Do you ever wonder how large corporations that have a mature and robust information security program still suffer a data breach even after spending millions of dollars on security experts and cutting-edge technology?
If a sinking ship has five holes in its hull and the crew only plugs three of them, the ship will still sink. If you view the holes in the ship’s hull the same as you would a threat to your network, information systems, and data, you know you must plug all of the holes to prevent the potential for a breach. If not, you risk your ship sinking and potentially taking your crew (and reputation) down with you.
Instead, a crew must diligently plug each and every hole so thoroughly that not even a drop of ocean water can seep through. Although it’s possible a plug may not hold forever, the chance of the ship springing a leak and sinking will greatly decrease. When infosec and IT departments collaborate and identify risks to their organization, they can work together to ensure every potential exposure point is protected from threats that could lead to a breach.
This is called defense in depth. Defense in depth implies that an organization has done a thorough analysis of every possible threat and attack vector against its network, information systems, and data, and has determined the risk and potential impact of each attack. Defense in depth also requires the company to have taken proactive steps to implement security controls that mitigate the risk of each threat to an acceptable level, like plugging all of the ship’s holes.
Most companies stop well short of plugging all of the holes and leave themselves vulnerable to sinking. With active monitoring and assessment of your company’s potential exposure points, you can greatly reduce the risk of a devastating breach.
Mark McCurley is information security advisor for IDT911 Consulting.