Many years ago, before common sense kicked in, I thought it would be a good idea to rent a storage space for all the extra furniture and other stuff I could not fit in my new house.  Knowing it would only be temporary, I stashed everything from upholstered and leather furniture, to boxes of books.  Fast forward twelve months.  The rental agreement was expiring, and I realized that I would never need nor have room for all that I’d stored, so I decided to have a sale to dispose of it.  When I went to the storage space I was horrified to see that everything was covered in a thin film of mold.  (This was years before climate-controlled storage was widely available.)  I had no choice but to trash it all, which both cost me money and prevented me from converting my goods to profit.

I was reminded of this long-ago event when I heard about the latest ransomware attack.  We’ve been reminded countless times of the importance of backup, and ransomware is only the most recent reason.  If you have ever had a hard drive fail, you know the pain that comes with irretrievable data.

So what happens when your backup media fails? Or your archival media?  Don’t CDs last forever?

Media longevity

I thought my stuff was safe.  That it would look just like it did when I took it to storage.  I was wrong.  The media—in this case the storage locker—failed me.  In the digital world, all media have a finite lifespan.  The scary part is that many factors influence that lifespan and can dramatically reduce the usable and readable life of all media.  Here are just a few:

  • Raw material quality
  • Manufacturing quality
  • Environmental (temperature, humidity, sunlight, pollutants)
  • Storage methods
  • Handling

You may remember what happened when you left a cassette tape or CD on your dashboard.  Tape stretched and degraded, CDs became warped and scratched.  “But I back up to the cloud,” you say.  True, most cloud providers have lots of manpower and redundant systems, but even the largest of them can fail from time to time.

Belt and suspenders

Ransomware is a growing problem.  It does not discriminate among individuals, small businesses, and global corporations.  In most cases, no one gets their data back.  Period.  So it’s more important than ever to ensure that our backups are safe, that they can be restored, and that they are current.  Depending on the criticality of the data at risk, it may also be important to have more than one copy.  In years past, when backup to CDs was more common, I would often make two CD copies as a hedge against the failure of one.  Replicated data centers can help, but if the vulnerability that allowed the ransomware in is replicated, you’re toast.

Not just for disaster recovery

While you’re looking at your backup media and processes in light of disaster recovery and business continuity, be sure to consider technology obsolescence as well when archiving for the long term.  Think floppy disk.  Do you still have any?  Do you have drives and software that will read them?  The optical media of today are the floppies of tomorrow.  Media will fail, the technology that reads them will fail, and the software will become incompatible with future operating systems.   Any archival storage of data must include a migration path, and should be evaluated every few years.  Recorded media should be sampled and checked for readability on a routine schedule.  Retrieval indexes must be maintained, and any migration of image data must take into account retention of index links and references.
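The routine readability check described above, as an added example that is not part of the original post: it records a SHA-256 digest per file at archive time, then re-reads a random sample and flags files that are missing, unreadable, or changed. The manifest layout, function names and sample file names are assumptions made for illustration.

```python
import hashlib
import random
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Read the whole file in chunks; a media read error surfaces as OSError."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Record one digest per file at archive time (hypothetical index format)."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def sample_check(root, manifest, fraction=0.1, minimum=1, seed=None):
    """Re-read a random sample of manifest entries and classify each one."""
    rng = random.Random(seed)
    names = sorted(manifest)
    k = min(len(names), max(minimum, round(len(names) * fraction)))
    report = {"ok": [], "missing": [], "unreadable": [], "corrupt": []}
    for name in rng.sample(names, k):
        try:
            digest = sha256_file(Path(root) / name)
        except FileNotFoundError:
            report["missing"].append(name)      # file is gone from the medium
        except OSError:
            report["unreadable"].append(name)   # medium returned a read error
        else:
            report["ok" if digest == manifest[name] else "corrupt"].append(name)
    return report

def demo():
    """Constructed sample: three small files, two damaged after archiving."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(3):
            (root / f"scan{i}.tif").write_bytes(b"constructed image data %d" % i)
        manifest = build_manifest(root)
        (root / "scan1.tif").write_bytes(b"bit rot")  # simulate silent corruption
        (root / "scan2.tif").unlink()                 # simulate a lost file
        return sample_check(root, manifest, fraction=1.0, seed=0)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest on separate media from the archive it describes, so that a single failure cannot take out both the data and the means to verify it.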

I hope you are never hit with a ransomware attack.  But if you are, please be able to say, “No worries.  My backup is safe, readable, and current.”

  • Jim Shook

    Debbie, a very timely and insightful discussion, thank you. What ransomware is unfortunately exposing is that many organizations do not have complete backups of their key systems; they fail to protect their backup environment (even offline tape backups have online catalogs that need to be protected); or the recovery from tape takes a week or more, just given the volume of data. Plenty of good solutions to these problems but IT and Security need to get together to assess.