Immutable, Offline and Cloud Backups: The Last Line of Defence Against Ransomware and Human Error.
A Sligo retail business had backups. They ran every night to a network-attached storage device in the back office. When ransomware activated across their systems on a Thursday morning, the backups were encrypted alongside everything else. The NAS was connected to the same network. The ransomware found it. Three years of transaction records, customer data, and supplier information — gone.
This is the most common backup failure pattern in Irish SME ransomware incidents. The backup existed. It was connected. The attackers knew to look for it.
What Makes a Backup Actually Useful Against Ransomware?
A backup that is accessible from the same network as your primary systems can be encrypted by ransomware alongside those systems. A useful backup is one that the ransomware cannot reach — either because it is physically disconnected, stored in an immutable cloud location, or both.
The 3-2-1 rule has been the standard backup guidance for two decades: three copies of your data, on two different media, with one stored offsite. In a ransomware context, that rule needs updating. The offsite copy must also be either physically offline or immutably stored — meaning it cannot be overwritten or deleted even by a user with administrative access to your systems.
The Three Types of Backup Irish SMEs Should Know
Connected cloud backups are the most common type Irish SMEs use — services like Microsoft 365 backup, Google Workspace backup, or basic cloud storage synchronisation. They are convenient and automatic. They are also the most vulnerable: if ransomware encrypts your files and your cloud storage synchronises the encrypted versions over the originals, the cloud backup reflects the encrypted state. Many cloud backup services have versioning that can mitigate this, but versioning is not enabled by default on all platforms and is not a substitute for an isolated copy.
Immutable cloud backups are stored in a location where data cannot be modified or deleted for a defined retention period — even by an administrator. Services like AWS S3 Object Lock, Azure Immutable Blob Storage, and dedicated backup platforms with immutability features provide this. An immutable backup cannot be encrypted by ransomware because the ransomware cannot overwrite or delete the stored data. This is the most important backup type for ransomware defence.
Offline backups — physical media that is disconnected from all networks after the backup completes — provide absolute isolation. A USB drive or tape that is unplugged and stored offsite after each backup run cannot be reached by ransomware regardless of what access the attacker achieves. The limitation is practicality: for many Irish SMEs, daily physical media rotation is operationally challenging. A hybrid approach — immutable cloud backup as the primary defence, supplemented by periodic offline copies — is practical for most businesses.
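For the immutable cloud backups described above, "even by an administrator" depends on how the lock is configured. The sketch below is an added example, not part of the original article: it audits an S3 Object Lock configuration, taking dictionaries in the shape boto3 returns from get_object_lock_configuration() and get_bucket_versioning(). The sample responses are constructed, and the 30-day minimum is an assumption chosen to outlast the two-to-four-week dwell time the article mentions.

```python
# Added example: audit an S3 Object Lock configuration offline.
# The SAMPLE_* dictionaries are constructed; they mirror the response shape of
# boto3's s3.get_object_lock_configuration() and s3.get_bucket_versioning().

SAMPLE_COMPLIANT = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 35}}}}
SAMPLE_GOVERNANCE = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 14}}}}
VERSIONING_ON = {"Status": "Enabled"}


def audit_object_lock(lock_resp, versioning_resp, min_days=30):
    """Return a list of findings; an empty list means the bucket passes.

    min_days is an assumed policy value, not an AWS default.
    """
    findings = []
    if versioning_resp.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    cfg = lock_resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append("no default retention: uploads are unprotected "
                        "unless each one sets its own retention")
        return findings
    # DefaultRetention carries either Days or Years.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"retention is {days} days, below the {min_days}-day minimum")
    if retention.get("Mode") != "COMPLIANCE":
        # Governance mode can be overridden by any principal holding
        # s3:BypassGovernanceRetention, so it is not admin-proof.
        findings.append("GOVERNANCE mode can be bypassed by privileged users")
    return findings


if __name__ == "__main__":
    for name, resp in (("compliant", SAMPLE_COMPLIANT), ("governance", SAMPLE_GOVERNANCE)):
        print(name, audit_object_lock(resp, VERSIONING_ON) or "OK")
```

In practice the two dictionaries would come from the live API calls for the backup bucket, run with read-only credentials.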
Do you know whether your current backup is connected to the same network as your primary systems? This is the single most important question about your backup strategy — and most business owners do not know the answer. Book a free 20-minute strategy call — we can review your current backup configuration.
What Attackers Do to Backups Specifically
Modern ransomware operators understand backup strategies. The dwell time between initial access and ransomware activation — often two to four weeks — is partly spent locating and compromising backup systems. Common techniques include deleting Volume Shadow Copies (Windows' built-in snapshots), disabling backup agents, encrypting backup repositories that are network-accessible, and corrupting backup catalogues so restores fail even if the data appears intact.
This means the question is not only whether your backup is connected — it is also whether the attacker had enough time and access to compromise it during their dwell period. A backup that was healthy two weeks ago may not be healthy today if an attacker has been inside your network.
This is why testing your backup is as important as having it. A backup that has not been restored from is a backup with an unknown failure rate. Ransomware operators have destroyed businesses that believed they had working backups and discovered — only after the attack activated — that the backups were corrupted, incomplete, or otherwise unrestorable.
The Recovery Time Question
Backup strategy is not only about whether you can recover. It is about how quickly. For a Donegal professional services firm, the difference between a 24-hour recovery and a seven-day recovery is the difference between a difficult week and a business-threatening event.
Recovery time depends on two things: the recovery point objective — how recent is the backup you are restoring from, and how much work will need to be redone — and the recovery time objective — how long the restore process takes given the volume of data and the speed of the restore mechanism.
Cloud-based immutable backups from reputable platforms typically support recovery within hours for typical SME data volumes. Physical media recovery can take days, particularly if the media is stored offsite and must be physically retrieved. Knowing your recovery time before an incident allows you to make informed decisions. Discovering it during an incident, under pressure, is the worst time to find out it is longer than expected.
Why This Matters Right Now
The NCSC Ireland and the Data Protection Commission both reference backup and recovery capability as a core operational resilience requirement. Under NIS2, organisations in scope are required to maintain documented backup, disaster recovery, and crisis management procedures [^1]. Under GDPR, personal data must be protected against accidental loss, destruction, or damage — and the ability to restore data in a timely manner following a physical or technical incident is specifically referenced [^2].
Regardless of regulation, the practical case is simple. A tested, isolated backup is the difference between a ransomware attack costing you two days of disruption and a ransomware attack ending your business. The cost of getting this right is a fraction of the cost of getting it wrong.
What Next
Find out whether your backup is connected to your main network. Ask your IT provider directly: can this backup be reached by someone who has administrator access to our main systems? If the answer is yes, it can also be reached by ransomware.
Enable immutability on your cloud backup. If you use Microsoft 365, Azure, AWS, or a dedicated backup service, ask your IT provider to confirm whether immutable backup is configured and for how long data is protected.
Test a restore this month. Choose a sample of files — a folder from three months ago, an email archive, a key database. Ask your IT provider to restore them. Verify they are complete and usable. Document the time it took. This single test tells you more about your backup than any configuration review.
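One way to make "complete and usable" measurable in the restore test above, as an added example that is not part of the original article: record a SHA-256 manifest when the backup is taken, then time the restore and compare every restored file against it. The restore_fn callable, the file names and the damaged restore in demo() are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its SHA-256, taken at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def run_restore_test(manifest, restore_fn, dest):
    """Time restore_fn(dest), then compare the restored tree with the manifest."""
    started = time.monotonic()
    restore_fn(dest)
    elapsed = time.monotonic() - started
    restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest.keys() & restored.keys()
                       if manifest[k] != restored[k])
    return {"ok": not missing and not corrupted, "missing": missing,
            "corrupted": corrupted, "restore_seconds": round(elapsed, 3)}


def demo():
    """Constructed sample: one file comes back truncated, one not at all."""
    with tempfile.TemporaryDirectory() as tmp:
        source, dest = Path(tmp, "source"), Path(tmp, "restored")
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "accounts" / "suppliers.csv").write_text("id,name\n1,Acme\n")
        (source / "notes.txt").write_text("quarter end\n")
        manifest = build_manifest(source)  # keep this with the isolated copy

        def damaged_restore(target):  # stands in for the real restore job
            (target / "accounts").mkdir(parents=True)
            (target / "accounts" / "ledger.csv").write_text("id,amount\n")
            (target / "notes.txt").write_text("quarter end\n")

        return run_restore_test(manifest, damaged_restore, dest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only trustworthy if it is stored where an intruder on the main network cannot alter it, for example alongside the immutable or offline copy.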
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- Ransomware 101: How Attacks Really Start in Irish SMEs
- How to Test Your Backups and Disaster Recovery Instead of Just Trusting They Work
- What Would One Week of IT Outage Actually Cost Your Business?
[^1]: NCSC Ireland — NIS2 Business Continuity Guidance
[^2]: Data Protection Commission Ireland — GDPR Article 32
[^3]: An Garda Síochána — National Cyber Crime Bureau
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.