The 3 – 2 – 1 Principle for keeping your data safe

Memory Stick Collection

I was cleaning out a drawer in my home office this morning and found this collection of old USB memory sticks dating back quite a few years. Remember those days when you thought you were so cool because you had this little storage drive full of all your stuff in your pocket? I recall working in a school back in those days where we actually mandated that every student had to have a “USB”, such was the apparent importance of these things. The intention was for students to keep their personal data safe and secure, but we used to constantly find them left behind in the USB ports of the classroom computers after a lesson. Or they would sometimes mysteriously just stop working. Or the kids would lose them. USBs may have been cool, portable and handy, but they were about the most insecure method for managing data I can think of.

(Side note: I’ve never quite known what to call these things. Calling them simply a “USB” seems stupid to me, because USB – or Universal Serial Bus – is a data interface standard, not a name for a device. Lots of devices might use a USB plug as the connection interface but that’s not the name of the actual device. I’ve owned microphones and printers and cameras and all kinds of things that connect using a USB interface, but we don’t call all these devices “USBs”. That would be silly. If you must use the term USB for these portable memory devices, at least call them a USB memory stick)

Some people seem to feel like their data is perfectly safe and secure if they have it stored on one of these little memory sticks. Let me tell you, for the vast, vast majority of people, letting them manage their own data storage is a really bad idea. The only real explanation I hear for why people feel memory sticks are a secure way to store data is that they “know where their data is”. People actually say that they won’t put their data anywhere that they don’t know where it stored. It might sound good to say that your data is safe as long as you know where your data is stored, but trust me, just knowing where your data is stored has nothing to do with it actually being secure.

As for relying on memory sticks, those things are the least secure way to store your data I can think of. They can get lost, fall out of your pocket, go through the wash, get eaten by the dog, or you leave them in the back of another computer and forget about them, or they simply just stop working for no apparent reason. If you have a few of them it is near impossible to keep track of what’s stored on them. Other than for absolute emergencies or moving a file as a last resort, USB memory sticks, or whatever you want to call them, are probably a really bad idea.

So when it comes to storing data, what IS a good idea then? For most people who never really think much about boring things like secure data storage, the answer is the cloud. Whether it’s Google Drive, DropBox, OneDrive or some other cloud service, it will be infinitely more secure than any storage “system” you could come up with by yourself. Once your data is in the cloud it gets securely stored, safely backed up and is accessible from anywhere, on any device.

I know what you’re thinking. “Yes, but I don’t trust the cloud, I don’t know where my data is stored.” Well, you probably have a bank account but you don’t know where your money is stored either, so I’m not sure what your point is. Claiming your data is more secure on a memory stick would be like putting your money in a shoebox under your bed and claiming it is more secure than the bank. Just like money, data is secured by the processes and infrastructure that store it, not from simply knowing where it is. I’ll say it again. For the average person – yes, you – the safest place to store your data, by far, is in the cloud.

But what if the internet goes away? But what if the cloud loses it? But what if the data centre burns down? Or what if I do store it in the cloud, and that free storage they give me now becomes something I have to pay for one day? (How terrible that you might one day get asked to pay for a service you’re using!)

If you really don’t trust the cloud, then at least get a portable hard drive, so you’re not dealing with these dinky little memory stick things. In fact, while you’re at it, buy a second portable hard drive, because you’re going to need to make a backup of the backup, because what if you lose the first one?

Which brings me to my main point. Data security – or keeping your important data safe – is a big deal. The truth is most people wouldn’t really care if they lost that Word file of a resume for a job they applied for 10 years ago. But losing your entire photo collection? Or all your music? Or videos of the kids when they were little? Or letters from your deceased parents? This is the stuff that’s a big deal. This is the stuff that you don’t want to put at risk. This is the stuff that you don’t ever, ever, ever want to have just stored on a memory stick.

So how should you store it? There’s a general principle of keeping data safe. The 3-2-1 rule. Three copies of the data. Stored in at least two different mediums. One of which is in a different physical location. Let me elaborate…

Three – you need to have three copies of important data. One is clearly not enough because if you lose it or it gets destroyed, that’s it. It’s gone for good. A second copy – a backup – is important. But if the data is really critical, the I-really-cannot-lose-this kind of stuff, then a third copy gives you peace of mind.

Two – you need to store the data in at least two mediums. There would be no sense having three copies of your data if each copy was on floppy disks. I don’t know about you, but it’s been a while since I’ve seen a floppy disk reader, so having everything stored in one now-obsolete format means you can’t read any of the copies. You might think floppy disks are a silly example. Well how about this? I own a number of computers – mostly Macs and Chromebooks – and not one of them has a port that can read those USB memory sticks in my drawer. Those old memory sticks use a standard called USB-A, but all modern computers use the newer USB-C format, rendering all those old memory sticks now obsolete. Sure I could use an adapter, but the fact is those old memory sticks are yesterday’s technology. You should keep the three copies of your data in at least two different formats because you never know how technology will change and you want to make sure that you’re always using formats that will still be readable.

One – you need at least one of those copies to be stored offsite. There’s no sense having your three copies in two different formats if they are all stored in your house and the house burns down. At least one of them needs to be kept in a completely different physical location. Offsite. Your parents’ house. A friends’ place. Or in the cloud. Somewhere. Just not in the same place as the others.

As it turns out, having your important stuff stored in the cloud addresses every one of these requirements – it’s another copy, it’s in a different format, and it’s offsite. And regardless of how well you think you can manage your own data on those portable drives, putting your data in the cloud puts it into a real data centre which stores it in real time, with real backup processes, real biometric security, real disaster management plans, and real data management processes. I don’t care how well you think you can manage your own data, you’re an amateur compared to the way the data centre looks after it.

If you’re still not sure convinced that the cloud is a safer alternative than that old SCSI Zip drive you can’t seem to find right now, take a look at this video tour of a Google data center.

Should you have all your data only in the cloud? Of course not! 3-2-1! Weren’t you paying attention? Go get yourself a couple of hard drives and set up Time Machine or SuperDuper with a regular scheduled backup. Then after you’ve done that, go upload everything to a reputable cloud service.

But stop relying on those stupid USB memory sticks!

Something you know, Something you have

I read an article today in an educational newsletter about keeping your accounts safe with a strong password.  It suggested a range of sensible things like having at least 8 characters, using a mix of uppercase, lowercase, numbers and special characters, and not reusing old passwords.  All pretty good advice.

I hear a lot of people expressing concern about the security of “the cloud”.  They worry that their data could be compromised if kept on a server they don’t own themselves, or a server that is located somewhere else, possibly even in another country.  They express concerns about data breaches from hackers, security breaches of data centres, or even data being accessed by foreign powers during a government uprising. Is any of this possible?  I suppose so. Anything is possible. Unlikely perhaps, but possible.

If it’s true that anything is possible, and we want our data to have zero risk, then we need to not keep data anywhere. The only sure way to have no risk with our data is to have no data, but that’s obviously not possible, because we live in the real world where having data is important and useful. To live in a world without data is not an option. So when it comes to the security of your data, we need to decide what level of risk is acceptable to us.

Putting aside the likelihood of secret hacking attempts or tinfoil-hat conspiracy theories, can we all just acknowledge that the single most likely way your data will be accessed by someone else is if they get hold of your password.  Either you didn’t pick a very secure password to start with, or they guess it because they know your pet’s name, or you do what so many people do and write it on a post-it note and stick it to your monitor at work. Or maybe you are away from your desk without locking your computer. Or maybe you’ve shared it with someone you know.  Whatever the reason, that password, those eight or so little characters, are all that stands between you and potentially disastrous consequences.

So why, oh why, do more people not use Two Factor Authentication (or 2FA)?  I have had literally hundreds of conversations with people who will argue about the alleged insecurity of the cloud, and who get all freaked out because they don’t know where or how their data is physically stored, and who claim that they can’t possibly rely on a cloud service to store their precious data, but who don’t use 2FA on their account!  It’s insane.

Look, I get that some people might be mistrustful of the idea of putting their data somewhere other than a server that they own themselves. But unless they at least use 2FA to secure their account I cannot take anything they say about security seriously.  They are not even taking the most basic of steps to secure their own data, while they bleat about highly unlikely potential worst case scenarios.

So what exactly is two factor authentication?

Many people have two locks on their front door – a top lock and a bottom lock, each with it’s own key. Unlocking either one of the locks is not enough to open the door – you need to unlock both locks at the same time. That’s two factor authentication. You need both factors – in this case, both keys – to open the door.

When it comes to data, you also want to have two keys, or ‘factors’. And ideally you want to have two different kinds of factors – something you know and something you have. 

The something you know is the password, and yes it’s still a good idea to have a strong password, something with enough length and complexity that is hard to guess but easy to remember.  But it’s not enough. It’s just one factor.

The second factor is something you have, or something you physically carry with you, such as a phone or touch key. Unless the hacker or foreign power actually has your phone, they can’t access your data, even if they know your password.  Just like the two keys for the front door, they need both your password AND your phone at the same time. If they have both those things, you may just have bigger problems to deal with.

Some people think that using two factor authentication can be a pain, but it doesn’t have to be. It’s easy and absolutely worth whatever very minor inconvenience it might cause.  You probably have your phone with you all the time anyway, so it’s really not a big deal. Once you set it up, when you log into your account on a new device you simply enter your username and password as usual, then tap a button or enter a code on your phone to complete the login.  No phone, no login. Take that, hacker!

There are a number of ways to get that second factor, from receiving a text message, to entering a secret number that gets generated every 30 seconds, to tapping a ‘Yes’ button on your phone, to having a dedicated Yubikey in your computer. It’s an extra step, sure, but it makes your account very, very difficult to hack.

So please, if you don’t already use 2FA (on every account you own!) then set it up now. Your online life will be exponentially more secure. And if you don’t, then please do not ever express an opinion about the security of the cloud or anything else. If you can’t take even the most basic steps to protect your own online data then you have no business expressing your opinions about whether a cloud system is secure enough or not.  You just sound silly.

The Power Of Spreadsheets

I had a knock on our front door a few weeks ago. It was a young English guy going door to door for an electricity retailer, trying to get me to switch my power company.  As it turns out, it was his first day so he didn’t really know a lot about what he was selling and couldn’t answer many of my questions in detail. To be fair, I can be a bit analytical about these things and I don’t think he was prepared for so many questions. His spiel was basically “You should switch to us because we are better”, but when I asked about the rates they charge, all he could respond with was “We have really good rates”.

If you ever come knocking on my door, whether you’re trying to get me to switch energy companies, or convince me that Jesus loves me, you better be prepared to engage. I ask lots of questions. You better have answers.

So I grabbed my most recent power bill, and asked him exactly what their rates were per KWh. He had never heard of a Time Of Use meter (TOU), which our house uses, so I had to explain the concepts of Peak, Shoulder and Off Peak rates to him. As we compared the rates, we both learned that his company’s “really good rates” were not quite as good as he had been led to believe.  Compared to what we were currently paying, they were slightly cheaper for Peak and Shoulder, and quite a bit more for Off Peak.  It was an interesting discussion and I told him I would take the data he provided and think about it.

When I think about data, I do it with a spreadsheet. I often amazes me how few people really understand the power of a spreadsheet to analyse numbers. Even with just a few simple formulas, it’s possible to dig into numbers and see what they really represent.  Especially with consumer level data – like knowing how much things really cost – it astounds me that more people don’t know how to make sense of the numbers for their basic expenses.

So I knocked up a spreadsheet in Google Sheets. I transferred the KWh usage from my last power bill onto the sheet (which was a little tricky as there was a rate change part way through the quarter, so I had to calculate the different rate amounts and add them together for the total) but in the end was able to correctly derive the exact same $429 figure as I actually paid. Just that part of the exercise was useful as it helped me understand exactly how my power bill was calculated. (Do you understand how yours is calculated?) I then projected the amount of my next quarterly power bill – $529 – assuming the usage was the same, but with the latest rates.

Then I copied the usage data and plugged in the KWh rates being quoted to me by my door knocking friend. His company was offering a 15% pay-on-time discount on the bill (but only on the actual power usage, not the supply charge, as I found out later by reading the fine print). As it turns out, his company – Simply Energy – was indeed cheaper than my current provider, coming in at $439 for the same usage and a saving of $89.88. Not bad.

But wait, it got me thinking. Could I do even better? A quick internet search turned up a power provider called Red Energy. Red Energy was highly recommended by Canstar, so I found their rates and plugged them into my spreadsheet. Their KWh rates were cheaper, however they only offered a 10% pay-on-time discount, but it was on the whole bill not just the consumption component.  Can you see why you really need a spreadsheet to analyse this data if you want to make any informed decisions? I’m sure that companies deliberately calculate their charges using different formulas to their competition, just to make it harder for consumers to make apples-to-apples comparisons. Thank goodness for spreadsheets and knowing how to use them.

Red Energy was not actually the cheapest option, but they were close enough and the one I felt best about as they are a 100% Australian owned company. So I called them, and made the switch.

And then the fun started. Yesterday I got a call from Energy Australia, my current power provider, telling me what a valued customer I am and how much they wanted to keep my business. So much so that they offered an ongoing 26% (!) pay-on-time discount on my power bill. While that certainly sounded like an attractive deal, their actual rates were still higher, so how can you tell?  Yes, with a spreadsheet.

As the Energy Australia rep was wooing me with enticing offers I was able to say “Hang on, I have a spreadsheet!”  I quickly entered their data into the sheet and was now discussing the options knowing exactly what I was talking about. Having data is powerful.  Turns out it was a good deal, so I decided to remain with my original provider (although I was a little bit annoyed that you need to threaten to leave them before they suddenly discovered they can offer me a discount!)

Now I had to call Red Energy and tell them I was cancelling the switch. But, surprise surprise, Red has a customer retention department as well and they didn’t want to lose me as a potential new customer either. So they upped the ante to a 12% pay-on-time discount AND a $100 rebate on my next bill. Into the spreadsheet that new data went. And it turns out that when you take all of that into account, Red wins – by $6.34 annually.  So I decided to stick with my decision to switch after all.

You can check out the spreadsheet I made here if you are interested.

I think there are a couple of lessons here…

  1. If you want to be a canny consumer, you need to have the facts. Many companies give you information that is confusing, incomplete or just misleading. Take the time to analyse the data for yourself so you know the reality of their claims.
  2. If you want to save money on basic bills, then leave your current provider (or at least threaten to). Switching your power, phone, gas, or other service to a competitor is likely to get their customer retention department calling with a much sweeter deal than you currently get.
  3. Learn to use a spreadsheet! They are a simple tool, but oh so powerful. I can tell you, at least anecdotally, that most people I meet have absolutely no idea how to use one. Don’t be one of those people.
  4. If buying locally matters to you at all, do some research. Turns out that Energy Australia, despite the name, is a wholly owned Hong Kong company. Red is 100% Australian owned by the Snowy Hydro Scheme. Foreign ownership of Australian companies is an interesting can of worms.

Here the educational part of this blog post…

As a teacher, I see this kind of thing as a brilliant activity for students. What if you gave your learners the basic skills of calculating numbers with a spreadsheet, and then a bunch of different rates from different competing companies and simply asked “Who is offering the best deal?”  This process usually raises lots and lots of questions, and will certainly make them better consumers, better at understanding data, and better users of spreadsheets.

For an example of the kinds of ways you can take this convoluted consumer experience and turn it into a reasonably useful learning task for students, the links below are from a task I have used with my Year 11 students looking into how to figure out the best mobile phone plan. As you will see from looking at the task, it tried to take account of the complexities of the word “best” by introducing a user-centric approach (best for who?) and encouraging them to really dig into the information being provided to make sense of it. I’ve also included a grading rubric to give you an idea of how I graded this task.