Immutable Backup: What It Is and Why UK MSPs Need It

21 April 2026 BOBcloud

Ransomware has changed the backup conversation for MSPs. It used to be enough to run nightly backups and test restores occasionally. Now, one of the first things sophisticated ransomware does is find and delete or encrypt backup data — specifically to prevent recovery and maximise the pressure to pay.

Immutable backup is the technical response to that problem. This article explains what immutable backup means, how it works in practice, and why it's becoming a standard requirement in MSP backup offerings — including for Cyber Essentials certification.

What Does Immutable Mean?

Immutable means unchangeable. An immutable backup is one that, once written, cannot be modified, overwritten, or deleted — by anyone, including an administrator — for a defined retention period.

The practical implication is significant. If ransomware compromises a client's network and gains admin-level access, it cannot delete or encrypt backup data stored in an immutable format. The backups are locked at the storage layer, not just protected by access controls that can be bypassed.

This is different from standard backup protection, which typically relies on:

  • Separate credentials for the backup system
  • Offsite or cloud storage
  • Network segmentation

These measures are all worthwhile, but none of them prevent an attacker who has obtained backup admin credentials from wiping the backup repository. Immutability does.

How Immutable Backup Works

Immutable backup uses a storage technology called WORM — Write Once, Read Many. Data written to WORM storage can be read and restored at any time, but it cannot be overwritten or deleted until the retention period expires.

The retention period is set at the time of writing. A common configuration is 30 days — meaning any backup written today will remain available for recovery for at least 30 days, regardless of what happens to the live environment or the backup management system.

Modern cloud storage platforms implement immutability through an object lock feature. Microsoft Azure and Wasabi both support object lock policies, which enforce immutability at the storage layer. This means the protection operates entirely independently of the backup software — even if the backup server itself is compromised, the data in immutable storage remains intact.
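One way to check that a backup bucket really enforces the lock described above, as an added example (not BOBcloud's or any storage vendor's code). It audits data shaped like the S3 Object Lock API's GetObjectLockConfiguration and GetObjectRetention responses and flags governance-mode locks, which S3 semantics let a privileged identity bypass. The S3-compatible store, the `audit_bucket` function, and the bucket contents are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MIN_RETENTION = timedelta(days=30)  # the 30-day lock used in the article

def audit_bucket(lock_config, objects):
    """Return findings; an empty list means every backup is locked as claimed.
    lock_config: dict shaped like an S3 GetObjectLockConfiguration response.
    objects: dicts with Key, LastModified and Retention, where Retention is
    shaped like the body of a GetObjectRetention response (None if unset).
    """
    findings = []
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("bucket: object lock is not enabled")
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if default is None:
        findings.append("bucket: no default retention, each write must set its own")
    elif default.get("Mode") != "COMPLIANCE":
        # In S3 semantics, governance mode can be lifted by an identity holding
        # the bypass permission, so it does not stop a compromised backup admin.
        findings.append("bucket: default mode is not COMPLIANCE")
    for obj in objects:
        key, ret = obj["Key"], obj.get("Retention")
        if not ret:
            findings.append(f"{key}: no retention set")
        elif ret["Mode"] != "COMPLIANCE":
            findings.append(f"{key}: {ret['Mode']} lock can be bypassed")
        elif ret["RetainUntilDate"] - obj["LastModified"] < MIN_RETENTION:
            findings.append(f"{key}: locked for less than 30 days")
    return findings

def _day(d):  # helper for the constructed sample data below
    return datetime(2026, 4, d, tzinfo=timezone.utc)

# Constructed sample input (not real bucket data).
SAMPLE_CONFIG = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
SAMPLE_OBJECTS = [
    {"Key": "client-a/0420.bak", "LastModified": _day(20),
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": _day(20) + MIN_RETENTION}},
    {"Key": "client-a/0419.bak", "LastModified": _day(19),
     "Retention": {"Mode": "GOVERNANCE", "RetainUntilDate": _day(19) + MIN_RETENTION}},
    {"Key": "client-a/0418.bak", "LastModified": _day(18),
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": _day(25)}},
    {"Key": "client-a/0417.bak", "LastModified": _day(17), "Retention": None},
]

print("\n".join(audit_bucket(SAMPLE_CONFIG, SAMPLE_OBJECTS)))
```

Against a live S3-compatible endpoint, the same dictionaries can be filled from boto3's `get_object_lock_configuration` and `get_object_retention` calls.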

Why Ransomware Actors Target Backups

Understanding the threat helps explain why immutability matters. Modern ransomware operations are not opportunistic — they are planned. Before deploying their encryption payload, attackers typically spend days or weeks in a network, conducting reconnaissance and identifying:

  • Backup servers and their credentials
  • Backup storage locations, both local and cloud
  • Any monitoring or alerting that might detect deletion activity

Once they have this information, they delete or encrypt the backups first, then deploy the ransomware payload. When the victim discovers the attack, they find both their production data and their backups are gone. At that point, paying the ransom may be the only practical option.

Immutable storage closes this attack vector. Even with full admin access, an attacker cannot delete data that has been written to immutable storage — the storage layer rejects the request.

Immutable Backup and Cyber Essentials

UK MSPs helping clients pursue Cyber Essentials certification will find immutable backup increasingly relevant. While Cyber Essentials does not explicitly mandate immutable storage, the malware protection and backup requirements within the scheme are interpreted by assessors in ways that increasingly favour it.

Specifically, assessors may ask whether backup data is protected from being encrypted or deleted by ransomware. Immutable storage is the clearest technical answer to that question.

For clients pursuing Cyber Essentials Plus — which involves a hands-on technical assessment rather than just a self-assessment questionnaire — being able to demonstrate immutable backup protection is a meaningful differentiator compared to organisations relying solely on access controls.

What Good Looks Like for MSP Clients

A well-configured immutable backup setup for a typical MSP client would include:

Immutable cloud storage — backup data written to object storage with a retention lock of 30 days. Neither the client, the MSP, nor the storage provider can delete this data before the lock expires.

Separate backup credentials — the account used to manage backup jobs should not be the same account used for day-to-day operations, and should have multi-factor authentication enabled.

Offsite and air-gapped copies — the 3-2-1 rule remains relevant: three copies of data, on two different media types, with one copy offsite. Immutable cloud storage satisfies the offsite requirement and adds the immutability layer on top.

Regular tested restores — immutability protects the backup data but does not guarantee the data is recoverable. Regular restore tests verify that the backup is complete and that the recovery process works as expected.

Monitoring and alerting — backup jobs should be monitored for failures, and alerts should be sent when jobs do not complete within expected windows.

The MSP Commercial Angle

Immutable backup is not just a technical improvement — it is a commercial opportunity. Many MSPs are adding immutable backup as a premium tier in their backup service offering:

  • Standard backup — nightly cloud backup with standard retention
  • Immutable backup — cloud backup with object lock protection, suitable for clients with regulatory requirements or higher ransomware risk profiles

The additional cost of immutable storage (Wasabi's object lock pricing adds a small premium over standard storage) is easily justified to clients once they understand the protection it provides. And for clients in regulated sectors — legal, financial, healthcare, education — immutable backup is increasingly a procurement requirement rather than an optional extra.

Where BOBcloud Fits

BOBcloud's backup platform supports immutable storage configurations via Wasabi's object lock feature. UK MSPs can offer clients immutable backup protection without building or managing the underlying storage infrastructure.

If you're looking to add immutable backup to your service offering, start a free 30-day trial — no payment details required. Or find out more about the partner programme.