How 'Defense in Depth' Gets Data Protection Right

Meeting the challenges of data protection requirements in today's increasingly connected, complex business environment demands alertness at all times. Here's how one energy company, Engie Insight, is meeting those challenges.

Susan Fourtané, Science & Technology journalist, writer, and philosopher

March 9, 2018

4 Min Read

When it comes to preventing cyber attacks, no one technology can prevent a determined attacker from breaking into an enterprise network. However, a combination of preventative tools, best practices and employee training has helped one energy company bolster its security defenses over the past several years.

Engie Insight, which is based in Spokane, Wash., helps large businesses and Fortune 500 companies manage their energy use. The company recently rebranded its name from Ecova to better aligned with its French parent company.

However, beyond energy use and name changes, Engie has worked to meet the challenges that come with modern security practices, namely data protection and improved alertness. The company recently achieved Service Organization Control (SOC)2 Type 1 for data security and availability trust principles in its utility business efficiency platform, which shows a significant commitment to data security.

(Source: Pexels)

(Source: Pexels)

To learn about how enterprises can improve their own data protection and make better use of employee security training, Security Now spoke with Paul Carugati, Engie's director of information security.

In the company's experience, the most comprehensive way to defend against modern cyber attacks is to layer multiple preventative and detective controls to ensure maximum protection and response capabilities at all times, according to Carugati.

"This is known as 'Defense in Depth' and is a best practice for enterprise information security programs," Carugati said.

One of the most intriguing aspects of data protection for an organization after having been a victim of a cyber attack is to know how other companies protect and secure their data.

In order to ensure its client and sensitive data remain unsullied the information security program is aligned with industry standards such as the NIST Critical Infrastructure Protection and ISO 27001-2013 framework, which focus on a combination of people, process, technology and risk management controls to minimize incident and response, containment and recovery.

Society thinks of health prevention as a wise step, something that keeps us away from being victims of illness and virus attacks and, for Carugati, it's no different in the enterprise. "The more prevention the less risk [there is] to let unattended vulnerabilities damage and steal our data," he said.

For Carugati, technology such as next-generation firewalls, intrusion prevention, data leakage detection and anti-virus are all valuable, foundational security controls for prevention, or early detection.

The fundamentals of network security are being redefined – don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

"But true prevention lies with the understanding of critical information assets and the knowledge of associated enterprise risks which drive right-sized controls around the data that is most crucial to the organization," Carugati said. "A purpose-fit information security program must be well-rounded and driven by the data of concern."

Together with prevention and the understanding of critical risks the enterprise might be exposed to, is security education. And humans, if not educated in how to prevent security threats, represent the most serious internal risk a company can have.

"Above all else," Carugati added, "people are the most critical component to any information security program. People are the new threat landscape and as such, are the primary targets in modern cyber attacks. Users are the attack vector, but also the first line of defense."

Proper security education, coupled with frequent assessment and testing, is an organization's greatest preventative control to thwart an impending cyberattack.

"Enterprises should never underestimate the power of their people to report the early warnings signs that could lead to a major data breach," Carugati said.

Related posts:

Susan Fourtané is a science and technology journalist and content writer, whose work has appeared in global publications and, the European Research and Innovation Media Centre. She is based in Europe. Follow her on Twitter @SusanFourtane.

Read more about:

Security Now

About the Author(s)

Susan Fourtané

Science & Technology journalist, writer, and philosopher

Susan Fourtané is a Science & Technology journalist, writer, and philosopher with a life-long interest in science and technology -- and all things interesting.

She has been a technology journalist for nearly 10 years writing and reporting for global print and online publications such as Helsinki Times, UBM DeusM's Internet Evolution (probably the best site dedicated to the analysis of the future of the Internet that has ever existed), Big Data Republic, TheCMOSite, Enterprise Efficiency, HPIO_UK, Global Blue Marketing, SixDegrees Magazine, and World.Edu.

Currently, she writes for UBM Tech Electronics Division's EETimes and EBN; also for Light Reading and The New IP. And most recently UBM's Future Cities. Prior to journalism and writing, she worked extensively in the international B2B environment in several countries on two continents specializing in international business communication. 

Susan has been the media advisor for tech startups, European correspondent and media advisory board member for Crypto Biz Magazine. Susan considers herself a citizen of the world who currently tries to split her time between Helsinki, London, and the French Riviera.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights