
Have Your Security Thrive in ‘25

Dec. 12, 2024
ISE’s cybersecurity expert, Mark Fishburn, explains the 10 layers of cybersecurity defense every organization needs.

Introducing the 10 Layers of Defense

Every day, articles on cybersecurity give quick advice—two or three things “you must do.” Just this fall, CISA published “Four Easy Ways to Protect Your Business.” All great and many are aligned with this article.

However, there is no single source providing a simple and comprehensive plan of action that builds defenses for the entire organization, one step at a time, significantly reducing risk. That is exactly the intention of this article.

Here, we have organized the most important best practices in 10 defensive layers. Simply, if one layer is breached, then there’s another immediately behind it. In addition, we follow the two principles of Zero Trust “Never Trust, Always Verify” and “Assume Breach.”

Cybersecurity lives in the world of “you’re only as strong as your weakest link.” So, while 10 layers of defense are required, there’s no escaping that many actions are involved as each weak link is strengthened. What this approach brings is a sense of order and reduced stress, all at very little external cost! Okay, enough preamble, let’s start with the first and most important layer.

1st Executive Commitment

All good defense is built on a solid structure and a broad foundation. So, the first layer of defense is exactly that—a written security policy encompassing the whole organization. It requires commitment and the realization that cybersecurity is not just an IT issue; it means having executive-level responsibility for cybersecurity. As defenses mature, an ongoing, measurable plan reflects the requirements of your business, systems, and networks. These documents will be central to both regulatory compliance and competitive positioning.

2nd Asset Curation

Protecting all assets (data, systems, and software) is critical. Encryption is key for critical customer data, intellectual property, etc., mitigating theft. Automated updates of software, network devices, and end-user systems minimize human error and accelerate fixes for newly discovered attacks. Segmenting and hiding network and data elements nullifies attacks. If they can’t find it, they can’t break it.

Backups are often the threat actors’ primary target. Key to asset management is backing up data, software, user and system information and disconnecting it from the rest of the system to eliminate outside access. This prevents actors from corrupting even encrypted data. Defense and resilience against attacks on mission-critical data is never complete until the backups have been restored and their content verified as valid.

3rd System Access

Next, ensure defense from illicit user access. Anyone inside or outside the organization must use multi-factor authentication/passkeys, and strong passwords. Human resources must vet employees and contractors, building and executing ongoing training to guard against insider threats and social engineering of staff. Users must only be given sufficient privilege to undertake their assigned tasks.

4th Policy Management

Manage identity, authentication, privilege, and access control in line with policy, so that authorized users are only permitted to access systems from approved devices and locations, at allowed times. This goes for all third-party contractors, devices, and software.

5th Organizational Integrity

Address departmental and external vulnerabilities by applying best practices across every area of the organization, including outsourced functions and contractors. It’s often overlooked that every organization uses third parties and their software. It must fall upon the executive responsible for security to oversee all manner of third parties who have access to sensitive information. For example, recruiting companies, CPA firms, web hosting companies, legal firms, external network service providers, etc. must all be verified. No potential weak link may be trusted—ever.

6th Supply Chain Management

Supply chain security: even the largest companies are guilty of not collaborating to validate their supply chains’ products or services. Suppliers and customers have a shared responsibility. “Never Trust, Always Verify” operates this defense so that responsibility can be delegated, not abdicated. See cybyr.com/delegation for the details.

7th Basic Software Protection

It was important to first establish best practices for defensive measures. Beyond backups, these required no additional outside spend. Now we can turn to defenses which are likely already included via software subscriptions, namely basic anti-phishing, anti-malware, firewalls, VPN, a password manager, and low-cost identity managers. This essential software is the necessary next layer of defense.

8th Breach Defense

So far, the defenses listed have primarily been to guard against attacks to the “system” and its users. Now it’s time to apply the Zero Trust principle “Assume Breach.” Even if, for whatever reason, the previous layers of defense have been breached, then it’s vital to detect and remove threats that are already in your system or the network. Most ransomware attacks are of this advanced, complex nature and are fully explained at cybyr.com/cyberpedia. When penetration occurs, malware looks for weakness, lying in wait until signaled by its host, and then uses illicit software to move to areas of weakness and begin the attack. Use of Threat Detection and Response software is beyond the scope of this article, but implementation is covered on my Virtual CSO page: cybyr.com/vcso.

9th Monitoring & Measurement

Monitoring of everything above should be automated and is a critical element of the defense. Both software and procedures must report when people or processes are not within policy, when people, transactions, or systems are blocked, when anomalies occur, and when overall risk improves, as well as on a regular audit schedule.
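Layers 4 and 9 above describe an access policy (approved devices, locations, and times) and the reporting of out-of-policy and blocked events. The Python block below is an added illustration of those two checks working together; it is not code from the article or from cybyr.com, and the policy table, the user, device and site names, and the in-memory audit list are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed policy table (hypothetical user, device and site names, not from the article):
# each user may only sign in from approved devices and locations during allowed local hours.
POLICY = {
    "alice": {"devices": {"laptop-0042"}, "locations": {"HQ", "VPN"}, "hours": (8, 18)},
}

# Every denial is recorded here so the monitoring layer can report out-of-policy events.
AUDIT_LOG = []

@dataclass
class AccessRequest:
    user: str
    device: str
    location: str
    when: str          # ISO 8601 local timestamp, e.g. "2025-01-06T09:30:00"
    mfa_passed: bool

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate(req, policy=POLICY):
    """Layer 4: admit only known, MFA-verified users on approved devices and
    locations inside their allowed hours; collect every failed check."""
    rules = policy.get(req.user)
    if rules is None:
        return Decision(False, ["unknown user"])
    reasons = []
    if not req.mfa_passed:
        reasons.append("multi-factor authentication not satisfied")
    if req.device not in rules["devices"]:
        reasons.append(f"device {req.device} not approved")
    if req.location not in rules["locations"]:
        reasons.append(f"location {req.location} not approved")
    start, end = rules["hours"]
    hour = datetime.fromisoformat(req.when).hour
    if not start <= hour < end:
        reasons.append(f"outside allowed hours {start:02d}:00-{end:02d}:00")
    return Decision(not reasons, reasons)

def enforce(req, policy=POLICY):
    """Layer 9: apply the decision and report each blocked attempt with its reasons."""
    decision = evaluate(req, policy)
    if not decision.allowed:
        AUDIT_LOG.append({"user": req.user, "at": req.when, "reasons": decision.reasons})
    return decision
```

Because every failed check is collected rather than stopping at the first one, the audit record shows the full set of policy violations behind a block, which is what a reviewer needs when deciding whether the policy or the user is at fault.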

10th Vigilance

None of these defenses are one-offs. Awareness of new threats, ongoing adaptation of policies, techniques, improvements and compliance with new regulations, and careful adoption of GenAI will be a constant part of your defense. Part of our role is to highlight the most noteworthy of the thousands of news items each month and more than 400 cybersecurity terms as they evolve.

Each advance is measured as risk decreases and new recommendations are implemented. Sharing these ideas is important but implementing them with you is why we created our Virtual CSO service described at cybyr.com/vcso. The intention of this article was to create an implementable structure to reduce your risks across your organization at very limited cost. We hope that has been achieved so you can look forward to a secure 2025. This story continues at cybyr.com/10layers.

About the Author

Mark Fishburn | Provider of Strategic Network, Cybersecurity and Marketing Services

Mark is CEO of cybyr.com and has five decades of experience in software, networking, and security. He is a member of ONUG, MEF and CSA network and security working groups, a CISA contributor, and publisher of the holistic cybersecurity book Hey Who Left The Back Door Open? For more information, or to give feedback, email [email protected] or follow him on LinkedIn.