There is a brutal lesson that too many UK businesses have learned the hard way: having backups is not the same as being able to recover. Ransomware gangs worked out years ago that the backup is the thing standing between them and a paid ransom, so before they encrypt your live data they hunt down and destroy your backups first. An immutable backup is the direct answer to that move. This is the plain-English explanation of what it is and why it stopped being optional.
Start with the word: immutable
Immutable simply means "cannot be changed". An immutable backup is a copy of your data that, once written, cannot be altered or deleted by anyone, not by a user, not by an administrator, and crucially not by an attacker, for a period of time you set in advance. You can read it and you can restore from it, but until its retention clock runs out, nothing can touch it. It is locked, by design, against modification of any kind.
That single property changes the game. A normal backup can be encrypted or deleted by whoever, or whatever, has enough access to the system holding it. An immutable backup removes that possibility entirely for its locked window. Even an attacker who has stolen your highest-level admin credentials cannot delete it, because the storage itself refuses the instruction.
Why ransomware made it essential
To understand why this matters so much, you have to understand how modern ransomware operates. Attackers no longer just encrypt a few PCs and hope. They get into the network quietly, often weeks before they strike, and they spend that time finding and neutralising your defences, with your backups at the very top of the list. They know that if your backups survive, you simply restore and refuse to pay, so they delete or encrypt them first and only then trigger the attack on your live systems.
This is why so many organisations with a perfectly reasonable backup routine still ended up paying a ransom or losing data: the backups were online, reachable and deletable, so the attacker erased them along with everything else. Immutability breaks that chain. If the most recent backups cannot be deleted, the attacker's leverage collapses, because you can recover regardless of what they did to your live environment. That is the whole point, and it is why insurers and frameworks now effectively expect it.
- Modern ransomware deliberately seeks out and destroys backups before encrypting live data
- Online, deletable backups offer no protection once an attacker has admin access
- Immutability means the most recent backups survive the attack no matter what
- If your backups survive, the ransom loses its leverage
How a backup is made immutable
There are a few mechanisms, and you do not need to master them, just to recognise them. The most common in the cloud is object-lock, where backup data is stored as objects that the storage system itself refuses to modify or delete until their retention period expires. On-premises, the same idea is delivered through hardened, purpose-built backup appliances and storage that enforce a retention lock the operating system cannot override. Older approaches used genuinely offline media, classically tape taken out of the drive, which is unbeatably immutable precisely because nothing is connected to it.
The common thread is that the lock is enforced by the storage layer, not by software that an attacker could disable. That distinction is everything. A 'read-only' setting that an administrator can switch off is not immutability; true immutability is enforced below the level any compromised account can reach. We cover the engineering choices in real depth in immutable backup architectures, which is the technical companion to this explainer.
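To make the storage-layer lock concrete, here is an added illustration (not code from this page or from any vendor's product) that models the retention semantics of cloud object lock in a few dozen lines: an object written with a retain-until time cannot be overwritten or deleted before that time, the retention can be lengthened but never shortened, and the caller's privilege level makes no difference. The two mode names, "compliance" and "governance", are borrowed from AWS S3 Object Lock, where governance-mode locks can be bypassed by an identity holding a specific bypass permission while compliance-mode locks cannot; the scenario, keys, timestamps and backup bytes are all constructed for the example.

```python
"""Toy model of storage-enforced immutability (object lock / WORM semantics).

Added illustration only. It does not talk to any real storage service; it
shows the rules a real object lock enforces below the account layer.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib


class ImmutabilityError(PermissionError):
    """Raised when the storage layer refuses a mutation."""


@dataclass
class LockedObject:
    data: bytes
    sha256: str
    retain_until: datetime
    mode: str  # "compliance" (no bypass possible) or "governance" (bypassable)


@dataclass
class ImmutableStore:
    """Write-once object store whose retention clock lives in the store itself."""
    clock: datetime  # simulated current time, advanced by the scenario
    objects: dict = field(default_factory=dict)

    def put(self, key: str, data: bytes, retention: timedelta,
            mode: str = "compliance") -> str:
        if mode not in ("compliance", "governance"):
            raise ValueError("mode must be 'compliance' or 'governance'")
        existing = self.objects.get(key)
        if existing is not None and self.clock < existing.retain_until:
            # An overwrite is a delete plus a write, so it is refused while locked.
            raise ImmutabilityError(f"{key} is locked until {existing.retain_until.isoformat()}")
        digest = hashlib.sha256(data).hexdigest()
        self.objects[key] = LockedObject(data, digest, self.clock + retention, mode)
        return digest

    def delete(self, key: str, caller: str = "user", bypass_governance: bool = False) -> None:
        obj = self.objects[key]
        if self.clock < obj.retain_until:
            if obj.mode == "compliance":
                # Who the caller is does not matter: the lock sits below any account.
                raise ImmutabilityError(f"{caller} cannot delete {key}: compliance lock active")
            if not bypass_governance:
                raise ImmutabilityError(f"{caller} cannot delete {key}: governance lock active")
        del self.objects[key]

    def extend_retention(self, key: str, new_until: datetime) -> None:
        obj = self.objects[key]
        if new_until < obj.retain_until:
            raise ImmutabilityError("retention can be extended, never shortened")
        obj.retain_until = new_until

    def restore(self, key: str) -> bytes:
        obj = self.objects[key]
        if hashlib.sha256(obj.data).hexdigest() != obj.sha256:
            raise ValueError(f"stored copy of {key} does not match its recorded digest")
        return obj.data


def simulate_attack() -> dict:
    """Constructed scenario: backup written, then an intruder holding admin
    credentials tries to delete it two weeks into a 30-day retention window."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = ImmutableStore(clock=t0)
    payload = b"constructed backup bytes"
    store.put("backup/2024-01-01.tar", payload, timedelta(days=30))
    store.put("backup/2024-01-01-gov.tar", b"governance copy", timedelta(days=30), mode="governance")
    result = {}

    store.clock = t0 + timedelta(days=14)  # attacker acts mid-retention
    try:
        store.delete("backup/2024-01-01.tar", caller="stolen-admin", bypass_governance=True)
        result["compliance_deleted"] = True
    except ImmutabilityError:
        result["compliance_deleted"] = False
    try:
        store.delete("backup/2024-01-01-gov.tar", caller="stolen-admin", bypass_governance=True)
        result["governance_deleted"] = True
    except ImmutabilityError:
        result["governance_deleted"] = False
    try:
        store.extend_retention("backup/2024-01-01.tar", t0 + timedelta(days=1))
        result["shortened"] = True
    except ImmutabilityError:
        result["shortened"] = False

    # The locked copy is still readable and restorable throughout.
    result["restored_ok"] = store.restore("backup/2024-01-01.tar") == payload

    store.clock = t0 + timedelta(days=31)  # retention has expired: lifecycle cleanup works
    store.delete("backup/2024-01-01.tar")
    result["deleted_after_expiry"] = "backup/2024-01-01.tar" not in store.objects
    return result


if __name__ == "__main__":
    print(simulate_attack())
```

The design point is the one the paragraph above makes: `delete` consults the store's own clock and lock mode, not the caller's role, so an "admin" flag or a stolen credential changes nothing in compliance mode. The governance copy is deleted in the same scenario, which is why a bypassable mode is not the one to rely on as a ransomware defence.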
Immutability is necessary, not sufficient
An important caveat keeps businesses honest: an immutable backup you have never tested restoring from is still a gamble. Immutability guarantees the copy survives; it does not guarantee the copy is complete, correct, or quick to restore at the scale you need under pressure. Plenty of organisations discovered during a real incident that their untouched backups were missing a critical system or would take a fortnight to restore in full.
So immutability is one essential pillar, sitting alongside two others: keeping more than one copy in more than one place, which is the 3-2-1 backup rule, and actually rehearsing recovery so you know it works and how long it takes. Immutability stops the backup being destroyed; testing proves it can save you. You need both.
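The "testing proves it can save you" point is easy to turn into a repeatable check. The following is an added illustration, not code from this page or from any backup product: it assumes a manifest recorded at backup time listing every system image that must be present and the SHA-256 of each, then scores a restore by completeness, integrity and elapsed time against an assumed recovery-time target. The drill scenario, file names and contents are constructed; one image is deliberately left out of the restore and another is restored corrupted, so the check has something to find.

```python
"""Restore-drill scorecard: is the restored set complete, intact and in time?

Added illustration only. The manifest format (a dict of name -> sha256) and
the RTO figure are assumptions for the example.
"""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_restore(restored_dir: Path, manifest: dict, elapsed_seconds: float,
                  rto_seconds: float) -> dict:
    """Compare a restored directory with the manifest taken at backup time."""
    missing, corrupt = [], []
    for name, expected_digest in manifest["files"].items():
        target = restored_dir / name
        if not target.exists():
            missing.append(name)           # system never made it into the restore
        elif sha256_file(target) != expected_digest:
            corrupt.append(name)           # present but does not match what was backed up
    within_rto = elapsed_seconds <= rto_seconds
    return {
        "missing": missing,
        "corrupt": corrupt,
        "elapsed_seconds": elapsed_seconds,
        "within_rto": within_rto,
        "passed": not missing and not corrupt and within_rto,
    }


def run_drill(rto_seconds: float = 4 * 3600) -> dict:
    """Constructed drill: three systems were backed up; the restore silently
    omits the domain controller image and corrupts the file-server archive."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "backup_set"
        restored = Path(tmp) / "restored"
        source.mkdir()
        restored.mkdir()

        # Constructed backup contents and the manifest recorded alongside them.
        backed_up = {
            "erp.db": b"constructed ERP database image",
            "fileserver.tar": b"constructed file server archive",
            "ad-dc.vhdx": b"constructed domain controller disk image",
        }
        manifest = {"files": {}}
        for name, content in backed_up.items():
            (source / name).write_bytes(content)
            manifest["files"][name] = hashlib.sha256(content).hexdigest()

        # Simulated restore with two realistic defects.
        start = time.monotonic()
        (restored / "erp.db").write_bytes((source / "erp.db").read_bytes())
        (restored / "fileserver.tar").write_bytes(b"truncated or tampered archive")
        # ad-dc.vhdx is never restored at all.
        elapsed = time.monotonic() - start

        return check_restore(restored, manifest, elapsed, rto_seconds)


if __name__ == "__main__":
    report = run_drill()
    print("PASSED" if report["passed"] else "FAILED", report)
```

In a real drill the elapsed time is the wall-clock duration of the full restore, and the manifest is written by the backup job at the moment the copy is taken, so the immutable copy carries its own answer key. A drill that reports `missing` or `corrupt` entries, or that blows past the RTO, is exactly the discovery the paragraph above describes, made before an incident rather than during one.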
What this means for your business
If you take one thing away, make it this question to ask whoever runs your backups: "if an attacker gained full admin access tonight, could they delete our backups?" If the answer is yes, or "probably", you have ordinary backups, not protection against ransomware, and that gap is now the single most common reason UK businesses pay ransoms.
Closing it is usually straightforward and not especially expensive: immutable cloud object storage, a hardened backup appliance, or an offline copy, sized to how much recent data you cannot afford to lose. We design and operate ransomware-resilient backup with immutability built in through our backup and disaster recovery service, and it sits at the heart of ransomware protection more broadly.