“Defense in Depth.” This is a fundamental principle of information security. Essentially it means that you add layers of security so you don’t rely on a single point of failure in your security model. For instance, if you have a hardware firewall for your network, you also run a software firewall on your desktop computers. If it helps, you can think of Defense in Depth as a security backup. The canonical example is a castle, which has not just a keep, but an outer wall, a drawbridge, a moat, low stone walls, etc. to defend it. Castles didn’t rely on just one thing to protect them, and neither should your network.
Similar to cross-training staff members (so that if one employee is out sick, an entire department or company doesn’t grind to a halt), defense in depth ensures that a single failure on your network doesn’t leave you completely exposed.
How can a small business implement defense in depth? There are many ways, and several are inexpensive. Here are some examples:
- Have a security policy that governs what is and is not allowed on your network, AND train users in its purpose and how to follow it. Don’t just hand out a policy and expect that they will understand and appreciate it. And remember to write a security policy in the first place: many small businesses overlook this step entirely.
- Have your network’s router (often supplied by your ISP) filter out unwanted incoming traffic, AND have a firewall behind it doing the same thing. If a flaw or exploit is found in the border router, your firewall can still protect you, and vice versa.
- Have a hardware firewall on your Internet connection, AND also use your operating system’s built-in firewall on the desktops. Windows, Mac OS X and Linux all include firewalls, although they are not always turned on by default, so you (or your IT personnel) may want to check on this.
- Run a malware scanner on your desktop PCs AND your servers.
- Have an email virus scanner either at your ISP, in front of your server, or on your mail server AND use one on your desktop computers. Antivirus, while not a guarantee of protection, is still a must on today’s Internet.
- Train users to avoid suspicious emails and websites, AND have a web and email filter on your network, AND run with lowered privileges (a non-administrator account) on your computers. That way, if malware such as a virus does get through, it runs with only your limited rights rather than administrator rights, which limits the damage it can do to the system.
- Conduct security audits and penetration tests to confirm that the policies and controls described above are actually in place and doing what you think they do.
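Since the list above says to check that the desktop firewall is actually turned on, here is a small POSIX shell script that does that check on Linux and Mac OS X. This is an added example written for this page, not code from the original article. It runs whichever firewall tool the machine has (ufw, firewalld, nftables, or the Mac OS X application firewall) and classifies the tool's output as "on" or "off"; the classification is kept in separate functions so it can be tested against constructed sample output without touching the real host. The sample outputs in the comments are constructed from the formats those tools normally print.

```shell
#!/bin/sh
# Added example: is the host firewall actually enabled on this desktop?
# Each classify_* function takes the raw output of a firewall tool and
# prints "on" or "off". check_host_firewall picks the tool that exists.

# ufw: "ufw status" prints "Status: active" or "Status: inactive"
# (it needs root; as a normal user the output is an error, classified "off").
classify_ufw() {
  case "$1" in
    *"Status: active"*) echo on ;;
    *) echo off ;;
  esac
}

# firewalld: "firewall-cmd --state" prints "running" or "not running".
classify_firewalld() {
  case "$1" in
    running) echo on ;;
    *) echo off ;;
  esac
}

# nftables: "nft list ruleset" dumps the rule set. Treat the host as protected
# only if some chain hooks inbound traffic with a default-drop policy; a ruleset
# whose input chain has "policy accept" (or no ruleset at all) is "off".
classify_nft() {
  if printf '%s\n' "$1" | grep -q 'type filter hook input.*policy drop'; then
    echo on
  else
    echo off
  fi
}

# Mac OS X: socketfilterfw --getglobalstate prints
# "Firewall is enabled. (State = 1)", "(State = 2)" for block-all mode,
# or "Firewall is disabled. (State = 0)".
classify_macos() {
  case "$1" in
    *"State = 1"*|*"State = 2"*) echo on ;;
    *) echo off ;;
  esac
}

# Run the real tool for this platform and classify its output.
# Prints "unknown" if no supported firewall tool is found.
check_host_firewall() {
  if command -v ufw >/dev/null 2>&1; then
    classify_ufw "$(ufw status 2>/dev/null)"
  elif command -v firewall-cmd >/dev/null 2>&1; then
    classify_firewalld "$(firewall-cmd --state 2>/dev/null)"
  elif command -v nft >/dev/null 2>&1; then
    classify_nft "$(nft list ruleset 2>/dev/null)"
  elif [ -x /usr/libexec/ApplicationFirewall/socketfilterfw ]; then
    classify_macos "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)"
  else
    echo unknown
  fi
}

state=$(check_host_firewall)
echo "host firewall: $state"
```

Run it as root (or via sudo) on each desktop, since ufw and nft refuse to report state to a normal user. Windows desktops are not covered here; on those, `netsh advfirewall show allprofiles state` from an elevated prompt gives the same information. A result of "off" or "unknown" on any machine means that layer of your defense in depth is missing, even if the border firewall is fine.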