
Defense in Depth: Building a Multi-Layered Security Strategy

Alok Ojha, August 27, 2025

When it comes to cybersecurity, there’s no silver bullet that guarantees protection. Modern attackers use diverse tactics, from exploiting unpatched systems to deceiving employees with convincing social engineering schemes.

This is why businesses of all sizes need to adopt a variety of cybersecurity protections that work in concert.

Defense in depth is a cybersecurity concept in which multiple security controls are layered across a business to protect against the individual failure of any one control. Stacking multiple security controls across people, processes, and technology provides redundancy, making it harder for cyber criminals to execute successful attacks. 

Just as vehicles use a combination of seatbelts, airbags, rearview cameras, and blindspot monitors to reduce the likelihood and severity of an accident, businesses must implement multiple overlapping layers of security to effectively defend against cyber threats.

Determining which security controls will make the biggest impact can be challenging, especially for small businesses that dedicate less than 10% of their overall budget and fewer than 10 hours a week to cybersecurity. 

Below, we’ll explore the security controls every small business should focus on to begin developing a defense-in-depth strategy, prioritizing the security controls that we believe make the most meaningful and immediate impact.

Essential security controls for a defense-in-depth strategy

Security controls are technology solutions or measures that a business can put in place to help protect its computer systems, networks, and data against cyber attacks. Each security control has its own specific role and contributes to a larger focus area within a defense-in-depth strategy. 

A basic defense-in-depth cybersecurity strategy focuses on 5 key areas:

  1. Reducing security exposure

  2. Embracing zero trust architecture

  3. Educating employees 

  4. Detection and response 

  5. Recovery and resilience

This framework emphasizes the core components of an effective defense-in-depth strategy and can help businesses reduce risk and strengthen their overall security posture.


1. Reducing security exposure

The first step in defense in depth is to minimize the size of your attack surface. Every exposed system, unpatched vulnerability, or unnecessary service is a potential doorway for attackers. Continuously assessing your attack surface is critical. By quickly remediating these gaps, businesses limit the opportunities for attackers to gain a foothold.

Coalition’s Small Business Cybersecurity Study* ("the Study") found that 43% of small business respondents perform regular security audits or risk assessments (Figure 1). Notably, 24% of small businesses said that if they had more resources for cybersecurity, they would invest in security audits and risk assessments (Figure 2).


43% of small businesses say they perform regular security audits or risk assessments.

Equally important is implementing the principle of least privilege. Not every user, device, or application should have broad or unrestricted access to a business’ data. Assigning only the necessary permissions for a role (and regularly reviewing these permissions) limits the damage that could occur if credentials are stolen or misused. Strong access controls don’t just protect sensitive systems; they also reduce the number of pathways attackers can exploit once inside.
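The permission review described above can be made routine rather than ad hoc. The following Python sketch is an added example, not Coalition's code or any identity product's logic: it compares each account's granted permissions against a per-role baseline, flags anything beyond that baseline (with extra weight on high-impact rights), and surfaces dormant accounts that still hold access. The role baselines, the account export format, the high-impact permission list, and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Periodic least-privilege review over exported account grants.

Added illustration, not Coalition code. The role baselines, account export
format, high-impact list, and 90-day dormancy threshold are constructed
assumptions; a real review would pull these from the identity system.
"""

# Minimum permissions each role needs to do its job (constructed baseline).
ROLE_BASELINE = {
    "sales":    {"crm:read", "crm:write", "email:send"},
    "finance":  {"ledger:read", "ledger:write", "payroll:read"},
    "it-admin": {"directory:admin", "backup:restore", "crm:read", "ledger:read"},
}

# Permissions whose misuse is severe enough to rank first in the findings.
HIGH_IMPACT = {"directory:admin", "backup:restore", "ledger:write", "payroll:read"}

# Sample export from an identity system (constructed records).
ACCOUNTS = [
    {"user": "alice", "role": "sales",
     "granted": {"crm:read", "crm:write", "email:send"}, "days_since_login": 2},
    {"user": "bob", "role": "sales",
     "granted": {"crm:read", "crm:write", "email:send", "ledger:write"},
     "days_since_login": 5},
    {"user": "carol", "role": "finance",
     "granted": {"ledger:read", "ledger:write", "payroll:read", "backup:restore"},
     "days_since_login": 120},
    {"user": "svc-legacy", "role": "contractor",
     "granted": {"directory:admin"}, "days_since_login": 400},
]


def review_accounts(accounts, baseline=ROLE_BASELINE, dormant_after=90):
    """Return findings as (user, issue, detail) tuples, most severe first.

    Three checks: permissions beyond the role baseline (excess, split by
    impact), accounts with no sign-in for `dormant_after` days (dormant), and
    roles with no defined baseline, which cannot be justified at all.
    """
    findings = []
    for acct in accounts:
        needed = baseline.get(acct["role"])
        if needed is None:
            findings.append((acct["user"], "unknown-role", acct["role"]))
            excess = set(acct["granted"])  # nothing is justified without a baseline
        else:
            excess = set(acct["granted"]) - needed
        for perm in sorted(excess):
            severity = "excess-high-impact" if perm in HIGH_IMPACT else "excess"
            findings.append((acct["user"], severity, perm))
        if acct["days_since_login"] > dormant_after:
            findings.append((acct["user"], "dormant",
                             f"{acct['days_since_login']} days since login"))
    order = {"excess-high-impact": 0, "unknown-role": 1, "dormant": 2, "excess": 3}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


def users_to_revoke(findings):
    """Users holding at least one permission outside their role baseline."""
    return sorted({user for user, issue, _ in findings if issue.startswith("excess")})


if __name__ == "__main__":
    for user, issue, detail in review_accounts(ACCOUNTS):
        print(f"{user:12} {issue:20} {detail}")
```

Running the review on the sample export lists bob's stray ledger write, carol's backup-restore right and dormant account, and the contractor service account whose role has no baseline; alice, whose grants match her role exactly, produces no finding. Running this on a schedule turns "regularly reviewing these permissions" into a repeatable, auditable step.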

2. Embracing zero trust architecture

Zero-trust architecture takes the principle of least privilege a step further. Instead of assuming users or devices inside the corporate network are trustworthy, a zero-trust approach treats every access request as potentially hostile. Multi-factor authentication (MFA) is the foundation of this approach.

A security control that can block over 99.9% of account compromise attacks, MFA adds an extra step to the login process by requiring at least two forms of verification: something you know (a password or PIN), something you have (a smartphone), or something you are (a fingerprint). Requiring MFA for all remote logins and sensitive resources ensures that stolen credentials alone are not enough for attackers to gain entry.

Conditional access policies add another dimension to zero trust by applying contextual intelligence. Access can be granted or denied based on factors like device health, geolocation, or the risk level of a session. This dynamic enforcement means that even legitimate users are only granted access when conditions are safe.
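To make the combination of MFA and conditional access concrete, here is an added Python example (not Coalition's code or any identity provider's policy engine) that treats every request as untrusted and decides between allow, step-up (MFA required) and deny from the factors named above: device health, geolocation, session risk, and whether the login is remote or targets a sensitive resource. The request fields, the allowed-country list, the sensitive-resource list and the two risk thresholds are constructed assumptions.

```python
"""Zero-trust access decision: MFA plus conditional-access checks.

Added illustration, not Coalition code. The request attributes, allowed
countries, sensitive resources and risk thresholds are constructed
assumptions; a real deployment takes them from the identity provider and a
session-risk engine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    remote: bool            # request originates outside the office network
    mfa_verified: bool      # second factor already completed in this session
    device_compliant: bool  # endpoint passes the device-health check
    country: str            # geolocation of the source address
    session_risk: float     # 0.0 (clean) to 1.0 (hostile), from a risk engine


@dataclass(frozen=True)
class Policy:
    sensitive_resources: frozenset
    allowed_countries: frozenset
    deny_risk: float = 0.7     # at or above this, deny outright
    step_up_risk: float = 0.3  # at or above this, require MFA even on-site


def evaluate(req: AccessRequest, policy: Policy):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'.

    Hard failures (unhealthy device, unexpected location, hostile session)
    deny regardless of credentials. Otherwise MFA is required for remote
    logins, sensitive resources, and elevated session risk.
    """
    reasons = []
    if not req.device_compliant:
        reasons.append("device fails health check")
    if req.country not in policy.allowed_countries:
        reasons.append(f"unexpected location: {req.country}")
    if req.session_risk >= policy.deny_risk:
        reasons.append(f"session risk {req.session_risk:.2f} >= {policy.deny_risk}")
    if reasons:
        return "deny", reasons

    needs_mfa = []
    if req.remote:
        needs_mfa.append("remote login")
    if req.resource in policy.sensitive_resources:
        needs_mfa.append(f"sensitive resource {req.resource}")
    if req.session_risk >= policy.step_up_risk:
        needs_mfa.append(f"elevated session risk {req.session_risk:.2f}")
    if needs_mfa and not req.mfa_verified:
        return "step_up", ["MFA required: " + ", ".join(needs_mfa)]
    return "allow", []


POLICY = Policy(
    sensitive_resources=frozenset({"payroll", "backup-console"}),
    allowed_countries=frozenset({"US", "CA"}),
)

# Constructed sample requests covering each outcome.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "wiki", remote=False, mfa_verified=False,
                  device_compliant=True, country="US", session_risk=0.05),
    AccessRequest("bob", "payroll", remote=True, mfa_verified=False,
                  device_compliant=True, country="US", session_risk=0.10),
    AccessRequest("bob", "payroll", remote=True, mfa_verified=True,
                  device_compliant=True, country="US", session_risk=0.10),
    AccessRequest("carol", "wiki", remote=True, mfa_verified=True,
                  device_compliant=False, country="US", session_risk=0.20),
    AccessRequest("dave", "wiki", remote=True, mfa_verified=True,
                  device_compliant=True, country="ZZ", session_risk=0.90),
]


def decide_all(requests, policy=POLICY):
    """Evaluate each request; returns a list of (user, resource, decision)."""
    return [(r.user, r.resource, evaluate(r, policy)[0]) for r in requests]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, why = evaluate(req, POLICY)
        print(f"{req.user:6} {req.resource:15} {decision:8} {'; '.join(why)}")
```

Note the ordering: contextual denials are checked before the MFA question, so a valid password and a valid second factor on a non-compliant device (carol) or from an unexpected location with a hostile risk score (dave) still get no access, which is the point of treating every request as potentially hostile rather than trusting the credential.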

Network segmentation and micro-segmentation provide additional safeguards by isolating critical systems. The Study found that 51% of small businesses currently use some form of security technology or software, including those related to network segmentation (Figure 1). By breaking up the network into secure zones, businesses make it much harder for attackers to move laterally and escalate privileges.


3. Educating employees

Most cyber incidents start with human error. In fact, 76% of cyber insurance claims in 2024 originated as phishing attempts, which makes security awareness training for employees a vital part of your defense-in-depth strategy.

Fewer than half (45%) of small businesses report having some form of employee training program in place (Figure 1). Implementing regular security awareness training can help a small business’ team (no matter how small!) improve its cyber hygiene, as well as recognize and avoid scams.

Regular training should cover common attack methods, like phishing, “smishing” (SMS-based phishing), and social engineering tactics. These programs need to evolve alongside emerging scams so that employees are prepared for new threats, not just last year’s, that might otherwise catch them off guard.


23% of small businesses said they would add security awareness training programs if they had more resources for cybersecurity.

Education must also be reinforced through practice. Simulated phishing campaigns test whether employees can apply what they’ve learned in real-world scenarios. When paired with a strong “report, don’t ignore” culture, testing helps employees recognize suspicious activity and escalate it quickly, reducing the likelihood that a single click will lead to a full-blown security incident.

4. Detection & response

Even the most well-protected networks will face attempted intrusions. That’s why defense in depth includes rapid detection and response. Whether through managed detection and response (MDR) services or in-house security tools, around-the-clock monitoring ensures that threats are identified in real time and handled quickly.

Having cyber experts analyze and investigate suspicious behaviors helps distinguish false positives from real dangers, preventing attacks from slipping through unnoticed. The Study found that 50% of small businesses already employ 24/7 monitoring by a cybersecurity expert or service (Figure 1).

Speed is critical once a breach is detected. Automated response tools can contain incidents quickly by shutting down malicious processes, isolating compromised devices, and blocking suspicious accounts before attackers gain deeper access. This reduces dwell time (the period attackers spend inside a network undetected) and limits the damage they can inflict. By combining human expertise with automation, businesses achieve both precision and scale in their defenses.
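The detection and automated-response loop described in this section, as an added Python example (not Coalition's code or the logic of any MDR product): it parses a few constructed authentication log lines, flags a login that succeeds only after a burst of failures from the same source (the sign of a stolen or guessed credential finally working), issues the containment actions a playbook would take, and measures dwell time from the first suspicious event to containment. The log format, the five-failures-in-five-minutes rule and the action list are assumptions.

```python
"""Detect a suspicious login in authentication logs and contain it quickly.

Added illustration, not Coalition code or any MDR product's logic. The log
format, the five-failures-in-five-minutes rule, and the containment actions
are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, source address, outcome.
AUTH_LOG = """\
2025-08-20T09:00:01Z alice 203.0.113.5 FAIL
2025-08-20T09:00:03Z alice 203.0.113.5 FAIL
2025-08-20T09:00:05Z alice 203.0.113.5 FAIL
2025-08-20T09:00:07Z alice 203.0.113.5 FAIL
2025-08-20T09:00:09Z alice 203.0.113.5 FAIL
2025-08-20T09:00:12Z alice 203.0.113.5 SUCCESS
2025-08-20T09:30:00Z bob 198.51.100.7 FAIL
2025-08-20T09:31:00Z bob 198.51.100.7 SUCCESS
"""


def parse_log(text):
    """Turn raw lines into (timestamp, user, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events


def detect_suspicious_logins(events, fail_threshold=5, window=timedelta(minutes=5)):
    """Flag a SUCCESS preceded by at least `fail_threshold` FAILs from the
    same user/IP pair inside `window`. One ordinary typo (bob) stays quiet;
    a burst of failures that ends in success (alice) raises an alert."""
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ts, user, ip, outcome in events:
        key = (user, ip)
        if outcome == "FAIL":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= fail_threshold:
            alerts.append({"user": user, "ip": ip,
                           "first_seen": recent[0], "success_at": ts})
        failures[key].clear()  # a success resets the counter either way
    return alerts


def contain(alert, contained_at):
    """Automated response for one alert: the actions a playbook would issue,
    plus dwell time measured from the first suspicious event to containment."""
    actions = [
        f"disable account {alert['user']}",
        f"revoke active sessions for {alert['user']}",
        f"block source address {alert['ip']} at the perimeter",
    ]
    dwell = contained_at - alert["first_seen"]
    return {"actions": actions, "dwell_seconds": int(dwell.total_seconds())}


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_log(AUTH_LOG)):
        # Assume the playbook fires two minutes after the suspicious success.
        result = contain(alert, alert["success_at"] + timedelta(minutes=2))
        print(alert["user"], alert["ip"], result)
```

The dwell-time figure is what automation is meant to shrink: in the sample, containment two minutes after the successful login gives a dwell time of just over two minutes, whereas an analyst triaging the same alert the next morning would leave the account open for hours. The rule is deliberately narrow; a real MDR service layers many such detections and has a human review the ones that automation cannot safely act on alone.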

5. Recovery & resilience

Preparation also means maintaining and testing an incident response plan. A well-documented plan outlines roles, responsibilities, and step-by-step procedures for containing, investigating, and recovering from a cyber attack. The Study found that the smallest proportion of small businesses (39%) already have an incident response plan (Figure 1), and only 25% would create one if they had more resources (Figure 2).

Regular tabletop exercises and updates ensure the plan remains relevant and effective. By pairing cyber insurance with a strong incident response strategy, businesses can reduce downtime and accelerate recovery, even under pressure.

39% of small businesses say they have a comprehensive incident response plan in place.

Despite layered defenses, no system is 100% secure. Businesses must prepare for the possibility of a breach by ensuring financial and operational resilience. Cyber insurance plays a key role here, and can provide coverage for expenses tied to data breaches, ransomware demands, and business interruptions.

Having up-to-date coverage provides a critical safety net, allowing businesses to recover without catastrophic financial loss. According to the Study, 48% of respondents would add or increase cyber insurance coverage (Figure 2).

From cyber risk awareness to action

Businesses can’t eliminate their cyber risk entirely, and as the landscape continues to evolve this only becomes more true. No single security solution can prevent all incidents, and even the most sophisticated defenses can’t prevent every attack.

Small businesses must prioritize defense in depth, investing in foundational security practices and technologies to significantly reduce their cyber risk. We believe these security practices and procedures can make such a meaningful impact on reducing risk that we offer a range of technology solutions and services, including cyber risk assessments through Coalition Control®, Coalition Security Awareness Training, Coalition Managed Detection & Response, and Coalition Incident Response.

Our approach is based on a simple yet powerful premise: proactive security measures significantly reduce both the frequency and severity of attacks. Coalition aims to drive action to reduce policyholder risk before incidents occur.


*Coalition’s Small Business Cybersecurity Study results were generated by an online survey commissioned by Coalition, Inc., and conducted by Wakefield Research, involving decision-makers responsible for cybersecurity investments at 1,000 small businesses (with annual revenues of less than $100 million) across the United States, Australia, Canada, Germany, and the United Kingdom.
