Industry Perspectives

Insight and analysis on the information technology space from industry thought leaders.

Beyond the Moat: Why There Is Safety in Layers

From medieval castles to modern networks, history proves that robust defense requires multiple barriers.

By Cam Roberson, Beachhead Solutions

From the castle builders of yore to the cybersecurity experts of today, one lesson never gets old: There's no such thing as the perfect one-layer defense. You can install the deepest moat, or the thickest wall, or the most robust endpoint security protections, but if that's your only protection, it will not hold. Throughout history, those tasked with security have either accepted this fact or learned it again the hard way.

While there's no such thing as a perfect single-layer defense (and arguably no "perfect" defense in general), defenders are much more successful implementing strategies that stack up multiple layers of defenses. Wise medieval architects, to stick with my theme, made the moat just the first of many obstacles designed to stop attackers, placing a deliberate series of external and internal walls and gates in their path. Cybersecurity teams should follow that example by securing systems and data with measures that bar attackers at each step they might take toward achieving a breach. The more layers to get through, the more likely they are to move on to someone else's proverbial castle.

Allow me to share a recent cautionary tale from a colleague in the cybersecurity industry, one that highlights the danger of relying too heavily on perimeter defenses. A business in the oil and gas sector believed that if they could stop attackers at the edge, they could prevent any security issues entirely. That logic makes sense on paper, but it breaks down in practice. You have to assume that attackers will always find the cracks.

In this case, the business had just about every device and attack surface as locked down as you can get ... with the exception of a single postal meter. That one overlooked endpoint wasn't missed by attackers, who snuck in through that gap and then collected all the data they wanted with extraordinary ease. In the aftermath of that disaster, my colleague (part of an MSP) was brought in to stand up additional layered security protections that could have prevented the negative incident and saved the business a heck of a lot of trouble.

Interior Defense: Layered Encryption and Access Controls

Data encryption is crucial to ensuring that even when attackers do manage to reach sensitive data, they can't grasp it. Introducing layered encryption multiplies that protection by rendering data unreadable at both the network and the device level.

With single-layer system-level encryption (BitLocker, for example), network-borne attacks that manage to evade a business's network firewall and remotely log into a PC will see all data in its decrypted form. However, including additional device-level encryption will make it so that a network breach is not synonymous with a data breach.

At the same time, segmenting data access and practicing the principle of least-privilege access is crucial to a layered security strategy. If an attacker who compromises a single set of login credentials is allowed to have the run of an organization's data and systems, that business is in for a bad day. In contrast, if each employee's access is limited to only the data they require, the scope of any breach is greatly compartmentalized, and risks are kept to a minimum.
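The effect of least privilege on breach scope can be measured with a simple access review. The following is an added example, not part of the original article; every account, group and data set name and every record count in it is constructed for illustration.

```python
"""Access review: how much data does one stolen credential expose?"""

# Constructed sample data; every account, group and data set name is hypothetical.
GROUP_ACCESS = {
    "all-staff": {"hr", "finance", "engineering", "sales"},  # flat, over-broad
    "hr-team": {"hr"},
    "accounts": {"finance", "sales"},
    "dev": {"engineering"},
}
MEMBERSHIP = {
    "alice": {"all-staff", "hr-team"},
    "bob": {"all-staff", "accounts"},
    "carol": {"dev"},
}
REQUIRED = {"alice": {"hr"}, "bob": {"finance", "sales"}, "carol": {"engineering"}}
RECORDS = {"hr": 1200, "finance": 5400, "engineering": 800, "sales": 2600}


def effective_access(account, membership=MEMBERSHIP):
    """Union of every data set reachable through the account's groups."""
    access = set()
    for group in membership.get(account, ()):
        access |= GROUP_ACCESS.get(group, set())
    return access


def blast_radius(account, membership=MEMBERSHIP):
    """Records readable by whoever holds this account's credentials."""
    return sum(RECORDS[d] for d in effective_access(account, membership))


def excess_access(account, membership=MEMBERSHIP):
    """Data sets the account can read but its role does not require."""
    return sorted(effective_access(account, membership) - REQUIRED.get(account, set()))


def groups_to_drop(account, membership=MEMBERSHIP):
    """Over-broad groups that can be removed without losing required access."""
    need, droppable = REQUIRED.get(account, set()), []
    for group in sorted(membership.get(account, ())):
        rest = {account: membership[account] - {group}}
        still_covered = need <= effective_access(account, rest)
        if still_covered and GROUP_ACCESS.get(group, set()) - need:
            droppable.append(group)
    return droppable


if __name__ == "__main__":
    for acct in sorted(MEMBERSHIP):
        print(acct, blast_radius(acct), excess_access(acct), groups_to_drop(acct))
```

With the sample data, removing the over-broad group from the first account cuts its exposure from every record to only the HR records its role needs.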

Ransomware Without Leverage

Ransomware attackers have two nefarious methods for profiting from the data they manage to compromise. The traditional method (that gave ransomware its name) is to encrypt an organization's data and disallow access until that business pays their ransom. To thwart this method, organizations need another layer of data protection in the form of secure data backups, meaning that a business can simply restore its systems and ignore the ransom request.

However, attackers also have a backup plan, Ransomware 2.0: Their second method is to hold data hostage by threatening to sell it to buyers on the dark web, or simply release it if a ransom isn't paid. Fortunately, layered encryption defeats this method. Ransomware attackers might think of themselves as masters of encryption, but they can't read data to expose it if an organization has its own device-level encryption in place.

Defense That Holds

Cyberattacks come in myriad flavors, and no one layer of security protections can hope to defeat them all. By adopting a layered security strategy that places protections throughout an organization's proverbial castle (while limiting attack surfaces and risks), it becomes possible to build a defense capable of holding strong against nearly any challenge.

About the author:

Cam Roberson is Vice President at Beachhead Solutions.
