The real risk is not having it plugged in.

There is a risk, yes.
But:
- It’s a small risk.
- There are ways to mitigate the risk.
- There’s a greater risk at play if you don’t leave it plugged in.
Let me explain.

Leave the backup drive plugged in
The risk of leaving your backup drive plugged in is much smaller than the risk of forgetting to back up at all. Use good security tools, practice safe habits, and let backups run automatically. Some backup programs have additional features to protect your backups from malware (specifically ransomware).
The risk
Let’s say your machine becomes infected with malware. That malware is designed to harm not only data on your machine’s primary hard drive but also any connected drives (internal, external, or in some cases even networked).
Ransomware, for instance, is malware that encrypts all the data it finds and then holds it for ransom. Many people are concerned that ransomware could thus encrypt your backups.
The reasons I characterize this as a “small” risk include:
- Most ransomware has shifted to targeting larger enterprises. Individuals appear to be less impacted by ransomware of late.
- Most ransomware focuses on smaller files like documents and photos, which it can encrypt quickly with less chance of being detected until it’s too late. Backups are large files.
- Most malware does not seek out external drives.
- Most malware performs other malicious behavior, such as installing keyloggers or other ways to compromise online accounts, or crypto-mining.
“Most” is not all, of course. I’m not saying there’s zero risk. I’m just saying that in the grand scheme of things, it’s not a big risk.
Mitigating risk
Ransomware is just malware. There’s a good chance you’re already mitigating the risk significantly.
- Run good security software and keep it up to date.
- Make sure your security software is updating its database of known malware and behavior regularly (usually daily).
- Connect to the internet through a router acting as your firewall.
- Don’t click on links you aren’t 100% certain of.
- Don’t open attachments you aren’t 100% certain of.
- Don’t install software you aren’t 100% certain of.
That’s it. Do the things you know you should be doing anyway.
- The chance of malware making it through is small.
- The chances of malware making it through and wreaking havoc are small.
- The chances of destructive malware making it through and going after your external drive are smaller yet.
A small risk of a small risk of a small risk means it’s a very small risk.
I have one more mitigation, but first, we need to talk about the more critical risk.
The risk of not keeping your backup drive connected
As you probably know by now, I’m a huge believer in backups. To be more specific, I believe strongly in automated backups: backups that, once set up, happen automatically without much further effort on your part.
Automated backups, of course, require that the external drive on which your backups are to be placed is connected to your computer.
The alternative is to connect the external drive only when performing a backup. This implies that the backup process, and that physical connection and disconnection, are performed manually. You have to do it.
More concerning, you have to remember to do it and take the time to do it.
The risk is simple: you’ll forget. Trust me, you will forget, or something else will come up to prevent you from performing the backup.
And while I’m not a huge believer in fate and Murphy’s Law, it does seem to happen that you’ll find you desperately need your backups immediately after having forgotten to create them.
That, to me, is a much higher risk than malware coming along and trashing the backups you’ve created because you left the drive attached.
One more mitigation
The good news is that backup software manufacturers understand that people have this fear, regardless of the practical risk it really represents. As a result, some offer additional mitigation.
Macrium Reflect calls it Image Guardian. EaseUS Todo has what it calls Security Zone. Other tools have similar features.
The common thread is that backup images and files are protected from tampering. Period. Even the owner of the backup can’t modify, or perhaps even see, the backups created with these features enabled. And if you can’t, malware can’t. The only way to access the backup files is to use the tool that created them.[1]
Whether it be a file permissions setting, some kind of fancy partition setup, or something else, the important thing about these features is that your backups are inaccessible to malware.
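An independent check for a drive that stays connected, added here as an example (it is not from this article's author or from any backup vendor): it hashes each backup file against a manifest kept off the drive and alerts if a file has changed or no recent intact backup exists. The file names, the 26-hour window, and the assumption that the backup tool never rewrites a finished image are illustrative.

```python
import hashlib, json, tempfile, time
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a (possibly very large) image file in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit_backups(backup_dir, manifest_path, max_age_hours=26, now=None):
    """Compare backup files with a hash manifest, then check freshness.
    Keep the manifest off the backup drive. Returns (severity, message) pairs."""
    now = time.time() if now is None else now
    manifest_path = Path(manifest_path)
    known = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    current = {p.name: p for p in Path(backup_dir).iterdir() if p.is_file()}
    findings, intact = [], []
    for name in sorted(set(known) | set(current)):
        if name not in current:
            # Retention purges also remove old images, so warn rather than alert.
            findings.append(("WARN", f"missing: {name}"))
            del known[name]
        elif name not in known:
            known[name] = sha256_file(current[name])
            findings.append(("INFO", f"new: {name}"))
            intact.append(current[name])
        elif sha256_file(current[name]) != known[name]:
            # Assumption: finished images are never rewritten by the backup tool.
            findings.append(("ALERT", f"modified: {name}"))
        else:
            intact.append(current[name])
    # Ignore modified files here: their fresh mtime would hide a stalled schedule.
    newest = max((p.stat().st_mtime for p in intact), default=0)
    if now - newest > max_age_hours * 3600:
        findings.append(("ALERT", f"stale: no intact backup in the last {max_age_hours}h"))
    manifest_path.write_text(json.dumps(known, indent=2))
    return findings

def demo():
    """Constructed sample: two fake image files, one overwritten between runs."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as other:
        drive, manifest = Path(tmp), Path(other, "manifest.json")
        (drive / "full_monday.img").write_bytes(b"full image data")
        (drive / "incr_tuesday.img").write_bytes(b"incremental data")
        first = audit_backups(drive, manifest)
        (drive / "full_monday.img").write_bytes(b"\x8f\x02 encrypted bytes")
        second = audit_backups(drive, manifest)
        stale = audit_backups(drive, manifest, now=time.time() + 3 * 86400)
        return first, second, stale

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Hashing multi-terabyte images takes time, so a check like this fits a nightly schedule better than an hourly one.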
Do this
- Back up.
- Automate your backups so you don’t have to remember.
- Leave your backup drive connected.
- Practice safe computing.
- Consider enabling additional protection features like Image Guardian, Security Zone, or equivalent tools.
There’s just no reason to disconnect your backup drive.
Footnotes & References
1: Occasionally, the backup software includes specific exceptions. I’ve not tried it, but my understanding is that Macrium Reflect allows the Windows tool RoboCopy to copy backup images.
I use Macrium Reflect and have Image Guardian turned on. On impulse, I tried to copy one of my incremental backups to another drive using “Copy To Folder” in the context menu in File Explorer. Image Guardian was fine with that. When I attempted to use “Move To Folder”, Image Guardian immediately popped up to block the action.
It appears that Image Guardian will allow copying files if the “Allow Robocopy to sync and move backup files on protected volumes” box is checked in the Macrium Image Guardian Settings. Learned something new. Thanks, Leo.
That’s because Image Guardian blocks all attempts to alter those backups. You can’t alter or delete those files except with the Macrium Reflect program, even if you try using the Administrator account. You can copy them, but you can’t modify or delete them. Macrium Image Guardian makes this question a non-issue. EaseUS Todo paid has a similar feature.
I’ve been using Image Guardian since it was introduced and am familiar with how it works. What I didn’t know about and hadn’t thought to try was copying an image backup to another drive.
It can be useful for archive purposes in that I can connect another drive, copy an image file from my backup drive and then set the second drive aside or store it in a secure location. I usually connect an additional drive and run a system image backup using that drive as the destination drive and removing it when the backup is completed.
The drive I use for regular backups is large enough for three full image backups, including incrementals (14TB). Now I plan to copy the image files to another drive for archival purposes in case I need something from more than two months ago.
The neat thing about IG is that it protects from modification or deletion, but you can still read and copy the image.
I just keep two backup drives, and periodically swap them out. Maybe once every month or two. I’ve rarely got significant data that would be critical if I lost it during that time span, and anything I do want to make sure I’ve got I just swap the drives after one backs up. That way one is always safe from what could happen on my PC, and one has 99.9% of my lifetime’s data while the other has 100%.
I have two external backup drives. One, always connected, is used for automated daily backups of my OS (Linux Mint) and hourly backups of my documents directory (the stuff I absolutely cannot lose). The second drive is normally disconnected and is used on a more-or-less weekly basis to manually back up the OS plus all documents, photos, and everything else; all my data stored on two internal and one external 1TB hard disks. Once the weekly backup finishes the drive is disconnected. I had a lightning strike a couple years ago which wiped out the modem, router, computer and lots of other stuff in the house. The disconnected drive saved my butt. Replacement desktop and restore from the normally disconnected drive.
I agree with Erik’s ‘dual backup drives’ with an adder: I keep the inactive drive in a fireproof safe in a steel building far from the house. Living in the Alaskan wilderness, burglaries are near zero, but fires are common. This advice would protect those living in suburbs/urban areas where a burglary could mean loss of both backups. A fireproof safe in the house, garage, or other structure (1 hour average) secured to wall studs or floor joists from inside the safe should protect the contents from fire and thwart burglars. If you don’t have a safe, keep the drive with valuables you hide, or consider a safety deposit box – inconvenient, but weigh this against the loss of your data.
Isn’t it possible for malware to invoke the backup software itself to delete the backup files? I have Reflect with IG and keep my external drive plugged in all the time. If the malware is running under my credentials couldn’t it simply use Reflect the same as I would if I intended to delete, say, an outdated image?
Again, ANYTHING is possible. But that would have to be some very crafty and complex malware specifically engineered for users of Macrium Reflect. I consider it an EXTREMELY low risk.
I use Erik’s strategy, and Fred’s. My Macrium Reflect schedule does a full backup on Monday and incremental on Tuesday and Wednesday, then a full on Thursday followed by incrementals Friday through Sunday. On Thursday and Monday I swap the external drives, so I have two complete, independent backup sets. In addition, once a month (on the first so it’s easy to remember) I take a full backup to a separate external drive, which I keep in a desk. For all the reasons mentioned in the article, the risks of forgetting a disk swap or a monthly backup are minimal. I worry about a fire or flood wiping out the computer and all the external drives, but I think the exposure is small.
First, I want to acknowledge that there is no perfect solution for either system security or backup security. If I can create it, crackers can find a way to get at it. With that said, my chosen solution is to use Macrium Reflect Free to generate Weekly Backup Sets, each consisting of a full system image and six differential system images. I keep four backup sets so I can access versions of my files, going back up to twenty-eight days. I use an external drive that I keep continually connected to my computer for my backup image sets.
I dual-boot Windows 11 with Garuda-KDE-Lite GNU/Linux, and each month, I create a full system image using RescueZilla, which is a live system installed on a thumb drive. I store the RescueZilla system image on a partition formatted to EXT4, making it unreadable to the Windows operating system, so hopefully, any ransom/mal-ware that attacks Windows won’t be able to read/access/affect my GNU/Linux partitions.
Ernie
I have the paid EaseUS Todo installed on c: and have a full backup on a portable hard drive e:. I set a schedule for the 1st of every month for a “full” backup. I am concerned that it doesn’t have everything I would need.
On a USB drive I made a boot file in case I lose the c: drive for any reason. Is that enough, or should I have or be using one or more of EaseUS Todo “Tools” to make sure I can recover?
For instance should I have EaseUS Todo on the USB or e: drive?
I am 82 and been using computers, since the Osborne 1 and CPM back in the day the floppies are all gone now, now Windows 10 on a desktop PC for work and fun.
What would be helpful is “backup list” of EaseUS Todo “tools” to use in the proper order to get this PC or a new one restored with all my “stuff” in a “restore list” of EaseUS Todo “tools.” I have “One Drive” for PC stuff and “iCloud” for Photos from the iPhone. I can’t seem to find a sequenced list for both tasks.
I leave my 10 tb backup drive disconnected until I need it, for one reason: It ramps down when not in use. When accessing File Explorer, for example (or any storage on the PC), I am faced with a 7 second delay while the backup ramps up again, even when it’s not the storage I need. So….. When I am backing up or adding or accessing directories on the back-up drive, I plug it in. When that is complete, I pull its umbilical cord so I am not irritated by the delay.
Leo, I completely agree with your assessment that ransomware is a minimal threat to external backup drives. But I have concerns about physical security:
(1) Theft of PCs, especially higher end gaming gear (I’m into flight sim) may be more likely than ransomware. Connected equipment is likely to fly away with the thief. I keep backups separate, in a fire rated safe.
(2) Lightning is a real concern. I’ve seen unbelievable damage to digital systems deep in large buildings: computers, phone switchboards, HVAC controls, fire alarm and security, etc., with no apparent reason why they were singled out. If equipment is not connected, it’s safe.
(3) Fire is another very real possibility. Those who leave a backup drive connected should at least use two (or more) and rotate them frequently, keeping the idle drive(s) in a safe place.
I probably go too far but will hopefully never have reason to wish I’d done more. And my caution was certainly shaped by years in the aerospace industry, where redundancy and contingency measures are the rule.
I’m running a new Dell Inspiron 15 laptop and do 1 a.m. MR backups to a 2TB Seagate external drive. When the drive is plugged in, the computer fan (I’m pretty sure it’s a fan) runs continuously 24/7 until I unplug it. Seems like this would be harder on the hardware and use more energy over the lifetime of the machine? Since the laptop usually gets moved around during the day (but not always) I have been plugging in the power cord and Seagate drive before retiring for the night, and then unplugging it each morning. I thought this made sense….but maybe not?
Hello Leo,
The main reason for my comment is to find out what size of a storage device is required to save the backup of my hard drives to?
At least as large as all drives combined? Two or three times the size of all drives? I have not been backing up my CPU’s. I have 2 Desk Tops and 1 lap top, all with several TB’s hard drives. It sounds overwhelming to back up everything, but I know I need to do so. Any suggestions for me to get started?
I am not as experienced as the majority of your readers. I am a 76 year old retired petroleum geologist, not exactly a novice. Thank you!!
Cedar F.
It all depends. I have 1.5tb internal drives – 0.5tb for the C drive (programs are located here) and 1tb on the D drive (used for data)
I have a 4tb external drive that stores an image of the C drive
I have 3 file and folder backups that backup selected files and folders on the C and D drives to 3 separate external 1tb drives.
In your case, Cedar, I would have an external drive for each computer that is twice the size of the internal drive. These external drives would be for creating images of the internal drive. I would also get another external drive for each computer to back up data. These do not need to be larger than the internal disk, although, in my opinion, you can’t get a disk too large.
Excellent article with just one caveat. I have a home network NAS unit always on with automated backups enabled and a UPS to power the NAS because of frequent power brownouts. This small UPS has no battery check features so I became lazy. One day a brownout occurred during an active backup and the UPS battery was dead in seconds. Thousands of irreplaceable files lost forever. Now I only turn it on when I do manual backups. Now I have a second NAS to do backups of the first NAS. Keeping a backup device always on may not be the perfect solution as you mentioned.
I use Macrium for the backup. I don’t leave my drives on 24 hours a day. I have six external drives for local backup. Each is connected to a USB hub with 16 ports. Before starting the laptop each day (yes, I turn it off nightly), I turn on each hard drive.
I use Blaze for my cloud backup because it allows me to back up not only the two internal drives but also the six external drives. (Other cloud backup services charge for each drive backed up.)
At the end of the day, the laptop is powered down and then the hard drives are turned off.
I think this is a good way to make sure the backup drives are on while using the laptop and are turned off when not needed.
For those wondering, I have yet forgotten to turn on the drives. There have been a few times when I forgot to turn off the drive.
Forgot to mention that one of the external drives is used to back up flash drives and network drives. I copy the information I need to keep and then Blaze backs up the drive. (Blaze doesn’t back up network drives as far as I can tell.)
David. I agree with you. I do similar. And I don’t forget because I do it each night before shutting down. I am willing to lose only 1 day’s worth of data. I also do 1 other step. I encrypt each changed file each day and copy it to pcloud (automatic using syncbackPro). Pcloud encrypts it as well but who trusts anyone anymore. This is for data only of course. I don’t copy my images to pcloud (but I suppose I could).
I think a backup is only as good as its restore. Meaning how do you know if your backups are any good without a restore? I hear take a volume image, but how do you test that backup?
I just think if you have a backup solution that you think is great test it.
You can test your backups. It’s not 100% perfect but it’s probably as close as you’ll get.
Testing Your Backups Is Critical
How Do I Test Backups?
I do an image backup once a week, Saturday night, or when it boots up on Sunday. I only have it plugged in then.