Years ago, when I was a security analyst/administrator in the health care/research sector, one of the units there had a nasty experience with a server. All the unit's PCs were being dutifully backed up to the server in question. Unfortunately, it hadn't occurred to anyone to back up the server. Not, at any rate, until problems hit both a PC and the server that resulted in the loss of data. Not critical data, perhaps, since the unit and the organization are still around, but significant enough to threaten managerial heads with a sudden migration from neck to guillotine basket.

In fact, the history of security is littered with failed backup strategies. Here are a few horrible examples from Practical UNIX and Internet Security, by Simson Garfinkel and Eugene Spafford.

  • A researcher at DEC who lost 10 years' worth of email because the DAT tape on which it was backed up had never been verified and failed to work because of a bad block right at the beginning.
  • A project group that had to retype in a system from printout because it turned out that their home-brewed backup utility only backed up the first 1024 bytes of each file.

As Garfinkel and Spafford said: “Making backups and verifying them may be the most important things that you can do to protect your data.” But if hardcore IT professionals can get it wrong, what chance does the everyday home user have of ensuring that their data is safe?

Unfortunately, security professionals are apt to emphasize the need to back up without going into the practical details. ESET's Aryeh Goretsky, however, has put together a short paper that addresses that need for the home/SOHO audience without lapsing into gratuitous marketing. He avoids overly-esoteric technical detail and ubergeek jargon, but manages to pack in enough information on a complex and difficult topic to give a home user a good grasp of what they need to know in order to take their first steps toward business continuity and disaster recovery in the home and small business. I've already recommended the paper to family and friends outside the security industry, but perhaps I also need to recommend it to one or two of my former colleagues.