Cybersecurity

Business Backup & Avoiding Ransomware

Ransomware attacks encrypt your business data and demand payment for its return. A properly designed backup strategy — with offsite copies, tested recovery, and clear RTOs — is the most reliable way to recover without paying a ransom.

NH

Nathan Hill-Haimes

Technical Director

7 min read·Mar 2026

Nathan Hill-Haimes Technical Director 7 min read · Mar 2026

Backup is the part of managed cybersecurity most businesses assume is handled until the day they need it. This guide explains how ransomware attacks your backups, what a defensible backup design looks like, and the testing step almost everyone skips.

Why does ransomware go after your backups first?

Modern ransomware does not just encrypt live data and stop. It hunts for backup files and deletes or encrypts them before triggering the final payload, so that by the time staff notice anything wrong, the recovery copies are already gone. This is why on-site-only backup, while better than nothing, offers weak protection against current ransomware campaigns.

The UK Government's Cyber Security Breaches Survey 2025 confirms ransomware remains one of the most financially damaging threats to British SMEs, with total recovery costs — downtime, remediation and reputational harm — regularly running into six figures. The ransom itself, where paid, is rarely the largest line item.

The practical lesson: a backup an attacker can reach with stolen admin credentials is not a backup. It has to be separated and tamper-proof.

What is the 3-2-1 backup rule and does it still work?

The 3-2-1 rule still holds for ransomware resilience: keep 3 copies of your data, on 2 different media types, with 1 copy offsite. For ransomware specifically, that offsite copy must also be immutable — it cannot be altered or deleted, even by an administrator account.

  • 3 copies — the primary plus two backups
  • 2 media types — for example local NAS and cloud object storage
  • 1 offsite copy — physically or logically separated from production, and immutable

Cloud backup platforms such as Veeam, Acronis and Microsoft Azure Backup all support immutability. Microsoft documents immutable, WORM-protected storage that blocks any process — including ransomware — from overwriting backup data. Without immutability, a compromised admin account wipes your cloud copy as easily as your local files.

How do RTO and RPO decide which backup you need?

Two figures drive every backup decision. Recovery Time Objective (RTO) is how long the business can run without its systems before the impact becomes severe. Recovery Point Objective (RPO) is how much data you can afford to lose. Define both before you choose any technology — they dictate the answer.

MetricQuestion it answersTypical SME targetWhat it forces
RTOHow long can we be down?30 min – 4 hoursFaster restore tech, warm standby
RPOHow much data can we lose?15 min – 1 hourContinuous or near-continuous backup

A professional services firm might accept a four-hour RTO; a manufacturer running live ERP might need 30 minutes. A daily backup to tape satisfies neither figure for most modern businesses. RTOs under four hours typically need continuous data protection (CDP) or near-continuous snapshot replication.

How should backup frequency map to data risk?

Not all data deserves the same policy. Financial records, CRM data and operational databases usually warrant hourly or continuous backups. Email archives and static document stores often tolerate a daily window. Run a data classification exercise first, then set frequency per tier — applying one blanket policy across the whole estate wastes money on some data and underprotects the rest.

What are air-gapped and immutable backups?

An air-gapped backup is physically or logically disconnected from your network, so no live software process can reach it. Traditional tape ejected from the drive and stored offsite is one form. Modern equivalents use object storage with write-once-read-many (WORM) policies that stop ransomware overwriting or deleting backup data.

Many SMEs now run a hybrid model: hourly cloud snapshots under WORM policies for fast recovery, plus a weekly encrypted tape rotation to a secure offsite facility for deep archive. That combination gives speed at the top tier and genuine air-gap protection at the deepest retention tier. For Microsoft estates specifically, our Microsoft 365 backup approach covers the SaaS data most businesses wrongly assume Microsoft backs up for them.

Why is testing recovery the step most businesses skip?

A backup that has never been restored is an assumption, not a recovery capability. The NCSC's backup guidance is explicit that organisations should test recovery regularly, ideally with a tabletop exercise that runs a ransomware scenario from detection through to restored operations.

In practice, a credible test programme means:

  • Restoring a random sample of files to verify integrity
  • Periodically running a full system restore to an isolated test environment
  • Recording the actual recovery time achieved against the RTO target
  • Confirming the recovery team can execute without the primary IT contact present

Businesses routinely discover on their first real test that recovery takes three times longer than expected, or that a dependency — a licence server, an Active Directory connection — was never in the backup scope. Better to learn that in a drill than during an incident.

Where does backup sit in a wider ransomware defence?

Backup is your last line of defence, not your only one. A layered design also includes email security to block phishing — the most common ransomware entry point — endpoint detection and response to catch malicious behaviour before encryption starts, network segmentation to limit lateral movement, and privileged access controls so ransomware cannot reach backup systems on stolen admin credentials.

This is where prevention and recovery connect. Phishing protection stops the initial intrusion, while managed detection and response — Microsoft Defender for Endpoint monitored by AMVIA's in-house 24/7 SOC — aims to catch ransomware activity before it touches production data. AMVIA designs backup architectures around realistic RTO and RPO targets, including immutable cloud configurations, as one accountable, security-first, Microsoft-certified provider.

What should you do if ransomware hits?

If ransomware executes, the immediate priorities are: isolate affected systems from the network, preserve forensic evidence before wiping anything, report to the NCSC and — where personal data is involved — to the ICO within 72 hours under UK GDPR, then trigger your incident response plan.

Do not pay the ransom without legal and cybersecurity advice. Payment does not guarantee a working decryption key, and it can attract regulatory scrutiny. The ICO's personal data breach guidance sets out the 72-hour notification duty in detail.

Is Your Backup Ransomware-Ready?

Most businesses only discover backup gaps during an incident. AMVIA can review your current setup and confirm whether it would genuinely protect you from a ransomware attack.

Frequently Asked Questions