At First Keystone Community Bank, we strive to empower our customers for success as often as possible. In today’s information age, success can take many forms, including those that go unseen by our customers. Information technology systems that are thoughtfully and securely configured with a backup strategy allow businesses to run smoothly and efficiently, while protecting the sensitive information that passes through them from malicious third parties and ensuring regular and emergency access to this information, regardless of system outages.
We would like to take this opportunity to educate you on the standard data backup procedures of the industry and the steps you can take to ensure that your business’s data is recoverable in the event of a complete internal outage. Small-to-medium-sized businesses (SMBs) are among the most vulnerable to ransomware attacks, targeted more than any other group in the US. This is partly because SMBs typically do not have the resources or time to set up and maintain secure and properly backed-up digital systems. And the payoff for individuals and organized collectives that are able to compromise and gain access to those systems is usually high.
To help combat these risks, the United States Computer Emergency Readiness Team (US-CERT) recommends that any critical data used by an individual, organization, or government body should follow the ‘3-2-1 Backup Strategy’ to provide a restore point to reference, if the need arises. The basic tenets of this strategy are threefold:
- There should be ‘3’ backup copies of any protected data;
- These backups should be stored on ‘2’ different types of storage mediums, one of which should be “immutable”, and;
- ‘1’ copy of the backup data should be stored at an offsite location.
This time-tested strategy has been utilized since the early days of modern technology and is still considered best practice by most software and hardware institutions today.
Developing an inclusive data backup strategy starts with choosing which data to back up and how to create those backups. Protected data that is recommended to be backed up may include customer and/or vendor information, internal documents and procedures, internal application data, and employee files.
Some organizations utilize powerful physical servers to handle data-centric tasks that require full system backups, while others may choose to virtualize their workflow in the cloud to minimize infrastructure costs but may require intensive software integrations to back up. Still others may utilize cloud applications, such as Google’s GSuite services or Microsoft’s 365 Business Suite, that require minimal action to back up. In each of these scenarios, it is important to remember that a successful backup strategy provides an avenue for the organization to fully recover operations in the event of a catastrophic outage.
After the scale of the backup strategy is determined, the method by which the backups will be created can be considered. For an organization that uses physical servers or on-site infrastructure, this may take the shape of full server system “snapshots” or restore points that can be quickly redeployed back onto new hardware. This may be accomplished by utilizing infrastructure software such as VMware or Citrix. For organizations that utilize cloud computing, such as Amazon’s AWS (Amazon Web Services) or Microsoft’s Azure Environment, backup methods can take the form of mirrored environments that run in multiple geographic locations in the cloud or automatic mirror creation by a third party offsite. Other organizations may choose to create their backups from smaller cloud environments and store them on physical hard drives.
Businesses are encouraged to leverage as many of these methods as possible to ensure a smooth recovery, as long as they consider having ‘3’ copies of their data. One of the copies should be considered a ‘Primary’ backup and be regularly updated with the live environment so it is readily available to swap in if needed. The other two copies should be regularly updated but stored in at least ‘2’ different storage mediums, such as a remote backup in the cloud or on removable storage media such as Hard Disk Drives (HDDs), Solid State Drives (SSDs), USB drives, CDs, or Magnetic Tape.
Any removable storage media also meets the “immutable” recommendation, meaning that the data stored on it cannot be altered with digital access. It can only be altered through physical access to the media. And finally, ‘1’ of the copies should be stored in a different physical location than the other two copies. This ensures that if one of the physical locations cannot be accessed, the second location will still be available.
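As an added example (not part of the original article), the short Python audit below checks a backup inventory against the 3-2-1 rules described above and reports which rule each data set fails. The record fields, data set names and sample inventory are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str           # what is protected, e.g. "customer-records"
    medium: str            # storage medium type, e.g. "hdd", "tape", "cloud"
    location: str          # physical site or cloud region holding the copy
    immutable: bool        # cannot be altered through digital access
    primary: bool = False  # kept in step with the live environment


def audit_321(copies):
    """Return {dataset: [violations]}; an empty list means 3-2-1 is met."""
    by_dataset = defaultdict(list)
    for copy in copies:
        by_dataset[copy.dataset].append(copy)
    report = {}
    for name, group in by_dataset.items():
        problems = []
        if len(group) < 3:
            problems.append(f"only {len(group)} of 3 copies")
        if len({c.medium for c in group}) < 2:
            problems.append("fewer than 2 storage media types")
        if not any(c.immutable for c in group):
            problems.append("no immutable copy")
        if len({c.location for c in group}) < 2:
            problems.append("all copies in one location")
        if not any(c.primary for c in group):
            problems.append("no primary copy designated")
        report[name] = problems
    return report


# Constructed sample inventory (hypothetical data sets and sites).
SAMPLE = [
    BackupCopy("customer-records", "hdd", "head-office", False, primary=True),
    BackupCopy("customer-records", "tape", "head-office", True),
    BackupCopy("customer-records", "cloud", "cloud-region-a", False),
    BackupCopy("employee-files", "hdd", "head-office", False, primary=True),
    BackupCopy("employee-files", "hdd", "head-office", False),
]

if __name__ == "__main__":
    for name, problems in audit_321(SAMPLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running the audit on a schedule against an up-to-date inventory shows when a data set has drifted out of the strategy, for example after a drive is retired or a cloud backup is cancelled.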
As with any IT system today, there are numerous considerations to be made when configuring a backup strategy that works for your specific business needs. Listed below are some resources from the US Government that contain further information on everything discussed in this post. You can also check out our Security Center to stay informed about information security. We hope that this has been informative for you and your business!
Huth, A., & Cebula, J. (2011). The Basics of Cloud Computing. Retrieved from US-CERT: https://www.cisa.gov/uscert/sites/default/files/publications/CloudComputingHuthCebula.pdf
Ruggiero, P., & Heckathorn, M. A. (2012). Data Backup Options. Retrieved from US-CERT: https://www.cisa.gov/uscert/sites/default/files/publications/data_backup_options.pdf
US-CERT. (2011). System Integrity Best Practices. Retrieved from US-CERT: https://www.cisa.gov/uscert/sites/default/files/publications/TIP11-075-01.pdf
US-CERT, M.-S. I. (2005). Malware Threats and Mitigation Strategies. Retrieved from US-CERT: https://www.cisa.gov/uscert/sites/default/files/publications/malware-threats-mitigation.pdf