As anyone who has spoken to a security professional probably knows, “Layered Security” is a must, since no single safeguard can be expected to cover all potential types of threats. There are many ways to build layers into an environment, but a sensible approach is to pick layers that use different methods and have overlapping coverage.

For example, to prevent insider threats from being successful, you might use a deterrent safeguard such as “login banners” that warn of the employee’s responsibilities to adhere to an acceptable use policy, where violations may result in dismissal.

A second layer would be preventative policies requiring that all applications that handle sensitive information use strong passwords for authentication and access control.

Further, you need logging of events related to access attempts and data modifications. This provides a safeguard that not only enables “detection” of security events, but also provides evidence for later investigation and analysis.

These are just three types of safeguards that utilize a “before, during and after” view of events.

One thing that many managers overlook is that, while login banners are necessary from a legal point of view to show some amount of due diligence, the fact is that many people ignore a message that pops up every day. That doesn’t make the employees any less responsible; it just makes the banner less effective as a deterrent.

However, there is a way to make the human element much more effective. “Security awareness” as a layer in itself can be made more effective by treating it as a series of sub-layers, with each employee having a different view of the business processes and events.  If people are taught to understand the impact of their jobs on protecting the organization’s information assets and even profitability, they can be proactive in making other layers more effective, in addition to watching for suspicious events that would allow for earlier detection and response.

If you can stop a breach while it is still just an “incident” then you can save thousands, or even millions of dollars in corrective action costs.

So, use the potentially powerful “Human Security Layer” in an intelligent way, during both product development and business operations. Don’t just keep pelting your staff with warnings and reminders.