In the Middle Ages, castles were the regional centres of commerce and imposing manifestations of power across Europe, offering protection and security to royalty, landowners, merchants and local employees.
These symbolic structures often lasted for many hundreds of years and through several generations, for a very good reason: their defences were effective against different forms of attack.
The castle architects of the time had an excellent understanding of what constituted effective security and how it should be applied to repel threats. While the role of the castle as the hub of business and commerce has been taken over by enterprise networks and applications, the security challenge is much the same now as it ever was.
It's about protecting critical resources and processes against ever-changing, complex, sometimes stealthy, threats, both human and technological. I believe that many of the security techniques that applied back then are still relevant to businesses now. Let's take a closer look at what the CSOs of 800 years ago – the castle designers – could teach us about corporate security today.
The primary lesson is that castles were built with security as their main purpose. It wasn't an add-on, but a core element of the design with all other aspects (such as living quarters, areas of commerce and so on) subservient to it. This approach isn't too surprising, given that survival was a key reason for building the castle in the first place, but it's a maxim that companies today would do well to observe.
All too often, business network usage evolves with user convenience as the main driver and security is added as an afterthought. Witness the rapid adoption and explosive growth in consumerisation and use of Web 2.0 apps, and the security headaches these are causing.
It's all too easy for organisations to introduce new technology without adequate consideration of the risks and security implications. So existing IT infrastructures need to be re-evaluated from a security standpoint.
How could networks be attacked, and what would the impact be if an attack was successful? What is the impact and potential risk of introducing a new technology? Thinking about security needs and placing them in a business context gives a clearer insight into exactly which network and data resources need protecting, and why. This in turn helps companies to develop simple, coherent security policies that serve their needs.
By the 13th century, castle design included several layers of security, starting with a moat and drawbridge, then heavily fortified outer walls with look-out points and defensive positions.
Gatehouses featured multiple doorways, often with secure holding areas so a visitor's credentials could be checked before granting access to the castle interior. Even then, certain areas would be segregated, giving access only to authorised people.
It's much the same today. Organisations need multiple layers of protection: gateways to protect access points; intrusion protection systems to identify attempts to infiltrate the network; endpoint security to protect individual PCs; data-leak prevention to stop inadvertent losses and breaches; and application control to mitigate the risks associated with inappropriate usage.
Furthermore, all elements of the organisation's security architecture need to work in harmony. This can be achieved partly through revising and simplifying policies, as well as central management.
The key point is that attackers will seek to exploit any vulnerability they can find, encouraging today's businesses to enforce multiple layers of security to mitigate the risk of a successful attack.
User awareness and education
The harsh conditions of the Middle Ages meant that people were less trusting of others, and far more aware of the need to actively protect what was valuable to them because of the obvious external threats. While no one would advocate a return to those perilous times, it is clear that businesses do need staff to be more security-conscious, and aware of the possible consequences of their actions.
A majority of breaches involve social engineering: 48 per cent of enterprises we surveyed in 2011 had experienced 25 or more such attacks. Whether the user's actions were intentional or not, the results can be damaging. All too often, the issue is that staff are not aware of the risks: most will not have read their company's security policy, even if one is available to them.
So companies need to train employees on security issues such as the emailing of sensitive information, copying data to removable media such as USB sticks, or use of Web 2.0 apps. Interactive training and enforcement can be embedded in people's workflow, with clear real-time alerts explaining why users' actions may breach policies, together with mitigation support.
This helps users to understand clearly the types of data they can access, via which medium. Regular engagement with users will help raise their security awareness and create a more vigilant workforce.
Even with the imposing defences offered by their castles, those in charge of security understood the need to continually monitor and manage those defences with lookouts, armed guards and regular reports on security status through a defined chain of command.
Modern-day IT security management is no different. The starting point should be for security staff to have a single, unified view of the organisation's network, with prioritised alerts from all security devices, from gateways, VPNs, IPS, endpoints, anti-malware and more. By prioritising the alerts, security teams can assess potential attack vectors and identify new vulnerabilities, so these can be addressed before they can be exploited – enabling active risk mitigation.
Centralised management also extends to managing employees' use of networks – understanding the devices and applications they are using and applying best security practice accordingly.
In conclusion, castles were three-dimensional manifestations of power and security, intended to protect key assets from contemporary threats. Similarly, businesses today need to apply a 3D security approach, involving policies, layered protection and people to create an organisation-wide fortress that protects their networks and data against current and new threats.
Terry Greer-King is UK managing director of Check Point