The enterprise perimeter is an antiquated idea, like building moats and drawbridges in an age of armed drones. The perimeter's demise is thanks in part to BYOD, but there's also risk inherent in endpoints that never venture out corporate doors. Sensitive data flows through them, too. Many desktops and laptops never leave the office, but hackers still used them as gateways for exfiltration or to launch man-in-the-middle attacks and grab encryption keys. So you must shore up your IT fortress with defense-in-depth security to have any chance at turning back the barbarians at the gates.
Where to begin? First, recognize who are your most likely attackers and learn how they fight. Next, keep your defenses updated. Are you prepared, for example, to deal with signatureless malware? Or are you still relying on signature-based antimalware tools that leave you "one step behind" hackers, as expert Matthew Pascucci puts it?
Once you have a good grasp on who you're up against, it's easier to stay up to date on the best tools and techniques and to decide what combo best plugs potential holes. Be sure to consider the role of compliance with industry regulations -- which, let's be honest, can feel like another pain in the job of a security pro. But HIPAA, GDPR, PCI DSS -- choose the one that applies to you -- can also serve as guides to sustainable security, highlighting what needs protection.
Defense-in-depth security means acquiring the attitude that no one tool is ever, by itself, enough. Construct your security "fortress" by focusing on finding the right combination of new and tried-and-true techniques and tools. Also, consider ways to automate this security "drawbridge." Patch management, software updates -- anything that's automatable -- frees up time for things that are not, like education.
Defense-in-depth security should be the buzz phrase for 21st-century IT.