By Larry LaBas
Cybersecurity is top of mind for every business leader today, but this huge, interconnected, often nebulous topic can be difficult to navigate without expert guidance. Protecting an organization from the ever-increasing threat of cyberattacks is a multi-layered process that requires steady hands at the tiller.
My team at Taos has deep experience working side-by-side with clients to provide this expertise. In this new series of blog posts, we’ll be covering some of the best practices we recommend to our clients in building and maintaining a robust security posture.
We start this series with the basics, because a strong security strategy starts with a strong foundation. Even if you buy the best home security system in the world, you can’t expect it to protect you if you don’t lock your door every night.
Recovery Can Be as Easy as 3-2-1
Data is everywhere and it’s vulnerable. Hardware failures, accidental deletion, stolen devices, and of course cyber threats like ransomware are not going away. Losing data in today’s world can be devastating to productivity and customer trust, and can even involve hefty fines and other financial damage. To minimize (or even avoid) disruption to the business, organizations need to plan for the inevitable by educating and supporting their people, giving them the means to protect the data they are responsible for, and empowering them to recover quickly and improve their security posture. If you don’t have a dedicated CISO or security team in place, it can be difficult to know what to do next.
A useful starting strategy that I like to recommend is the 3-2-1 Backup Method. It’s a time-tested approach that’s easy to rally around and helps individuals and teams recover from data loss.
What is the 3-2-1 Backup Method?
A user creates three regular backups for their devices using two different methods, and one of them has to be offline. So that’s:
- 3 backups
- 2 different methods
- 1 offline or not locally accessible
How might this work in practice? Let’s take an employee with a laptop. For this device, they would create the following:
- One live cloud-based backup (OneDrive, Box, Google Drive, etc.) that captures changes in real time
- One automated scheduled backup to a different cloud source, like a company cloud account
- One offline or inaccessible backup, such as a simple USB drive or an S3 bucket, that is encrypted and dismounted after the backup
Keep in mind that some things considered a backup are not actually backups if used alone or improperly. One example is cloud storage with live updates. It’s great for a hardware failure, but it’s not great for malware or ransomware: if your laptop gets hacked and encrypted, your live cloud storage will get encrypted too. Another example is a USB drive or other external storage tool that isn’t physically disconnected from the device afterwards. If it’s still connected, it’s vulnerable to the same hack as the device it’s backing up.
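The rule and its two caveats can be turned into a quick self-check. The sketch below is an added example, not a Taos tool: the Backup fields, the audit_321 function and the sample inventories are all hypothetical names constructed for illustration, modelled on the laptop example above.

```python
from dataclasses import dataclass


@dataclass
class Backup:
    name: str
    method: str              # how the copy is made, e.g. "live-sync", "usb"
    live_sync: bool = False  # mirrors every change in real time
    detached: bool = False   # dismounted or unplugged after each run
    encrypted: bool = False


def audit_321(backups):
    """Return a list of findings; an empty list means the set meets 3-2-1."""
    findings = []
    if len(backups) < 3:
        findings.append(f"only {len(backups)} backup(s), 3 required")
    if len({b.method for b in backups}) < 2:
        findings.append("fewer than 2 different backup methods")
    # A copy counts as offline only if the device cannot reach it between runs.
    offline = [b for b in backups if b.detached and not b.live_sync]
    if not offline:
        findings.append("no offline copy: every backup stays reachable from the device")
    for b in offline:
        if not b.encrypted:
            findings.append(f"offline copy '{b.name}' is not encrypted")
    # Live sync replicates ransomware-encrypted files, so it cannot stand alone.
    if backups and all(b.live_sync for b in backups):
        findings.append("all copies are live-sync: no point-in-time copy to restore from")
    return findings


# Constructed inventories (assumed values, not real data).
LAPTOP_OK = [
    Backup("OneDrive", "live-sync", live_sync=True),
    Backup("company cloud", "scheduled-cloud"),
    Backup("USB drive", "usb", detached=True, encrypted=True),
]
# Same set, but the USB drive was left plugged in after the backup.
LAPTOP_USB_LEFT_IN = LAPTOP_OK[:2] + [Backup("USB drive", "usb", encrypted=True)]

if __name__ == "__main__":
    for label, inv in (("ok", LAPTOP_OK), ("usb left in", LAPTOP_USB_LEFT_IN)):
        print(label, audit_321(inv) or "meets 3-2-1")
```

The second inventory still has three copies and three methods, yet it fails the check because the drive that was meant to be the offline copy is still attached.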
Where to start? Get teams on board.
I always recommend starting a conversation about recovery methods with your teams. Review the current backup strategy of the company and determine as a group how the company could benefit from a system like this. Encourage interaction and get input from team members to drive engagement and buy-in to whatever policy is eventually chosen.
Extra steps you can take to ensure compliance
Since the 3-2-1 Backup Method is easy to implement, it’s likely to be embraced quickly, but having some things in place will make compliance easier.
- Provide backup tools for the team. Sometimes a company has one or two already in place but might need a third. The backup sources a company recommends or provides depend on the size of the company and compliance requirements. For instance, a USB drive backup method isn’t appropriate for a healthcare company but could be useful for a firm that doesn’t handle sensitive information.
- Automate the first two backups as much as possible, and set a policy recommendation for the third individual backup. How often it should run depends, again, on the size of the company, compliance regulations, and the kind of data an organization is handling.
- Finally, share the effects of ransomware and data loss, and the benefits of restoring devices quickly. If your laptop gets locked and wiped, how great is it to restore everything immediately by plugging in that handy USB drive?
Your team will also appreciate the benefits of the 3-2-1 Backup Method beyond the business. I have friends and colleagues who have adopted this system for their home technology after learning how simple it is to implement; my family has made it a way of life. Make sure you make it a part of your business.