
By 2025, it’s estimated that cybercrime will cost the global economy a huge $10.5 trillion annually. It’s easy to understand why. As organizations embrace cloud tools and hybrid working, the attack surface is growing rapidly.

At the same time, cyber-attackers are becoming more conniving and sophisticated, meaning more organizations are falling victim to successful attacks – and suffering from the reputational and financial damage that comes alongside.

The expansion of networks beyond the traditional office walls means that discovering, managing and mitigating cybersecurity risks is becoming more challenging and increasingly dependent on multiple solutions layered on top of each other. In some circles this is called “Defense in Depth”, but we like to call it the Swiss cheese model for risk.

What is the Swiss Cheese Model?

The Swiss cheese model advocates a multi-layered approach to combating potential risks. It’s based on the notion that, within each layer of risk mitigation or defense, there will undoubtedly be flaws or holes. So, you need to build multiple, distinct, stacked layers of defenses to combat potential risks.

In this way, if a lapse occurs in one layer of your defense, the threat still won’t come to fruition, as the other layers of defense will impede it.

While the Swiss cheese model isn’t designed specifically for cybersecurity, it’s a very useful analogy for business leaders trying to understand why they need to invest in multiple cybersecurity solutions. As the model shows, one tool isn’t enough. You need a multilayered defense.

· You’d probably start by implementing Multi-Factor Authentication on all your company accounts to help reduce the risk of an account takeover.

· You could take it one step further by implementing geographic sign-in limitations, so that the account can only be accessed from specific locations.

· From an internal perspective, you would want to ensure that user access is limited by permission groups. Unfortunately, our cybersecurity plans also need to account for disgruntled or malicious employees. By granting access only to specific users or groups, you can reduce the risk of unauthorized access, theft, sharing, or deletion.

· And finally, you would want to implement a backup and recovery plan so that you can restore any data that may get lost or damaged.

You can see from the example above that each layer is designed to reduce your risk from a specific set of circumstances, and that multiple layers are required to lower your risk to an acceptable level.

The Swiss Cheese Model In Practice: Look To NIST

The Swiss cheese model is great for understanding why you need a multi-layered defense. But it’s not a how-to guide for implementing one. Luckily, the NIST Cyber Security Framework (CSF) is.

This in-depth guidance offers organizations a comprehensive cybersecurity risk management framework, using a multi-layered approach – just like the Swiss cheese model advocates!

It is based on several industry standards and best practices, combined to create gold-standard guidance for organizations looking to improve their approach to security. NIST has written the guidance free of jargon, in everyday language, so non-technical staff members can understand and benefit from the documentation.

What Does The CSF Contain?

The core of the CSF is based around five critical risk management steps:

1. Identify: Identify and comprehend your critical systems, operations and data. Map out the potential cybersecurity risks to these elements, so you can focus on prevention.

2. Protect: Put in place certain safeguarding solutions to protect critical infrastructure, systems, data and services. As outlined in the Swiss cheese model, the aim is to create multiple layers of protection.

3. Detect: Put in place solutions and processes to detect potential security incidents, so that you can respond quickly and efficiently, with minimal damage caused.

4. Respond: Build an incident response capability to empower you to swiftly respond to and eradicate an attempted attack.

5. Recover: Design and utilize plans to return operations back to normal after the incident is dealt with.

Implementing the NIST Cyber Security Framework In Your Organization

NIST’s CSF is one of the best ways to move the Swiss cheese model from an abstract concept to reality. The trouble for many SMBs is knowing where to begin. The document outlining the framework is 55 pages of in-depth reading. You’ll need at least a foundational knowledge of cybersecurity in order to implement it.

Unfortunately, though, smaller organizations don’t often have the internal IT resources to carry out and manage a multilayered security program.

To combat this issue, we sometimes see these companies choose to purchase multiple layers of defense from a single technology vendor, but this isn’t wise. If you purchase all your solutions from one cybersecurity vendor, you’re unlikely to get the best-in-breed tools across the board. You may also miss out on much more cost-effective options.

If this sounds like your organization, the best way forward is probably to work with a managed cybersecurity services provider like us. We work with numerous cybersecurity vendors to bring our clients a multi-layered, defense-in-depth approach to cyber resilience, which closely follows the NIST CSF.

With our support, you can implement the NIST CSF in your organization without any of the heavy lifting. We’ll discover, manage and mitigate all of your cybersecurity risks for you – at a fraction of the cost of hiring an in-house cybersecurity professional!

Ready To Get Started? Get In Touch With Us Today!

With cyber-attacks on the rise, you need a multi-layered security approach. Let us implement and manage your security tools for you. Contact us today, and let’s get started.

Jesse Hill


When you entrust your business to an I.T. company, it should be more than a contract – it should be a relationship built on the assurance that your I.T. advisors are ready to help in any situation. As the owner of Tier 3 I.T. Solutions, Jesse is familiar with key business operations and strives to assess challenges within businesses and find opportunities for growth. He has a constant curiosity and drive to help cut down on operations costs and take away the frustration of technology. Keeping his customers happy motivates him to develop detailed technological strategies to assist with business development. Jesse knows that technology isn’t the answer for every problem, and strives to bridge the gap between problem solving and implementation of best practices.