I was watching an automotive program earlier today \u2013 Autoweek out of Detroit \u2013 and there was a panel discussion about how to protect automobiles from hacking attacks.\u00a0 And during the discussion there were terms being thrown out that resonate in the IT world, just as they always have, with the most resonant being \u201cDefense in Depth\u201d.\u00a0 This is a term that I have heard again and again over close to 35 years in this wacky business.<\/p>\n
To over-simplify a complex concept, Defense in Depth means you have layers of security in place within your IT infrastructure.\u00a0 You don\u2019t simply install a firewall and announce that you\u2019re done; rather, you have firewalls and anti-virus and anti-malware and secured wi-fi and segmented networks and security policies and local machine firewalls and so on and so forth ad infinitum.\u00a0 You build your castle and moat to keep the bad guys out.\u00a0 And while most larger enterprises \u201cget it\u201d and do this, many smaller organizations do not.\u00a0 And, to add fuel to the fire, everything \u201cCloud\u201d adds another layer of complexity to the situation.<\/p>\n
To be very clear, there is only so much any organization can do to protect their systems.\u00a0 There is no such thing as \u201cperfect security\u201d regardless of what many might tell you.\u00a0 The bad guys are always working to find new ways to defeat the security systems and the good guys, meaning most of us human beings, are generally sloppy.\u00a0 So it is the job of the IT pro\u2019s to do as much as they can, with management\u2019s backing, to build as secure a system as organization size and budget will allow.<\/p>\n
So, how does a small organization do this?\u00a0 How do you build defense in depth?\u00a0 I think the answer is actually pretty simple; you do what you can from a technology point of view and then you educate the hell out of your people!\u00a0 It may sound odd but a big part of the problem is actually simple ignorance on the part of your users.\u00a0 Most users simply don\u2019t have any idea about the relative dangers of borrowing their kid\u2019s USB stick to transport a file from home to work or, worse, why you shouldn\u2019t let your 10 year old use your work laptop!\u00a0 This isn\u2019t a slam against the kids, it\u2019s just a simple statement of fact.\u00a0 Uncontrolled access to organizational assets is a very big problem.\u00a0 As an organization you can put all sorts of defenses in place such as anti-virus and anti-malware scans but this just isn\u2019t enough if your users ignore all the rules.<\/p>\n
Definitely add the technology that you can afford — install the UTM firewall, install commercial-grade anti-virus and and-malware systems (no, the free stuff just isn\u2019t good enough), control access to USB ports on client machines, secure and segment your wi-fi, ensure you have domain security controls in place regardless of where the domain lives on-prem or in the Cloud, control and secure remote access to your resources.\u00a0 But, most of all, educate your users!<\/em>\u00a0 If your users understand the why<\/em> behind a security policy then they usually will do their best to comply with it.\u00a0 Security policies fail when users have no clue why you have made their lives \u201cdifficult\u201d.<\/p>\n Small organizations generally don\u2019t have the high profile that invites external parties to \u201cattack\u201d their systems.\u00a0 The threats that small organizations face come more from ignorance, the suspicious email that carries a cryptolocker-style payload when opened or the infected USB stick that gets plugged into the network.\u00a0 Education is your biggest defense against these kinds of attacks.\u00a0 it is one more layer in your defense in depth.<\/p>\n","protected":false},"excerpt":{"rendered":"