The 3-2-1 Backup Rule and Effective Cybersecurity Strategy

Last week, I wrote an article on top cyber security risk trends and predictions for 2020.

In the article, I reviewed some very significant breaches and attacks that occurred in 2019, touched on common cyber risks, threats, and attacks, and made predictions on what we should expect for 2020.

An interesting conversation kicked off amongst some security professionals on an online professional networking platform a few days ago. The conversation centred on the 3-2-1 backup rule, and how that strategy measures up against assessing and preparing for cybersecurity threats and attacks in 2020.

The one question that seemed to pop out of the conversation is this: is the 3-2-1 backup rule sufficient to constitute, or be considered, an effective cybersecurity strategy?

I’ll give my response to this question in the course of this article. But for now, let’s have a bit more context, definitions, and discussion on several parts of the subject, shall we?

3-2-1 backup rule diagram

What’s the 3-2-1 Backup Rule?

The 3-2-1 backup rule is a best-practice data backup strategy that aims to ensure data is adequately protected and resilient to loss, damage, and corruption.

The rule states that there should be at least three (3) copies of the data, that the copies should be stored on two (2) different storage media, and that one (1) of these copies should be kept in an offsite/remote location.

You’ll notice, from the image above, that the title on the image says 3-2-1 Backup Rule, but the image itself appears to suggest that the rule should be called the 3-2-1-0 Backup Rule instead.

A few alternative views in the community hold that a proper and correct backup best practice should include a further step covering valid and verified data recoverability, i.e. zero (0) errors when a restore is tested.

I do agree with the views I just cited, and so I felt the need to capture the 3-2-1-0 steps as also representing the 3-2-1 backup rule.
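To make the 3-2-1-0 steps concrete, here is an added example (not from the original article or any vendor tool) that scores a backup inventory against all four conditions, verifying the “0” step by comparing each copy’s SHA-256 digest to the primary’s. The inventory, copy names, and media labels are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BackupCopy:
    name: str
    media: str      # storage medium, e.g. "disk", "tape", "object-store"
    offsite: bool   # held at a remote/offsite location?
    data: bytes     # constructed in-memory stand-in for the copy's contents


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_3_2_1_0(primary: BackupCopy, backups: List[BackupCopy]) -> Dict[str, object]:
    """Score one dataset against the 3-2-1-0 rule.

    3: at least three copies (assumption: the primary counts as one);
    2: copies spread across at least two different media;
    1: at least one backup held offsite;
    0: every backup hashes identically to the primary, i.e. restore verified.
    """
    all_copies = [primary] + backups
    reference = digest(primary.data)
    unverified = [b.name for b in backups if digest(b.data) != reference]
    return {
        "three_copies": len(all_copies) >= 3,
        "two_media": len({c.media for c in all_copies}) >= 2,
        "one_offsite": any(b.offsite for b in backups),
        "zero_errors": not unverified,
        "unverified": unverified,   # copies that would not restore cleanly
    }


def is_compliant(report: Dict[str, object]) -> bool:
    return all(report[k] for k in ("three_copies", "two_media", "one_offsite", "zero_errors"))


# Constructed sample inventory: the offsite object-store copy has a corrupted last byte.
PAYLOAD = b"customer-ledger-2019-12-31"
PRIMARY = BackupCopy("prod-disk", "disk", False, PAYLOAD)
BACKUPS = [
    BackupCopy("tape-onsite", "tape", False, PAYLOAD),
    BackupCopy("s3-offsite", "object-store", True, PAYLOAD[:-1] + b"0"),
]

if __name__ == "__main__":
    report = check_3_2_1_0(PRIMARY, BACKUPS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("compliant:", is_compliant(report))
```

The sample passes the 3, 2, and 1 conditions yet fails the 0 step, which is exactly the case a plain 3-2-1 check would miss.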

Anyway, moving on…

Is data backup essential to security? Yes, of course! Data backup and restore are essential elements of any security strategy that is worth its salt. Absolutely. Without any doubt.

Every effective Business Continuity and Disaster Recovery (BC/DR) plan needs a very good backup strategy to succeed. The 3-2-1 backup rule is effectively all about redundancy: ensuring data resilience and availability.

As stated by Alex Mayer, “the 3-2-1 backup rule is a good recommended start in building any data protection system – a way to protect your data from loss/corruption…

Consequently, I think we should be very clear about one thing: the 3-2-1 data backup rule is not a panacea for cybersecurity risks, threats, and attacks.

If your organisation (or one of your clients) has experienced a successful security attack in the past, you will have learned that data backup is indeed a vital risk-mitigating action, but:

  1. It does not address or mitigate potentially severe interruptions to business operations (e.g. BC/DR, BAU, MTTR, etc.)
  2. It does not address or mitigate attacks that target networks and infrastructure
  3. It does not address or mitigate attacks that make illegal and unauthorised copies of data
  4. It does not address the confidentiality or integrity of data or information, two of the three principles of the cybersecurity (CIA) triad
  5. It does not address, resolve, or eliminate the actors behind the attack (both internal and external), and invariably,
  6. It does not eliminate, thwart, or deter a repeat of the (previously successful) attack or similar attacks.

I can affirm that combating cybersecurity risks, threats, and attacks, and winning, requires far more than implementing the 3-2-1 backup rule.

So, here’s my response to the question raised earlier: the 3-2-1 backup rule should form a vital part of any good Security Incident and Event Management (SIEM) plan. But it is almost certainly not a replacement or substitute for an effective cybersecurity strategy.