Walk into a vendor's booth at a security conference and you'll get sold a single product that "solves cybersecurity." Maybe it's an endpoint platform. Maybe it's a SIEM. Maybe it's a phishing-training service.
None of those things is wrong to have. All of them, by themselves, are insufficient.
The phrase you'll hear from people who do this work seriously is defense in depth. It's an old military concept — when an outer wall falls, there's another wall behind it. The attacker who breaks through any single layer hasn't won; they just have to keep working.
Translated to business cybersecurity, defense in depth means you have eight or so different layers of protection, each doing a different job, each catching what the others miss. The home page of this site shows a diagram of those layers around our logo. This post is the long version.
Here's what each layer does and what "good" looks like in each.
Layer 1 — Network & Firewall
This is the perimeter. Every packet entering or leaving your business runs through it. Done well, a modern firewall does much more than block ports — it inspects traffic for known attack patterns, recognizes when a system is talking to a known malware command-and-control server, and segments your network so a compromise in one area doesn't immediately reach everywhere.
What "good" looks like:
- A next-generation firewall (Fortinet, Palo Alto, Cisco, SonicWall, etc.) with active intrusion-prevention licensing — not a consumer router.
- Network segmentation so guest Wi-Fi, employee Wi-Fi, server VLAN, and IoT devices (cameras, smart thermostats, plant-floor sensors) are isolated from each other.
- Outbound traffic filtering, not just inbound. The most damaging breaches are typically caught — or missed — at the moment an attacker tries to exfiltrate data outbound or call out to a control server.
- Logging that flows somewhere useful (see the SOC + SIEM layer below).
This is the layer most businesses think they have. Many do not have it correctly configured.
Layer 2 — Identity & Access
If the firewall protects the building, identity controls protect the doors and windows inside. Identity is also the layer attackers most often target now — phishing for credentials is cheaper than finding a software vulnerability.
What "good" looks like:
- Multi-factor authentication enforced for every user, with phishing-resistant methods (FIDO2 security keys, passkeys) preferred over push approvals or SMS codes. If you use an authenticator app, turn on number matching: it stops push-fatigue attacks, but a phishing page that relays the code to the real login in real time still gets through, which is why FIDO2 sits at the top of the list.
- Conditional access policies that look at context — device compliance, location, sign-in risk — and require additional verification or block sign-ins that look wrong.
- Single sign-on (SSO) for the applications you use, so identity is managed in one place rather than scattered across a dozen separate password databases.
- Privileged accounts treated differently — fewer of them, stricter rules, separate accounts from regular user identities.
- Regular review of who has access to what, with prompt removal when people leave or change roles.
For most businesses today, identity is the perimeter. Get this layer wrong and the rest of the layers matter less.
Layer 3 — Endpoint Defense
The laptops, desktops, and servers your team uses every day. Each one is a potential foothold for an attacker if it gets compromised — through a malicious email attachment, a drive-by download, or stolen credentials.
What "good" looks like:
- Endpoint Detection and Response (EDR) software running on every device — not just antivirus. EDR watches for behavioral signals (a process suddenly encrypting many files, an Office document spawning a PowerShell session, etc.) rather than only known malware signatures.
- Automated patching for both operating systems and applications, with internet-facing systems and actively exploited vulnerabilities (CISA's Known Exploited Vulnerabilities catalog is a good priority list) patched first. Exploitation of unpatched software is consistently among the leading ways attackers get in.
- Device hardening — disabling features that aren't needed, restricting administrative access, requiring full-disk encryption for laptops.
- Mobile device management (MDM) for any phones or tablets that access company resources.
A modern EDR with active monitoring catches behavior that signature-based antivirus never sees: the intrusion that uses only built-in tools, the session running on stolen credentials, the staging that precedes encryption. Antivirus alone stops the commodity malware it has signatures for and little else.
Layer 4 — Email & Phish Defense
Email is still the number-one attack vector. Every business email compromise, every ransomware deployment via malicious attachment, every credential-stealing phish — almost all of it arrives through email.
What "good" looks like:
- Microsoft 365 or Google Workspace's built-in filtering tuned and configured (not just defaulted).
- A third-party email security product layered on top, using machine learning to catch the social-engineering patterns the defaults miss — particularly business email compromise, where the attacker doesn't send malware, just lies that look convincing.
- DMARC, DKIM, and SPF correctly configured on your sending domains so attackers can't easily impersonate you to your own employees. Only an enforced DMARC policy (p=quarantine or p=reject) actually blocks spoofed mail; p=none just reports. These records stop exact-domain spoofing, not lookalike domains, which is where the training and the third-party filter take over.
- Continuous phishing training, not annual training. Realistic simulated phishes, with feedback on what was missed.
- Clear escalation paths for users who suspect a phish — a single button in Outlook that reports a suspicious message to IT.
Email is also the layer where most successful attacks start. Take it seriously.
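A quick way to check those records, as an added example and not a tool from this post's authors: the script below scores SPF and DMARC TXT records pasted in as strings. The sample records and the example.com tenant are constructed (spf.protection.outlook.com is the real Microsoft 365 include; the other includes are hypothetical). It runs offline and queries no DNS, so it cannot confirm a record is actually published or that DKIM selectors resolve; what it does catch are the configuration mistakes that make a record look finished while protecting nothing: +all, more than ten lookup terms, p=none, an unprotected subdomain policy, pct below 100, and no reporting address.

```python
"""Static audit of SPF and DMARC TXT records.

Added example for this post (not a tool from the post's authors). It scores
record strings you paste in, so it runs offline and queries no DNS. The sample
records below are constructed. A real audit also confirms the records are
published at the right names (the domain apex for SPF, _dmarc.<domain> for
DMARC) and that the DKIM selectors your mail platform signs with resolve.
"""
from __future__ import annotations

from dataclasses import dataclass

# SPF terms that each consume one of the ten DNS lookups RFC 7208 allows.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_SPF_LOOKUPS = 10


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    message: str


def check_spf(record: str) -> list[Finding]:
    """Flag the SPF mistakes that quietly turn the record into a no-op."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("high", "not an SPF record: must start with v=spf1")]
    findings: list[Finding] = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # the default when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # mechanism name precedes any ':' argument, '=' modifier value or '/' CIDR length
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(Finding("medium", "ptr mechanism is deprecated and unreliable"))
        if name == "all":
            all_qualifier = qualifier
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(Finding("high", f"{lookups} lookup terms exceed the limit of {MAX_SPF_LOOKUPS}; receivers return permerror"))
    if all_qualifier is None:
        findings.append(Finding("medium", "no 'all' term; unlisted senders are treated as neutral"))
    elif all_qualifier == "+":
        findings.append(Finding("high", "+all authorizes every sender on the internet; spoofed mail passes SPF"))
    elif all_qualifier == "?":
        findings.append(Finding("medium", "?all is neutral; the record expresses no policy"))
    return findings


def check_dmarc(record: str) -> list[Finding]:
    """Flag a DMARC record that only monitors instead of enforcing."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return [Finding("high", "not a DMARC record: must start with v=DMARC1")]
    tags: dict[str, str] = {}
    for part in parts[1:]:
        if "=" not in part:
            return [Finding("high", f"malformed tag {part!r}")]
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip().lower()
    findings: list[Finding] = []
    policy = tags.get("p")
    if policy is None:
        findings.append(Finding("high", "missing p= tag; receivers ignore the record"))
    elif policy == "none":
        findings.append(Finding("high", "p=none only reports; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("medium", "p=quarantine: spoofed mail lands in junk rather than being rejected"))
    subpolicy = tags.get("sp", policy)  # sp defaults to p when absent
    if policy == "reject" and subpolicy != "reject":
        findings.append(Finding("medium", f"sp={subpolicy} leaves subdomains spoofable while the apex is protected"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", f"pct={pct}: policy is applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("medium", "no rua= address; without aggregate reports you cannot see who is spoofing you"))
    return findings


def has_high(findings: list[Finding]) -> bool:
    return any(f.severity == "high" for f in findings)


# Constructed sample records for a hypothetical example.com tenant.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.example-crm.net ptr +all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.example-crm.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; fo=1"

if __name__ == "__main__":
    for label, rec, fn in [("SPF weak", WEAK_SPF, check_spf), ("SPF good", GOOD_SPF, check_spf),
                           ("DMARC weak", WEAK_DMARC, check_dmarc), ("DMARC good", GOOD_DMARC, check_dmarc)]:
        print(label, rec)
        for f in fn(rec) or [Finding("ok", "no findings")]:
            print(f"  [{f.severity}] {f.message}")
```

The weak pair is the state most assessments find: an SPF record someone ended with +all "to stop the bounces", and a DMARC record left at p=none after the monitoring phase nobody came back to. Both pass a casual "do we have SPF and DMARC" check and both let an attacker send mail as your domain.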
Layer 5 — Cloud & 365
Microsoft 365 isn't just email. It's also your SharePoint, your OneDrive, your Teams, and increasingly your identity store and your phone system. Each of those has its own configuration that needs hardening.
What "good" looks like:
- Tenant-wide policies that block risky default behaviors — like anonymous file sharing, external auto-forwarding of email, and legacy authentication protocols.
- SharePoint and OneDrive sharing controls scoped appropriately, especially for sensitive sites (HR, finance, executive).
- Continuous monitoring of sign-in activity, mailbox rule creation, and unusual data movement.
- Audit logging enabled with sufficient retention to support investigation if needed.
- Conditional access that ties the cloud layer to the identity layer (Layer 2) — sign-ins from non-compliant devices or risky locations get blocked.
We've written a more detailed post on Microsoft 365 hardening that goes deeper on this layer specifically.
Layer 6 — Backup & Recovery
Sooner or later, something will go wrong. Hardware will fail. Ransomware will get through. A user will delete the wrong folder. Backup and recovery is the layer that turns "catastrophe" into "inconvenience."
What "good" looks like:
- Three copies of important data, on two different types of media, with one copy off-site. The classic 3-2-1 rule, and it still holds up.
- Immutable backups: copies that ransomware cannot encrypt and a compromised admin account cannot delete, because they are write-once for the retention period. This is the protection against attackers who locate and destroy your backups before deploying their encryption. An attacker with domain-admin rights usually has backup-console rights too, so immutability has to be enforced by the storage, not by a permission.
- Tested restores. A backup you have not test-restored is not a backup; it's a hope. Test quarterly at minimum.
- Defined recovery objectives — how long can you afford to be down (Recovery Time Objective), and how much data can you afford to lose (Recovery Point Objective). These numbers drive the architecture.
- Coverage of everything that matters — servers, databases, desktops, Microsoft 365 mailboxes, SharePoint, OneDrive, and configuration data.
Many businesses we assess have backup coverage of their servers but not of their Microsoft 365 environment. That's a serious gap. Microsoft does not back up your 365 data for you in the way you'd expect — their model is service availability, not data retention against accidental deletion or malicious destruction.
Layer 7 — SOC + SIEM (24/7 Monitoring)
Everything above this layer generates signals. Network firewall logs. Endpoint detection alerts. Identity sign-in anomalies. Microsoft 365 audit events. Backup completion status.
By themselves, those signals are noise. Correlated, prioritized, and watched by a human, they become an early-warning system.
What "good" looks like:
- A SIEM (Security Information and Event Management) platform that ingests logs and events from across the environment and applies correlation rules.
- A SOC (Security Operations Center) — actual humans, available around the clock, who review the alerts the SIEM raises, investigate the ones that matter, and escalate to your team when something is real.
- Clear procedures for what gets escalated, when, and to whom.
- Tuning of the noise level — too quiet and real threats hide in the background; too loud and the team stops paying attention.
This layer is the one most businesses cannot operate alone. A SIEM is expensive software. A 24/7 SOC requires staffing for nights, weekends, and holidays. This is where the right managed-service relationship pays for itself many times over.
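The correlation this layer does, and the Layer 5 signals it feeds on (sign-in activity and mailbox-rule creation), as an added example that is not the authors' SIEM content: the script below joins a risky Entra ID sign-in with an Exchange Online New-InboxRule audit event for the same user inside a 60-minute window, the pattern of a business-email-compromise account takeover. The log lines, the simplified field names and the per-user country baseline are all constructed; they are not the exact schema of either source.

```python
"""Correlate risky sign-ins with inbox-rule creation, SIEM-style.

Added example for this post, not the authors' SIEM content. The log is a
constructed, simplified JSON-lines merge of two real sources: Entra ID sign-in
logs and the Exchange Online unified audit log (operation New-InboxRule). Field
names are simplified, not the exact schema of either source, and BASELINE is a
hypothetical per-user list of expected sign-in countries.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # how long after a risky sign-in a new rule still counts as related

# Hypothetical baseline of where each user normally signs in from (constructed).
BASELINE: dict[str, set[str]] = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US", "CA"},
}

# Folders attackers route mail into so the victim never sees replies from the real counterparty.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email"}


@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    kind: str          # "signin" or "inboxrule"
    detail: dict


@dataclass
class Alert:
    user: str
    severity: str      # "high" or "medium"
    reason: str
    evidence: list[Event] = field(default_factory=list)


def parse_log(text: str) -> list[Event]:
    """One JSON object per line; blank lines are skipped; output is time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        when = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(Event(when, rec["user"].lower(), rec["kind"], rec["detail"]))
    return sorted(events, key=lambda e: e.time)


def is_risky_signin(ev: Event) -> bool:
    """Identity-layer signal: provider risk score, or a country outside the user's baseline."""
    if ev.detail.get("result") != "success":
        return False  # failed sign-ins feed other detections, not this one
    if ev.detail.get("risk") in {"medium", "high"}:
        return True
    return ev.detail.get("country") not in BASELINE.get(ev.user, set())


def is_suspicious_rule(ev: Event) -> bool:
    """Cloud-layer signal: a rule that exfiltrates or hides mail, the classic BEC move."""
    p = ev.detail
    if any(p.get(k) for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")):
        return True
    if p.get("DeleteMessage") is True:
        return True
    return str(p.get("MoveToFolder", "")).lower() in HIDING_FOLDERS


def correlate(events: list[Event]) -> list[Alert]:
    """Join the two signals per user inside WINDOW; a suspicious rule alone still rates an alert."""
    by_user: dict[str, list[Event]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    alerts: list[Alert] = []
    for user, evs in by_user.items():
        risky = [e for e in evs if e.kind == "signin" and is_risky_signin(e)]
        for rule in (e for e in evs if e.kind == "inboxrule" and is_suspicious_rule(e)):
            prior = [s for s in risky if timedelta(0) <= rule.time - s.time <= WINDOW]
            if prior:
                alerts.append(Alert(user, "high", "suspicious inbox rule within 60 min of a risky sign-in", prior + [rule]))
            else:
                alerts.append(Alert(user, "medium", "suspicious inbox rule with no matching risky sign-in", [rule]))
    return alerts


def run_detection(log_text: str) -> list[Alert]:
    return correlate(parse_log(log_text))


# Constructed sample log: alice is compromised; bob created a mail-hiding rule with no risky sign-in.
SAMPLE_LOG = """
{"time": "2024-05-02T08:02:11Z", "user": "alice@example.com", "kind": "signin", "detail": {"country": "US", "risk": "none", "result": "success"}}
{"time": "2024-05-02T13:41:05Z", "user": "alice@example.com", "kind": "signin", "detail": {"country": "NG", "risk": "high", "result": "success"}}
{"time": "2024-05-02T13:49:30Z", "user": "alice@example.com", "kind": "inboxrule", "detail": {"Name": ".", "ForwardTo": "ap-desk@example-mail.net", "DeleteMessage": true}}
{"time": "2024-05-02T09:15:00Z", "user": "bob@example.com", "kind": "inboxrule", "detail": {"Name": "cleanup", "MoveToFolder": "RSS Feeds"}}
{"time": "2024-05-02T10:00:00Z", "user": "bob@example.com", "kind": "signin", "detail": {"country": "CA", "risk": "none", "result": "success"}}
{"time": "2024-05-02T10:30:00Z", "user": "bob@example.com", "kind": "inboxrule", "detail": {"Name": "newsletters", "MoveToFolder": "Newsletters"}}
"""

if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOG):
        print(f"[{a.severity}] {a.user}: {a.reason}")
        for e in a.evidence:
            print(f"    {e.time:%Y-%m-%d %H:%M} {e.kind} {e.detail}")
```

Run against the sample you get one high alert for the account whose high-risk foreign sign-in was followed eight minutes later by a forward-and-delete rule, and one medium alert for a mail-hiding rule with no matching sign-in; the ordinary "Newsletters" rule produces nothing. The choices baked in here (60 minutes, which folders count as hiding places, whether a lone risky sign-in is worth waking someone) are exactly the tuning described above: set them too tight and the attacker who waits a day walks through, too loose and the SOC stops reading.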
Layer 8 — People & Policy
The unglamorous layer. The one without a product to buy. And the one that pays the highest dividends.
What "good" looks like:
- Documented policies covering acceptable use, password requirements, incident response, vendor management, and data handling. These are not for the binder; they're for the situations where you need to know what the rule was before the situation happened.
- Ongoing security training, run as a program rather than an annual checkbox. Phishing simulations. Refreshers on data handling. Discussion of recent attacks in the news that affected similar businesses.
- A defined incident-response plan with names attached to roles. Who calls the insurance carrier? Who notifies the board? Who decides about regulatory notifications? These are not 3 AM questions.
- Tabletop exercises — at least annually, walk through a realistic incident scenario as a leadership team. Find out where your plan is thin while there's still time to fix it.
- A clear path for users to report suspicious activity without fear of being blamed. Most ransomware events are caught in the early stages by employees who saw something weird and said something.
Every other layer is technical. This one is cultural. The businesses that handle incidents well have invested in this layer for years before the incident.
Why the layers matter together
No single layer is sufficient. Each one will fail sometimes. The whole point of defense in depth is that the layers cover each other's failures.
A successful attack on a properly-defended environment looks like this: phishing email gets past email defense (Layer 4), user credentials get stolen, attacker tries to log in but is blocked by conditional access (Layer 2), tries again from a different angle and gets a session — but the session is observed by EDR (Layer 3), which raises an alert to the SOC (Layer 7), which contains the affected endpoint within minutes. Meanwhile backups (Layer 6) are immutable so even if the attacker had gotten further, recovery would be available.
That sequence happens because of the layers, not despite them. Take any one away and the chain breaks differently — sometimes catastrophically.
This is the framework we use when we assess a new client environment, when we design protection for a credit union or manufacturer, and when we hold ourselves accountable to a defensible posture. It's not the only framework, but it's the one we've found works in practice.
What to do with this
If you're a leader trying to evaluate where your business sits:
- Walk through the eight layers and ask, honestly, what you have in each one.
- Where you don't know, find out. The questions in this post are good ones to put to your IT team or current MSP.
- Where you have gaps, prioritize closing the layers that protect the data that would hurt you most to lose, in the order an attacker would actually hit them.
- Don't try to do all of this at once. A reasonable plan executed over six months beats a perfect plan that never gets executed.
If you'd like an outside read on where you stand today, that's the work a security assessment does. We do them for free for organizations that fit our model — credit unions, manufacturers, and small or mid-sized businesses in regulated industries. Walk out with a clear picture of where you sit, what to do about it, and a punch list — whether you hire us or not.
Want to see all eight layers visualized? They're rendered as a defense-in-depth wheel on our home page — that's the same framework, just with the labels and the logo at the center.
