2023-03-31

World Backup Day 2023

Today is World Backup Day.  

Data backup is incredibly important today given how much of human activity is online.  Here are a few suggestions to reduce the risks of losing your important data.  (Data is "important" if losing it would negatively impact you.)

  1. Ensure that all your important data is backed up to at least two different places, at least one in the cloud and at least one local (e.g., an external hard drive).  
  2. Manual backup -- weekly at a minimum -- can work if you're diligent and set a reminder in your calendar, but automated daily backup is much better.
  3. For data that lives on your computer or an external drive, your first backup should be to a cloud provider.  Your second backup can be cloud or local.
  4. Have an offline local backup.  Offline means that the storage device (e.g., external drive, flash drive) is physically connected to your computer only during the actual backup operation.  This provides protection against corruption, deletion by mistake, and ransomware. 
  5. If you have data that lives in the cloud, you need at least one backup too, which could be on your computer or an external drive.  Your password manager falls under this: export its database occasionally -- but only if your computer drive is encrypted; see below.
  6. Cloud sync (often free, e.g., Google Drive) is not the same as cloud backup (usually paid, e.g., Backblaze).  True backup will keep deleted files and old versions of your files for at least 6 months (and ideally longer), supports point-in-time restore, and lets you choose which folders to back up.  Cloud sync providers usually keep these for no more than 30 days, don't support point-in-time restore, and often only back up files you place in a single fixed folder.
  7. For sensitive data you're backing up to the cloud -- or if you don't want to have to think about which data is sensitive or not -- use a cloud provider with end-to-end encryption (E2EE), also called Zero Knowledge.
  8. For local backups (e.g., to external drives), ensure that the data is encrypted.  (Critically, also ensure that your computer's drive is encrypted.  Windows Home doesn't do that and Windows Pro doesn't do it by default; so if someone steals your computer they'll get all your data.)
  9. For mobile devices you can reduce data backup concerns by ensuring that all important data on your device actually comes from (is synced from) the cloud or, in the case of, say, new photos not yet transferred to your computer, is automatically backed up to the cloud.  Don't leave any unbacked-up data on your device for too long.
  10. A backup is not useful if the restore from it fails when you need it, so run test restores on your data occasionally.  This applies to both local and cloud backups.
  11. Manage your backup process: keep a list of all your data sources and where each source is backed up to and how often.  This will help you identify gaps in your backups.
  12. Looking at the broader picture, you can reduce the cost, effort, and risks of data backup by reducing the amount of data you have.  Don't keep data longer than it is useful to you.
  13. Organizations: The larger the organization, the more stringent its backup requirements are, for both technology and processes.  One small example of the latter is that the organization's security policies should include detailed requirements for backup of the organization's data.

This is an update of my World Backup Day 2021 post: World Backup Day, and suggestions.

2023-03-21

Key security measures for a small organization

A small non-profit recently asked me for recommendations for improving their password security.  They wrote:

Do you make recommendations on password security software for businesses?  We are looking to increase our security and password protection, but are getting so many different opinions on best options.  Last Pass was popular and has been recommended in the past, but apparently has had some security breaches as well.

My reply was as follows.  (This would apply equally to a for-profit organization.)

Bitwarden and 1Password are the password managers I tend to suggest.  Because of the LastPass data breach I no longer suggest LastPass.  Organizations should typically use the Teams version of their chosen password manager so that the service can be managed for the organization.

For a bit more background you can see my blog post on the LastPass breach:

The big LastPass data breach and what to do about it (gsharratt.com)

This is a good article with more info: 

The 2 Best Password Managers of 2023 | Reviews by Wirecutter (nytimes.com)

Two-factor authentication (2FA) is the other critical part of security for account credentials.  My blog post has more info, including lots of info on Authy:

Set up two-factor authentication (2FA) - another nice COVID-19 project (gsharratt.com)

A core third leg of security is device security, including strong passwords/PINs for all devices and full-disk encryption (FDE) for all computers, so that no data is compromised if computers are stolen or lost.  If you have Macs they likely already have FDE, but if you have Windows PCs they would need BitLocker in order to support FDE.  Search for "BitLocker" in this blog post:

Core security advice for general users [aka security hygiene] (gsharratt.com)

Hopefully you have an IT person or an IT managed service provider, and they can help you set up FDE for all computers.  They might possibly also be able to help you set up a password manager and 2FA.

This blog post contains an overview of other security controls that you could consider:

Security hygiene for a small professional office (gsharratt.com)

Note that the above are just generic suggestions that are typically suited to small organizations, since I know little about your organization and so can’t give advice.