A cloud backup is not automatically ransomware-resistant.
That is the first point SMEs need to make peace with.
Cloud can be useful. Cloud can be resilient. But resilience against destructive ransomware depends on how the backup platform is configured, how access is separated, how versions are protected and how privileged actions are monitored.
That is why the NCSC’s cloud-backup principles are so useful. They turn a vague promise of “safe in the cloud” into practical questions an SME can actually ask.
Why “cloud” does not mean “safe from ransomware”
If an attacker can use the same identity path, the same privileged access or the same destructive controls to damage both the live environment and the backup environment, the backup may not be as resilient as you think.
The real issue is not where the backup sits. It is how difficult it is to destroy, deny or tamper with it.
The five principles in plain English
1. Backups should resist destructive actions
A backup service should not be easy to wipe, overwrite or dismantle through one bad action or one compromised admin path.
2. It should not be possible to deny all customer access
An SME should be able to verify that there is not a single easy route by which all legitimate access can be locked out.
3. Clean earlier versions should remain restorable
If later versions become corrupted, the platform should still allow recovery from a prior clean point.
4. Key management should be robust
Protection at rest is only useful if the associated key handling is designed properly and not treated casually.
5. Significant changes and privileged actions should trigger alerts
If something important changes, especially around privileged access or destructive controls, someone should know.
The identity problem in backup resilience
For SMEs, this is often the most overlooked point.
If the same compromised admin identity can affect both the live tenant and the backup posture, resilience is weaker than it appears. That is why identity separation, restore approval and privileged access design matter so much.
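As an added illustration of the five principles and the identity point above (this is a constructed toy model, not NCSC guidance or any vendor's platform code; the store, the role names and the scenario are all assumptions), the following models a versioned, retention-locked backup store with a backup-admin identity separate from tenant administration and an alert trail for every privileged or denied action:

```python
from dataclasses import dataclass, field
DAY = 86400  # seconds in a day

class BackupError(Exception):
    """Raised when the store refuses a destructive or unauthorised action."""
@dataclass
class VersionedBackupStore:
    retention_days: int                  # immutability window applied to every version
    backup_admins: frozenset             # identities allowed privileged actions (separate from tenant admins)
    versions: dict = field(default_factory=dict)  # name -> [(timestamp, payload), ...]
    alerts: list = field(default_factory=list)    # record of every privileged or denied action
    def _privileged(self, actor, action):
        # Principles 2 and 5: only the separate backup-admin identity may act, and every attempt is alerted.
        if actor not in self.backup_admins:
            self.alerts.append(f"DENIED {action} by {actor}")
            raise BackupError(f"{actor} is not a backup administrator")
        self.alerts.append(f"PRIVILEGED {action} by {actor}")

    def write(self, name, payload, now):
        self.versions.setdefault(name, []).append((now, payload))  # append-only: never overwrite a version

    def delete_version(self, actor, name, timestamp, now):
        # Principle 1: even a backup admin cannot remove a version inside the retention lock.
        self._privileged(actor, f"delete {name}@{timestamp}")
        if now - timestamp < self.retention_days * DAY:
            raise BackupError("version is inside the retention lock")
        self.versions[name] = [v for v in self.versions[name] if v[0] != timestamp]

    def restore(self, name, before=None):
        # Principle 3: recover the newest version at or before a chosen point in time.
        candidates = [v for v in self.versions.get(name, []) if before is None or v[0] <= before]
        if not candidates:
            raise BackupError(f"no restorable version of {name}")
        return max(candidates, key=lambda v: v[0])[1]

def demo():
    store = VersionedBackupStore(retention_days=30, backup_admins=frozenset({"backup-admin"}))
    store.write("ledger.db", b"clean data", now=0)
    # Day 5 (constructed scenario): a compromised tenant admin pushes an encrypted copy and tries to purge history.
    store.write("ledger.db", b"ENCRYPTED", now=5 * DAY)
    outcomes = {}
    for actor in ("tenant-admin", "backup-admin"):
        try:
            store.delete_version(actor, "ledger.db", 0, now=5 * DAY)
            outcomes[actor] = "deleted"
        except BackupError as exc:
            outcomes[actor] = str(exc)
    outcomes["restored"] = store.restore("ledger.db", before=4 * DAY)
    outcomes["alerts"] = list(store.alerts)
    return outcomes
```

Running `demo()` shows the tenant admin refused outright, the backup admin blocked by the retention lock, the clean day-0 version still restorable, and both attempts visible in the alert trail.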
What SMEs should verify with any backup platform
Ask practical questions such as:
can backups be made resilient to deletion or destructive changes?
is there separation between backup administration and day-to-day tenant administration?
can earlier clean versions still be restored?
are privileged or high-impact changes alerted?
who would know if the backup posture changed unexpectedly?
A short due-diligence checklist
Before relying on any cloud backup platform, an SME should be able to explain:
who administers it
how access is separated
how version recovery works
how alerting works
how restore confidence is tested
That is a much better sign of resilience than simply hearing the words “cloud backup”.
Final thought
Ransomware-resistant backup is a design question, not a label.
For a small business, the goal is not to become a backup specialist. It is to make sure the recovery path is harder to tamper with, harder to lock away and easier to trust when something goes wrong.