
A closer look at the security strategy of “defence in depth”

The world was at war in 1918 when the great Spanish influenza epidemic struck. As battles were fought in Europe, the flu conquered country after country, killing 50 to 100 million people in a year. Surely, this virus was one of humanity's greatest enemies.

Obviously, computer viruses aren't nearly as tragic – but they're called "viruses" for a reason. These small programs operate on the digital "molecular" level, and they can spread at an exponential rate. People render their systems contagious simply by opening an email message, downloading an attachment, clicking on a pop-up ad, or surfing to the wrong website. The effects on your business can be serious: Viruses, Trojan horses, and worms can slow systems to a crawl, destroy data, and punch holes in your network. Successful vaccination starts with securing your network and educating your employees.

A winning security strategy is to employ a concept called "defence in depth." The basic idea is that the safest way to protect something is by wrapping it in multiple secure layers. It's not enough to implement antivirus measures only at your gateway or at individual workstations. You must deploy multiple layers of security throughout your company, working from the outside in.

The first step is securing your gateway. A gateway antivirus product (often a security appliance) sits at the entrance to your network and inspects all traffic entering or leaving it, quarantining suspicious files and stopping them before they reach your servers and workstations.

Server antivirus products protect file, application, and email servers. There are plenty of products in this class from vendors such as F-Secure, McAfee, Symantec, and Trend Micro. For the most part, protecting a file server is just like protecting a desktop; software inspects every file written to or read from the hard drive.

Email antivirus is more sophisticated, scanning incoming and outgoing messages, detaching and scanning attachments, and then recombining everything and sending it on if it's clean. If you're running your own email server, you'll definitely want protection, since email is the most widely used vector for spreading viruses. If you outsource your email, then make sure your provider offers a comprehensive antivirus solution.
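The detach, scan and recombine flow described above, sketched with Python's standard `email` package as an added example that is not part of the original article or any vendor's product. The SHA-256 denylist is an assumed stand-in for a real signature engine, and `is_clean`, `scan_message`, `build_sample` and the sample addresses and payloads are hypothetical names and constructed data.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample payload; its SHA-256 stands in for a vendor signature set.
BAD_PAYLOAD = b"constructed-sample-malicious-attachment"
DENYLIST = {hashlib.sha256(BAD_PAYLOAD).hexdigest()}


def is_clean(data: bytes) -> bool:
    """Hypothetical scanner hook: True when the bytes match no known-bad hash."""
    return hashlib.sha256(data).hexdigest() not in DENYLIST


def scan_message(raw: bytes):
    """Detach and scan each attachment; return (rebuilt_bytes, quarantined_names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    quarantined = []
    for part in msg.walk():
        # Containers hold no data themselves; walk() descends into them.
        if part.is_multipart() or not part.is_attachment():
            continue
        data = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        if is_clean(data):
            continue
        name = part.get_filename() or "unnamed"
        quarantined.append(name)
        # Swap the infected part for a notice so the rest is still delivered.
        part.set_content(f"Attachment removed by scanner: {name}\n",
                         filename=name + ".quarantined.txt")
    return msg.as_bytes(), quarantined


def build_sample() -> bytes:
    """Constructed test message: one clean and one denylisted attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Documents"
    msg.set_content("See attached.")
    msg.add_attachment(b"quarterly figures", maintype="application",
                       subtype="octet-stream", filename="report.bin")
    msg.add_attachment(BAD_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="invoice.bin")
    return msg.as_bytes()
```

Replacing only the flagged part keeps the message body and the clean attachment deliverable, and the returned list of filenames is what a gateway would log or alert on.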

The next step is securing individual workstations. Desktop antivirus programs inspect executable files and scan files when they are read from or written to the hard drive. Kaspersky, Bitdefender, Panda, McAfee, Symantec, and Trend Micro are some of the major players here. If you're in a very small office, you can install the software on each machine individually. But if you have more than ten desktops, consider a centrally managed solution. And make sure you (or your employees) run antivirus updates and Windows Updates regularly – and don’t forget to update other apps with patches that cure vulnerabilities as they’re exposed, too.

Of course, you’ll also need to install antivirus protection on any device that leaves the safety of your LAN, such as laptops, tablets and smartphones. Again, all the major security providers have mobile solutions, and many desktop security suites offer additional mobile cover these days.

The final layer is preventing your employees from compromising all the other layers with foolish habits. Teach your co-workers to think before they click. Forbid them to download programs and attachments from unknown sources. A little education goes a long way, and such measures will protect your business from attack.