Is Your Backup Really Safe From Ransomware?

TL;DR: Cyber insurance forms now ask if your backups are immutable, which means locked so no one can change or delete them, even with stolen admin passwords. A lot of common backup setups do not qualify, even when owners assume they do. This post explains what immutable backup means, which setups fail the test, the questions to ask your IT provider, and what to do if your honest answer is no.

Cyber insurance applications now include a question that catches a lot of Louisville business owners off guard: do you keep immutable, air-gapped, or offline backups of your critical business data? Immutable backup sounds like a technical detail, but the reason it sits on the form is simple to understand.

Carriers added the question because ransomware crews figured out the fastest way to force a payment. They wipe your backups first, then encrypt everything else. Once your recovery copies are gone, paying the ransom is the only way left to get your data back. The FBI, CISA, and the Internet Crime Complaint Center have all flagged this as one of the most common moves in ransomware attacks today.

Here is the part that surprises people. If your backups can be deleted with the same admin login an attacker just stole, they do not protect you when it counts. That is exactly what the form is trying to find out. Below is what the question really means, and how to answer it honestly.

What does immutable backup mean?

An immutable backup is a copy of your data that no one can change or delete for a set period of time. That includes you, your IT provider, and anyone using stolen admin credentials. The backup platform locks the copy at the storage level, so no password can override it during the lock window.

That last point is the whole reason carriers care. Most backup systems can be erased by anyone with admin access. Immutability removes that risk by enforcing the lock in the storage itself. Some vendors call this object lock, WORM storage, or write-once-read-many. The name changes from product to product, but the control is the same. Once the data is written, it stays put until the clock runs out.

Why insurers started asking about your backups

Backups used to be a quiet line item. Now they sit near the top of the cyber insurance application, and the reason traces straight back to how ransomware has changed.

Attackers no longer just lock your files. They hunt for your backups first, because a business with clean recovery copies can restore its systems and walk away without paying. Wiping those copies takes that option off the table. The FBI’s guidance on ransomware points to tested, protected backups as one of the core defenses a business should have in place.

Insurers watched the claims pile up and adjusted. When a policy pays out a large ransomware claim, the carrier loses money. So they started screening for the controls that keep a business from needing to pay at all. Immutable backups are near the top of that list, right alongside multi-factor login and endpoint protection. Strong data backup and recovery is no longer a nice extra. On the insurance form, it is a requirement.

Which backup setups do not count as immutable?

Three common setups fail the immutability test, even though owners often think they pass. A network drive in your office, Microsoft 365 retention used as a backup, and a cloud backup with the immutability setting switched off all fall short, because each one can still be wiped by a stolen admin account.

Here is why each one comes up short.

A NAS or external drive in your office. A network-attached storage box in your server room is reachable from your network by design. If ransomware spreads across your systems, it can reach that box too. An attacker with domain admin access can wipe it clean. An external drive that stays plugged in has the same weakness. These devices have a place in a bigger backup plan, but on their own they do not answer the form’s question.

Microsoft 365 retention treated as a backup. Microsoft 365 includes retention features, and some businesses lean on them as their only safety net. They are not a backup in the way the form means. A global admin, or anyone who steals that login, can delete data and clear the retention holds. Under Microsoft’s shared responsibility model, protecting your own data is your job, not Microsoft’s. If native retention is your only defense, the honest answer to the question of immutability is no. We wrote more on why your cloud data is not as safe as you think if you want the fuller picture.

A cloud backup with immutability switched off. This is the most common gap of all. Many solid backup platforms include immutability as a feature, but the setting is not always on by default. Someone has to turn it on. You may be paying for a backup that looks strong on paper while the immutability toggle sits in the off position. You cannot tell from the outside without checking.

Three questions to send your IT provider before you sign

You do not need to become a backup expert to answer the form honestly. You need three clear answers from whoever manages your technology. Copy these into an email and send them before you check the box.

Question one: Are our backups immutable, and how long is the immutability window? Carrier guidance has tightened over the past two years. Most insurers now want a window of at least 14 days, and 30 days is increasingly the preferred floor. Attackers often sit inside a network for weeks before they trigger the attack, so a backup from yesterday may already be tainted. The window has to reach back far enough to give you a clean restore point from before the attacker arrived.

Question two: If our domain admin or Microsoft 365 global admin login were stolen tomorrow, could that account delete our backups? The right answer is no. If the answer is yes, or if your provider is not sure, your backups are not immutable in the way the form means.

Question three: Can you send a screenshot or vendor documentation showing immutability is turned on for our account? A provider who can hand you something concrete has done the work. If you get a verbal “yes, you’re covered” and nothing to back it up, treat that as a no until they can show you otherwise. A dependable IT partner will not flinch at these questions. They will welcome them.

What does a qualifying backup setup look like?

A backup that honestly satisfies the form has four things true at once: immutability turned on, backup credentials kept separate from your everyday admin accounts, a retention window long enough to outlast a slow attack, and a restore that has actually been tested in the past year. Miss any one of those, and the answer is still no.

Here is how each piece plays out in practice.

The platform needs immutability turned on, not just available. Vendors like Veeam, Datto, Rubrik, and Acronis all offer it, as do most cloud storage services that support object lock. A vendor name on the invoice does not answer the question by itself. The setting has to be on, scoped correctly, and tied to the right accounts.

The backup login needs to sit outside your regular admin accounts. If the same login that runs your Microsoft 365 also controls your backups, one stolen password reaches both. Keeping backup credentials separate breaks that chain.

The retention window needs real length. A backup that overwrites itself every 24 hours does nothing if an attacker has been in your systems for a week. CISA’s #StopRansomware Guide lists immutable, tested backups as a baseline control, and most insurers now line up with that position.

Restores have to be tested. A backup nobody has tried to recover in the past year is a guess, not a safety net. Many carriers now ask for the date of your last successful restore test, so it pays to have that answer ready. This is the kind of ongoing discipline that comes with real managed IT services, not a one-time setup.

What if your honest answer is no?

Put down what you actually have on the form, and use the renewal as the push to fix the gap. Start by asking your IT provider whether immutability can be turned on with your current platform. In many cases the feature is already there, and switching it on is a settings change, not a new purchase. That conversation can often be wrapped up in a few days.

If your provider cannot give a clear answer to the three questions above, that response tells you something important on its own. This area needs attention before your next renewal, even if the rest of your setup runs smoothly. Strong cybersecurity protection depends on the details, and backups are one of the biggest.

One thing to avoid at all costs: do not check “yes” just to dodge a higher premium. Cyber insurance applications work as warranty documents. If a forensic review after a claim finds your backups did not match what you declared, the carrier can rescind the policy. Coverage is then treated as if it never existed, and any earlier payouts can be clawed back. Checking “no” may cost you something at renewal, but that cost is known and manageable. A denied claim after a real attack is neither.

Answer the form honestly, then close the gap

The immutability question is not there to trip you up. It is there because backups an attacker can delete are the backups attackers go after first. Answer it based on what you truly have, not what you hope is running in the background.

If you are not sure where your backups stand, that is worth sorting out before your renewal date, not after a claim. A good provider can walk you through the configuration and give you a straight answer to all three questions. Want a clear read on whether your backups would pass the test? Reach out to our team and we will help you check.

Not sure your backups would survive an attack?

Most business owners find out their backups fall short at the worst possible moment, right when they need to restore. You do not have to wait for that. Z-JAK Technologies can review your current setup, confirm whether immutability is on, and give you an honest answer before your next insurance renewal. Schedule a quick call with us and get peace of mind about your recovery plan.

Frequently Asked Questions

What does immutable backup mean in plain English?

It is a backup that no one can change or delete for a set period, even with administrator access. The storage platform enforces the lock at the system level, so user permissions cannot override it. That protection is what keeps stolen admin credentials from wiping your recovery copies.

Is Microsoft 365 retention a real backup?

No. Native Microsoft 365 retention can be bypassed by a global admin, or by anyone who steals that login. Microsoft’s shared responsibility model places backup of your own data on you, the customer, separate from the retention it provides. If retention is your only protection, you are not covered the way the form expects.

How long should the immutability window be?

Most insurers and security frameworks point to a minimum of 14 days, and 30 days is increasingly the preferred floor. Some carriers want longer. A longer window matters because attackers often lurk inside a network for weeks, so you need a clean restore point from before they arrived.

Can my IT provider just turn immutability on?

Often, yes. If your backup platform already supports the feature and nobody has enabled it, this is a settings change rather than a new purchase. Ask for written confirmation once it is done, so you have proof for your insurance form and your own records.

What happens if I check “yes” on the form when I should not?

The carrier can rescind your policy after a claim, which voids your coverage as if it never existed. Any earlier payouts under the same policy term can also be clawed back. Misrepresentation is one of the most common reasons cyber insurance claims get denied, so honesty on the form protects you.