Air-gapped backups: what ‘offline’ really means in practice

“Air-gapped backup” gets thrown around as if it just means “copy it to something offline”. In practice, that sloppy definition is how small businesses end up with a backup they think is untouchable, right up until ransomware deletes it.

This article explains what “offline” really means for backups, what counts as a genuine air gap, and the practical trade-offs that come with it. No vendor talk, no theory. Just the reality you need before you build your “last clean copy”.

What problem air-gapped backups are meant to solve

Most backup failures during a cyber incident are not because the backup software “didn’t run”. They fail because the attacker gets to the backups too.

Ransomware operators go after backups on purpose. If they can encrypt or delete your backup copies, you lose your way out. That forces you into the worst options: pay, rebuild from scratch, or accept permanent data loss.

An air-gapped backup is designed to be the copy they cannot reach remotely. It is your last clean copy when everything else is compromised. That is the whole point.

For a small business, this matters because you rarely have the luxury of a long rebuild. You have live client work, payroll, invoices, contracts, and a team that needs systems back quickly. If your only backups are online and accessible using the same accounts you use every day, you are betting the business on those accounts never being compromised.

Core concepts: “offline”, “air gap”, and “immutable” are not the same

Offline is not a magic word

“Offline” should mean the backup copy has no automated path from your everyday systems. If your backup target is reachable over the network and your backup tool can connect to it without a human doing something deliberate, that is not truly offline. It is just “not on the server”.

In real incidents, attackers often steal admin credentials first. Once they have those, anything reachable by the same identity stack can be modified, encrypted, or deleted. “Offline” has to include access control, not just where the data lives.

An air gap is a separation with human control in the middle

A strict air gap means your backup copy is isolated from your production network so there is no physical connection, and no automated logical connection. Data movement happens manually under human control. That is why people describe it as a “gap of air”.

In small business terms, it means this: there is no always-on link that lets something on your network reach the backup copy. If malware can run a command and touch the backup storage, you do not have an air gap.

Immutable backups reduce risk but they are still connected

Immutability means a backup copy cannot be changed or deleted for a set retention period. That is powerful, and it is one of the reasons modern backup guidance often talks about an “immutable or air-gapped” copy.

But immutability is not the same as air-gapping. Immutable copies can still be online and reachable. If someone can change retention rules, rotate keys, or wipe the backup system itself, immutability may not save you.

The simple way to think about it:

  • Air gap: “You can’t reach it remotely.”
  • Immutable: “You can reach it, but you can’t change it.”
  • Good practice: treat them as complementary, not interchangeable.


What a practical air gap looks like for a small business

Many teams accidentally build “air-gap theatre”: it sounds safe, but it behaves like an online backup during an incident. Here are the patterns that actually matter.

1) Separate the backup identity from day-to-day admin accounts

If your backup system uses the same admin identities as your Microsoft 365 admin, your server admin, or your domain registrar logins, you have created a single failure point. A real air-gap strategy separates identities. It also separates where the credentials live and who can access them.

This is where a password system and tight access rules matter. If your backup admin credentials are sitting in someone’s browser password store, the “offline” copy is only as safe as that person’s laptop.

2) Separate the backup storage from the network

Physically disconnected storage is the easiest mental model, but the operational detail is what makes or breaks it:

  • If the device is plugged in all the time, it is not air-gapped.
  • If the device is plugged in “most of the time”, it is not air-gapped when you need it most.
  • If the device auto-mounts and is writable from compromised endpoints, it is not air-gapped.

For many small businesses, the workable compromise is a controlled “connect, copy, disconnect” workflow, with a clear owner and a checklist. The goal is a copy that is disconnected for the majority of its life.
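One way to check that the copy really is disconnected for most of its life is to keep a connect/disconnect log and audit it. The sketch below is an added example, not part of the original article; the log format, the sample entries and the two-hour session limit are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format: ISO timestamp, event, operator.
SAMPLE_LOG = """\
2024-03-04T18:00:00 CONNECT alice
2024-03-04T18:40:00 DISCONNECT alice
2024-03-11T18:00:00 CONNECT bob
2024-03-13T09:00:00 DISCONNECT bob
2024-03-18T18:05:00 CONNECT alice
"""

def audit_connect_log(log_text, period_start, period_end,
                      max_session=timedelta(hours=2)):
    """Return (fraction of the period the drive was connected, findings)."""
    connected = timedelta()
    findings = []
    open_since = None  # time of the CONNECT that has no DISCONNECT yet
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event, _operator = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "CONNECT":
            if open_since is not None:
                findings.append(f"{stamp}: CONNECT without prior DISCONNECT")
            else:
                open_since = when
        elif event == "DISCONNECT":
            if open_since is None:
                findings.append(f"{stamp}: DISCONNECT without CONNECT")
                continue
            duration = when - open_since
            connected += duration
            if duration > max_session:  # assumed limit for one copy window
                findings.append(f"{stamp}: session lasted {duration}, over limit")
            open_since = None
    if open_since is not None:
        # Never unplugged: treat the drive as connected until the period ends.
        connected += period_end - open_since
        findings.append(f"{open_since.isoformat()}: drive still connected at period end")
    return connected / (period_end - period_start), findings

if __name__ == "__main__":
    share, issues = audit_connect_log(
        SAMPLE_LOG, datetime(2024, 3, 1), datetime(2024, 3, 31))
    print(f"connected {share:.0%} of the period")
    for issue in issues:
        print("FINDING", issue)
```

In the sample data the drive was left plugged in for 39 hours once and never unplugged after the last copy, so it spent roughly 46% of the month connected.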

3) Don’t treat the air-gapped copy as your only backup

An air-gapped copy is usually slower to create and slower to restore from. That is normal. It is a resilience layer, not your main daily restore mechanism.

Most teams need:

  • a fast restore path for normal mistakes (accidental deletion, bad updates), and
  • a last clean copy that survives a worst-case security incident.


Examples: where people get “offline” wrong

Scenario 1: The USB drive that stays connected

A staff member plugs in a USB drive “just for backups” and leaves it connected. A week later, ransomware hits the PC. The ransomware encrypts every drive letter it can see. The “offline backup” is now an encrypted brick.

Lesson: offline is a state, not an object. A drive is only offline when it is disconnected and not reachable.

Scenario 2: The NAS “backup” sitting on the same network

A business backs up to a NAS on the office network. The backup job runs nightly. The NAS has an admin password that is reused elsewhere. An attacker compromises an admin account, logs in, deletes snapshots, and encrypts the NAS shares.

Lesson: separate networks and separate identities matter more than where the box sits.

Scenario 3: “Cloud backup” with one set of admin credentials

A cloud backup platform is configured, but the admin login is protected by a weak password or shared mailbox access. An attacker gets into the mailbox, resets the backup admin password, and deletes backups. The business discovers it only after data is gone.

Lesson: your backups are only as strong as the weakest admin account and recovery method.

Scenario 4: The air gap exists, but nobody can use it

A company has an offline backup drive in a cupboard. The only person who knows the encryption password left six months ago. During an incident, the team can’t restore anything. The air gap is technically real, but operationally useless.

Lesson: “break glass” access must be documented and recoverable without a single person.

Scenario 5: The backup is safe, but the restore path is missing

A team has a protected copy, but no one has tested a full restore. During an incident, they find out the backup does not include key systems, or restores take days longer than expected.

Lesson: an air gap does not replace restore testing. It just protects a copy from attack.

Advanced realities: the trade-offs nobody mentions

Your air gap is only as strong as your process

Air-gapping is not a feature you turn on. It is an operating discipline. If your process breaks under pressure, you will “temporarily” leave storage connected, you will share credentials, or you will skip verification because you are busy. That is exactly when you become vulnerable.

Backups fail in three quiet ways

  • Access failure: you cannot reach the backup when you need it (lost keys, missing permissions, missing hardware).
  • Integrity failure: you have a backup file, but it will not restore cleanly.
  • Coverage failure: the backup exists, but it does not include the business-critical data you assumed it did.
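Integrity and coverage failures can both be caught during a test restore by comparing the restored files against a hash manifest taken at backup time. The following is an added example, not part of the original article; the folder names, file contents and the list of required folders are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(source_root):
    """Map each file's relative path to its SHA-256, taken from live data at backup time."""
    root = Path(source_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_restore(restore_root, manifest, required_prefixes):
    """Report integrity failures (missing, corrupt) and coverage failures (uncovered)."""
    root = Path(restore_root)
    report = {"missing": [], "corrupt": [], "uncovered": []}
    for rel, expected in manifest.items():
        restored = root / rel
        if not restored.is_file():
            report["missing"].append(rel)
        elif sha256_file(restored) != expected:
            report["corrupt"].append(rel)
    for prefix in required_prefixes:
        # Coverage: a business-critical folder that was never in the backup at all.
        if not any(rel.startswith(prefix.rstrip("/") + "/") for rel in manifest):
            report["uncovered"].append(prefix)
    return report

def demo():
    """Constructed data: back up three files, damage the copy, then test-restore."""
    files = {"finance/invoices.csv": "a,b\n", "finance/payroll.csv": "x\n",
             "clients/contract.txt": "terms\n"}
    with tempfile.TemporaryDirectory() as tmp:
        live, copy = Path(tmp, "live"), Path(tmp, "offline")
        for rel, body in files.items():
            (live / rel).parent.mkdir(parents=True, exist_ok=True)
            (live / rel).write_text(body)
        manifest = build_manifest(live)
        shutil.copytree(live, copy)
        (copy / "finance/payroll.csv").write_text("garbage\n")  # silent corruption
        (copy / "clients/contract.txt").unlink()                # file lost from the copy
        return check_restore(copy, manifest, ["finance", "clients", "mailboxes"])

if __name__ == "__main__":
    print(demo())
```

The demo reports one missing file, one corrupt file, and one required folder ("mailboxes") that the backup never covered.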

If you want a related small-business explanation of why “retention” is not the same as “backup”, this post lays it out clearly: https://simplebusinessit.com/why-email-working-doesnt-mean-your-business-is-actually-secure/.

Air-gapped plus immutable is usually better than either alone

Small businesses often cannot afford enterprise hardware and complex segregation. That is fine. The practical goal is layered resilience. One copy that is hard to delete (immutable), plus one copy that is hard to reach (air-gapped), beats relying on a single approach.

This aligns with the modern “3-2-1-1-0” thinking: multiple copies, different media, one protected copy (immutable or offline), and verification so restores actually work.

Summary and key takeaways

  • An “offline backup” is only offline if there is no automated path to it.
  • An air gap means separation plus human control over data movement.
  • Immutability and air-gapping solve different problems. Using both is stronger.
  • The biggest small-business failures are identity reuse, always-connected storage, and untested restores.
  • A usable air gap includes documented “break glass” access, not a cupboard mystery drive.

FAQ

Is an external USB drive an air-gapped backup?

Only when it is disconnected and not reachable. If it is plugged in when malware runs, it is not air-gapped in practice.

Are “cloud backups” ever air-gapped?

Some providers offer isolation patterns, immutability, or separate vaults. But if it is reachable with your normal admin credentials, it is not a true air gap. Treat it as connected unless you have a deliberate, controlled separation.

Is immutable storage enough on its own?

It reduces risk, but it is not the same as isolation. If attackers can change retention policies, compromise admin access, or destroy the backup platform itself, immutability might not save you. Layer it with separation.

How often should we update an air-gapped copy?

It depends on how much data you can afford to lose and how long restores take. Many small businesses use a daily online backup plus a weekly or monthly offline copy for worst-case recovery. The key is consistency and a process you will actually follow.

What should be in the “break glass” pack?

At minimum: where the offline copy is stored, how to access it, encryption passwords or keys, and who is authorised to use it. Keep it separate from everyday systems, but make sure two people can access it if needed.

Do air-gapped backups matter if we’re “only in Microsoft 365”?

Yes. Cloud services reduce hardware failure risk, but they do not remove the risks of accidental deletion, account compromise, or large-scale encryption events. If the data matters to the business, you still need an independent recovery plan.

What’s a quick first step if we’re not doing this at all?

Start by mapping what data would stop the business if lost. Then check whether your current backups could be deleted using the same admin accounts you use every day. If the answer is “yes”, you have found the gap to fix first.

If you want a broader view of how the Microsoft 365 setup pieces fit together, this overview is a useful companion: https://simplebusinessit.com/microsoft-365-business-platform/.
