud BDR (Datto) | Proprietary cloud immutability | UK data centres available | £400–£800/month | Minutes (instant virtualisation) |
| On-premises (ExaGrid) | Tiered WORM storage | Your premises | £5,000–£15,000 (one-off) | Very fast (local restore) |
| Air-gapped tape | Physical disconnection | Your premises / offsite vault | £100–£300/month | Hours to days |
The NCSC Position on Backup Resilience
The NCSC explicitly recommends that UK organisations protect their backups against ransomware. Their guidance on mitigating ransomware attacks states that organisations should maintain offline backups that are not accessible from the network, test backup restores regularly, and ensure that backup credentials are separate from standard administrative accounts. Immutable backup technology directly addresses these recommendations by providing an additional layer of protection that remains effective even when other defences fail.
For UK businesses pursuing Cyber Essentials or Cyber Essentials Plus certification, demonstrating robust backup practices including immutability strengthens your overall security posture. Whilst Cyber Essentials does not explicitly mandate immutable backups, the scheme's emphasis on protecting against common cyber attacks aligns perfectly with the principles of immutable data protection.
The impact of immutable backups on ransomware recovery outcomes
Testing and Validating Your Immutable Backups
Immutable backups are only valuable if they can be successfully restored when needed. Regular testing is essential — not just verifying that backup jobs complete, but actually restoring data from immutable storage and confirming that applications work correctly with the restored data.
Schedule quarterly restore tests at minimum, and ideally monthly for business-critical systems. Document the test results, including restore times, data integrity verification, and any issues encountered. This documentation serves both as operational assurance and as evidence for compliance and insurance purposes — cyber insurance providers increasingly ask about backup testing practices when assessing claims.
Protect Your Business with Immutable Backups
Cloudswitched implements immutable backup solutions for UK businesses, ensuring your data is protected against ransomware, accidental deletion, and insider threats. From cloud-based immutable storage to on-premises WORM solutions, we design and manage backup infrastructure that gives you confidence in your ability to recover from any incident. Contact us for a backup resilience assessment.
ASSESS YOUR BACKUP RESILIENCE
CloudSwitched
Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.