Is your business an egg or an onion?


Is your business an egg or an onion? This is the question that you need to ask in order to determine what actions your organisation should take to improve the protection of its information assets. The egg vs. onion analogy relates to how you have protected the information assets within your business from accidental or malicious leakage.

The Egg
If your business is an egg, you have put in place a single hard layer of protection at the perimeter of your organisation to shield your information assets from the hostile outside world. This is a simple, easy-to-manage approach. You probably have a solid, well-managed firewall through which all of your traffic flows, and you may even have content filtering or a DLP solution to stop information leaking out. However, there is a problem. If someone cracks the hard exterior, they may gain full access to your information assets, because nothing inside stands in their way. That someone could be an external attacker, or a disgruntled employee who is already inside your network and never had to get past the shell at all.

The Onion
If your business is an onion, you have put in place multiple layers of security around your information assets. These layers may restrict both physical and logical access to your corporate information, and they will usually be arranged so that the most important assets sit deeper in the onion (i.e. behind more layers of security). A well-managed onion approach gives your business a great degree of flexibility over who can access what information, and may even include controls that determine when specific data can be accessed.

What should I do?
The onion approach certainly looks like the ideal one. The downside is that the additional layers of security bring additional overhead in cost, processes, operational activity and governance. It is important that the number of layers put in place is appropriate for the information being protected. To decide on the appropriate layers of defence, some of the questions you need to ask are:

  • What information do I actually have?
  • Have I classified this information according to its sensitivity?
  • Do I know who needs access to what, and when?
  • How do I manage access to the information in a consistent manner?
  • Do I handle my customers' information, and what do they expect of me?
  • Is there any legislation or regulation that I need to consider (e.g. PCI-DSS)?
  • Do I need to control physical access to areas within my offices?

On the upside, it is quite unlikely that your business is truly an egg. You have probably already put layers of security in place through logical access control (e.g. usernames and passwords) or physical access restrictions (e.g. swipe cards). However, does your current security implementation really protect your information? It may seem like a good idea to implement a whole host of security controls to add more layers, but you also want to run a profitable business, and every additional control comes with a financial and resource cost. Asking the questions above gives you a starting point from which to secure your organisation in a way that considers what you actually want to protect, and from which you can begin identifying the risks you need to address. Once you understand your risks, you can protect your information far more effectively.

If you are taking forward a business case to implement layers of security within your organisation, the more formal name for the onion approach is Defence in Depth.



What could a data breach cost your business?


You are no doubt familiar with many of the recent high-profile data loss incidents reported in the media. These events are becoming so frequent that both consumers and the financial markets appear to be growing desensitised. The recent loss of the personal information of all eBay users resulted in a 4% drop in share price, but the market's knee-jerk reaction was short-lived and the share price quickly recovered. The widely reported loss of payment card details by US retailer Target saw a 3% dip in sales, yet once again sales were back to normal levels within a very short period. The limited lasting reputational damage suggests little or no sustained consumer backlash following either incident.

On the surface, the impact of such events on the business's bottom line looks minimal. Most organisations are reluctant to share information on the real cost beyond what is absolutely necessary, so we rarely get any insight into what a data breach actually cost a business. The Target breach is an exception. Banks and credit unions collectively spent $200m replacing the payment cards of all affected consumers, and that figure does not include the cost of fraudulent transactions made using the compromised card data. In addition, the Target CEO resigned, and a further $61m was spent on post-incident remediation within the organisation.

Not every business has such deep pockets. Many organisations faced with the same situation have gone under, and many more are likely to do so in future unless they begin preparing for such an event. The Target example clearly demonstrates that the financial impact of a data breach spreads well beyond the confines of the breached business and, in this case, imposed significant cost on a number of financial institutions. This is a factor rarely considered when quantifying the risk of a data breach.

Calculating the real cost of a data breach goes beyond the short-term financial and reputational cost and the cost of remediation activity. The long-term effects, such as weaker future financial results or loss of competitive advantage, should also be evaluated. A business that has lost intellectual property may not realise the impact of the breach until a competitor brings a product to market ahead of it a number of years later, taking its market share.

Have you considered what a data breach would cost your business?

  • Who else may be affected beyond the walls of your organisation?
  • How would you quantify the impact?
  • How would you prepare for a breach?
  • Are you under attack right now? How would you detect it, and how would you prevent it?

I will explore the answers to these questions and more in my series of blogs on the subject of data breaches. I would welcome comments and challenges to any of my assertions, to make this a truly interactive and enriching experience.

I will leave you with one last thought.
“In 2013 the median number of days attackers were present on a victim network before they were discovered was 229 days” . . . “only 33% of organisations to which Mandiant responded had discovered the intrusion themselves”

Source: Mandiant M-Trends Threat Report 2014