HP TECH TAKES /...

Exploring today's technology for tomorrow's possibilities

How a Defense in Depth Cybersecurity Strategy Keeps you Safe from Viruses

Linsey Knerl

February 6, 2023

The devastating consequences of a failed cybersecurity policy are a concern for every business leader, not just those who deal strictly with data or network resources. You may have heard the term Defense in Depth (DiD) discussed among information technology (IT) professionals, but even those outside of that industry should care about it.

The Verizon 2020 Data Breach Investigations Report revealed that among 32,000 security incidents and 4,000 confirmed breaches, 67% involved email and credentialing violations. Many of these breaches could have been protected with a solid defense approach. That alone makes DiD everyone’s problem.

Here’s how the DiD approach is changing the way businesses look at security with a deeper look at how it’s making a difference for small business leaders today.

What is Defense in Depth?

DiD is a cybersecurity method that utilizes a series of defense layers to keep important data and tech resources secure and safe from hackers or cybercriminals. These multiple layers work in harmony to protect your entire enterprise.

If one layer fails, the system simply engages the next layer. In this security strategy, each layer has a unique benefit to the system to reduce redundancies and ensure better overall protection across the network.

Some experts refer to DiD as a "castle approach.” It acts in the same way as medieval castle protections, with the moat, draw bridge, archers placed high above, and manned cannons. The concept reinforces that while it's possible (and even likely) to test or breach one layer of security, it's unlikely that every layer will come down at once.

What makes Defense in Depth?

.lazyload-placeholder { display: none; } HPImage

In addition to its layered approach that creates a unique security method, DiD often utilizes three categories of protection: physical controls, technical controls, and administrative controls.

1. Physical controls

Physical controls include the things we actively do to prevent physical access to the building or rooms where we store tech or data. It's easy to forget about this as part of a multi-layered approach, but we must consider it.

A security team that watches who enters and exits the building, as well as locked doors or badges for secure areas, is an example of physical security controls. Multiple security points, such as alarm systems and fire extinguishers, can help combat natural and criminal threats.

2. Technical controls

This is the category most people think of in relation to cybersecurity. It’s the nuts and bolts of IT that protects hardware, software, and network access. This group also includes antivirus software, password protection, file folder permissions, and other things a company does to keep records and data safe from access by those who are not authorized.

3. Administrative controls

Administrative controls are essential to an overall security plan. The upside to these controls is that you don’t need a high technical aptitude to put these procedures into place.

The negative is that it depends on human behavior and compliance to make it work. This can be difficult to implement or maintain, depending on your workplace culture. It also relies on thorough training programs and leaders who can communicate the importance of the DiD efforts. Leading by example is a crucial part of this step.

What are examples of these controls? They include simple tasks like reminding employees to avoid leaving protected programs open while they’re away from their desk. There are technical steps for employees, too, such as ensuring the use of encryption tools when they send sensitive data.

What protections does Defense in Depth offer?

While there are too many hardware, software, and network security weaknesses and flaws to list in full, we’ve included some of the most common ways that a Defense in Depth security approach can help fortify your system.

1. Employee behaviors

User error contributes to some of the most harmful attacks. These range from employees opening emails with malware attachments to sharing passwords for access to common programs. With DiD, you can help secure against those actions where no one intended to do wrong and may not be forthcoming about the error.

2. Lack of regular maintenance and care

It’s easy to get behind on firmware or security patch updates. The DiD method helps secure your data even if other common security access points are compromised.

3. Vendor or client relation gaps

If your customers or third-party business partners don’t use secure practices, they can leave your systems vulnerable. In instances where it is impossible to ensure everyone uses good security methods, DiD can help shore up your system.

4. Remote work challenges

More employees are working from home than ever. As companies figure out the best way to keep employees connected, they need to weigh the risks of granting data and network access from afar. DiD best practices are being updated all the time to accommodate this workforce trend and new threats to security.

5. Encryption errors

When should your employees use encryption? While your industry may have legal requirements for protecting customer data, these can be made weaker when workers don’t stay the course and encrypt even their own internal messages that could reveal this information to bad actors.

Improper or outdated encryption can also cause problems and make a Defense in Depth approach even more necessary. Consider this a must for health and banking companies with especially stringent industry demands.

How Defense in Depth fights back against human error

As long as people use the systems that house vulnerable data, mistakes will happen. Some errors are passive, such as not knowing the best way to protect data or failing to install important security patches.

They may be active, too, like when someone shares passwords or even steals data for personal gain. A Defense in Depth model should be designed to prevent any one error from compromising massive amounts of data or the integrity of your entire system.

The best DiD approach won't stop at just preventing a breach from spreading. It can notice behaviors that may become a breach and stop it from occurring. The hallmarks of today’s DiD best practices include intrusion detection systems and other proactive measures. There’s no need to wait for something bad to happen before security measures kick into gear.

At the same time, the best DiD methods remove redundancies. Each layer in the system has a role and does it well. It can prevent systems from competing against each other for resources in a serious attack.

Defense in depth for today’s businesses

It may feel overwhelming to discuss DiD with others if you don’t have a technical background. To help combat this, Keatron Evans, a principal security researcher, instructor, and author at Infosec, explains the concept in everyday terms.

“Defense in Depth works on the principle that no single implementation is 100%,” Evans says. “Following this logic, having layers of different defensive techniques and technologies make it harder for a malicious entity to infiltrate the environment.”

But what does Defense in Depth mean for a typical business? Evans provides the example of installing an endpoint security solution on each employee’s device to look for malicious applications or files.

While this is one way to stop bad actors, a more thorough design would combine this security feature with a network-based one that tries to identify malicious files and applications before they even make it to the end-user.

“Additionally, you may have an administrative policy that prohibits users from downloading anything from anywhere other than approved locations,” Evans says. “You now have two technical/logical controls at the endpoint and on the network, as well as an administrative control at the policy level. This is Defense in Depth.”

How to use Defense in Depth in your business

Most organizations utilize layers of security that start with administrative policies and procedures supported and influenced by upper management. These will lay the framework for building administrative security controls and shaping security culture from within.

At the same time, technical controls are just as important. These include firewalls, network-based intrusion detection, and endpoint security, such as host-based intrusion detection and prevention.

What can small business leaders do to start the journey to a Defense in Depth strategy? Evans says that some SMBs use security information and event management companies that can help implement and deploy solutions. If this is outside of your budget, you may also opt to use a managed security service provider to receive similar solutions through security products and services.

About the Author: Linsey Knerl is a contributing writer for HP Tech@Work. Linsey is a Midwest-based author, public speaker, and member of the ASJA. She is passionate about helping consumers and small business owners do more with their resources via the latest tech solutions.

Related tags

Need help?

Disclaimer

Prices, specifications, availability and terms of offers may change without notice. Price protection, price matching or price guarantees do not apply to Intra-day, Daily Deals or limited-time promotions. Quantity limits may apply to orders, including orders for discounted and promotional items. Despite our best efforts, a small number of items may contain pricing, typography, or photography errors. Correct prices and promotions are validated at the time your order is placed. These terms apply only to products sold by HP.com; reseller offers may vary. Items sold by HP.com are not for immediate resale. Orders that do not comply with HP.com terms, conditions, and limitations may be cancelled. Contract and volume customers not eligible.

HP’s MSRP is subject to discount. HP’s MSRP price is shown as either a stand-alone price or as a strike-through price with a discounted or promotional price also listed. Discounted or promotional pricing is indicated by the presence of an additional higher MSRP strike-through price

The following applies to HP systems with Intel 6th Gen and other future-generation processors on systems shipping with Windows 7, Windows 8, Windows 8.1 or Windows 10 Pro systems downgraded to Windows 7 Professional, Windows 8 Pro, or Windows 8.1: This version of Windows running with the processor or chipsets used in this system has limited support from Microsoft. For more information about Microsoft’s support, please see Microsoft’s Support Lifecycle FAQ at https://support.microsoft.com/lifecycle

Ultrabook, Celeron, Celeron Inside, Core Inside, Intel, Intel Logo, Intel Atom, Intel Atom Inside, Intel Core, Intel Inside, Intel Inside Logo, Intel vPro, Itanium, Itanium Inside, Pentium, Pentium Inside, vPro Inside, Xeon, Xeon Phi, Xeon Inside, and Intel Optane are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.

In-home warranty is available only on select customizable HP desktop PCs. Need for in-home service is determined by HP support representative. Customer may be required to run system self-test programs or correct reported faults by following advice given over phone. On-site services provided only if issue can't be corrected remotely. Service not available holidays and weekends.

HP will transfer your name and address information, IP address, products ordered and associated costs and other personal information related to processing your application to Bill Me Later®. Bill Me Later will use that data under its privacy policy.

Microsoft Windows 10: Not all features are available in all editions or versions of Windows 10. Systems may require upgraded and/or separately purchased hardware, drivers, software or BIOS update to take full advantage of Windows 10 functionality. Windows 10 is automatically updated, which is always enabled. ISP fees may apply and additional requirements may apply over time for updates. See http://www.microsoft.com.

“Best All In One Printer” and “the easiest printer you’ve ever had to set up” from Wirecutter. ©2020 The Wirecutter, Inc.. All rights reserved. Used under license. https://www.nytimes.com/wirecutter/reviews/best-all-in-one-printer/

Get Marvel’s Avengers when you purchase HP gaming PCs with qualifying 9th gen or 10th gen Intel® Core™ i5, i7 and i9 processors. Redemption code will be sent out by email within 60 days of purchase. Limited quantities and while supply lasts. Offer valid thru 12/31/2020 only while supplies last. We reserve the right to replace titles in the offer for ones of equal or greater value. Certain titles may not be available to all consumers because of age restrictions. The Offer may be changed, cancelled, or suspended at any time, for any reason, without notice, at Intel’s reasonable discretion if its fairness or integrity affected whether due to human or technical error. The Offer sponsor is Intel Corporation, 2200 Mission College Blvd., Santa Clara, CA 95054, USA. To participate you must create an Intel Digital Hub Account, purchase a qualifying product during the redemption period, enter a valid Master Key, and respond to a brief survey. Information you submit is collected, stored, processed, and used on servers in the USA. For more information on offer details, eligibility, restrictions, and our privacy policy, visit https://softwareoffer.intel.com/offer/20Q3-19/terms.

© 2020 MARVEL. © Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others.

The personal information you provide will be used according to the HP Privacy Statement (https://www8.hp.com/us/en/privacy/ww-privacy.html)

Welcome

Explore

Shop

Support