The Onion Strategy: How SMEs Can Build a Bulletproof Defence in Depth

Protect your SME with the “Onion” strategy. Learn how DNS filtering, endpoint security, and the 3-2-1 backup rule create a multi-layered defence against hackers.

If you run a small business or work as a freelancer, you’ve likely heard the term “cybersecurity” and felt a mild sense of dread. It sounds expensive, technical, and frankly, a bit like something that only happens to giant corporations.

The reality? Small businesses are often the preferred targets because they tend to be “softer” targets. To protect yourself, you need to adopt a strategy called Defence in Depth.

Think of your business security like an onion. One layer isn’t enough; you need multiple layers of protection so that when one fails (and eventually, one will), the next one holds the line.

Layer 1: The Human Element (The Soft Outer Skin)

Let’s be honest: you are the most vulnerable part of your business. Whether you’re a solopreneur or leading a small team, you are the “soft outer skin” of the onion.

We’ve all been there—juggling three tasks, distracted by a ringing phone, when an email pops up asking for a password or a “quick click.” With the rise of AI-generated scams, these “phishing” attempts look more convincing than ever.

  • The Defence: Realise it’s not a matter of if you’ll be targeted, but when. Slow down. If an email creates a sense of urgency, that’s your first red flag.

Layer 2: Secure Your DNS (The Gatekeeper)

Every time you type a website name into your browser, a system called DNS (Domain Name System) translates that human-friendly name into a numerical IP address.

If a hacker “poisons” your DNS, they can quietly redirect you. You think you’re at your bank’s website, but you’ve actually been sent to a carbon-copy site designed to steal your login details.

  • The Defence: Don’t just rely on the default DNS provided by your internet provider (which often tracks your browsing habits anyway). Use an external, secure DNS provider like Cloudflare, Quad9, or AdGuard. These services refuse to resolve known-malicious domains, so your device never connects to them in the first place. It’s like having a bouncer at the door who knows exactly who is on the “no-entry” list.
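To make the “bouncer” concrete, here is an added toy model of the decision a filtering resolver makes for each query. It is illustration only, not code from Cloudflare, Quad9 or AdGuard; the blocklist, the known-good domains, the confusable-character table and the sample queries are all constructed for the example. It goes slightly beyond the text by also catching lookalike names (the “carbon-copy” bank site), since that is the case the paragraph above warns about.

```python
"""Toy model of the decision a filtering DNS resolver makes for each query.

Added illustration only; this is not the code of Cloudflare, Quad9 or AdGuard.
The blocklist, the known-good list and the sample queries are constructed.
"""

# Constructed blocklist: names a protective resolver refuses to answer.
BLOCKLIST = {"malware-dropper.example", "phish-login.example"}

# Constructed list of domains the business relies on; used to spot lookalikes.
KNOWN_GOOD = {"mybank.example", "mycompany.example"}

# Character swaps commonly used to build a lookalike name (constructed table).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def canonical(name: str) -> str:
    """Lower-case, drop the trailing dot and undo common confusable swaps."""
    name = name.lower().rstrip(".")
    for look, real in CONFUSABLES:
        name = name.replace(look, real)
    return name


def registrable(name: str) -> str:
    """Crude 'registrable domain': the last two labels (ignores public-suffix rules)."""
    return ".".join(name.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(query: str):
    """Return ("allow" | "block", reason) for one DNS query name."""
    name = query.lower().rstrip(".")
    labels = name.split(".")
    # A listed domain blocks all of its subdomains too.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKLIST:
            return "block", "on blocklist"
    reg = registrable(name)
    if reg in KNOWN_GOOD:
        return "allow", "known-good domain"
    for good in KNOWN_GOOD:
        if edit_distance(canonical(reg), good) <= 1:
            return "block", f"lookalike of {good}"
    return "allow", "no rule matched"


def resolve(query: str) -> dict:
    """Mimic the resolver's answer: a sinkhole address for blocked names."""
    verdict, reason = classify(query)
    # Real filtering resolvers answer NXDOMAIN or a fixed sinkhole address;
    # both addresses here are constructed placeholders (192.0.2.0/24 is documentation space).
    answer = "192.0.2.10" if verdict == "allow" else "0.0.0.0"
    return {"query": query, "verdict": verdict, "reason": reason, "answer": answer}


if __name__ == "__main__":
    for q in ("www.mybank.example", "cdn.malware-dropper.example",
              "rnybank.example", "mybamk.example", "news.example"):
        print(resolve(q))
```

Two practical notes: a lookalike rule this loose will also block harmless one-letter neighbours of your own domains, so real products tune it with reputation data; and any of this only helps if the device actually sends its queries to the filtering resolver, so configure it on the router and on each laptop that leaves the office.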

Layer 3: Endpoint Protection

Suppose you do click that link. This is where your third layer—your computer’s software—comes into play.

  • The Defence: If you’re on Windows 11, you have decent protection built-in, but don’t ignore the prompts. Endpoint protection looks for patterns of suspicious behaviour. If a program suddenly starts trying to encrypt all your files, a good security layer will step in and kill the process before the damage is done.
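The “kill the process before the damage is done” behaviour above rests on a simple idea: a legitimate program rarely rewrites dozens of documents as random-looking bytes within seconds. The following added example shows that heuristic run over a constructed file-event timeline. It is not Microsoft Defender’s logic or any vendor’s code; the process names, paths and events are made up, and on a real endpoint they would come from the agent’s file-system monitoring.

```python
"""Behaviour-based ransomware heuristic of the kind an endpoint agent applies.

Added illustration, not the logic of Microsoft Defender or any other product.
The file events and process names below are constructed.
"""
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileEvent:
    ts: float            # seconds since monitoring started
    pid: int
    process: str
    path: str
    action: str          # "write" or "rename"
    data: bytes = b""    # sample of the bytes written (for "write")
    new_path: str = ""   # destination name (for "rename")


# Extensions ransomware commonly appends to encrypted files (constructed set).
SUSPICIOUS_EXTS = {".locked", ".enc", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain documents sit well below 6, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Flag a process doing many encryption-like file operations in a short window."""

    def __init__(self, window_s: float = 5.0, threshold: int = 5, entropy_cutoff: float = 7.0):
        self.window_s = window_s
        self.threshold = threshold
        self.entropy_cutoff = entropy_cutoff
        self._hits = defaultdict(deque)   # pid -> timestamps of suspicious ops
        self.flagged = set()

    def is_suspicious(self, ev: FileEvent) -> bool:
        if ev.action == "write":
            return shannon_entropy(ev.data) >= self.entropy_cutoff
        if ev.action == "rename":
            return os.path.splitext(ev.new_path)[1].lower() in SUSPICIOUS_EXTS
        return False

    def observe(self, ev: FileEvent) -> Optional[str]:
        """Feed one event; return an alert the first time a pid crosses the threshold."""
        if ev.pid in self.flagged or not self.is_suspicious(ev):
            return None
        hits = self._hits[ev.pid]
        hits.append(ev.ts)
        while hits and ev.ts - hits[0] > self.window_s:   # keep only the recent window
            hits.popleft()
        if len(hits) >= self.threshold:
            self.flagged.add(ev.pid)
            return (f"kill pid {ev.pid} ({ev.process}): {len(hits)} "
                    f"encryption-like file ops in {self.window_s}s")
        return None


def run_detector(events: List[FileEvent]) -> List[str]:
    det = RansomwareHeuristic()
    return [a for a in (det.observe(ev) for ev in events) if a]


def sample_events() -> List[FileEvent]:
    """Constructed timeline: one normal document save, then a ransomware-like burst."""
    text = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged.\n" * 16
    cipher = bytes(range(256)) * 4   # every byte value equally often: 8.0 bits/byte, like ciphertext
    events = [FileEvent(0.0, 101, "WINWORD.EXE", r"C:\Docs\report.docx", "write", data=text)]
    for i in range(6):
        src = rf"C:\Docs\invoice_{i}.pdf"
        events.append(FileEvent(10.0 + i * 0.1, 666, "updater.exe", src, "write", data=cipher))
        events.append(FileEvent(10.05 + i * 0.1, 666, "updater.exe", src, "rename",
                                new_path=src + ".locked"))
    return events


if __name__ == "__main__":
    for alert in run_detector(sample_events()):
        print(alert)
```

The Word save never trips the rule because its bytes are ordinary text, while the burst from the constructed `updater.exe` is stopped at its fifth encryption-like operation, with several files still untouched. Real agents add more signals (deleting shadow copies, dropping ransom notes, unsigned binaries) to keep false positives down for legitimate tools such as archivers and disk encryption.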

Layer 4: The Immutable Backup (The “Safety Net”)

If a clever bit of ransomware slips past your DNS filter and bypasses your antivirus, you face a terrifying choice: pay a ransom in Bitcoin or lose your data.

Never pay the ransom. It fuels the industry and doesn’t guarantee you’ll get your files back. Instead, rely on a 3-2-1 backup strategy:

  1. Have 3 copies of your data.
  2. On 2 different types of media.
  3. With 1 copy stored off-site and disconnected.

Note for Mac users: Time Machine is fantastic for recovering a file you accidentally deleted yesterday, but it’s not a complete defence against ransomware. If your backup drive is constantly plugged into your computer, the ransomware will just encrypt your backup too.

You need immutable backups—backups that cannot be changed or deleted by the malware. Using professional services like Acronis or Backblaze ensures that your data is “shovelled” to a safe location where the ransomware can’t reach it.
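A backup you have never tested is a hope, not a safety net. The added example below ties the 3-2-1 list and the “plugged-in drive gets encrypted too” warning together in a throw-away directory: it records a hash manifest at backup time, simulates ransomware overwriting the live disk and the always-connected USB drive, then checks which copies still match and whether the set of copies satisfies 3-2-1. It is not code from Acronis, Backblaze or Time Machine; the files, copy locations and the “encryption” step are all constructed.

```python
"""Backup integrity check plus a 3-2-1 audit, run on a throw-away directory.

Added illustration; not code from Acronis, Backblaze or Time Machine. The
files, copy locations and the "ransomware" step are constructed in a temp dir.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BackupCopy:
    label: str
    root: str
    media: str      # e.g. "internal-ssd", "usb-hdd", "cloud"
    offline: bool   # disconnected or immutable from the workstation's point of view


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Record the hash of every file under root at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_copy(root: str, manifest: Dict[str, str]) -> List[str]:
    """Return the files that are missing or no longer match the manifest."""
    bad = []
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or sha256_file(full) != digest:
            bad.append(rel)
    return sorted(bad)


def audit_321(copies: List[BackupCopy]) -> List[str]:
    """List the ways a set of copies falls short of the 3-2-1 rule."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies on one media type (need 2)")
    if not any(c.offline for c in copies):
        problems.append("no off-site, disconnected copy (need 1)")
    return problems


def simulate_ransomware(root: str) -> None:
    """Overwrite every file with garbage, standing in for ciphertext (constructed)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                original = f.read()
            with open(full, "wb") as f:
                f.write(hashlib.sha256(original).digest())


def demo() -> dict:
    work = tempfile.mkdtemp(prefix="onion-backup-")
    try:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "clients"))
        with open(os.path.join(live, "ledger.csv"), "w") as f:
            f.write("date,amount\n2024-01-05,120.00\n")       # constructed data
        with open(os.path.join(live, "clients", "acme.txt"), "w") as f:
            f.write("ACME Ltd, net 30\n")                      # constructed data

        manifest = build_manifest(live)
        copies = [
            BackupCopy("live", live, "internal-ssd", offline=False),
            # USB drive left plugged in all the time, like the Time Machine case in the text.
            BackupCopy("usb", shutil.copytree(live, os.path.join(work, "usb")), "usb-hdd", offline=False),
            BackupCopy("cloud", shutil.copytree(live, os.path.join(work, "cloud")), "cloud", offline=True),
        ]

        # Ransomware encrypts the live disk and everything still mounted, including the USB drive.
        simulate_ransomware(live)
        simulate_ransomware(copies[1].root)

        return {
            "damaged": {c.label: verify_copy(c.root, manifest) for c in copies},
            "audit_all_three": audit_321(copies),
            "audit_without_cloud": audit_321(copies[:2]),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The live disk and the plugged-in USB copy both fail verification; only the disconnected cloud copy still matches the manifest, and the audit shows that without it the remaining two copies break the rule twice over. The same two checks are worth scheduling for real: re-hash a restored sample against the manifest every month, and keep the manifest itself with the off-site copy so malware on the workstation cannot rewrite it.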
The Bottom Line

No single layer is perfect. The goal of Defence in Depth isn’t to build an impenetrable wall, but to create enough hurdles that a threat is stopped before it reaches your “core.”

If the worst happens and your computer is compromised, a solid backup strategy turns a potential business-ending catastrophe into a mere “bad Friday” where you lose an hour or two of work while you restore your files.
