In reality, organisations have many other things to do than practise security. Businesses exist to make money. Most not-for-profit organisations exist to offer some service, as charities, educational centres, and religious entities do. None of them exists specifically to deploy and maintain firewalls, intrusion detection systems, identity management technologies, and encryption devices. No business wants to develop hundreds of security policies, implement anti-malware products, maintain vulnerability management systems, continuously renew its incident response capabilities, and have to comply with the plethora of security regulations (SOX, PCI-DSS, ISO 27001) and federal and state laws. Business owners would like to be able to make their widgets, sell their widgets, and go home. But those simpler days are long gone. Now organisations are confronted with attackers who want to steal businesses' customer data to carry out identity theft and banking fraud. Corporate secrets are systematically stolen by internal and external entities for economic espionage. Systems are being hijacked and used within botnets to attack other organisations or to spread spam. Company funds are being secretly siphoned off through sophisticated and hard-to-detect digital methods, commonly by organised criminal rings in different countries. And organisations that find themselves in the crosshairs of critics may come under sustained attack that takes their systems and websites offline for hours or days. Corporations are expected to practise a broad range of security disciplines today to keep their market share, protect their customers and their bottom line, stay out of jail, and still sell their widgets.
If a company has anti-malware software but does not keep the signatures up to date, this is a vulnerability. The company is vulnerable to malware attacks. The threat is that a virus will show up in the environment and disrupt productivity. The likelihood of a virus turning up in the environment and causing damage, together with the resulting potential damage, is the risk. If a virus penetrates the company's environment, then a vulnerability has been exploited and the company is exposed to loss. The countermeasures in this situation are to update the signatures and install the anti-malware software on all computers. The relationships among risks, vulnerabilities, threats, and countermeasures are shown in the diagram.
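As an added example that is not part of the original text: a small Python audit that applies the anti-malware scenario above to a constructed host inventory, classifying each host by vulnerability and likelihood and naming the countermeasure the text gives (update the signatures, or install the software). The inventory, the audit date and the three-day staleness policy are assumed values.

```python
import csv
import io
from datetime import date

# Assumed policy: signatures older than this many days are treated as stale.
MAX_SIGNATURE_AGE_DAYS = 3

# Constructed sample inventory (not real hosts); an empty signature_date means
# no anti-malware product is installed on that machine.
INVENTORY_CSV = """hostname,av_installed,signature_date
ws-01,yes,2024-05-10
ws-02,yes,2024-04-01
srv-db,no,
"""
AUDIT_DATE = date(2024, 5, 12)  # constructed "today" so the run is deterministic


def parse_inventory(text):
    """Turn the CSV into (hostname, av_installed, signature_date-or-None) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        installed = row["av_installed"].strip().lower() == "yes"
        sig = date.fromisoformat(row["signature_date"]) if row["signature_date"] else None
        rows.append((row["hostname"], installed, sig))
    return rows


def assess_host(hostname, av_installed, signature_date, today):
    """Map one host onto the terms used above: vulnerability, likelihood, countermeasure."""
    if not av_installed or signature_date is None:
        return {"host": hostname, "vulnerability": "no anti-malware installed",
                "likelihood": "high", "countermeasure": "install anti-malware software"}
    age = (today - signature_date).days
    if age > MAX_SIGNATURE_AGE_DAYS:
        # The longer signatures lag, the more current malware the product cannot recognise.
        likelihood = "high" if age > 4 * MAX_SIGNATURE_AGE_DAYS else "medium"
        return {"host": hostname, "vulnerability": f"signatures {age} days old",
                "likelihood": likelihood, "countermeasure": "update signatures"}
    return {"host": hostname, "vulnerability": None, "likelihood": "low", "countermeasure": None}


def run_audit(text=INVENTORY_CSV, today=AUDIT_DATE):
    """Return only the hosts that carry an open vulnerability, with the fix for each."""
    results = [assess_host(*host, today) for host in parse_inventory(text)]
    return [r for r in results if r["vulnerability"] is not None]


if __name__ == "__main__":
    for finding in run_audit():
        print(f"{finding['host']}: {finding['vulnerability']} "
              f"(likelihood {finding['likelihood']}) -> {finding['countermeasure']}")
```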
Defence in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an attacker to defeat a complex, multi-layered defence system than to penetrate a single barrier.