In the current threat landscape, where ransomware groups target UK SMEs with increasing sophistication, the standard "backup" is no longer enough. Many businesses believe that as long as they have a copy of their data stored on an external drive or a standard cloud folder, they are safe. However, modern ransomware is designed to seek out and encrypt these connected backups alongside your primary files. If your backup is accessible to your network, it is vulnerable. This is where "Immutable Backups" move from being a technical buzzword to an essential pillar of your cyber resilience strategy. In this guide, we will break down exactly what immutable backups are, why they are the gold standard for data protection, and how UK businesses can implement them to satisfy regulatory requirements and survive a cyber-attack.
What Exactly is an Immutable Backup?
At its core, "immutable" simply means "unchangeable." An immutable backup is a copy of your data that is locked in a state that cannot be modified, encrypted, or deleted for a set period of time. Once the data is written to the storage media, it is "set in stone." Even if a cybercriminal gains administrative access to your network, their credentials—or even your own credentials—cannot alter or erase that backup until the retention period expires.
The Problem with Traditional Backups
Traditional backups are often "mutable," meaning they can be overwritten or deleted. If a ransomware actor gains access to your environment, their first move is often to find your backup software or storage repository and wipe it clean. This ensures that you have no choice but to pay the ransom to recover your files. By using immutable storage, you remove this leverage entirely. The data remains safe, untouched, and ready for restoration, effectively neutralizing the attacker’s most potent weapon.
How Immutability Works: The Technical Foundation
Immutability is typically achieved through one of two methods: WORM (Write Once, Read Many) technology or Object Lock policies.
WORM Storage
Historically, WORM was achieved through physical media like CDs or tapes that could literally only be written to once. Today, we use "logical" WORM, which is enforced by the storage system’s software. When your backup software sends data to the storage device, the device applies a "lock" that prevents any delete or modify commands from being processed.
Object Lock Policies
In the cloud, immutability is managed via "Object Lock" policies. When you store data in an S3-compatible cloud bucket, you can set a retention policy (e.g., 30, 60, or 90 days). During this window, the cloud provider’s API will reject any attempt to delete that data, even if the person making the request has root-level access to the account. This creates a "hardened" perimeter around your data that is physically separated from your production environment.
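The retention behaviour just described, as a small constructed model (added example, not code from the original article, and not the AWS SDK): the store applies a default lock to every version it receives, refuses deletes of a locked version no matter who asks, lets writes land only as new versions, and purges versions once their lock lapses. It also distinguishes the two modes the S3 Object Lock API offers, COMPLIANCE and GOVERNANCE: only COMPLIANCE gives the root-proof guarantee the paragraph describes, because GOVERNANCE can be bypassed by a principal granted the bypass permission. The day numbers, bucket key and payloads are invented for the scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class LockedVersion:
    version: int
    data: bytes
    mode: str               # "COMPLIANCE" or "GOVERNANCE"
    retain_until: datetime  # no delete of this version before this instant

class ObjectLockBucket:
    """Constructed model of an S3-style bucket with a default retention rule."""
    def __init__(self, mode: str = "COMPLIANCE", days: int = 30):
        self.mode, self.days, self.seq = mode, days, 0
        self.versions: dict = {}   # key -> list of LockedVersion

    def put(self, key: str, data: bytes, now: datetime) -> int:
        # Writes always succeed, but only as a NEW version; older versions stay locked
        self.seq += 1
        vs = self.versions.setdefault(key, [])
        vs.append(LockedVersion(self.seq, data, self.mode, now + timedelta(days=self.days)))
        return self.seq

    def delete_version(self, key: str, version: int, now: datetime, bypass_governance: bool = False):
        v = next(x for x in self.versions[key] if x.version == version)
        if now < v.retain_until and (v.mode == "COMPLIANCE" or not bypass_governance):
            # Rejected by the storage API itself, whatever the caller's privileges
            raise PermissionError(f"AccessDenied: {key} v{version} locked until {v.retain_until:%Y-%m-%d}")
        self.versions[key].remove(v)

    def purge_expired(self, now: datetime) -> int:
        """Lifecycle housekeeping: drop versions whose lock has lapsed."""
        removed = 0
        for key, vs in self.versions.items():
            keep = [v for v in vs if now < v.retain_until]
            removed += len(vs) - len(keep)
            self.versions[key] = keep
        return removed

def ransomware_scenario(mode: str = "COMPLIANCE") -> dict:
    """Day 0: backup written. Day 10: intruder with admin rights tries to wipe it. Day 31: purge."""
    day0, key = datetime(2024, 1, 1, tzinfo=timezone.utc), "backups/db-full.bak"  # constructed
    b = ObjectLockBucket(mode=mode, days=30)
    b.put(key, b"clean-backup", day0)
    try:
        b.delete_version(key, 1, day0 + timedelta(days=10), bypass_governance=True)
        wipe_blocked = False
    except PermissionError:
        wipe_blocked = True
    b.put(key, b"encrypted-copy", day0 + timedelta(days=10))  # lands as a new version only
    survivors = [v.version for v in b.versions[key]]
    purged = b.purge_expired(day0 + timedelta(days=31))
    return {"wipe_blocked": wipe_blocked, "versions": survivors, "purged_day_31": purged}
```

Running the scenario in COMPLIANCE mode leaves the clean day-0 version restorable until its 30-day lock lapses; in GOVERNANCE mode the same wipe request succeeds for a caller holding the bypass permission, which is the case to check for when reviewing a cloud backup configuration.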
The UK Regulatory Context: GDPR and Resilience
For UK SMEs, data protection isn't just about business continuity; it is a legal requirement. Under the UK GDPR, businesses are mandated to implement "appropriate technical and organisational measures" to ensure the security of personal data.
Meeting ICO Expectations
The Information Commissioner’s Office (ICO) has become increasingly vocal about the importance of "restorability." They do not just look at whether you have a backup; they look at whether that backup is resilient against modern threats. If you suffer a data breach and the ICO finds that your backups were easily deleted by ransomware, you could be deemed to have failed in your duty to protect personal data, leading to severe fines and reputational damage.
Cyber Essentials Compliance
The UK government’s Cyber Essentials scheme focuses on five key controls. While backup is not explicitly one of the five, it falls under the broader requirement of "Secure Configuration" and "Malware Protection." Implementing immutable backups demonstrates a proactive, expert-level approach to cyber security that auditors and cyber insurance providers are increasingly demanding.
Developing an Immutable Backup Strategy
Implementing immutability is not just about buying a new piece of hardware; it is about architectural change. To build a robust strategy, you should follow these practical steps:
- Categorise Your Data: Not all data requires the same level of protection. Identify your "crown jewels"—the data that would cause the business to fail if lost—and prioritise these for immutable storage.
- Define Your Retention Windows: How long do you need to keep data? If you are a regulated business (e.g., in finance or law), you may have statutory retention periods. For general SMEs, a 30-day immutable window is often sufficient to identify and recover from a ransomware event before the infection is "backed up."
- Ensure Air-Gapping: Immutability is most effective when paired with an "air gap"—a physical or logical separation between your production network and your backup repository. This ensures that even if your entire Active Directory is compromised, the backup environment remains invisible to the attacker.
- Test Your Restores: An immutable backup is only useful if it works. Regularly simulate a restore process. If you have a disaster, you need to know exactly how long it will take to get your systems back online.
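To put numbers on the retention-window step above, here is an added check (not from the original article) that a backup administrator can run against a backup catalogue: given the backup dates, the estimated date of compromise from the investigation, the detection date and the lock length, it returns the newest backup that was taken before the compromise and is still under its immutable lock, or None if the window was too short. The daily schedule and the day-20/day-45 dates are constructed for the worked case.

```python
from datetime import date, timedelta

def latest_clean_restore_point(backup_dates, compromise_date, detection_date, lock_days):
    """Newest backup taken before the compromise whose lock still holds at detection time.
    Returns None when every clean copy had already become deletable (window too short)."""
    candidates = [d for d in backup_dates
                  if d < compromise_date and detection_date < d + timedelta(days=lock_days)]
    return max(candidates, default=None)

def minimum_lock_days(dwell_days, backup_interval_days):
    """Smallest lock length that guarantees a clean, still-locked copy exists when an
    intruder sat undetected for dwell_days and backups run every backup_interval_days.
    The worst case is a clean backup taken a full interval before the compromise, so
    its lock must outlast dwell + interval; the +1 makes the inequality strict."""
    return dwell_days + backup_interval_days + 1

def worked_case():
    """Constructed scenario: daily backups, compromise on day 20, detected on day 45."""
    day0 = date(2024, 1, 1)
    backups = [day0 + timedelta(days=i) for i in range(60)]
    compromise, detection = day0 + timedelta(days=20), day0 + timedelta(days=45)
    return {
        "with_30_day_lock": latest_clean_restore_point(backups, compromise, detection, 30),
        "with_20_day_lock": latest_clean_restore_point(backups, compromise, detection, 20),
        "needed_for_25_day_dwell": minimum_lock_days(dwell_days=25, backup_interval_days=1),
    }
```

With a 30-day lock the day-19 backup is still protected at detection; with a 20-day lock every clean copy was already deletable, which is the failure the retention step warns about.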
Overcoming Common Implementation Challenges
Moving to an immutable architecture can feel daunting for an SME, but the transition is manageable with the right partner.
The "Cost vs. Benefit" Balance
Immutable storage can be slightly more expensive than standard storage because it requires specific hardware or cloud features. However, compare this cost to the price of a ransomware demand, the cost of downtime, and the potential loss of client trust. For most UK SMEs, immutable backups are the most cost-effective insurance policy available.
Managing Storage Growth
Because you cannot delete immutable data until the retention period expires, your storage usage will grow. You need a solution that automatically enforces these retention policies so that old backups are purged by the system once the "lock" expires, preventing your storage costs from spiralling out of control.
Key Takeaways
- Immutable means unchangeable: It is the only way to ensure your backups cannot be encrypted or deleted by hackers.
- Ransomware-proof your data: By removing the ability to delete backups, you render the attacker’s primary extortion tactic useless.
- Regulatory peace of mind: Implementing immutability aligns with UK GDPR requirements and helps meet the high standards expected by the ICO.
- Don't go it alone: Configuring immutable storage requires technical precision. Incorrectly set retention policies can lead to storage bloat or, worse, gaps in your protection.
- Test, test, test: Technology is only as good as the process behind it. Regular restoration testing is the final piece of the puzzle.
Cyber security is not a "set and forget" task; it is a constant evolution. As threats become more aggressive, the tools we use to defend our businesses must become more rigid. Immutable backups provide that necessary rigidity, ensuring that while your systems might be vulnerable to an attack, your business’s future remains intact.
To take the next step