How to build defense in depth in a business

by Daniel Malee, Security Platform Technical Expert, AT&T

Defense in depth is a business security strategy in which multiple security tools are deployed. If one tool is breached by an attacker, other tools can prevent further access to lessen overall impact. A defense in depth network security strategy covers hardware, software, cloud, edge, and on-premises network vulnerabilities, as well vulnerabilities due to human error. 

Why is defense in depth important?

In 2023, the U.S. had the highest average data breach cost of any country at $9.48 million.1 And that’s not including costs due to operational disruption, reputational damage, higher insurance premiums, or denial of coverage.Given how costly and damaging these breaches can be network security is a critical part of any security strategy. 

Many modern businesses no longer have all their employees working under the same roof. Today's hybrid workforce demands new connectivity solutions. With these solutions comes the need for greater security to protect the data flowing through this new tech. 

Digital data storage, as-a-service providers, cloud, Internet of Things (IoT), and multi-access edge computing technologies enhance both on-site and hybrid workplace innovation. The downside is that once these technologies hit the market, cyber attackers quickly search for new ways to steal data and hold companies hostage using broad and sophisticated methods. 

Hybrid and remote work arrangements give your employees flexibility. This creates new vulnerabilities because the networks your employees are connecting to aren’t protected by the on-site security of a business. But on-site connectivity has risks too. The same is true for your external suppliers, vendors, and other collaborators. You may allow third parties to access your business network and data, but this creates more opportunities for your network to be exposed to attackers.  

This lack of a defined network perimeter means your company can no longer rely on a single security solution like a firewall. Computers, wireless devices, public and private connections, software, applications, clouds, and data centers need multiple layers of security. This layered approach creates the redundancy that is needed to protect your network and data effectively. Without it your company risks paying a heavy price, putting the business at risk. 

What is defense in depth in a business?

The term defense in depth comes from military defense strategies. To protect a strategic asset, military leaders overlapped defensive measures so that no potential single point of failure would result in a breach. When defense in depth is used effectively, layered defenses slow or stop an intruder until opposing forces can react and eliminate them.   

The same defense in depth principles apply to business network and data security. Tools like firewalls, antivirus software, secure network access gateways, and virtual private networks (VPNs) all figure into business network security strategies. However, the constant and sophisticated nature of today’s cyberattacks means your company needs to do more. 

In addition to using a defense in depth strategy that includes a mix of security tools, business policies, and best practices, defense in depth should also be part of a company’s culture and decision making. By teaching your employees and leadership to engage in secure, responsible network behavior, your business can further reduce the risk of a breach and lessen the burden on other resources. 

Key principles of defense in depth

In the case of defense in depth architecture, redundancy is key. A good example is how you protect your home. Gates, perimeter fencing, and locked doors and windows physically prevent intruders from entering. Smart doorbells and motion-activated cameras log activity at your front door. This can buy you extra time to get out of your house, secure your valuables, or take shelter in a safe room. If an intruder does make it inside, your alarm system can notify you, your security company, and in some cases, the police.  

This same redundant security approach applies to your business. To be effective, defense in depth security measures should overlap to protect the physical, administrative, and technical aspects of your network. Examples include: 

Physical security controls 

Physical controls include gates, security guards, and locked doors to restrict entry.  

Administrative controls 

Administrative controls include security policies, procedures, and methods your users should follow. This may include things like securing laptops when employees are not at their desks or completing an annual security awareness training. 

Technical controls 

Technical controls include the use of hardware or software like firewalls, antivirus programs, and multi-factor authentication. 

Defense in depth vs. layered security

While defense in depth security uses a layered defense approach, keep in mind that defense in depth isn’t the same as layered security. Layered security means deploying multiple products in a specific security area while defense in depth applies to the broader security strategy.  

For example, you might choose multiple layered security protections within each of the following areas: 

  • Controlled access: Multi-factor authentication, timed access, biometrics, virtual private networks (VPNs) 
  • Workstation defenses: Anti-virus and anti-spam software 
  • Data protection tools: Encryption, secure data transmission, and encrypted backups 
  • Perimeter defenses: Firewalls, gateways, and intrusion detection and prevention systems 
  • Network monitoring and threat prevention: User access and activity logs, vulnerability scanners 

To be most effective, you need to deploy multiple, redundant layers of security so your network stays protected should one or more tools be breached. By following this defense in depth strategy for network security, you can better secure and protect your network and data from a breach. 

What is defense in depth for network security?

As your company grows, so might your network complexity. When this happens, you may have new areas to update and new vulnerabilities to protect. Cyber attackers are agile. They can exploit gaps in your network defenses almost as soon as they appear. Even as technology evolves, and new protections are available, bad actors will continue to probe for new entry points.

A company that doesn’t deploy application updates and security patches risks having these vulnerabilities exploited. Of the many methods cyber attackers use, simple, yet often overlooked examples include phishing scams and stolen user credentials that allow them access to your network and data. As we've mentioned, network breaches might also begin through external suppliers, vendors, and other collaborators on-site. But breaches can also occur through a trusted vendor, like a cloud, a software-as-a-service (SaaS) provider, or a third-party contractor, that has access to internal systems.

At the network level, defense in depth means embedding multiple layers of protection within the network itself. It not only provides a practical shield of protection for the lifeline of connectivity that is your network, but also the ever-growing endpoints that connect to it. 

This new approach to network security, one that AT&T has pioneered, includes features like a stateful-inspection firewall that keeps track of the state of active connections and makes decisions based on the context of the traffic. It also includes intrusion detection systems, policy-based filtering, and more in a single solution that can prevent attackers from reaching your local area network. 

Without this type of protection, your business will need individual security tools layered on top of your network and at vulnerable entry points, like emails and mobile devices, but  this adds complexity and  may  add to the cost of layered security. Your IT Team will also need to make sure application and product updates and security patches are deployed as soon as they’re available. 

One of the many benefits of a built-in network security solution is that the provider updates these protections automatically, so you don’t have to.

Defense in depth security tools to consider

Due to the increasingly technical and advanced nature of cyberattacks, your business can’t rely on a single security tool to protect everything. As we've covered, there are multiple – and multiplying – entry points into your network. 

When deploying a defense in depth strategy, examples of a few security tools to keep in mind are: 

  • Network and application-specific firewalls
  • Web and email gateways
  • Intrusion detection and prevention systems
  • Endpoint detection and response software
  • Antivirus software
  • Encryption and data loss prevention tools
  • VPNs

And your security tools are reinforced by best practices and policies such as:

  • Two-factor or multifactor authentication
  • Network segmentation
  • Edge protection
  • Zero Trust or Principle of Least Privilege access policies
  • Strong password management
  • Employee awareness and training
  • Incident response planning and penetration testing

To optimize your protection against cyber threats, consider talking to a network security services professional to learn how best to secure your business. In addition to advanced security expertise and guidance, an effective network security services professional will recommend the right tools to fit your business, as well as provide future-forward insight to help you stay protected in the years ahead.

Build your defense in depth in your network security with AT&T Dynamic Defense. To connect with an expert who knows business, contact your AT&T Business representative.

Why AT&T Business?

See how ultra-fast, reliable fiber and 5G connectivity protected by built-in security give you a new level of confidence in the possibilities of your network. Let our experts work with you to solve your challenges and accelerate outcomes. Your business deserves the AT&T Business difference—a new standard for networking.