3, 2, 1, GO! Make backups of your data!

With the recent proliferation of ransomware, a type of malware that encrypts your data and holds it hostage until payment is received, what should be done to protect valuable data?

One of the best defences against this threat is having a good backup strategy. This protects your data against all sorts of unpleasant mishaps. How frequently you make them, what you make them to, where they are stored, as well as deploying the automation required to maintain said backup regimen is also crucial. We should all be familiar with making backups, but there is a useful rule of thumb called the “3-2-1 rule”.

A good backup regimen could mean the difference between surviving a catastrophic event such as ransomware or shutting down the business. Let’s use an example file called “Important_stuff.txt” to explain how this all works.

3 Different copies!

For an effective backup plan, you should have at least 3 different copies of this file. A good example would be:

  • One on a workstation, stored locally for editing or on a local server, for ease of access.
  • One stored on a cloud backup solution.
  • One stored on a long-term storage such as a drive array, replicated offsite, or even an old school tape drive.

This diversity of backups is there to ensure your documents are available with added redundancy. If the hard drive on your workstation fails, you have a backup on the server. Server down? The cloud copy is still an option.

If the ransomware did its thing while the server share was mounted to your workstation, it might also be encrypted. Here the cloud copy would save the day.

This is the reason why having 3 different copies is a good idea.


2 Different forms of media!

In the example given above, we had 3 copies of our file. The type of media this file is saved to is also important. The hard drive of the workstation and the external share are the fundamentally the same, but the cloud storage is different, as is the tape drive and the disk.

The different media rule most probably harkens back to the days of tape drive backups. If your backup regimen lacked diversity and consisted of only tape drives, it was vulnerable to a failure of the tape drive reader.

This scenario is where the main hard drive fails and the tape drive reader ALSO fails. As tape drives were a long-term storage option, it wouldn’t be uncommon for a new tape drive reader to become hard to source. This means trying to find a new or functioning reader could become difficult making your backups are inaccessible.

The takeaway is that media diversity is equally important. You could store “Important_stuff.txt” on multiple different media, just as long as all your eggs aren’t all in the same technological basket.

Having a diversity of media helps reduce the chances that all possible avenues of recovery will be inaccessible through equipment failure.

1 Copy stored offsite!

One copy of the backup should be stored offsite. If the head office burns down, it won’t matter how many backups you had. In our example, storing “Important_stuff.txt” on a tape drive and having it in a safety deposit box at your bank would negate the “office-burning-down” scenario as well as the perfect storm of ransomware encrypting everything.

Offsite copies will help mitigate a localized event.


A word on security.

You should make all best efforts to secure these backups. For an attacker, “Important_stuff.txt” is something that is immediately identified as a high-value item. Remember that if you store your backup in the cloud, the stuarts of this cloud could have access to them. Portable drives are, well… portable, and by this I mean they can be portable in someone else’s pocket!

  • Use strong passwords on that offsite cloud service. Select cloud backup solutions that are zero-knowledge. (The stewards of the cloud don’t have access to your data in unencrypted form!)
  • Encrypt the data backed up to external solutions.
  • Store these backups in a safe place, preferably under lock and key.

The examples above where encryption is used are how it is beneficial, as opposed to how it is used by ransomware authors.


Good automation and discipline!

The single greatest obstacle to a proper 3-2-1 backup regimen is the discipline required to maintain it. A good way to mitigate this is to automate the backup process. The backing up of “Important_stuff.txt” should be transparent to its owner.

Having backups gives you the option to deny ransomware authors by choosing the painful option and restoring from backups…

You could also install our product to mitigate ransomware attacks. (This should not be thought of as a replacement for a good backup strategy!)


Payment must be the absolute last resort.

Any option other than paying the cybercriminals for a decryption key is preferable. This is why when we see news reports recommending paying the ransom we collectively shake our heads. Encouraging familiarity with the Bitcoin ecosystem isn’t bad at all. Crypto-currencies are fascinating. Having some stored on hand for a quick payment, however, implies a fundamental failure.

Remember, when you pay the bad guys, you reinforce the viability of these types of attacks. You are teaching them that ransomware works.



Jean Taggart

Senior Security Researcher

Incorrigible technophile who loves to break stuff and habitually voids warranties.