Basic Network Security For Your Small Business
There are 3 basic principles of network security: 3 basic layers to protecting your information, the lifeblood of your business. Whether you are in research and development, marketing, law or the nonprofit sector, getting these three things right will go a long way toward having the proper defenses in place the next time a big attack like WannaCry happens.
Infrastructure can be broken down into so many subcomponents that I'd be able to expound limitlessly. For the sake of brevity, let's take a top-down view and call this "all the technology that your IT and infosec team use to protect the network". These are things like:
Perimeter defenses like firewalls and UTM (unified threat management) appliances. When starting a business or replacing aging equipment, these devices should be your top priority. The router you get from your ISP or an aftermarket WiFi router is woefully ineffective when it comes to perimeter security. The box may say it includes a firewall, but a consumer-grade router does little more than NAT and basic stateful filtering: that blocks unsolicited inbound connections, but it does nothing about malicious attachments, links or downloads that your own users pull in, and nothing once an attacker is already inside. Unless the unit can do deep packet inspection and advanced threat detection, it will not stop "bad data" from entering your network. Even the most sophisticated UTM can't stop everything, so keep it patched and treat it as one layer rather than the whole defense. Be sure to invest in commercial-grade products built for this job; a variety of good options are available from the established firewall manufacturers.
User control. This means creating user accounts and permissions and applying IT policies to any and all computers allowed to connect to your network. For a Windows network this means Active Directory (AD) and Group Policy, which let a network administrator enable or block, depending on the use case, what a computer and its user are allowed to do. Without AD (or an equivalent central management tool) in place, every security setting depends on each user leaving it alone, which is no security at all. Macs can be joined to the same AD domain or managed with a mobile device management (MDM) tool; Apple's own macOS Server product was less sophisticated and has since been discontinued, but central management is just as crucial if your LAN is made of or includes Mac computers.
Encryption. To most people encryption is a nebulous word that doesn't really mean anything. At its essence, it is the scrambling of information so that it is unreadable without the proper key.
Here is an example: You have a Windows computer, and you have a password on the login (a great first step). This protects you from someone sitting down at your computer and copying data from it. But if you lost your computer in a taxi, for example, anyone could take the hard disk out of it (the hard disk is what stores the data), pop it into any other computer, and copy everything off it, because the login password never stood between them and the disk. With full-disk encryption in place, if the hard disk is removed and connected to another computer, all the data is scrambled and unreadable without the key. On Windows this is BitLocker; on Macs it is FileVault. Two caveats: it protects data at rest, so a laptop lost while powered on and logged in is still exposed, and the recovery key must be stored somewhere other than the laptop itself, or a forgotten password turns into lost data.
People will always be the weakest link in network security. There are entire fields of study on “social engineering”. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme. User education helps reduce successful social engineering attacks. A few examples of social engineering:
Phishing. You've all heard this term before and have likely personally seen many examples: emails that look like they are from your bank or a shipping company, or texts that try to get you to click a link. Realistically, the only way to blunt phishing is to have your staff treat every unexpected email and unknown caller as suspicious, and to assume that any communication could be an attacker. Vigilance is necessary but not sufficient, so back it up with mail filtering, multi-factor authentication on email accounts so a phished password alone is not enough, and a standing rule that any request for money or personal data is confirmed by phone using a number you already have, never one taken from the email.
Spear phishing. We've seen a few examples of this in the news lately. As an example, an attacker does a little reconnaissance work and sends an email posing as the CEO asking a bookkeeper for all staff Social Insurance Numbers (SINs). The bookkeeper assumes the request is legitimate and sends the information to the attacker. The reconnaissance often comes from an earlier successful phishing attack (a compromised mailbox lets the attacker read real conversations and copy the CEO's writing style), but a convincing one can be built from the company website and LinkedIn alone. If you have an untrained person with access to sensitive information, they may be duped into sharing it.
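The CEO-to-bookkeeper email above has a signature that can be checked mechanically: the display name belongs to an executive, but the address behind it, or the Reply-To that answers actually go to, is not on the company's own domain. The following is an added example, not code from the original post or from TUCU; the executive names, domains, keywords and sample messages are constructed for illustration, and it runs over those samples offline.

```powershell
# Added example, not from the original post. Flags the "CEO asks the bookkeeper" pattern:
# the From display name matches a known executive, but the sender address (or the Reply-To)
# is not on one of the company's own domains. All names, domains and messages are constructed.

$Executives  = @('Jane Doe', 'John Roe')           # people most likely to be impersonated
$OwnDomains  = @('example.com', 'example.ca')      # the only domains these people legitimately mail from
$UrgentWords = @('urgent', 'immediately', 'SIN', 'wire', 'gift card')

function Test-ExecutiveImpersonation {
    param(
        [Parameter(Mandatory)][string]$From,   # raw From header, e.g. 'Jane Doe <jane.doe@example.com>'
        [string]$ReplyTo = '',                 # raw Reply-To header, if any
        [string]$Subject = ''
    )

    # Split "Display Name <user@domain>" into its parts; a bare address has no display name.
    if ($From -match '^\s*"?(?<name>[^"<]*?)"?\s*<(?<addr>[^>]+)>\s*$') {
        $name = $Matches['name'].Trim()
        $addr = $Matches['addr']
    }
    else {
        $name = ''
        $addr = $From.Trim()
    }
    $fromDomain = ($addr -split '@')[-1].ToLowerInvariant()

    # Reply-To is where the bookkeeper's answer really goes; attackers set it to hijack the
    # thread even when the From address has been spoofed to look internal.
    $replyDomain = if ($ReplyTo -match '@(?<d>[^>\s]+)') { $Matches['d'].ToLowerInvariant() } else { $fromDomain }

    $reasons = @()
    if ($Executives -contains $name -and $OwnDomains -notcontains $fromDomain) {
        $reasons += "display name '$name' but external sender domain '$fromDomain'"
    }
    if ($Executives -contains $name -and $OwnDomains -notcontains $replyDomain) {
        $reasons += "reply-to goes to external domain '$replyDomain'"
    }
    # Urgency and payload words on their own are not proof; they only strengthen an existing hit.
    $urgent = $UrgentWords | Where-Object { $Subject -match [regex]::Escape($_) }
    if ($reasons.Count -gt 0 -and $urgent) {
        $reasons += "urgency/payload keywords: $($urgent -join ', ')"
    }

    [pscustomobject]@{
        From       = $From
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample messages: one legitimate, two impersonations, one unrelated vendor mail.
$Samples = @(
    @{ From = 'Jane Doe <jane.doe@example.com>';   Subject = 'Q3 budget review' },
    @{ From = 'Jane Doe <jane.doe.ceo@gmail.com>'; Subject = 'URGENT: need all staff SIN numbers today' },
    @{ From = 'Jane Doe <jane.doe@example.com>';   ReplyTo = 'jdoe@examp1e-mail.com'; Subject = 'Wire transfer approval' },
    @{ From = 'billing@vendor.example.net';        Subject = 'Invoice attached' }
)

$Results = foreach ($s in $Samples) { Test-ExecutiveImpersonation @s }
$Results | Format-Table -AutoSize
```

The first and last samples come back clean; the second is flagged for an external sender domain and the third for an external Reply-To, with the urgency keywords listed as supporting evidence. The same check, fed from a mail filter's transport rule or a mailbox export, is how many mail systems implement "display name impersonation" protection.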
User education includes regular review of the IT policies in place and regular review of common phishing and spear phishing attacks. You can cover these topics at monthly team meetings or post notices to the communications board in your staff break room.
A laptop left in a cab.
An employee signing into work email on a public computer and forgetting to sign out.
A cell phone left at a restaurant.
41% of data exposure is a result of loss or theft as innocent as the scenarios above. All the scary things you hear about concerning big hacks only make up 25% of data breaches.
Proper mobile device management can greatly reduce loss- and theft-related data breaches. Tools like "remote wipe" for all devices that connect to the company's mail server help you protect company data if devices are lost or stolen, or when an employee leaves. Remote wipe only works once the device comes back online, though, so it complements rather than replaces a screen lock and encryption on the device itself.
The aforementioned encryption, especially when applied to laptops and USB sticks, will protect you from almost all losses of equipment. Which brings us back to the Windows AD server. It is through AD Group Policy that encryption is enforced on the equipment you intend to run it on, and AD is also where the recovery keys can be stored so that a forgotten password does not become lost data. While you can enable encryption on the devices individually, without enforcement there is nothing stopping a user from disabling it if they find it irksome or think it slows down their workflow. And this is why we say that without Active Directory, your network is not being secured in any way you can enforce or verify.
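The enforcement point made here, and the disk-in-a-taxi scenario in the encryption section above, both come down to one question an administrator should be able to answer for every machine: is the drive actually protected, is there a recovery key somewhere IT can reach, and is the setting coming from policy rather than from the user's good intentions? The following PowerShell report is an added example, not code from the original post or from TUCU. It assumes Windows 10/11 Pro or Enterprise (or Windows Server) with the built-in BitLocker module and an elevated prompt; the registry path used is the standard location BitLocker Group Policy settings are written to when a GPO applies.

```powershell
# Added example, not from the original post. Lists the BitLocker state of every volume
# Windows reports, whether a recovery password exists for it, and whether BitLocker
# settings are currently being delivered by Group Policy. Assumes the built-in BitLocker
# module (Windows 10/11 Pro/Enterprise or Windows Server) and an elevated PowerShell prompt.

function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param()

    # BitLocker Group Policy settings are written here when a GPO applies them; if the key
    # is absent, any encryption on this machine was switched on by hand and can be switched off.
    $policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $policyApplied = Test-Path $policyKey

    foreach ($vol in Get-BitLockerVolume) {
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data (removable media show as Data)
            ProtectionStatus = $vol.ProtectionStatus    # On = keys sealed; Off = readable if the disk is moved to another PC
            VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            EncryptionPct    = $vol.EncryptionPercentage
            RecoveryKeys     = $recovery.Count
            PolicyEnforced   = $policyApplied
            Compliant        = ($vol.ProtectionStatus -eq 'On' -and
                                $vol.VolumeStatus -eq 'FullyEncrypted' -and
                                $recovery.Count -gt 0)
        }
    }
}

# Anything listed here would be readable if the drive were pulled and mounted elsewhere,
# or could not be unlocked by IT if the user forgot their PIN or the TPM was reset.
Get-BitLockerComplianceReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# To escrow a volume's recovery password in AD so a lost password does not become lost data
# (requires the BitLocker AD schema extensions and the matching "store recovery information
# in AD DS" Group Policy setting):
#   $id = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#         Where-Object KeyProtectorType -eq 'RecoveryPassword' |
#         Select-Object -First 1 -ExpandProperty KeyProtectorId
#   Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $id
```

Run it on a machine where a user has quietly turned BitLocker off and the volume shows ProtectionStatus Off with PolicyEnforced False, which is exactly the state the paragraph above warns about. Run it on a domain-joined machine with the BitLocker GPO applied and PolicyEnforced comes back True; a user who disables protection there will have it re-applied at the next policy refresh, and `gpresult /r` shows which GPO is doing it.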
Certainly, this is an investment for your small business. Most small businesses spend just under 7% of their revenue on IT. Initial expenditures may be a little higher. If you find yourself spending far less, you may want to consider the benefits of IT security improvements. If you want to be a bigger business tomorrow, it is better to implement security today, not after you "need" it.
It is wiser, safer, less costly to implement and a "cleaner" implementation when you start with good security. However, it's never too late to make improvements. Not only does adequate network security protect your data, intellectual property, and reputation by limiting loss events, it can help you win business from larger vendors. Many of them will have their own infosec minimum requirements and require you to be compliant in order to do business with them. They don't have to wait on you to catch up. They can simply move on to a competitor who has prioritized network security from the start, and is ready to do business.
When addressing your network security keep these 3 tenets in mind, and you will be far ahead of most small businesses.
Network Setup, Security & Management in Toronto
Whether you are starting right or catching up, we can help you work more securely. We are TUCU – a Toronto IT Support company since 2003. We offer network setup services and network security audits in Toronto. Let us help you assess your needs and provide or implement recommendations. Call us today at (416) 292-3300 to learn more.