Sink (and get eaten) or swim

A shark swimming though a school of fish

When a shark is after you, there’s no need to outswim it. You only have to swim faster than anyone else.

This grisly metaphor is at the heart of many cybersecurity measures. While complete defence from a cyberattack is nearly impossible, taking steps to make your organisation the least appealing target is the next best option. That means having measures in place to ‘swim’ better than other organisations when facing a cyber-criminal.

With high-profile attacks making headlines in recent years, the most common question we field from boards is how their organisation can avoid falling victim to a major attack – like recent examples of Distributed Denial of Service (DDoS) and ransomware affecting large New Zealand entities.

Unfortunately, there’s no silver bullet to protect yourself against a major incident. Instead, organisations and directors need to take a holistic approach to cyber security.

That’s where it’s worth taking a closer look at the concept of ‘Defence in Depth’. This approach delivers multiple layers of protection for your organisation, is cost effective, and makes you among the fastest swimmers in the murky ocean of cyber threats and malicious hackers.

Defining defence in depth

Defence in Depth is the application of multiple layers of security controls throughout your organisation. Strictly speaking, technologists might say it only applies to information technology (IT) systems, but really, Defence in Depth should extend to physical security, processes and human resources, too. These measures can be categorised as physical, technical and administrative controls.

What Defence in Depth does is quite simple: if a bad actor gets through one line of defence, they face another, and then another. Defence in Depth makes getting into your organisation’s systems or information more hassle than it’s worth, increasing the likelihood that the attacker will simply move onto a new target.

Ultimately, hackers are opportunistic – they are looking to extract maximum reward for minimum effort. By making their job more difficult, your organisation becomes a less appealing target.

Targeting your security spend

While Defence in Depth is an all-encompassing approach, it’s unrealistic to assume that businesses have the unlimited budgets and people resources to invest heavily in every single security measure. Aiming for impenetrability is unrealistic and impractical.

This is where good governance can come in. When organisations are bound by budgets that determine what can be achieved with cyber security, the board needs to support the business to make the right decisions around prioritisation of defences.

Therefore, the first step with Defence in Depth is assessing your organisation’s risk profile: know where attacks are likely to come from, what data or infrastructure is most valuable and needs the highest level of protection, and what kind of breaches you are most susceptible to. This is best done in consultation with cyber security professionals, who can objectively assess your security profile and help create a blueprint for the layers of defence which will best protect your unique situation.

Often, it’s the foundational cyber security controls – antivirus, authentication, encryption, good passwords, vulnerability scans, intrusion detection, firewalls and more – that are the measures from which Defence in Depth is constructed. Doing the basics well means protecting your organisation from most threats, and it’s alarming how many organisations fail to get these right.

The other factor to consider is the human element – technology systems rarely make mistakes, but people do. Ensuring your cyber security team are continually educating employees through regular awareness training is among the best returns for security investment possible.

The trap to avoid is targeting investment in a single tool or solution over implementing multiple security measures. Don’t go all in on the world’s greatest firewall to the exclusion of everything else, or you’ll find yourself with an amazing firewall but a poor overall security posture. Understanding the threat surface and constructing defences appropriately reduces the chances of a breach.

“Ultimately, hackers are opportunistic – they are looking to extract maximum reward for minimum effort. By making their job more difficult, your organisation becomes a less appealing target.”

Plan for the worst

A good Defence in Depth approach should also include planning for when things do go wrong. Cyber security is a harsh taskmaster because you can do everything by the book and still get breached – but it isn’t the end of the world and, provided you’ve planned appropriately, a cyber incident won’t be fatal to most businesses.

Having a clear response strategy and incident plan which helps get you back on track with minimal disruption will lessen the effectiveness of the attack, and, in turn, avoid putting your organisation in a position where you need to recover data or system access from an untrustworthy cyber-criminal.

The role of the board

If I could give any advice to boards on how to support a best practice Defence in Depth strategy it would be this – consider cyber security as a broader risk-based issue. While directors today have vastly improved their knowledge, cyber security is still often seen as a technology issue which belongs in the IT department. While IT has a role to play, cyber security should be elevated to a standalone governance issue. Your Chief Information Security Officer should be regularly updating and engaging with the board.

As directors take a holistic, risk-based view of cyber security, they should be asking for evidence that the cyber security team are reporting on the right metrics that build up a picture of the overall posture, and continually assessing the organisation’s risk against emerging and current threats. This is the key to staying ahead of the circling sharks.