<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=522217871302542&amp;ev=PageView&amp;noscript=1">

Why the 3-2-1 Rule for Backup by Itself Isn't Enough

Posted by Laura Vanassche on Sep 22, 2017 12:00:00 PM
Find me on:

Ensuring your clients’ data is secure and readily recoverable in the event of a breach or natural disaster is a top priority. Recent headlines showing the damage that ransomware and natural disasters, like Hurricane Harvey can inflict upon a network and its assets should motivate you to educate your clients to ensure backup policies are in place and effective.

Recent studies show the average cost of a lost or stolen record containing sensitive information in the United States is $225. While this may seem insignificant, the amount of data we capture and store has grown exponentially. The average number of records per data loss (in the U.S.) is 28,512, costing businesses $6.4 million per event. For U.S. businesses, this is almost double the global average of $3.38 million. This makes tried and tested backup policies critical to business continuity in case of an incident. Sixty percent of all small businesses that experience a data loss or corruption are not in business six months later.

What Is the 3-2-1 Rule?

The 3-2-1 rule is acknowledged as a Gold Standard in backup procedures. The 3-2-1 rule is a concept socialized by Peter Krogh in his book The DAM Book: Digital Asset Management for Photographers.

The 3-2-1 Rule explains you should have three copies of your data on two different types of storage media, with one copy offsite. For example, your primary storage is your computer hard drive, and you keep a backup copy on an external hard drive stored in the office closet. An additional copy should be kept in a cloud storage service like Dropbox or Carbonite.

Unfortunately, these steps alone may be inadequate. For those businesses affected by Harvey, perhaps cloud storage will save their business from months, even years of data loss. Nevertheless, this rule alone is not enough if the backups aren’t successful.

Beyond 3-2-1

Implementing 3-2-1 is important, but there are two additional steps needed. Often skipped, these steps are most important because they validate how effective the backup policy and procedures are.

First, you need to check the backup logs to ensure the backups are working. Checking this regularly is important on all sources – onsite and offsite. This can easily be executed in the form of an automated email or SMS stating whether the backup was successful or failed, sent in conjunction with whatever the backup schedule is for your network, whether it be weekly, daily or hourly.

According to Best Management Practices, authored by NIST, OWASP and ASTM, testing the backup by doing a partial restore on a regular basis is essential to count the backup system as effective and a legitimate safeguard. Be sure to test from backup solutions from all sources both onsite and offsite.

In the case of businesses affected by Harvey, the onsite copy is likely damaged, but the offsite copy would be available to restore the data. Many compliance requirements including SOX, HIPPA and PCI/DSS require these backup exercises as part of a successful audit and key to keeping in compliance.

Most importantly, detailed logs must be kept of the testing of any backup system including remediation and action items taken in the event that the system is not working during the test recoveries. Auditors and investigators are going to insist on seeing that due diligence was taken to ensure system in place were operational in the event of a loss where data cannot be recovered for any reason.

Corrupted Files

What happens if the files you’ve been backing up are corrupted? For dynamic data, you may consider a versioning strategy to enable a restore for a file at a point in time. This may not be relevant for all files in a given business, but addressing a versioning policy into the information lifecycle management (ILM) strategy can help prevent a complete loss when files are corrupted.

Have a Plan

Data loss prevention is vital to any business, and minimizing risk to the smallest percentage possible is the purpose of any disaster recovery or mitigation plan. The NIST Risk Management Framework outlines standard operating procedures (SOPs) to be part of an Incident Response (IR) Plan in case of an incident and a Disaster Recovery (DR) Plan in case of a disaster.

Disaster plans from different governing bodies share similar goals, but procedures of recovery can vary based on the nature of an event. Be sure to have plans defined and approved by management and SOPs in place to address each scenario. It’s recommended that your clients understand and practice them so that losses are minimized should an incident occur. Clearly defined solutions proven through testing and approved by managing officials are the best approach to minimized data loss in the case of an incident.

For more information on developing backup procedures, policies and the technologies to make it simple, contact our team of information management experts today at securityservices@techdata.com.




“Planning for Contingencies.” Management of Information Security. Cengage Learning, 2017.

Tags: Cloud, Cloud Backup