Layers of security are like slices of swiss cheese. Once you’ve accepted that no security system is perfect and that malware could still get through the holes in each slice, you’re ready to learn about defence in depth as the best solution to evolving cyber-threats.
Data breaches tend to happen in steps. Your corporate security system’s job is to prevent the series of steps from occurring. Look at the picture below. Each slice of swiss cheese represents your layers of control. When the holes in a slice of swiss cheese momentarily align, a risk becomes an incident. You obviously don’t want that. But if you only had one slice of swiss cheese, you can see how that would make it a lot easier for the threat to impact your organisation.
That’s where defence in depth comes in. You need three types of control in your systems:
Detective controls are like burglar alarms – you wouldn’t let a burglar alarm go off in your house for six months, but companies will go for months not realising their systems have been hacked.
Preventative controls are like guard dogs – the measures put in place to stop criminals, including the bad actors within your company, getting to the valuable data.
Corrective controls are the actions after the burglar alarm has gone off – what are you going to do about the errors that have been detected?
With all these controls in place, there’s still the risk of a security breach. Why? Because criminals develop increasingly sophisticated threats and no amount of defence is 100% effective. But you have to start somewhere. Swiss cheese is better than no cheese!
By detecting patterns in your systems, you’ll be able to warn the appropriate people of potential issues and add new layers of controls either manually or automatically. As already mentioned, your chances a lot better if you’ve got a few cheese slices than if you’re relying on a single layer of protection.
So, to sum up, defence in depth consists of a combination of control measures to develop a security system that you can use effectively to monitor what’s going on. Your security journey has to start somewhere, especially if you’re sat knowing you’re the organisation with a single slice of cheese protecting all the company data.
How many slices of cheese do you have?