Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //


End of Bibblio RCM includes -->
08:05 AM
Susan Fourtané
Susan Fourtané
News Analysis-Security Now
Connect Directly
E-Mail vvv

How 'Defense in Depth' Gets Data Protection Right

Meeting the challenges of data protection requirements in today's increasingly connected, complex business environment demands alertness at all times. Here's how one energy company, Engie Insight, is meeting those challenges.

When it comes to preventing cyber attacks, no one technology can prevent a determined attacker from breaking into an enterprise network. However, a combination of preventative tools, best practices and employee training has helped one energy company bolster its security defenses over the past several years.

Engie Insight, which is based in Spokane, Wash., helps large businesses and Fortune 500 companies manage their energy use. The company recently rebranded its name from Ecova to better aligned with its French parent company.

However, beyond energy use and name changes, Engie has worked to meet the challenges that come with modern security practices, namely data protection and improved alertness. The company recently achieved Service Organization Control (SOC)2 Type 1 for data security and availability trust principles in its utility business efficiency platform, which shows a significant commitment to data security.

(Source: Pexels)
(Source: Pexels)

To learn about how enterprises can improve their own data protection and make better use of employee security training, Security Now spoke with Paul Carugati, Engie's director of information security.

In the company's experience, the most comprehensive way to defend against modern cyber attacks is to layer multiple preventative and detective controls to ensure maximum protection and response capabilities at all times, according to Carugati.

"This is known as 'Defense in Depth' and is a best practice for enterprise information security programs," Carugati said.

One of the most intriguing aspects of data protection for an organization after having been a victim of a cyber attack is to know how other companies protect and secure their data.

In order to ensure its client and sensitive data remain unsullied the information security program is aligned with industry standards such as the NIST Critical Infrastructure Protection and ISO 27001-2013 framework, which focus on a combination of people, process, technology and risk management controls to minimize incident and response, containment and recovery.

Society thinks of health prevention as a wise step, something that keeps us away from being victims of illness and virus attacks and, for Carugati, it's no different in the enterprise. "The more prevention the less risk [there is] to let unattended vulnerabilities damage and steal our data," he said.

For Carugati, technology such as next-generation firewalls, intrusion prevention, data leakage detection and anti-virus are all valuable, foundational security controls for prevention, or early detection.

The fundamentals of network security are being redefined – don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

"But true prevention lies with the understanding of critical information assets and the knowledge of associated enterprise risks which drive right-sized controls around the data that is most crucial to the organization," Carugati said. "A purpose-fit information security program must be well-rounded and driven by the data of concern."

Together with prevention and the understanding of critical risks the enterprise might be exposed to, is security education. And humans, if not educated in how to prevent security threats, represent the most serious internal risk a company can have.

"Above all else," Carugati added, "people are the most critical component to any information security program. People are the new threat landscape and as such, are the primary targets in modern cyber attacks. Users are the attack vector, but also the first line of defense."

Proper security education, coupled with frequent assessment and testing, is an organization's greatest preventative control to thwart an impending cyberattack.

"Enterprises should never underestimate the power of their people to report the early warnings signs that could lead to a major data breach," Carugati said.

Related posts:

Susan Fourtané is a science and technology journalist and content writer, whose work has appeared in global publications and Youris.com, the European Research and Innovation Media Centre. She is based in Europe. Follow her on Twitter @SusanFourtane.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Incorporating a Prevention Mindset into Threat Detection and Response
Threat detection and response systems, by definition, are reactive because they have to wait for damage to be done before finding the attack. With a prevention-mindset, security teams can proactively anticipate the attacker's next move, rather than reacting to specific threats or trying to detect the latest techniques in real-time. The report covers areas enterprises should focus on: What positive response looks like. Improving security hygiene. Combining preventive actions with red team efforts.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-05-27
The package protobufjs before 6.11.3 are vulnerable to Prototype Pollution which can allow an attacker to add/modify properties of the Object.prototype. This vulnerability can occur in multiple ways: 1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption ...
PUBLISHED: 2022-05-27
The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device enrollment.
PUBLISHED: 2022-05-27
The Master operator may be able to embed script tag in HTML with alert pop-up display cookie.
PUBLISHED: 2022-05-27
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
PUBLISHED: 2022-05-27
Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. These vulnerabilities are due to insufficient va...