January 19, 2016

Last Updated on June 19, 2024

Editor’s Note: This post was originally published in January 2016 and has been updated for accuracy and comprehensiveness.
Yesterday I started hearing some unfortunate noises from the little external hard drive that I use for local backups of my laptop. These “last gasps” from the soon-to-be-replaced unit reminded me of how important backups are—and how easy it is to get them wrong. 
Backups are essential to both the availability and integrity of data. Are you sure you can recover after suffering data loss? Would you be able to replace your information system’s destroyed or corrupted data when you need to? It’s only a matter of time before you find out, one way or the other. 
Depending on what sensitive data you have, how it’s stored and accessed, and a host of other factors, backup scenarios and associated technology can get complicated way beyond the scope of this blog post. But fundamentally, making sure your backups have your back still comes down to the old-school 3-2-1 rule.

The 3-2-1 Rule

  • 3: Have at least three copies of your data (the original data plus two backups). The more copies of your data you have, the better the odds that you’ll have one when you need it.
  • 2: Keep those backups on two different media types (e.g., flash storage and network attached storage). This mitigates the risk that you’ll have similar failures on two similar media types.
  • 1: Store one of your three backups offsite. That is, very far away so that a large-scale disaster is less likely to take it out. This strategy is also known as off-site data protection, or vaulting. The public cloud is a great option, and there are many remote backup services for this purpose.

Isn’t it a bit of a comfort to know that not everything in the realm of IT is changing or getting more complicated? But despite the simplicity of the 3-2-1 rule, many organizations continue to ignore it and suffer needless and potentially costly data loss as a result.

Backup and Recovery Best Practices

You can do 3-2-1 backups in whatever way meets your business or personal needs. For example, an SMB could back up everyone’s laptop to a server and back up the server with an online backup service. This would cover you against most threat scenarios, alone or in combination: device failure, viruses, damage, theft, data or volume/directory corruption… and the most deadly threat of all—human error.
If it’s not practical or affordable to fully implement this best practice, come as close as you can. For example, if you can’t use two different media types, at least keep the backups physically separate.
But backups are only half of the equation. The other half is recovery (i.e. testing your backups). Don’t be like my friend who kept taking snapshots of his virtual machines thinking these constituted backups. One day he had to restore to bare metal after a server detonation and guess what? Those snapshots contained only state data for the virtual machines. He’d lost everything.
Ensuring you have adequate backup/recovery capability also requires you to understand your recovery time objectives (RTO) and recovery point objectives (RPO) for different classes of data. RTO is basically how long it takes to recover the data. RPO is essentially how fine-grained your recovery capability is. If you lose a file you’re working on, for instance, is it OK if the closest backup is one hour old? One day old? Five days old? The shorter your RPO, the more frequently you need to do backups.
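The 3-2-1 rule and the RPO described above can be checked mechanically against a backup inventory. The following Python is an added example, not code from the original post; the `BackupCopy` fields, the `check_321` function and the sample inventories are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str
    media: str             # e.g. "usb-hdd", "nas", "cloud"
    offsite: bool
    last_success: datetime
    restore_tested: bool   # has a restore from this copy been verified?

def check_321(copies, now, rpo):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []
    # 3: the original data plus at least two backups
    if len(copies) + 1 < 3:
        findings.append("3: fewer than three copies of the data")
    # 2: backups spread over at least two media types
    if len({c.media for c in copies}) < 2:
        findings.append("2: backups share a single media type")
    # 1: at least one backup stored offsite
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite backup")
    # RPO: the newest successful backup must be no older than the objective
    newest = max((c.last_success for c in copies), default=None)
    if newest is None or now - newest > rpo:
        findings.append("RPO: newest backup is older than the objective")
    # Recovery: at least one copy must have passed a restore test
    if not any(c.restore_tested for c in copies):
        findings.append("recovery: no copy has a verified restore")
    return findings

# Constructed sample inventories (assumed values, not real systems)
NOW = datetime(2024, 6, 19, 12, 0)
GOOD = [
    BackupCopy("nas-nightly", "nas", False, NOW - timedelta(hours=10), True),
    BackupCopy("cloud-sync", "cloud", True, NOW - timedelta(minutes=30), False),
]
WEAK = [
    BackupCopy("usb-drive", "usb-hdd", False, NOW - timedelta(days=5), False),
]

if __name__ == "__main__":
    for label, inv in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, check_321(inv, NOW, rpo=timedelta(hours=1)) or "policy met")
```

Running the check on a schedule with a per-data-class `rpo` value turns a missed backup window into a finding before a restore is needed.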

What’s Your Data Backup Policy?

If you’re looking to comply with an information security management system framework like ISO 27002, you’ll need to make and retain appropriate backups in line with a backup policy, and also test and be able to demonstrate your recovery capability.
If you choose to implement some version of the 3-2-1 rule, keep in mind the falling cost of online storage/backup has put a real-time or near real-time backup and mirroring solution within the reach of many SMBs. Services like CrashPlan offer features like encryption using your own keys, unlimited storage for a flat fee, and simplified backup management from mobile devices or the web. Network attached storage (NAS) for the home office/SMB has also come way down in price.
Put those two together and you’re covered! Then you can start refining your backup strategy based on retention requirements, disaster recovery needs, legal and compliance mandates and so on.
To talk over a backup/recovery strategy for your organization that cost-effectively meets your information security, disaster recovery and business continuity objectives, and other key requirements, contact Pivot Point Security.

For more information on data backup standards:

  • Here’s a complete explanation of the grandfather-father-son scheme for daily, weekly and monthly backups, including retention periods. 
  • Did you know that March 31st (the day before April Fool’s Day) is World Backup Day?

