Written by: Aaron West
If you’ve got a child who’s going on an Easter egg hunt soon, you might want to give them more than one basket to carry. In this trying time of the pandemic it might need to be a virtual egg hunt.
In any event, eggs are fragile and dropping your basket could mean you’ve ruined all of your hard-won eggs. The same goes for information security. If your organization relies on just one layer of defense, it isn’t hard for an attacker to crack it and break your prized “eggs.” I was recently thinking about how life and work have been affected under the restrictions of COVID-19.
In the military, layers of defense are easiest to conceptualize because, most of the time, the defense levels are in fact physical layers. One unit can be placed behind another in case the enemy gets through the first defending unit. In cybersecurity the “layers” are more conceptual but just as important to implement as part of an effective cyber defense. This idea is even more important in the current COVID-19 environment of widespread remote work. The vast expansion of remote work has created new vulnerabilities for many organizations that may not have a new “basket” to place these information eggs into.
A useful model to apply when thinking about multiple baskets or layers to your cyber defense is the integration of people, processes, and technology. Information technology exists ultimately to support people and therefore our users play the central role in securing it. So, security awareness education becomes the key to equipping your people with the extra “baskets” they need to protect the confidentiality, integrity and availability of their most delicate eggs within an organization. Focus on education across your entire organization. The fact is that many employees either haven’t been informed as to what they need to know about cyber threats or haven’t been armed with effective cyber habits. They need succinct routines that they can integrate seamlessly into their busy days.
You’ve heard it said that one plans for the worst and hopes for the best; you can’t rely on “hope” to prevent a successful attack from affecting your organization. Good planning and preparation can certainly increase your chance of preventing an attacker from getting through your defensive layers, but no defense is 100 percent effective. Establishing effective, repeatable processes can maximize your defense by adding “layers” to your security program. A coordinated incident response program can ensure that your organization minimizes the disruption from a cyber-attack and can resume operations as soon as possible. Plan, prepare, and respond, but remember that practicing your response is the key to preparedness. Other terms for practice include test and wargame.
Two technology concepts are perfect analogies for a layered or multi-basket defense: detection and least privilege. Many environments invest heavily in protective controls like firewalls to prevent security events. However, even the most advanced defenses can’t stop 100% of attacks, so it’s important to “add a basket” of detective technology as well. The most common detection technology is the intrusion detection system (IDS). New detection technologies have also emerged to match the evolving landscape of threats that organizations face. Identify the key nodes within your network and adopt detection technologies for them to create the detection layers that increase your opportunity to discover an attack. This concept ties in well with the principle of least privilege, which strives to give a user only the privileges required to do their job and nothing more. An organization that has only one means of intrusion detection and gives excess privileges to its users is at a higher risk of attack. What’s even worse, this “one basket” environment also limits your ability to detect attacks in the first place.
Start thinking about your multiple baskets of defense as a set of defensive layers for your organization’s important “eggs.” Inform and educate your people with effective routines to combat cyber-attacks, adopt overlapping detection technologies, and grant only the least privileges required. Implement an incident response process that prepares your organization to respond with confidence. Assume that it is only a matter of time before you are breached, and don’t assume you are not a target. This philosophy can spur your organization to develop the methods of testing and preparation necessary to ensure your response is the best it can possibly be and ultimately get your business back to normal operations. So, start getting all your eggs out of that one, solitary basket – your company teams (and your Easter egg hunters!) will thank you.
About the Author
Aaron West is an information security professional with over 25 years of combined military service and business experience, leading in various roles. Aaron holds master’s degrees in Cybersecurity and Risk Management, Information Technology Management, Security Studies, and Military Strategic Operations. He also earned a Graduate Certificate from the Kelley School of Business and a Green Belt in Lean Six Sigma from the U.S. Army.