The war against cyber crime has, for some time, been a losing battle. Organisations are reporting record numbers of data breaches, while the costs associated with those incidents continue to spiral.
According to Cisco’s 2022 Cybersecurity Almanac, the amount of money organisations spend recovering from cyber attacks is expected to increase by 75% in the five-year period from 2021 to 2025, reaching as much as $10.5 trillion (about £8.9 trillion).
Meanwhile, global spending to prevent cyber attacks is predicted to increase by the same percentage during that period.
Organisations are continually urged to invest more in defences – whether it’s technological solutions, staff awareness training or revamped compliance practices – but if those solutions aren’t part of a cohesive strategy, the benefits will be minimal.
It’s why many experts recommend taking a defence-in-depth approach to cyber security.
What is Defence in Depth?
Defence in Depth (DiD) is a layered approach to cyber security that covers five important elements: detection, protection, management, response and recovery.
A defence-in-depth approach to cyber security ensures you can mitigate the risk of complex cyber attacks and data breaches.
When one defensive layer is breached, the others work to contain the damage so you can return to normal operations as quickly and efficiently as possible.
Stage 1: Detection
The basis of all cyber security defence programmes is threat detection. It’s only by understanding the threats you face and where your cyber defences are most at risk that you can implement appropriate defences.
There are, broadly speaking, two ways that threats emerge: from technical and human vulnerabilities.
Technical vulnerabilities can be detected with a programme of regular vulnerability scanning. This approach identifies security vulnerabilities in computers, internal and external networks, and communications equipment.
It’s an automated activity that scans infrastructure targets for known vulnerabilities and misconfigurations, enabling you to bolster your defences where you need most support.
By contrast, human security weaknesses relate primarily to people’s innate susceptibility to social engineering.
Staff awareness training, particularly phishing staff awareness training, is essential to mitigating the threat of cyber attacks. Training your staff how to recognise phishing emails and what to do if they open them or click on a malicious link is critical to keeping your organisation secure.
Stage 2: Protection
No matter how well prepared an organisation is to detect threats, some attacks will get past the first layer of defence.
This will often be the case if cyber criminals find zero-day vulnerabilities (technical weaknesses that haven’t been identified by antimalware software), or they use sophisticated techniques to outsmart defences.
Organisations should prepare for this by implementing robust cyber security controls and ensuring that employees know how to manage cyber security controls.
Training and professional certification helps ensure you have the skilled staff you need to implement and maintain your security measures.
Meanwhile, certification to basic security schemes such as Cyber Essentials helps protect organisations from the most common cyber threats and demonstrate their commitment to cyber security.
Penetration testing goes a step further than vulnerability scanning. The process consists of experienced ethical hackers probing an organisation’s systems looking for vulnerabilities in the same way that a criminal hacker would.
Stage 3: Management
The next layer of security addresses cyber security as an ongoing process rather than a set of static solutions.
This stage is defined by the way organisations manage cyber security risks as part of their wider operations. It includes measures such as as embedding risk-based security controls into corporate processes, managing the security of supply chains and carrying out regular audits to ensure security controls remain up to date.
Organisations can perform these tasks with the help of ISO 27001. It’s the international standard for an ISMS (information security management system), which takes a risk-based approach to information security that encompasses people, processes and technology.
Independently audited certification to the Standard demonstrates to customers, stakeholders and staff that the organisation has implemented and maintains information security best practice.
It also helps organisations comply with the GDPR (General Data Protection Regulation), as many of the requirements overlap.
Stage 4: Response
The security measures you have implemented should minimise the likelihood and impact of a successful attack, but it only takes one mistake for a data breach to occur.
That’s why organisations must adopt a layer of security that addresses what will happen in the event of a disruptive incident. The better prepared you are for disaster, the faster you will be able to act and the more you will be able to limit costs.
Organisations can address this layer with a robust business continuity management system, combined with cyber security and data protection audits, and supply chain security.
Cyber incident response management is a part of wider business continuity management. This helps you put plans in place to cover all types of unplanned disruption, from cyber security incidents to natural disasters, from power outages to pandemics.
Stage 5: Recovery
The final layer of security addresses the aftermath of a data breach. Sometimes, the recovery process will be more disruptive than you might have planned for, with organisations often taking months to fully return to business as usual.
Having cyber insurance in place can give organisations peace of mind, giving them cover when they need it most, and helping the organisation get back to business as usual as soon as possible. Ultimately, it can cover the cost of-rebuilding if all else fails.
How to adopt defence in depth
Whatever your resources or expertise, a defence-in-depth approach to cyber security will give you the best chance of mitigating the cyber security risks your organisation faces, so you can focus on your core business objectives without having to worry about coming under attack.
You can find out how to implement the framework with the help of our experts. IT Governance has all the tools you need to address each of the five layers, such as staff awareness training, incident response management support and compliance guidance.
Get in touch today to find out how we can help you secure your success.