Well, what is "enough" protection for one company, may not be nearly enough for another... it all depends on the amount of money at stakes behind the data you are protecting. But here are some general recommendations:
1. Any separate storage device that is not directly write-accessible from compromised servers by industry-standard protocols (SMB, NFS) is "good enough" protection from CryptoLocker. But the storage device should use its own set of credentials (not from local directory, and not local accounts of the storage device). Additionally, you want that storage device located off-site. Cloud Connect service provider is ideal for this, and we actually have a recent success story
posted on this forum where Cloud Connect saved the user from CryptoLocker.
2. I personally always recommend using tape whenever possible as the last line of defense. Even if it just a monthly export. Tape is true read-only storage that is also much more reliable than disk. I saw tape backups saving companies from worst disasters so many times... and, I also saw every line of comprehensive disk-based protection strategy failing miserably, leaving users with unrecoverable data loss.