+31 (0)43 30 88 400 | office@comex.eu
How to Build a Ransomware-Proof Backup Strategy
In the fight against ransomware, we too often see organizations lulled into a false sense of security by the idea that a standard backup strategy is sufficient. But with the evolution of ransomware – more complex, targeted, and devastating – a backup is only a strategy if it truly holds up under pressure. So the question is not whether you have a backup, but whether you have a recovery plan that can withstand a coordinated attack.
From Backup to Recovery Strategy
In many organizations, backups are primarily a compliance requirement: you have to have them. But too few companies think about the actual resilience of their backup plan. What happens if the attack goes so deep that the backup server itself is hit? If snapshots are erased? If encryption has been lurking unnoticed in the system for weeks?
A working backup is only one component. A recovery plan that is fast, reliable, and immune to manipulation makes the difference between days of downtime and being operational again within an hour.
Air Gapping and Immutability as a Foundation
Two concepts invariably return in every ransomware-proof architecture: air gapping and immutability.
Air gapping means keeping a physical or logically separated copy of your data, out of reach of networks and attackers. This can be done with removable media such as traditional tapes, or innovative Silent Bricks. No network connection means no active infection.
Immutability goes a step further. Here, data is “frozen” after storage: it cannot be overwritten or deleted, not even by an administrator. That sounds drastic, but it offers unprecedented security. Ransomware simply cannot spread further to these datasets.
Immutability comes in various forms, from software-based to hardware-based. The latter is the most reliable form. Take hardware WORM as an example; impossible for hackers to bypass. Data stored on a hardware WORM system such as the Silent Cubes, is safe and therefore does not need to be recovered in the event of ransomware.
The Role of Solutions like Silent Bricks and Veeam
Technology is crucial in this regard, but it must work together logically. Backup software such as Veeam makes it possible to set up automated workflows in which backups are written directly to immutable storage. Couple this with a system like Silent Brick, and you create a situation in which your backup is always separate and protected, physically and logically.
A typical scenario: a daily backup is written to a Silent Brick that is automatically ejected after completion. The next day, a new Brick is placed. This creates an air-gapped, immutable cycle that survives even advanced attacks.
Note: Silent Bricks are software independent and work with virtually all backup software from Commvault and Veeam to Rubrik.
Compliance is not an Afterthought
In addition to technical security, compliance also plays a major role. Consider regulations such as NIS2 and GDPR. These oblige organizations to demonstrably protect sensitive data. A backup strategy based on immutability and air gapping not only provides a technical advantage, but also makes you audit-proof. For example, the Silent Cube system from FAST LTA is certified by KPMG for audit-proof archiving.
What (Semi-)Public Organizations Can Learn
In the (semi-)public sector, where data is often extremely sensitive and must be retained for a long time, there is no room for half measures. Yet traditional tapes or fully cloud-based solutions are still often relied upon. The risk: slow recovery procedures, dependence on external providers, and lack of control.
A hybrid model, in which local, immutable backups are combined with the cloud for less critical workloads, offers the best of both worlds. You retain control over your critical data and at the same time meet modern security standards.
It Starts with a Different Premise
Zero Loss is the premise that drives this entire strategy. Accepting no data loss, allowing no weeks of downtime. It requires a different perspective, where you don’t think in terms of “do I have a backup”, but in terms of “can I recover, no matter what happens?”
Anyone who thinks from that point of view automatically arrives at a strategy that goes beyond just technology. It requires vision, processes, and collaboration between IT and security. But the result is worth it: real resilience. Or rather: being ransomware-proof.
