DEV Community

RoboZilla

How Do I Build a Data Backup Strategy That Survives Ransomware?

Build backups that ransomware cannot reach. Follow the 3-2-1-1-0 rule: keep three copies of your data on two media types, with one offsite and one immutable or air-gapped, verified with zero errors. Then test restores regularly so recovery is proven, not assumed, before disaster strikes.

Why do ransomware attacks go after my backups first?

Because your backups are the one thing that lets you say "no" to a ransom demand — and attackers know it. According to Sophos's State of Ransomware 2024 report, criminals attempted to compromise backups in 94% of ransomware attacks, and organizations whose backups were successfully hit faced recovery costs roughly eight times higher than those whose backups survived.

Modern ransomware doesn't just encrypt production data. It hunts for backup servers, cloud snapshots, and any connected storage first. If your only backup lives on a NAS that's always online and reachable with the same credentials as your network, it isn't a safety net — it's just another target.

Takeaway: An always-on, unprotected backup gets encrypted alongside everything else. Isolation is the entire point.

What is the 3-2-1-1-0 backup rule?

The 3-2-1 rule, recommended by CISA, is the baseline. Veeam's widely adopted update adds two digits built for the ransomware era:

  • 3 copies of your data (production plus two backups)
  • 2 different storage media (for example, disk and cloud)
  • 1 copy offsite, geographically separate
  • 1 copy offline, air-gapped, or immutable
  • 0 errors, confirmed by automated backup verification

The final 1 and the 0 are what actually defeat ransomware. An immutable or offline copy can't be altered even if an attacker holds full domain-admin rights, and "zero errors" means every backup is tested for recoverability rather than assumed good.
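As an added example (not code from the original post or from RoboZilla), the checker below scores a backup inventory against each digit of 3-2-1-1-0. The inventory records, the "weak" inventory (an always-on NAS on the same credentials) and the "hardened" one are constructed; the separate-credentials flag is an assumption taken from the next section's advice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical inventory record for one copy of the data (constructed for this example).
@dataclass
class Copy:
    name: str
    medium: str                           # "disk", "object-storage", "tape", ...
    is_production: bool = False
    offsite: bool = False
    immutable_or_offline: bool = False    # object lock / WORM, or physically disconnected
    separate_credentials: bool = False    # not reachable with the everyday domain-admin login
    last_verified: Optional[datetime] = None  # last automated restore verification
    verify_errors: int = 0

def check_3_2_1_1_0(copies, now, max_verify_age=timedelta(days=1)):
    """Evaluate an inventory against each digit of 3-2-1-1-0; True means the digit is met."""
    backups = [c for c in copies if not c.is_production]
    recently_verified = [
        c for c in backups
        if c.last_verified is not None
        and now - c.last_verified <= max_verify_age
        and c.verify_errors == 0
    ]
    return {
        "3 copies": len(copies) >= 3,
        "2 media": len({c.medium for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in backups),
        # a copy that a stolen password can still delete does not count as the protected copy
        "1 immutable/offline": any(c.immutable_or_offline and c.separate_credentials for c in backups),
        # every backup copy must have a recent verification run with zero errors
        "0 errors": bool(backups) and len(recently_verified) == len(backups),
    }

def failing_digits(copies, now):
    return [digit for digit, ok in check_3_2_1_1_0(copies, now).items() if not ok]

NOW = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)
YESTERDAY = NOW - timedelta(hours=20)

# Constructed "before": production plus an always-on NAS that shares the domain credentials.
WEAK = [
    Copy("file-server", "disk", is_production=True),
    Copy("nas-nightly", "disk", last_verified=YESTERDAY),
]
# Constructed "after": a second medium, offsite, object-locked, separately authenticated copy.
HARDENED = WEAK + [
    Copy("cloud-objectlock", "object-storage", offsite=True, immutable_or_offline=True,
         separate_credentials=True, last_verified=YESTERDAY),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "fails:", failing_digits(inventory, NOW) or "none")
```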

"Most businesses we assess already have backups — what they don't have is a backup an attacker can't delete," says the RedCore team at RoboZilla. "Immutability is the difference between a bad week and a closed business."

How do I make my backups immutable and air-gapped?

You need at least one copy that no compromised account can modify or erase. Practical options:

  • Immutable cloud storage using object lock / WORM (write-once-read-many) so files can't be changed for a set retention window.
  • Air-gapped offline copies — rotated external drives or tape that are physically disconnected when not actively backing up.
  • Separate credentials and MFA for the backup system, never your everyday Active Directory domain-admin login.
  • Immutable on-prem appliances that enforce retention at the hardware level.

Takeaway: If a single stolen password can reach and delete a backup, that backup will not survive a real attack.

How often should I back up, and how do I know recovery will work?

Two numbers drive this decision:

  • RPO (Recovery Point Objective): how much data can you afford to lose — an hour, a day? This sets your backup frequency.
  • RTO (Recovery Time Objective): how long can you be down before the business suffers real harm? This sets how fast your restore process must be.

Most small and mid-sized businesses land on hourly or daily backups for critical systems. But frequency means nothing without testing. The "0" in 3-2-1-1-0 exists because a backup you've never restored is a guess, not a plan. Schedule quarterly restore drills and confirm the data actually opens.
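An added example, not part of the original post: a restore-drill check that verifies restored files against checksums recorded at backup time and then scores the drill against an RPO and an RTO. The file contents, timestamps and objectives are constructed values, and keeping a checksum manifest next to the backup is an assumption of the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=24)         # daily backups: at most one day of data loss accepted
HOURLY_RPO = timedelta(hours=1)   # stricter target, used for comparison
RTO = timedelta(hours=4)          # the business tolerates four hours of downtime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files):
    """Checksums recorded at backup time and kept with the backup (assumption of this example)."""
    return {path: sha256_hex(data) for path, data in files.items()}

def verify_restore(manifest, restored):
    """Compare restored files with the manifest; an empty list is the '0' in 3-2-1-1-0."""
    errors = []
    for path, expected in manifest.items():
        if path not in restored:
            errors.append(f"missing: {path}")
        elif sha256_hex(restored[path]) != expected:
            errors.append(f"corrupt: {path}")
    return errors

def drill_report(manifest, restored, backup_time, incident_time, restore_end, rpo, rto):
    """Integrity plus the two objectives: data lost since the restore point, downtime until restored."""
    errors = verify_restore(manifest, restored)
    data_loss = incident_time - backup_time
    downtime = restore_end - incident_time
    return {"errors": errors, "data_loss": data_loss, "downtime": downtime,
            "rpo_met": data_loss <= rpo, "rto_met": downtime <= rto,
            "pass": not errors and data_loss <= rpo and downtime <= rto}

# Constructed sample data: what was backed up, and two possible restore outcomes.
SOURCE = {"ledger.csv": b"id,amount\n1,250.00\n2,99.50\n", "config.ini": b"[app]\nmode=prod\n"}
MANIFEST = build_manifest(SOURCE)
RESTORED_GOOD = dict(SOURCE)
RESTORED_BAD = {"ledger.csv": b"id,amount\n1,250.00\n"}   # truncated file, config missing

T = datetime(2024, 6, 1, tzinfo=timezone.utc)
BACKUP_TIME = T + timedelta(hours=2)                 # nightly backup finished at 02:00
INCIDENT_TIME = T + timedelta(hours=9, minutes=30)   # ransomware detected at 09:30
RESTORE_END = T + timedelta(hours=13)                # systems back at 13:00

def run_drill(restored, rpo=RPO, rto=RTO):
    return drill_report(MANIFEST, restored, BACKUP_TIME, INCIDENT_TIME, RESTORE_END, rpo, rto)

if __name__ == "__main__":
    for label, restored in (("good", RESTORED_GOOD), ("bad", RESTORED_BAD)):
        print(label, run_drill(restored))
```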

The stakes are concrete: IBM's Cost of a Data Breach Report 2024 put the global average breach at $4.88 million, and Sophos found 59% of organizations were hit by ransomware in the prior year. A proven restore is the cheapest insurance you can buy against those numbers.

What standards should my backup strategy follow?

Don't reinvent this — anchor your plan to established frameworks:

  • NIST Cybersecurity Framework — the "Recover" function defines backup and restoration expectations.
  • NIST SP 800-34 — contingency planning for information systems.
  • NIST SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events — a practical guide written for exactly this scenario.
  • CISA's #StopRansomware Guide — backup, segmentation, and response checklists.

How do I turn backups into an actual recovery plan?

Backups are a tool; recovery is the outcome. Bridge the gap:

  • Write a recovery runbook documenting restore order, dependencies, and step-by-step actions.
  • Store the plan and credentials offline, so you can reach them when the network is down.
  • Assign roles — who declares an incident, who restores, who communicates.
  • Run tabletop exercises at least annually to find gaps before attackers do.
  • Monitor backup health continuously and alert on failures.
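An added example (not from the post or from RoboZilla) for the runbook's restore order: it derives a dependency-respecting order from the documented dependencies, flags circular or undocumented dependencies, and checks the critical path against the RTO. The system names, dependencies and restore durations are assumptions.

```python
from collections import deque

# Constructed runbook inventory: system -> (systems it depends on, estimated restore minutes).
# Names and timings are assumptions for this example, not a real environment.
RUNBOOK = {
    "identity":    ([],                        60),
    "dns":         ([],                        15),
    "database":    (["identity"],              90),
    "file-server": (["identity", "dns"],       45),
    "erp-app":     (["database", "identity"],  30),
    "web-portal":  (["erp-app", "dns"],        20),
}

def restore_order(runbook):
    """Kahn's algorithm: dependencies first, alphabetical among ties; a cycle raises ValueError."""
    indegree = {name: len(deps) for name, (deps, _) in runbook.items()}
    dependents = {name: [] for name in runbook}
    for name, (deps, _) in runbook.items():
        for dep in deps:
            if dep not in runbook:
                raise ValueError(f"{name} depends on undocumented system {dep}")
            dependents[dep].append(name)
    ready = deque(sorted(n for n, k in indegree.items() if k == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
        ready = deque(sorted(ready))
    if len(order) != len(runbook):
        raise ValueError("circular dependency in runbook")
    return order

def earliest_finish(runbook):
    """Minutes until each system is back when independent restores run in parallel (critical path)."""
    finish = {}
    for name in restore_order(runbook):
        deps, minutes = runbook[name]
        finish[name] = max((finish[d] for d in deps), default=0) + minutes
    return finish

def rto_assessment(runbook, rto_minutes):
    finish = earliest_finish(runbook)
    parallel = max(finish.values())
    sequential = sum(minutes for _, minutes in runbook.values())  # one team, one system at a time
    return {"order": restore_order(runbook), "parallel_minutes": parallel,
            "sequential_minutes": sequential, "meets_rto_parallel": parallel <= rto_minutes,
            "meets_rto_sequential": sequential <= rto_minutes}

if __name__ == "__main__":
    print(rto_assessment(RUNBOOK, rto_minutes=240))
```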

"Recovery is a business decision long before it's a technical one," says RoboZilla's RedCore team. "The companies that bounce back fastest decided how they'd recover before anything broke."

FAQ

Will cloud sync services like OneDrive or Google Drive protect me from ransomware?
Not reliably. Sync tools propagate encrypted files to the cloud automatically and aren't true backups. Use dedicated backup with versioning and immutability.

How long should I keep backups?
Keep multiple restore points — daily for weeks, plus monthly archives for several months. Ransomware can sit dormant, so a single recent copy may already be compromised.

What's the single most important backup upgrade I can make today?
Add one immutable or air-gapped copy with separate credentials. That one change removes attackers' ability to destroy your recovery option.

Do I really need to test restores if backups are running?
Yes. A backup that completes but won't restore is the most common and most expensive surprise during an attack. Test quarterly.

About RoboZilla — RoboZilla delivers cybersecurity (RedCore), business automation, and AI lead generation for small and mid-sized businesses, including ransomware-resilient backup and recovery design. Talk to our team: visit https://robozilla.ai or call (877) 692-8992.

