Defense-in-Depth Cybersecurity on the Basketball Court
Post-season college basketball is in full swing, and as a sponsor of UConn Athletics, it’s something we get very excited about. Of course, we also get pretty revved up about layered cybersecurity pretty much any day of the week. Watching so much hoops this time of year, we’ve noticed that the principles of a good cybersecurity defense are reflected on the basketball court.
It’s a proven fact that, when it comes to basketball, defense wins championships. However, aside from the occasional epic block, defense rarely makes the highlight reel and defensive specialists don’t typically rise to superstar status. Rock solid defense is crucial for a basketball team, but it isn’t flashy. Similarly, any business of any size needs robust cybersecurity to stay competitive, though it’s not something that’s going to win them any industry awards or boost their profile.
In both cases, the incentive to pay attention to defense is rooted in long-term thinking—this is the thankless task we have to do to win. The results of doing it successfully are subtle and measured in the absence of an outcome: the other team doesn’t score, you don’t get hacked. Though the results of unsuccessful execution can be spectacularly bad: you lose by 88 points or get put out of business by a costly cyber attack.
With this in mind, we invite you to go on a sports metaphor journey with us to see what basketball can show us about cybersecurity.
Since any one component or measure can be circumvented or fail, the cornerstone of a good cybersecurity strategy is multiple layers of defense. Perhaps the best analogy on the basketball court would be a zone defense. If one defender is beaten, her teammates come to her aid and collapse on the player with the ball. Each has different strengths—size, agility, hops. There’s a defender on the three-point line and another in the paint. Similarly, if a phishing attack gets through one member of your company and an employee clicks on a malicious link, other layers of defense such as DNS protection can still prevent the cyber attack by blocking the URL.
The fast break is one of the best strategies to beat a zone defense because it isolates outnumbered defenders. In a two-on-one fast break, the defender has to choose between defending the shot or the pass. In the same fashion, hackers will not limit themselves to one attack vector. Your system is patched and you have strong anti-virus? Great—you’re protected against certain kinds of attacks, but if this is your entire defense, you’re still vulnerable. Just as a single defender usually can’t stop a fast break, a single cybersecurity measure isn’t enough to stop hackers.
In fact, in order for both a zone defense and a defense-in-depth cybersecurity strategy to work, you need all elements in place. Zone defenses have set formations, and if one player is out of alignment or distracted, it leaves an opening for the offense to score. In cybersecurity, having more than one layer of defense is a must, but having comprehensive protection in which every different type of vulnerability is addressed in some way is the single best way to prevent cyber attacks. Just as the defenders on a basketball team keep their eye on the ball, defense-in-depth takes upkeep. Having the right measures in place doesn’t accomplish much if they are allowed to go offline or get out of date.
Mind the No-Look Pass
The no-look pass—where a player casts her gaze in one direction while throwing the ball to a teammate in the other—looks so smooth when executed well. “She doesn’t even need to see her teammates to pass to them! They’re so connected! So in tune!”
An office environment can develop a rhythm not unlike a basketball team with employees processing and sending documents and files to one another rapidly to keep the workflow going. It’s great for productivity, but like the no-look pass—which often ends up in some vacant corner of the court or directly in an opponent’s hands—when workers lose track of cybersecurity fundamentals while communicating and sharing information, disastrous results can ensue.
Particularly during tax season when valuable information is flowing as companies and individuals prepare to file, it’s important to take that extra moment to be sure you’re sending sensitive information to the right person. Hackers are known to set up spoof email accounts that look similar to those of colleagues or vendors, or even to hack the email accounts of executives and request information from subordinates. While a no-look pass may give the impression of being an efficient worker, it’s best not to risk it. Take that extra moment to call someone who sent you an email asking for information to double check that it’s legitimate.
Easy Bucket? Try it Again!
If your basketball team gives up a layup or an open three-pointer, you can be sure your opponent will try the same play again. It’s amazing how often it works a second or third time before the defense gets the hang of it.
Hackers follow the same logic. For instance, if they successfully launch a ransomware attack against a company, they will almost certainly be back to see if the company is so reckless as to pay the ransom and leave the vulnerability in place.
Like the best defenders on the court, the latest cybersecurity technology adapts. Cisco Umbrella, for example, is constantly gathering data to stay ahead of hackers.
Of course, the most important part of your cyber defense is your people, and they may not adjust as fast as artificial intelligence. When a coach sees a weakness in the defense that’s not being addressed, what does he do? He calls a timeout, preferably before the other team goes on a 15-0 run. This is precisely why we believe that regular cybersecurity training must be a part of any comprehensive defense. It doesn’t take long—a coach can issue some reminders and draw up a play in a 30-second timeout. Your team can get a much-needed cybersecurity refresher in a short, online module.
Necessary for Excellence
Obviously, defense alone can’t win a single game. The UConn women put up some pretty astounding point differentials, but they have yet to win a game in which they did not score. Strong cybersecurity won’t get you to the top, but without it, any company—whether you’re a “top seed” in your industry or a Cinderella upstart—can be taken down at any time.
However, unlike in basketball in which players must play both offense and defense, your company can outsource your cybersecurity partially, or even entirely if you choose. That’s why we developed Defend Forward. It’s like the Geno Auriemma of Cybersecurity-as-a-Service - nothing is unbeatable, but it’s about as close as you can get. Leave the defense to us so you can focus on offense for your business.