Adopting cyber mission assurance for cyber security | BCS


It’s not if we’re breached, but when… In cyber security, the fortress mentality is the view that all threats can be kept outside of the organisation’s networks, with defensive measures in place making the network impenetrable. This ignores the potential threat posed by insiders – both accidental and malicious – but also presents the (often misguided) assumption that all systems within the network can be made completely secure in a cost-effective way.

Warnings against following a fortress mentality in cyber security have been around for years. One example is Franz-Stefan Gady, writing in 2010 for the Foreign Policy Journal (‘The Cyber Fortress Mentality’), where he stated that ‘any fortress wall is vulnerable’, referring to the use of fortresses during several conflicts in North America. The most determined attacker will identify a way to penetrate a network.

I follow the viewpoint that we should follow an approach that offers layered security, or defence-in-depth; acknowledging that although this may not be successful at preventing every single attack, we can act to contain that attack and continue our business-critical…
