When it comes to data security, the so-called “3-2-1- Rule” is a useful guideline.
This rule, which originated in the photography world, advises maintaining three copies of data, using two different types of media for storage, and keeping at least one copy off-site, says Rick Vanover, whose company, Veeam, specializes in data protection and recovery.
In industries like financial services — where data is life blood — Vanover says he would take the rule further, tacking another “1” and a “0” on the end. The extra “1” underscores the importance of having one copy that is offline, air-gapped or immutable. The “0” is for ensuring that the data is error-free.
“Backing up your data is not enough – you must ensure that each backup is recoverable, complete, and uncorrupted,” Vanover wrote in a blog post about the ‘3-2-1- Rule.’ “Recovery testing is critical because it ensures that you really are protected against disasters and ransomware attacks.”
In research Veaam conducted with 1,200 IT leaders across industries for its 2024 Data Protection Trends Report, three out of four said they had experienced a ransomware attack in the preceding 12 months. A quarter of the respondents said they had been attacked four or more times.
“Recovery testing is critical because it ensures that you really are protected against disasters and ransomware attacks.”
Notably, Veeam’s earlier research on ransomware trends found that most companies end up paying, sometimes to no avail. In that survey, 80% of the respondents acknowledged paying the ransom, with a quarter of those saying they remained unable to recover their data even after paying.
Only 16% said they had not paid because they were able to recover their data on their own — which Veeam described as the “right” answer that ought to apply to everyone.
Vanover is the senior director of product strategy at Veeam, which is based in Columbus, Mo., but has offices in more than 30 countries. He talked in more detail about how companies can ensure they have an effective data backup strategy on the “Banking Transformed” podcast with host Jim Marous. Below is an edited version of their discussion.
By Failing to Prepare, You Are Preparing to Fail
Q: Some companies recover from cyberattacks more easily and quickly than others. What are they doing differently than their peers?
Rick Vanover: The organizations that get out of these ransomware scenarios and cybersecurity incidents most efficiently are the ones that have planned.
Imagine the digital equivalent of police tape being wrapped around a data center where critical systems we need are running. You can’t go back there. Maybe cybersecurity insurance is taking over the situation to see if there’s a claim, and a lot of times people haven’t thought of that. The organizations that are most prepared are the ones that have a plan B for such unexpected scenarios.
The investments an organization makes ahead of an incident will 100% predicate how they get out of problems.
Q: Where do you see the biggest vulnerabilities right now? What should organizations be looking out for?
Vanover: Our “Data Protection Trends Report” for 2024 is a survey of 1,200 IT leaders who are responsible for data protection at their companies. It tells us one of the biggest challenges is that organizations don’t know what they have. Different lines of business are going to ramp up different systems.
Are you talking to all the different lines of businesses to know what they’re doing? Maybe you didn’t know that Kubernetes is now in production over there in that business unit. Is it protected? Is it resilient? Is it ready for a ransomware threat? Does it have disaster recovery? Is it subject to audits? All these different things come into play.
Identification is truly one of the biggest challenges across all industries. You can’t respond, protect, detect and recover from what you don’t have identified.
Do a ‘Red Team’ Exercise to Test Your Cyber Resilience
Q: But unexpected scenarios are, by definition, unexpected. You don’t know what you don’t know. So how do you prepare effectively? Is there a process for catching what might fall through the cracks otherwise?
Vanover: I always advise my clients to do what I call a “red team exercise.” Build your defenses, and then turn your head around and think, “If I want to do something malicious, how would I succeed?” And then just keep improving from there.
We also suggest having a “two-human” or “four-eyes” model for key processes. You see this approach on television: the launch of a missile takes two keys turning exactly at the same time and they’re so far apart that one person can’t do it.
How many times have you tried to log into something and you get this text message on your phone that you need to go get a code? These types of constructs add a layer of protection. Nothing’s absolute, but they’re a very important layer that I think can let these decision makers sleep at night.
Q: When you first engage with a financial institution, how do you find out where their vulnerabilities are?
Vanover: There’s always a discovery. And I’d argue that discovery is the most overlooked yet most relevant part of making anything better. To your point, you don’t know what you don’t know.
I learned a long time ago that if you work backwards in the supply chain, you will learn so much. So, I think it’s important to think about an outcome of scaling X, Y, Z system, or increasing the capacity, or adding a new line of business, but working backwards to the people, the processes and the products involved.
And I would go one step further for financial services professionals: If you can, get the business involved, aligned and supportive. That’s especially true if there’s a sentiment of “well, we don’t have budget for that.” Get the business involved because, trust me, that can absolutely drive change and make budget appear where budget wasn’t there.
See all of our latest coverage of bank technology.
The Pain Points for Banks to Address
Q: In what area are financial institutions falling short with their legacy backup systems?
Vanover: First, don’t make the assumption that everything is backed up. That’s not the case. Services like Microsoft 365, Salesforce, any software as a service, some of these cloud-hosted apps, a lot of organizations don’t know that they need to back them up. So a lot of times, they’ll have these compliance “aha” moments, and that is not a good “aha,” because they don’t have their own discrete separate copy. So again, working backwards, you find out these things.
Second, there are many challenges, but there’s one in particular that I want to highlight. Our trend report asked, what is the likelihood that your organization will switch its primary backup solutions in 2024? Of the 1,200 respondents, 54% said they either definitely will or are likely to switch.
Asked about the most important factor that would cause them to switch, the answer that ranked highest — at 17% — was the need for consistent reliability. That just blows my mind: basically, the reason I’m changing my backup is because it’s not working. That is unacceptable in today’s data protection space.
And that’s before we even get into, well, I have these 30-, 50-year-old systems that are still super important to my business and all the data just happens to live there and I need to protect it. There’s that problem as well. But at the heart of it, people have the motivation to change because the systems just aren’t reliable enough.
Will you be changing primary backup solutions in next year?
| Response | Percentage |
|---|---|
| Definitely will | 17% |
| Very likely | 37% |
| Somewhat ulikely | 13% |
| Somewhat unlikely | 6% |
| Very unlikely | 16% |
| Definitely won’t | 11% |
Q: What about those that aren’t uplevelling their cybersecurity? What are their reasons for not changing?
Vanover: They’re almost too comfortable for the level of threat out there today. I’ll give you one example from a financial services organization in Europe. The organization went through a ransomware incident, I want to say it was in the middle of the last decade, so quite a bit ago. A few systems were impacted. They had complete recovery. They were happy and they moved on.
There’s a real risk of these organizations feeling a little bit complacent. They haven’t got stung hard enough by some of these threats out there. I think that’s one really big reason.
Data Protection: Advice on Where to Start
Q: What advice would you give financial IT and security leaders around how to advance their data protection today, to be prepared for tomorrow? Where should they start?
Vanover: Make it your goal to be able to bounce back from an outage or data loss. Think about things not going as planned and being able to bounce back. Red team exercise your IT.
It gets technical. I know it does. You’re going to have to talk to the IT people. You’re going to have to work backwards in the supply chain. And there’s going to be new words that come up; people are going to be using words like “immutability,” and there’s no such thing as too much immutability. That’s a good thing, right? That’s a resilient copy of data.
I would just challenge everyone to be ready to bounce back with that “radical resilient” approach.
For a longer version of this conversation, listen to “The Increasing Importance of Data Resilience,” an episode of the Banking Transformed podcast with Jim Marous, available here or wherever you get your podcasts. This Q&A has been edited and condensed for clarity.
Justin Estes is an award-winning writer, strategist, and financial marketing expert with expertise in banking, investments, and fintech. His clients include the NYSE, Franklin Templeton, Credit Karma, Citi and, UBS, and his work has appeared in Forbes, Barrons and ThinkAdvisor as well as The Financial Brand.