The National Institute of Standards and Technology (NIST) defines Defense-in-Depth (DID) as “An information security strategy that integrates people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.” However, defense-in-depth strategies predate the internet and personal computing by hundreds of years.
One of the longest-lasting examples of an early defense-in-depth strategy is the typical medieval castle, which featured multiple layers of defense to resist a rapid penetration by attackers. The attackers may overcome one barricade, but it’s very difficult to get through all of them quickly without taking severe damage from the castle’s defenders. At a minimum, multiple layers of defense slow down an attack and give defenders enough time to respond more effectively. In the same way, organizations can combine various mitigating security controls into a layered cybersecurity defense to better protect their users, data, and resources.
Why Are Multiple Cybersecurity Layers Important?
Castles weren’t built because people inherently desired to build more complex structures. The earliest castles were very simple and could be assembled quickly. However, as invading armies developed better strategies to penetrate them, they grew more and more complex as a matter of necessity.
Similarly, while a single, powerful cybersecurity solution can still stop some specific attacks, it is no longer enough to keep your data and resources safe from the advanced capabilities and sophisticated strategies today’s cybercriminals employ. As their attacks have evolved, so must an organization’s cybersecurity strategy.
Which Businesses Are More Likely To Be Targeted by Cybercriminals?
While this may seem illogical, small businesses are far more likely to be targeted by cybercriminals than their enterprise-scale counterparts. If you think like a cybercriminal, however, this makes perfect sense.
Small organizations are more attractive targets than larger ones for a number of reasons:
- They often lack adequate security measures
- They don’t have the resources to recover from ransomware, so ransoms are paid at higher rates
- Small vendors may offer the easiest route of entry into a larger business
- Attacks on small organizations are less likely to be investigated
- As many attacks are automated, a cybercriminal finds it preferable to invest a relatively small amount of time attacking many smaller organizations rather than a larger amount of time attacking a single well-defended one. In fact, many automation tools are available for purchase on the dark web.
7 Layers of Cybersecurity
Perhaps not surprisingly, many illustrations of the seven layers of cybersecurity look much like a diagram of a medieval concentric castle, where a series of nested curtain walls is designed to ward off attackers or hold them in place.
Modern cybersecurity consists of seven layers of protection against would-be attackers: mission-critical assets, data security, endpoint security, application security, network security, perimeter security, and finally, the human layer.
Let’s explore each of these in greater detail.
1. Mission-critical Assets
Not all data requires an equal amount of protection. As the name suggests, mission-critical assets include the data that your organization simply couldn’t operate without, like vital tools, medical records, or customer financial records.
2. Data Security
Data security protects the transfer and the storage of data and includes secure backups, data encryption, and secure archiving.
3. Endpoint Security
This layer protects the connection between user devices and your organization’s network.
4. Application Security
This layer protects the internal security of your organization’s applications. It also safeguards your access to important applications and their access to your important data.
5. Network Security
Network security protects your organization’s network from unauthorized access and includes applying important security patches and encryption.
6. Perimeter Security
Like a castle’s outer wall, this layer protects your organization as a whole.
7. The Human Layer
While your organization’s staff is likely to be your weakest link in maintaining proper cybersecurity, they can also be trained to become an important line of defense against phishing schemes and other social-engineering attacks.
Is Your Business Protected?
There’s an easy way to find out if your business is in line with cybersecurity best practices, and that’s to get a cybersecurity assessment. Marco’s cybersecurity assessments are based on recommendations by the NIST Cybersecurity Framework (CSF) and the Center for Internet Security (CIS). These comprehensive assessments will help you understand what your organization is already doing well and where you may have gaps in your current cybersecurity posture.