Sausage Pizza and Onions: A Plain-English Guide to Cyber Security Layers
Cyber security can feel complicated because there are so many products, services and acronyms.
Firewalls. Antivirus. Endpoint detection. SmartScreen. Browser protection. Multi-factor authentication. VPNs. Email filtering. Dark web monitoring. Backups. Vulnerability scanning. Managed detection and response. Zero trust.
For many small and medium-sized businesses, especially those without their own IT support in-house, this can quickly become confusing. It is easy to feel that cyber security is either too technical, too expensive, or something only large organisations need to worry about.
That is not the case.
Most businesses now depend on technology every day. Email, cloud storage, online banking, payroll, client portals, accounts systems, websites, laptops and mobile phones are all part of normal business operations. If those systems stop working, are accessed by the wrong person, or are held to ransom, the impact can be serious.
A useful way to think about cyber security is not as one product, but as a set of protective layers.
Like an onion.
Each layer adds protection. One layer on its own is rarely enough. A firewall is useful, but it will not stop someone reusing a stolen password. Antivirus is useful, but it will not help if no one has backed up the company data. Multi-factor authentication is excellent, but it does not replace patching, device management, staff awareness or secure configuration.
The stronger approach is layered security.
The more important the system or data, the more carefully you should think about the layers around it.
This does not mean every business needs every cyber security product on the market. A five-person consultancy does not need the same cyber security design as a bank, hospital or defence contractor. Security should be proportionate to the business in question.
A useful model for understanding these layers is the OSI model.
What is the OSI model?
The OSI model is a way of describing how technology communicates. It breaks communication down into seven layers, starting with the physical equipment at the bottom and moving up to the applications people actually use.
A common way to remember the seven OSI layers is:
Please Do Not Throw Sausage Pizza Away
That stands for:
Physical
Data Link
Network
Transport
Session
Presentation
Application
That phrase may sound silly, but it is useful. It gives us a simple way to remember the seven layers.
For business leaders, the OSI model is helpful because it shows that cyber security is not just one thing. It is not just the firewall. It is not just antivirus. It is not just Microsoft 365. It is not just passwords. It is not just backups.
Security sits across multiple layers.
This is where the onion comes in.
The onion idea
Imagine your business systems and data sitting in the centre of an onion.
Around that centre are different protective layers. Some are physical, such as locks on doors and secure storage for laptops. Some are technical, such as firewalls, endpoint protection, encryption and browser security. Some are procedural, such as staff training, access reviews and backup testing.
If an attacker gets through one layer, they should meet another.
For example, imagine a member of staff receives a phishing email.
The first layer might be email filtering, which tries to block the message before it reaches the user.
If the email gets through, browser security or Microsoft Defender SmartScreen may warn the user that the link is dangerous.
If the user still enters their password into a fake login page, multi-factor authentication may stop the attacker using the password.
If the attacker tries to install malware, Microsoft Defender or a managed endpoint tool such as SentinelOne may detect and block it.
If the attacker tries to communicate out to a malicious service, a firewall such as Cisco Meraki MX may block or alert on the traffic.
If credentials have already been exposed elsewhere, a dark web monitoring service such as CyberSight may identify that risk before the attacker uses it.
If the worst happens and data is deleted or encrypted, backups may allow the business to recover.
That is layered security in practice.
No single layer is perfect. But each sensible layer reduces the chance that one mistake becomes a major incident.
Layer 1: Physical
The physical layer is exactly what it sounds like. It is the hardware and physical environment that technology depends on.
This includes laptops, desktops, servers, routers, switches, mobile phones, comms cabinets, office access, storage rooms and sometimes data centres.
Security at this layer includes:
-
Locks on doors
-
Secure storage for laptops and devices
-
Access control systems
-
CCTV
-
Visitor controls
-
Asset tagging
-
Secure disposal of old equipment
-
Protection from fire, flood and power loss
-
Uninterruptible power supplies for key equipment
For a small business, this does not have to be complicated. It may simply mean knowing who has company equipment, ensuring laptops are not left unattended in public places, making sure old devices are wiped before disposal, and keeping networking equipment away from public access.
A business using a shared office, serviced office or home working model still has physical security risks. A laptop left in a car, an unlocked home office, or an old phone sold without being wiped can all create security problems.
Physical security is often overlooked because it feels basic. But basic does not mean unimportant.
Layer 2: Data Link
The data link layer is about how devices communicate on a local network. This is the layer where devices connect to switches, Wi-Fi access points and local network segments.
For non-technical business leaders, the key point is this:
Not every device should automatically be trusted just because it is connected to your network.
Security at this layer includes:
-
Secure Wi-Fi configuration
-
Strong Wi-Fi passwords
-
Separate guest Wi-Fi
-
Network segmentation
-
Managed switches
-
Blocking unknown or unauthorised devices
-
Monitoring for rogue devices
For a small business, one of the most practical examples is guest Wi-Fi. Visitors, contractors and personal devices should not usually be placed on the same network as business systems.
Another example is separating business devices from other devices. In a home office, this could mean keeping work devices separate from smart TVs, games consoles and personal devices where possible. In a larger office, it may involve creating separate network areas for staff, guests, phones, printers and servers.
Products such as business-grade wireless access points, managed switches and cloud-managed networks can help here. A Cisco Meraki network, for example, may be used to provide managed Wi-Fi, guest networking and network segmentation, depending on the design.
This layer is about reducing unnecessary trust.
Layer 3: Network
The network layer is where routing happens. It is about how traffic moves between networks, including between your office, cloud services and the wider internet.
This is where many people first think of cyber security, because this is where firewalls commonly sit.
Security at this layer includes:
-
Firewalls
-
Router security
-
Network segmentation
-
IP filtering
-
Intrusion prevention
-
Secure VPN configuration
-
Cloud firewall rules
-
Restricting unnecessary inbound access
-
Blocking known malicious destinations
A firewall is an important control, but it is not magic. It can reduce exposure, block unwanted traffic and control what is allowed in and out of a network. However, it will not solve every problem.
If a user gives away their password, a firewall may not help. If a laptop is already infected, a firewall may only detect some of the traffic. If a cloud system is misconfigured, the office firewall may not even be involved.
That does not make firewalls unimportant. It simply means they are one layer, not the whole onion.
Cisco Meraki MX is a good example of a product that sits strongly in this area. It is commonly used as a business firewall and security appliance. Depending on the licence and configuration, it can provide firewalling, VPN connectivity, intrusion detection and prevention, content filtering, anti-malware features, application visibility and control.
For SME leaders, the practical questions are:
-
Can our business network be accessed from the internet?
-
Are remote access services properly protected?
-
Are old firewall rules still needed?
-
Is the firewall still supported and receiving updates?
-
Are cloud systems exposed unnecessarily?
-
Is there a clear reason for every open port or remote access route?
-
Is someone reviewing security alerts?
The aim is to reduce the number of easy routes into the business.
Layer 4: Transport
The transport layer is about how data moves reliably between systems. In practical security terms, this often involves protecting the connection between one system and another.
Security at this layer includes:
-
HTTPS and TLS
-
Secure VPN tunnels
-
Certificate management
-
Restricting insecure protocols
-
Blocking unnecessary ports
-
Secure email transport controls
-
Monitoring unusual traffic patterns
When you visit a website and see HTTPS, that is part of securing data in transit. It helps protect information as it moves between your browser and the website.
For a business, this matters because data is constantly moving. Emails are sent. Files are uploaded. Payments are processed. Staff log into cloud systems. Customer information moves between platforms.
If data is not protected while it moves, it may be exposed.
A Cisco Meraki MX, or a similar business firewall, may also provide protection at this layer by controlling ports, protocols, VPN traffic and traffic flows between networks.
For SMEs, the most practical considerations are:
-
Make sure websites use HTTPS
-
Avoid old or insecure remote access methods
-
Use supported VPN or secure access tools where needed
-
Do not expose services to the internet unless there is a strong reason
-
Keep certificates current
-
Remove outdated systems and protocols
This layer is often managed by IT providers, hosting companies or cloud platforms, but business leaders should still understand why it matters. If your business handles personal data, payment information, contracts, legal documents or commercially sensitive files, protecting data in transit is not optional.
Layer 5: Session
The session layer is about managing connections between users, devices and systems. In business terms, this is where we start thinking about whether a session should be allowed, how long it should last, and whether the person using it is really who they claim to be.
Security at this layer includes:
-
Multi-factor authentication
-
Single sign-on
-
Conditional access
-
Session timeouts
-
Login monitoring
-
Privileged access management
-
Blocking risky sign-ins
-
Reviewing active sessions
This is one of the most important layers for modern SMEs because so many businesses now use cloud services.
In the past, business systems were often inside the office network. Today, email, files, accounts, CRM systems, HR platforms and project management tools are often accessible from anywhere. That flexibility is useful, but it changes the risk.
If your business uses Microsoft 365, Google Workspace, Xero, QuickBooks, Dropbox, Shopify, HubSpot, Salesforce or similar platforms, identity security is critical.
A stolen password can become a business-wide incident.
Multi-factor authentication is one of the most effective controls at this layer. It means that a password alone is not enough. A user must also prove their identity in another way, such as through an app, security key or other approved method.
Browser security can also support this layer. For example, browsers may warn users about unsafe websites, suspicious login pages or compromised saved passwords. Microsoft Edge includes features such as Password Monitor, and Google Chrome uses Safe Browsing to warn about dangerous websites and downloads.
Dark web monitoring services such as CyberSight also support this area. They do not stop a login directly in the way MFA does, but they can alert the business when credentials connected to its domain appear in known breaches or dark web sources. That gives the business an opportunity to reset passwords, check affected accounts and reduce the chance of those credentials being used.
This is why dark web monitoring should be understood properly. It is not a firewall. It is not antivirus. It does not make weak passwords safe. It is an early warning and visibility tool.
For businesses without internal IT, this is an area where a good managed service provider can add real value. Identity is now one of the main battlefields in cyber security.
Layer 6: Presentation
The presentation layer is about the format of data. It covers how information is prepared, encoded, encrypted, compressed or translated between systems.
For business leaders, the simplest way to think about this layer is:
How is the data protected so that the wrong person cannot easily read or misuse it?
Security at this layer includes:
-
Encryption
-
Data loss prevention
-
Secure file handling
-
Email encryption
-
Document classification
-
Certificate use
-
Protection of sensitive information
-
Secure storage formats
Encryption is a key control here. It helps make information unreadable to unauthorised people. For example, laptop encryption helps protect data if a device is lost or stolen. Email or file encryption may help protect sensitive information when it is shared.
Windows security features can support this layer. For example, Windows devices may use BitLocker encryption to protect data stored on a laptop. Microsoft Defender can also help detect malicious files or suspicious activity affecting data on the device.
SentinelOne also has relevance here because endpoint detection and response tools monitor what is happening on devices. If malware attempts to alter, encrypt or interfere with files, an endpoint security platform may detect and respond to that behaviour.
However, encryption is not a complete answer on its own. If an attacker logs in as a legitimate user, they may still be able to access encrypted data because the system believes they are authorised. This is why encryption must sit alongside good identity management, device protection and access control.
For SMEs, practical questions include:
-
Are laptops encrypted?
-
Are mobile devices protected?
-
Is sensitive data clearly identified?
-
Are staff sending sensitive documents by normal email when they should use a safer method?
-
Are files shared with the right people only?
-
Is access removed when it is no longer needed?
-
Would we know if sensitive data was being misused?
This layer is especially important for businesses handling personal data, financial data, legal documents, health information, intellectual property or confidential client information.
Layer 7: Application
The application layer is the layer closest to the user. It includes the systems people interact with directly.
This includes email, web browsers, websites, cloud applications, accounting platforms, CRM systems, file sharing tools, line-of-business applications and mobile apps.
Many cyber attacks target this layer because it is where people work.
Security at this layer includes:
-
Email security
-
Endpoint protection
-
Web filtering
-
Browser security
-
Microsoft Defender SmartScreen
-
Antivirus
-
Endpoint detection and response
-
Web application firewalls
-
Secure configuration of cloud services
-
Patch management
-
Vulnerability scanning
-
Application access control
-
Backup and recovery
-
Security monitoring
-
Managed detection and response
-
Staff awareness training
Phishing is a good example of an application-layer risk. The attacker may not need to break through a firewall. They may simply send a convincing email that tricks someone into clicking a link, opening a file or entering their password into a fake login page.
This is why application-layer security is so important. It is often where technical controls and human behaviour meet.
Several familiar tools sit strongly at this layer.
Browser security features help when users are working on the web. They may warn about dangerous sites, suspicious downloads, compromised passwords or deceptive pages.
Microsoft Defender SmartScreen is designed to help protect against phishing sites, malware sites, unsafe applications and potentially malicious downloads. For a small business using Windows and Microsoft Edge, this is a useful built-in layer that should not be ignored.
Microsoft Defender Antivirus, part of Windows Security, provides real-time protection against malware and other threats. For many smaller organisations, properly configured built-in protection may be a sensible baseline, especially when combined with patching, MFA, backups and user awareness.
SentinelOne is an example of a more advanced endpoint security platform. It is commonly used where a business wants stronger endpoint protection, detection and response capability. In plain English, it watches laptops, desktops and servers for signs of malicious behaviour and can help respond when something suspicious happens.
Cisco Meraki MX can also have application-layer relevance because it can identify and control certain types of application traffic, apply content filtering and support anti-malware and intrusion prevention features, depending on configuration.
CyberSight-style dark web monitoring supports the application layer indirectly. If stolen credentials linked to a business domain are found, the business can take action before those credentials are used to access email, cloud systems or business applications.
For SMEs, this layer normally includes some of the most visible security tools:
-
Antivirus or endpoint protection
-
Email filtering
-
Spam and phishing protection
-
Browser protection
-
Microsoft 365 or Google Workspace security controls
-
Web filtering
-
Cloud backup
-
Website protection
-
Vulnerability scanning
-
Security awareness training
Application security also includes keeping software up to date. Unsupported software, old plugins, unpatched systems and weak configurations can all create opportunities for attackers.
This layer is where many businesses should start, because it directly affects the tools they use every day.

Where familiar cyber security tools fit
The OSI model is helpful, but modern cyber security products do not always fit neatly into one box.
A product may protect several layers at the same time. A firewall may operate at the network layer, but also inspect applications. Endpoint protection may monitor files, applications, behaviour and network activity. A browser may help protect users from phishing websites, unsafe downloads and compromised saved passwords.
The table below gives a practical view.
| Tool or control | Main OSI layers | What it helps protect | Plain-English explanation |
|---|---|---|---|
| Browser security features | Application, with some session and presentation relevance | Websites, downloads, phishing links, browser warnings and saved passwords | The browser is where many users meet the internet. Modern browsers can warn users about dangerous websites, phishing pages, suspicious downloads and sometimes compromised passwords. This is useful because many attacks start with a link in an email or a fake login page. |
| Microsoft Defender Antivirus / Windows Security | Application, presentation, and some network protection where firewall features are enabled | Malware, suspicious files, unsafe applications, device protection and network traffic filtering | Built-in Windows protection helps defend the device itself. It can scan files and programs, provide real-time malware protection and, when Windows Firewall is enabled, help control which network traffic is allowed in and out of the device. |
| Microsoft Defender SmartScreen | Application | Phishing websites, malicious websites, unsafe applications and suspicious downloads | SmartScreen works where the user is interacting with websites, applications and downloads. If a website, app or download looks unsafe, it can warn the user before damage is done. |
| SentinelOne | Application and presentation, with wider endpoint visibility | Endpoint protection, malware prevention, suspicious behaviour, detection and response | SentinelOne is an endpoint protection and detection tool. In plain English, it watches laptops, desktops and servers for signs of malicious behaviour. It is not just looking for known viruses; it can also help detect unusual behaviour that may suggest an attack is underway. |
| Cisco Meraki MX | Network, transport and application | Firewalling, routing, VPN, intrusion prevention, content filtering, anti-malware and application visibility | Cisco Meraki MX is a network security appliance. It helps protect the route between the business network and the internet. It can control traffic, support VPN access, block known threats, filter content and provide visibility of applications using the network. |
| CyberSight / dark web monitoring | Supports session and application security | Exposed credentials, leaked business data and compromised accounts | CyberSight-style dark web monitoring does not sit neatly inside the OSI model because it does not directly protect a cable, device, firewall or application. Instead, it looks for signs that business information has already leaked, such as usernames, passwords or company data. This supports identity and application security because stolen passwords are often used to access cloud systems, email accounts and business platforms. |
This shows why layered security matters.
A browser warning may stop a user visiting a fake login page.
SmartScreen may block a suspicious download.
Microsoft Defender may detect malicious software on the device.
SentinelOne may identify suspicious behaviour that traditional antivirus might miss.
Cisco Meraki may block unwanted traffic at the network edge.
CyberSight may warn that credentials are already exposed and need to be changed.
Each one protects a different part of the onion.
None of these tools should be seen as a complete answer on its own. A business with a strong firewall but no multi-factor authentication may still be exposed if passwords are stolen. A business with good antivirus but no backup may still struggle to recover from ransomware. A business with dark web monitoring but weak password habits may keep finding the same problem again and again.
The useful question is not:
Which product is best?
The better question is:
Which layers do we already protect, which layers are weak, and what level of protection is proportionate for our business?
Product examples in a real business scenario
To make this more practical, imagine a small professional services business with ten staff.
The business uses Microsoft 365 for email and files, Xero for accounts, laptops for staff, mobile phones, a broadband router, a small office Wi-Fi network and a website hosted by a third party.
A proportionate layered approach might look like this:
At the physical layer, the business keeps a record of laptops, ensures devices are not shared casually, and wipes old equipment before disposal.
At the data link layer, it uses secure Wi-Fi, a strong Wi-Fi password and a separate guest network.
At the network and transport layers, it uses a properly configured business router or firewall. If the business has more complex needs, a product such as Cisco Meraki MX may provide stronger firewalling, VPN, filtering and visibility.
At the session layer, the business enables multi-factor authentication on Microsoft 365, Xero and other important cloud platforms. Admin accounts are protected more tightly than ordinary accounts.
At the presentation layer, laptops are encrypted and sensitive files are handled carefully.
At the application layer, the business uses Microsoft Defender, SmartScreen, browser security features, email filtering, regular updates and backups. If the business is higher risk or handles sensitive client data, it may choose a managed endpoint tool such as SentinelOne.
Alongside these layers, CyberSight or a similar dark web monitoring service may be used to identify exposed business credentials. This gives the business early warning if a staff email address and password combination has appeared in a breach.
That is a layered onion.
It is not about buying every product. It is about using sensible controls in the right places.
Why built-in security still matters
One mistake small businesses sometimes make is assuming that built-in security does not count.
That is wrong.
Built-in security features can be very useful, especially when they are enabled, configured and monitored properly.
Browser warnings matter. Microsoft Defender matters. SmartScreen matters. Windows Firewall matters. Encryption matters. MFA matters. Security defaults in Microsoft 365 matter.
For many SMEs, the first security improvement is not buying a new product. It is making sure the security features they already have are actually turned on and set up properly.
However, there is a second mistake to avoid.
Built-in security does not mean “set and forget”.
Someone still needs to check that devices are updated, alerts are reviewed, accounts are removed when people leave, backups are working, and important systems are configured securely.
Technology is only useful when it is managed.
When more advanced tools may be proportionate
Some businesses need more than the basic controls.
This might be because they handle sensitive data, support larger clients, work in regulated sectors, rely heavily on cloud systems, have contractual cyber security requirements, or have already experienced security incidents.
In those cases, more advanced tools may be proportionate.
SentinelOne or another endpoint detection and response platform may be suitable where the business needs stronger visibility of device activity and faster response to suspicious behaviour.
Cisco Meraki MX or a similar business firewall may be suitable where the business needs better network control, VPN, segmentation, content filtering and threat protection.
CyberSight or another dark web monitoring service may be suitable where the business wants early warning of exposed credentials or leaked business information.
Vulnerability scanning may be suitable where the business needs to identify weaknesses in internet-facing systems, devices or applications.
Cyber Essentials may be suitable where the business wants a recognised baseline certification and a structured way to review common technical controls.
Managed security support may be suitable where the business does not have internal IT staff and needs someone to configure, monitor and respond.
The point is not that every business needs all of these.
The point is that more advanced tools should be selected because they address a known risk, not because they sound impressive.
The danger of buying products without a plan
A common mistake is buying security products without understanding the problem they are meant to solve.
A business might buy antivirus because it seems obvious. Then it might buy a firewall because someone recommends it. Then it might add email filtering after a phishing incident. Then it might buy backup after a ransomware scare. Then it might buy dark web monitoring after seeing a report of leaked passwords.
Each product may be useful, but without a plan, the business can still be exposed.
Layered security should be deliberate.
The business should understand:
-
What the product protects
-
What it does not protect
-
Which OSI layers it mainly supports
-
Who manages it
-
Who responds to alerts
-
How it is configured
-
How often it is reviewed
-
Whether it still meets the business need
A security product that is installed but ignored is not a strong control.
A backup that is never tested is an assumption, not a recovery plan.
A firewall rule that no one reviews may become a weakness.
An MFA policy that excludes senior staff or administrators may leave the most important accounts exposed.
Security is not just about having tools. It is about using them properly.
The onion test
A simple way for business leaders to review their security is to use the onion test.
Ask:
If one layer fails, what protects us next?
If someone loses a laptop, is the device encrypted?
If someone clicks a phishing link, will the browser or SmartScreen warn them?
If someone enters their password into a fake page, will MFA stop the attacker?
If that password has already been leaked, would dark web monitoring tell us?
If an attacker tries to install malware, would Microsoft Defender or SentinelOne detect it?
If a device starts communicating with a suspicious destination, would the firewall notice?
If files are deleted or encrypted, can they be restored?
If a member of staff leaves, will their access be removed quickly?
If a supplier is breached, do we know what systems or data could be affected?
If the answer is “we do not know”, that is not a failure. It is simply a gap to investigate.
A practical OSI security view for SMEs
Here is a simplified way to think about the layers.
Physical
Protect the equipment and places where work happens. This includes laptops, phones, offices, comms cabinets and secure disposal.
Example controls: locks, asset lists, secure storage, device wiping, UPS units and physical access controls.
Data Link
Protect local connections. This includes Wi-Fi, guest networks, switches and preventing unknown devices from being trusted automatically.
Example controls: secure Wi-Fi, separate guest Wi-Fi, managed switches, network segmentation and device controls.
Network
Protect how systems connect to other networks and the internet.
Example controls: firewalls, secure routers, Cisco Meraki MX, cloud firewall rules and reducing unnecessary exposure.
Transport
Protect data as it moves.
Example controls: HTTPS, TLS, secure VPNs, certificate management and blocking insecure protocols.
Session
Protect logins and active access.
Example controls: MFA, single sign-on, conditional access, session timeouts, login monitoring and dark web monitoring for exposed credentials.
Presentation
Protect the form and readability of data.
Example controls: encryption, secure file handling, laptop encryption, data classification and protection of sensitive information.
Application
Protect the tools people actually use.
Example controls: browser security, Microsoft Defender SmartScreen, Microsoft Defender Antivirus, SentinelOne, email filtering, patching, web filtering, backups and user awareness training.
No single layer is enough. But each sensible layer makes the business harder to attack and easier to recover.
What should a business do next?
For a small or medium-sized business without in-house IT support, the best next step is usually not to buy another product immediately.
The best next step is to review what you already have.
Start with the basics:
-
What devices do we use?
-
What cloud systems do we rely on?
-
Who has access?
-
Is MFA enabled?
-
Are devices encrypted?
-
Are browser protections enabled?
-
Is Microsoft Defender or another endpoint protection product running?
-
Is SmartScreen enabled?
-
Are backups in place and tested?
-
Are systems patched?
-
Is email protected?
-
Are old accounts removed?
-
Do we know who is responsible for security?
-
Have we checked our external exposure?
-
Do staff know how to report suspicious activity?
-
Would we know if company credentials appeared in a breach?
From there, you can decide what is proportionate.
Some businesses may need only a practical baseline and a small number of improvements. Others may need a more formal review, Cyber Essentials, vulnerability scanning, endpoint detection and response, firewall upgrades, dark web monitoring, policy work, supplier assurance or ongoing managed security support.
The right level depends on the business.
Final thought
Cyber security does not need to be mysterious.
The OSI model gives us a useful way to understand the different places where protection can apply. The “Please Do Not Throw Sausage Pizza Away” memory aid helps us remember the seven layers. The onion reminds us that good security is built in layers, not bought in a single box.
For business leaders, the most important lesson is simple:
Do not rely on one layer.
Protect the physical devices. Secure the network. Protect the data. Control access. Secure the applications. Use browser protection. Keep Defender and SmartScreen enabled. Consider stronger endpoint tools such as SentinelOne where proportionate. Use business-grade firewalling such as Cisco Meraki where appropriate. Monitor for exposed credentials with services such as CyberSight. Train the people. Test the backups. Review the gaps.
The more important the business system, the more carefully you should protect the layers around it.
That is how cyber security becomes practical, proportionate and understandable.
Sausage pizza helps you remember the model.
The onion helps you remember the method.
Layer by layer, sensible protection makes a business safer.