The consequences of a failed security program concern every business leader, not just those who manage data or network resources. You may have heard information technology (IT) professionals talk about Defense in Depth (DiD), but people outside that field should care about it too.
The Verizon 2020 Data Breach Investigations Report, which analyzed roughly 32,000 security incidents and 4,000 confirmed breaches, found that credential theft, social attacks such as phishing, and plain errors were behind 67% of breaches. Many of those breaches could have been contained by a layered defense. That alone makes DiD everyone's problem.
Here's how the DiD approach is changing the way businesses look at security, with a closer look at the difference it is making for small business leaders today.
What is Defense in Depth?
DiD is a security strategy that places a series of independent defensive layers between an attacker and the data and systems that matter. The layers work together to protect the whole enterprise rather than any single asset.
If one layer fails, the next one still stands. Each layer uses a different mechanism and guards against a different way in, so that a single weakness, misconfiguration or outage does not defeat all of them at once. That deliberate redundancy is the point of the strategy, not a cost to be engineered away.
Some experts call DiD the "castle approach." It works the way medieval castle defenses did: a moat, a drawbridge, archers on the walls, and manned cannons, each an obstacle in its own right. The idea is that while an attacker can probably probe or breach one layer, it is unlikely that every layer will fall at once.
What makes Defense in Depth?
Beyond the layering itself, DiD draws on three categories of controls: physical controls, technical controls, and administrative controls.
1. Physical controls
Physical controls are the measures that prevent physical access to the buildings or rooms where hardware and data live. They are easy to overlook in a layered design, but an attacker with hands on a server bypasses most of the technical layers, so they belong in the plan.
A security team that watches who enters and exits the building, along with locked doors and badge access for secure areas, is an example of physical controls. Alarm systems and fire extinguishers are physical controls too, covering natural hazards as well as criminal ones.
2. Technical controls
This is the category most people think of in relation to cybersecurity: the hardware, software, and network mechanisms that control access. It includes antivirus software, authentication, file and folder permissions, and anything else a company deploys to keep records and data away from people who are not authorized to see them.
3. Administrative controls
Administrative controls, meaning policies, procedures, and training, are essential to an overall security plan. Their upside is that you don't need deep technical skill to put them in place.
Their downside is that they depend on human behavior and compliance to work. That can be hard to implement and maintain, depending on your workplace culture. It also relies on thorough training and on leaders who can explain why the DiD effort matters. Leading by example is a crucial part of this step.
What do these controls look like? They include simple rules such as not leaving sensitive applications open and unlocked when away from the desk. Some have a technical side for employees, too, such as requiring that sensitive data be encrypted before it is sent.
What protections does Defense in Depth offer?
There are too many hardware, software, and network weaknesses to list in full, but here are some of the most common gaps that a Defense in Depth approach helps close.
1. Employee behaviors
User error is behind some of the most damaging attacks, from opening an email attachment carrying malware to sharing passwords for commonly used applications. DiD limits the damage from such actions, which usually involve no ill intent and are not always reported by the person who made the mistake.
2. Lack of regular maintenance and care
It's easy to fall behind on firmware and security patch updates. With DiD, a compromised unpatched system is not automatically a compromise of your data, because other layers still stand between the attacker and it.
3. Vendor or client relation gaps
If your customers or third-party business partners don't follow secure practices, their weaknesses can become your exposure. Where you cannot make everyone use good security methods, DiD lets you assume that some of them won't and design accordingly.
4. Remote work challenges
More employees are working from home than ever. As companies work out how to keep them connected, they must weigh the risks of granting data and network access from outside the office. DiD practices are continually updated to accommodate this trend and the new threats that come with it.
5. Encryption errors
When should your employees use encryption? Your industry may legally require you to protect customer data, but those protections are weakened when workers do not encrypt consistently, including internal messages that could expose that data to an attacker who has already gotten in.
Improper or outdated use of encryption, such as weak algorithms or poorly managed keys, also creates gaps and makes a layered approach all the more necessary. Consider this a must for healthcare and banking companies with especially stringent regulatory demands.
How Defense in Depth fights back against human error
As long as people use the systems that hold sensitive data, mistakes will happen. Some are passive, such as not knowing the best way to protect data or failing to install an important security patch.
Others are active, such as sharing passwords or even stealing data for personal gain. A Defense in Depth model should be designed so that no single error can expose large amounts of data or compromise the integrity of the whole system.
The best DiD approach does not stop at containing a breach. It also detects the behavior that precedes one and stops it before it succeeds. The hallmarks of today's practice include intrusion detection systems and other proactive measures, so security does not wait for something bad to happen before it kicks in.
At the same time, the best DiD designs avoid pointless duplication. Each layer covers a distinct failure mode rather than repeating what another layer already does, and layers are chosen so they do not interfere with one another, for example two endpoint agents fighting over the same files while a real attack is under way.
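As an added example (not from the original article), here is what a small detection layer of the kind described above might look like: a Python script that parses constructed sshd-style authentication log lines, flags a source address that fails to log in several times within a short window, and raises a higher-severity alert if that same address then succeeds. That pattern sits behind many of the credential-related breaches the Verizon report counts. The log lines, host name, addresses and thresholds are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/syslog style. The host "bastion" and
# the addresses (RFC 5737 documentation ranges) are illustrative, not real.
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:03 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:04 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:06 bastion sshd[2104]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:07 bastion sshd[2105]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:09 bastion sshd[2106]: Accepted password for alice from 203.0.113.7 port 51027 ssh2
Mar  3 10:02:15 bastion sshd[2110]: Failed password for bob from 198.51.100.20 port 40010 ssh2
Mar  3 10:02:40 bastion sshd[2111]: Accepted password for bob from 198.51.100.20 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(lines, year=2020):
    """Turn matching log lines into (timestamp, result, user, ip) tuples.

    syslog timestamps carry no year, so one is supplied; lines that do not
    match the pattern are skipped rather than crashing the detector.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the space-padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, threshold=4, window=timedelta(seconds=60)):
    """Return alerts as (kind, ip, user) tuples.

    'brute_force'         : threshold or more failures from one ip inside the window
    'success_after_burst' : a successful login from an ip that was already flagged
    """
    alerts = []
    recent_failures = defaultdict(list)  # ip -> failure timestamps inside the window
    flagged = set()
    for ts, result, user, ip in events:
        # Slide the window: keep only failures within `window` of this event.
        recent = [t for t in recent_failures[ip] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user))
        elif ip in flagged:
            # A success right after a burst is the event worth waking someone for.
            alerts.append(("success_after_burst", ip, user))
        recent_failures[ip] = recent
    return alerts


def run_sample():
    """Run the detector over the constructed log above."""
    return detect(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for kind, ip, user in run_sample():
        print(f"{kind:20s} source={ip} user={user}")
```

On the sample, 203.0.113.7 is flagged on its fourth failure within a minute and then produces a second, more serious alert when it logs in as alice; 198.51.100.20, with one failure followed by a success, produces nothing. In a real deployment the second alert is what should trigger an automatic response (locking the account, isolating the host), which is the proactive behavior the text describes.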
Defense in depth for today’s businesses
It may feel overwhelming at first to discuss DiD with others if you don’t have a technical background. To help combat this, Keatron Evans, a principal security researcher, instructor, and author at Infosec, explains the concept in everyday terms.
“Defense in Depth works on the principle that no single implementation is 100%,” Evans says. “Following this logic, having layers of different defensive techniques and technologies makes it harder for a malicious entity to infiltrate the environment.”
But what does Defense in Depth mean for a typical business? Evans gives the example of installing an endpoint security solution on each employee's device to look for malicious applications or files.
That is one way to stop bad actors, but a more thorough design combines it with a network-based control that tries to identify malicious files and applications before they ever reach the end user.
“Additionally, you may have an administrative policy that prohibits users from downloading anything from anywhere other than approved locations,” Evans says. “You now have two technical/logical controls at the endpoint and on the network, as well as an administrative control at the policy level. This is Defense in Depth.”
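The three-control design Evans describes can be written down as code, which makes the point about independence concrete. The Python below is an added illustration, not code from the article or from Infosec: it models a file download passing through an administrative check (approved download sources), a network-layer check (a gateway hash block-list), and an endpoint check (content that looks executable but is named like a document). The hostnames, the hash list and the sample files are constructed for the example. Every layer is evaluated, not just the first one to object, so the result records which layers fired.

```python
import hashlib
from urllib.parse import urlparse

# Administrative control: policy allows downloads only from approved locations.
# These hostnames are invented for the example.
APPROVED_SOURCES = {"downloads.example-corp.internal", "updates.example-vendor.com"}

# Network control: the gateway blocks files whose hash is on its list.
# The list is built from a made-up sample, not from real malware.
GATEWAY_BAD_HASHES = {hashlib.sha256(b"evil-installer-v1").hexdigest()}

# Endpoint control: content inspection that needs no hash list at all.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
DOCUMENT_SUFFIXES = (".pdf", ".docx", ".txt")


def policy_layer(url):
    """Administrative control: is the download source on the approved list?"""
    host = urlparse(url).hostname or ""
    return host in APPROVED_SOURCES, "policy: source not on approved list"


def network_layer(content):
    """Network control: does the gateway recognise this file as known-bad?"""
    digest = hashlib.sha256(content).hexdigest()
    return digest not in GATEWAY_BAD_HASHES, "network: hash on gateway block-list"


def endpoint_layer(filename, content):
    """Endpoint control: executable bytes hiding behind a document file name."""
    looks_executable = content.startswith(EXECUTABLE_MAGIC)
    claims_document = filename.lower().endswith(DOCUMENT_SUFFIXES)
    return not (looks_executable and claims_document), "endpoint: executable disguised as document"


def evaluate(url, filename, content):
    """Run every layer and return (allowed, reasons).

    All layers run even after one objects, so the record shows which layers
    caught a given file. A layer that never fires on anything may have
    silently failed, and that is worth knowing.
    """
    checks = [
        policy_layer(url),
        network_layer(content),
        endpoint_layer(filename, content),
    ]
    reasons = [why for ok, why in checks if not ok]
    return not reasons, reasons


# Constructed downloads: one clean file, then three that each slip past two
# layers and are caught by the third.
SAMPLES = [
    ("https://updates.example-vendor.com/tool.zip", "tool.zip", b"PK\x03\x04clean archive"),
    ("https://updates.example-vendor.com/setup.exe", "setup.exe", b"evil-installer-v1"),
    ("https://downloads.example-corp.internal/invoice.pdf", "invoice.pdf", b"MZ\x90\x00payload"),
    ("http://files.example.net/report.pdf", "report.pdf", b"%PDF-1.7 harmless"),
]

if __name__ == "__main__":
    for url, name, data in SAMPLES:
        allowed, reasons = evaluate(url, name, data)
        print("ALLOW" if allowed else "BLOCK", name, reasons)
```

The second sample is a known-bad hash from an approved source, so only the network layer objects; the third is an executable renamed to look like a PDF with a hash nobody has seen before, so only the endpoint layer objects; the fourth is harmless content from a source the policy does not allow. Each control catches something the other two cannot, which is the property that makes the layering worth its cost.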
How to use Defense in Depth in your business
Most organizations build their layers starting with administrative policies and procedures that upper management supports and shapes. These lay the framework for the administrative controls and for a security culture that grows from within.
At the same time, technical controls are just as important. These include firewalls, network-based intrusion detection, and endpoint security, such as host-based intrusion detection and prevention.
What can small business leaders do to start down the path to a Defense in Depth strategy? Evans says that some SMBs turn to security information and event management (SIEM) providers that help implement and deploy solutions. If that is outside your budget, a managed security service provider (MSSP) can deliver similar capabilities as a service.
About the Author: Linsey Knerl is a contributing writer for HP Tech@Work. Linsey is a Midwest-based author, public speaker, and member of the ASJA. She has a passion for helping consumers and small business owners do more with their resources via the latest tech solutions.