Backing up data is, to many of us, like flossing or exercising. We know it’s a good idea, but still don’t do it as frequently as we should. If you have ever felt the sting of lost data from the crash of a hard drive that wasn’t backed up, you will be highly interested in trying to do it right. This blog post is intended to paint a clear picture of the proper way to go about it.
Rule of 3-2-1
- There should be three copies of any data you really care about. If it’s critical data, loss of which would cause you to lose business, or cause you to be non-compliant with some mandates, you should have (1) your active copy that you’re using, (2) on-site backup copy, and (3) off-site backup copy.
- You should use two types of media for your backups. You can use CDs, DVDs, hard drives, thumb drives, off-site cloud storage; I don’t care. Just so that not all your eggs are in the same basket. For example, what if both your on-site and off-site backups are on tape, and your tape drive goes down? So give yourself options for the restore process.
- At least one copy should be stored off-site. And not just that, but this should be automated as much as possible. The less human interaction, the better. Everyone says, “I’ll just do it myself.” But business owners are spinning numerous plates. You will forget. Automated backup to the cloud will work when you are there, when you’re on vacation, when you’re dealing with a crisis. You can use something like Carbonite or Mozy, or Amazon’s Glacier for slow, archival storage, but there are too many choices to go into here. For an excellent discussion between Steve Gibson and Leo LaPorte of many cloud storage options, go here: www.grc.com/sn/sn-349.htm.
Restoring and Testing
In addition to memorizing and following the Rule of 3-2-1, here’s something few people do but everyone should. After you have put a backup system in place, you should periodically spot-check by retrieving a backed-up file. The goal is to make sure the backup is actually occurring and that you are familiar with the retrieval process. Cloud backup is a wonderful thing. A common question I get is, “Can I trust online storage?” In all the years I’ve been helping people with backups, there has never been an instance where I haven’t been able to restore data from an online service.
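A scripted version of that spot-check, added here as an example and not something from the original post: it samples files from the live folder, hashes each against its copy in the backup folder, and tells a copy that is genuinely out of date apart from one the next scheduled run will still pick up. The folder layout, the sample of four constructed files and the two-day backup window are assumptions.

```python
import hashlib
import os
import random
import tempfile
import time
from pathlib import Path

def sha256_of(path: Path) -> str:  # chunked so big files never sit fully in memory
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def spot_check(live_dir, backup_dir, sample_size=5, max_age_days=2, seed=None):
    """Compare a random sample of live files with their backup copies.
    A differing copy is 'stale' only if the live file changed longer ago than the
    backup window (assumed 2 days); a fresher edit is merely 'pending'."""
    live_dir, backup_dir = Path(live_dir), Path(backup_dir)
    files = sorted(p for p in live_dir.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    cutoff = time.time() - max_age_days * 86400
    report = {"ok": [], "missing": [], "stale": [], "pending": []}
    for live in sample:
        rel = str(live.relative_to(live_dir))
        copy = backup_dir / rel
        if not copy.is_file():
            report["missing"].append(rel)              # never backed up at all
        elif sha256_of(live) == sha256_of(copy):
            report["ok"].append(rel)                   # restorable, byte for byte
        elif live.stat().st_mtime < cutoff:
            report["stale"].append(rel)                # changed long ago, job never caught up
        else:
            report["pending"].append(rel)              # changed recently, next run should copy it
    return report

def demo():
    """Constructed sample tree: one good copy, one missing, one stale, one pending."""
    root = Path(tempfile.mkdtemp())
    live, backup = root / "live", root / "backup"
    live.mkdir(); backup.mkdir()
    for name, live_text, copy_text in [("good.txt", "v1", "v1"), ("missing.txt", "v1", None),
                                       ("stale.txt", "v2", "v1"), ("pending.txt", "v2", "v1")]:
        (live / name).write_text(live_text)
        if copy_text is not None:
            (backup / name).write_text(copy_text)
    os.utime(live / "stale.txt", (time.time() - 10 * 86400,) * 2)  # pretend edit is ten days old
    return spot_check(live, backup, sample_size=10, seed=1)

if __name__ == "__main__":
    print(demo())
```

Anything in the "missing" or "stale" lists is a file you could not restore today, which is exactly what the periodic spot-check is meant to surface before you need it.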
Almost nobody in business has had formal training in security or passwords. The only thing you’ve had is crazy IT admins yelling at you, or frustration with password setup processes that don’t seem to make sense.
So let’s get back to the fundamentals. There are three components to authentication:
1. Who you are. Typically corporate networks use your email as your login username.
2. What you know. This is information kept only in your brain, such as a password or a PIN.
3. What you have. This is a tangible thing in your possession. Your debit card is an example of the second and third components: you have a debit card and you know your PIN. With those two, you can take out money.
Here’s the problem: most Web services use only the first two factors of authentication. (There are third-factor devices such as USB dongles and SecurID key fobs, but these are in limited use.)
The first is not very secure: the username, usually your email, is public. So really, you only have one-factor authentication, consisting of your password. It’s crucial that you not screw that up. Get that right and you will eliminate most of the likelihood of being hacked, but not all of it. Even a WIRED editor got hacked through social engineering (calling Apple and tricking them into giving out his password); see wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/.
The other big problem with password security is that people don’t practice compartmentalization. Let’s say pets.com gets hacked and the bad guys get your Yahoo! email address and password. They immediately go to Yahoo! mail and try to log in using that password. They succeed because you didn’t compartmentalize: you used the same password for both pets.com and your email account. Now they can log in and quickly change your email password, locking you out. With control of your email account, they move on to your banking and credit card accounts. Game over.
So, compartmentalize: use different passwords for different accounts.
The final important thing about passwords is to make them long and use wacky characters. Use upper and lower case, and use symbols such as &, !, # and *. Also, a length of less than twelve characters makes it too easy for brute-force password-guessing bots to succeed, so make them long.
Here are some password examples:
| Bad Password | Not-so-Bad Password | Good Password |
And how will you remember them? The best way is to write them on a piece of paper and keep it safe at home. There are also password-keeping programs that will encrypt your password list, and then you’ll only need to remember one password.
- When purchasing laptops and desktop PCs, don’t get the warranty if the computer costs less than $600.
- If you are buying a laptop that costs over $1200, seriously consider getting the accidental damage warranty for at least 3 years.
- If you see that a Java update is available …DO IT!
- Back up your stuff. Seriously… back it up.
- A backup means there are at least 2 copies.
- Laptops should last reliably for 3-4 years.
- Desktops should last reliably for 4-5 years.
- Servers should last reliably for 4-5 years.
- Use a surge protector rated at 2000 joules or higher.
- If you have a wireless network…secure it with encryption.
- You are legally responsible for what goes on over your Internet connection.
- Have different passwords for all your websites.
- Passwords should be at least 12 characters long.
- The computer you conduct business and work on SHOULD NOT be the computer your kids use.
- If you think a computer might be infected with malware or a virus, DO NOT do banking or conduct any transactions online or even offline.
- Think of malware and viruses not as bad programs but as bad guys sitting at your computer day and night seeing all that you do.