A layered approach to security

What a modern car can teach you about protecting your business.

Modern cyber security, like modern car safety, is built from layers that work together. Most businesses your size already have a decent set of tools in place, so the question is no longer whether you have them. It is whether they work as one system, and whether someone is watching them. A modern car is not safe because of any single feature. It is safe because the features are joined up and there is a capable driver behind the wheel. Security is no different, and this is a plain-English look at why.

Isn't having the tools enough?

Think about how car safety has changed. For years, a seatbelt was the safety feature. It was the thing that kept you alive, and fitting one was seen as doing what needed to be done. Antivirus was the seatbelt of cyber security. Essential, sensible, and for a long time considered enough.

The trouble is that a seatbelt only does one job, and only once you have already crashed. Nobody would argue you should take it out, but nobody today would call a car with nothing but a seatbelt a safe car. Safety moved on. Modern cars now protect you in layers, and most of those layers are working to stop the crash happening in the first place.

Cyber security has moved the same way, and for the same reason: the threats got faster and cleverer, and a single reactive control simply cannot keep up with them.

What does layered security actually look like?

The clearest way to picture it is to keep going with the car.

layered-security-diagram

Antivirus is still your seatbelt, the basic protection you would not go without. Your firewall is the airbag, another layer that helps when something is already coming at you. But the modern features are the ones that change the picture. Anti-lock brakes and stability control step in during a dangerous moment to keep you in control, the way endpoint protection acts the instant something suspicious starts happening on a device.

Lane-keeping and blind-spot alerts watch the areas you cannot, catching the drift you did not notice. That is much like dedicated email security such as Mimecast, which sits alongside your Microsoft 365 and catches the threats that slip past the built-in filters, and email is where most attacks begin. And the immobiliser stops anyone without the right key from driving the car off at all, in the same way multi-factor authentication and access controls keep out anyone without the right credentials, whether they stole a password, guessed it, or bought it. It is an always-on barrier, not a last-second save.

No single one of these features is the answer. What makes a modern car safe is that they all work together, and that there is a capable driver behind the wheel. A pile of clever gadgets that do not talk to each other, with nobody paying attention, is not a safety system. The same is true of security. The value is not in owning the tools, it is in having them work as one, and having someone watching.

Does cyber insurance really care which tools I have?

It does, and this is where the car comparison holds up almost exactly.

Your car insurer does not simply ask whether you own a car. They ask what safety features it has, whether it is locked and alarmed, where it is kept, and they price your cover accordingly. Better protection, better terms, and often a lower premium. Cyber insurance now works the same way. Insurers want to know which layers you run before they will offer good cover, and often before they will offer any at all.

There is a positive side to this worth holding onto. Just as fitting an alarm and an immobiliser can bring a car premium down, the stronger your security layers and the better they work together, the more your cyber premium could reduce too. It is not guaranteed, and it varies by insurer, but it does mean the picture is not simply more cost. You may spend more on the right tools, and see some of that come back through lower premiums and a lower risk of a very expensive incident. Good security pays for itself.

The difference is that cyber insurers are even less forgiving than car insurers. Crash your car despite doing everything right and you are still covered. Suffer a breach with the layers missing that you claimed to have, and your payout can disappear. So even if you were willing to carry the risk yourself, the people pricing that risk increasingly will not let you carry it on a seatbelt alone.

So where does a business start?

The honest answer is that you do not have to buy everything at once, and you should be wary of anyone who tells you otherwise. Layered security is a direction, not a shopping list. The useful first step is to understand which layers you already have, where the gaps are, and which of them matter most for how your business actually works.

Get in touch CTA

What matters more than any single product is that the layers are joined up and that someone is actually watching them. A modern car full of safety technology still needs a driver. Security is no different, and that is where the next part of this series goes: the layer that watches for threats already inside, how it works, and who sits behind the wheel when the alarm sounds.