Network security can be complex and confusing, but it’s essential that small businesses get it right. This guide explains basic network security measures and how to implement them on your company’s network.
Network security is analogous to home security: You are fortifying and controlling access to where your business’s data lives. Network security is nothing more than the ability to prevent (and react to) unauthorized access to, and abuse of, your computer network. This simple definition encompasses a range of possible scenarios, from controlling the spread of malware to identifying intruders and tracking their activities on your internal network.
Many small businesses don’t have the time or resources to invest in IT security, which is why cyber-criminals love to attack them. The cost of being unprepared is enormous. According to a Better Business Bureau survey, nearly half of all North American small and medium-sized businesses said they would not remain profitable longer than a month if crucial data were stolen or deleted in a data breach.
Fortunately, there are steps you can take to improve your network security dramatically. Unfortunately, network security is a task that never ends. As new technologies and threats develop, you must continually revisit the protective measures you are taking to make sure they are adequate. In some cases, it might be necessary to work with a trusted IT security vendor.
This guide covers the basics of network security — and what measures you should put in place immediately if you haven’t already.
What is network security?
Your network encompasses any computers, laptops, workstations, servers, tablets, smartphones, or other devices and all of their connections, either to each other over a local area network or to the Internet. Network security simply means having the technological solutions, documentation, and processes in place that allow you to control the access to your network and the flow of data over it.
While networks can vary in size and complexity, from the massive infrastructures maintained by multinational corporations down to the single computer and credit card scanning app used at a flea market, the same underlying security requirements apply. These requirements include installing and using technological security tools, like firewalls and VPNs, and implementing IT security best practices, like having the proper processes in place to recover from malware or intruders already in your network.
Network security for beginners
Part of network security is making a threat model and being realistic about the threats and risks your company faces. If you are a very small business, or you are not primarily an IT business, it may not make sense for you to create your own internal network. This does not mean you can ignore IT security, but instead, you can rely on privacy-focused services to protect your data. These services, combined with the proper application of IT security practices, can help you keep your business’s data safe without the need to invest in overwhelming amounts of new staff or infrastructure.
Privacy-focused services generally rely on end-to-end encryption (E2EE) to keep information inaccessible except to its owner (and, depending on the service, its intended recipient). These services add an extra layer of strong, expertly implemented encryption around your sensitive data, removing the need for your employees to learn more advanced encryption techniques.
Email is the backbone of many businesses’ internal and external communications. ProtonMail is an E2EE email service that keeps your data private. They even provide a feature that allows you to send encrypted emails to non-ProtonMail users, keeping your correspondence private.
Keeping your data secure while it is stored and in transit is a major task. Tresorit is an E2EE cloud-based storage service. Your data is encrypted before it leaves your device, and remains encrypted on the Tresorit cloud. Only you and anyone you permit will be able to access your stored files.
A VPN encrypts your Internet traffic before it leaves your device meaning no one, not your Internet service provider (ISP) nor any malicious actors, can monitor your online activity. This lends an extra layer of security to the business you conduct online, be it making payments or accessing files. VPNs also give your employees a way to securely use public WiFi, which is essential as more and more employees work remotely. However, be sure to use a trusted VPN, like ProtonVPN. A VPN essentially becomes your ISP, meaning that if they are malicious, they can monitor all of your online activity.
Take control of your network
The next step in creating a secure network is network access control. This means having a comprehensive overview of all the devices that have access to your business’s network and its data. Network security is only as strong as the weakest link of the chain, and each of these devices represents a potential weak point that needs to be secured. All devices on your network, including smartphones, should have a firewall and full disk encryption enabled. The default password for all network devices should be changed.
Each of these devices is also used by an employee (or at least until the robots replace us all). Your staff is the single largest factor in your network security plan. Even if a computer is protected by a proper firewall and other fancy network protections, it can still compromise your network if the employee using it does not follow IT security best practices. Something as simple as an employee leaving their computer unlocked while they go to grab a coffee undermines your overall security. You need to cultivate a culture of IT security awareness at your company.
You should also restrict both electronic and physical access to your network. No employee should have access to portions of data that are not essential to their day-to-day tasks, and only pre-approved employees should be able to download or install new programs on their device. Sensitive network devices should be physically secured from unauthorized access. By limiting access, you can narrow down the potential weak points that could lead to a data breach.
More advanced network security
Nearly every business needs Internet access to handle day-to-day tasks. To be secure, you need to have your own, dedicated WiFi router. All WiFi routers sold since 2006 use the WiFi Protected Access 2 protocol, which is currently the most secure. If you are concerned, check your wireless card or device for a “Wi-Fi CERTIFIED” label to see if it uses WPA2.
The next step is to make sure you use the Enterprise mode of WPA2—also known as 802.11i. This is more complex to set up than a standard WiFi network, but it offers several important security advantages, the most important of which are the elimination of shared passwords and WiFi snooping.
Personal WiFi networks generally have one password. If multiple people want to log in to that network, they all use the same password. As we have discussed in previous posts, a password should be unique to a single user and a single account. Organizations using Enterprise-level WiFi security eliminate global shared passwords to the network. The Enterprise mode of WPA2 allows each user to create their own individual password and thus allows flexibility and centralized governance for domain accounts. Now, if an employee loses a device or leaves the company, you can change their password or delete their account without affecting the rest of your employees’ accounts.
It also prevents employees from sniffing all the traffic of other users on the network. With personal WiFi, if an intruder is able to connect to your WiFi network surreptitiously, they can passively monitor everyone’s online activity and possibly intercept login credentials that are entered on unencrypted sites. But with Enterprise mode, no user can snoop on the online activities of another employee, reducing the information a malicious actor could collect.
Set up a network firewall
A firewall filters the data of your network or device and only allows permitted traffic through. If your corporate network is connected to the Internet, a perimeter firewall will prevent bad actors from accessing your network by blocking traffic that doesn’t meet a predetermined set of criteria. More advanced firewalls can even be configured to recognize attachments, filter URLs, and monitor DNS queries, allowing your company to prevent high-risk behavior. Setting up a firewall correctly will likely require the assistance of a trained IT professional.
It is also necessary to understand what firewalls cannot do. Just like malicious actors, they cannot recognize or decrypt encrypted traffic. Most firewalls cannot read traffic that is protected by SSL or TLS encryption. Second, and perhaps more apparent, a firewall only protects the network or device it is enabled for. The firewall you set up for your company’s network will not protect your employees that are working remotely. Host-based firewalls (firewalls installed directly on a device) will protect end-users even outside the corporate network and are another defensive measure companies should take. A properly configured firewall is your network’s first line of defense.
Segment your network
Segmenting your network is the best way to prevent a full system failure from occurring if a malicious actor or malware makes it past your firewall. If your network is segmented, even if one server is compromised, the malware can be contained and the rest of your network can continue functioning.
Segmenting a network is a long, complicated process and it can take many different forms, from software-defined segmentation that divides and classifies different types of network traffic, to setting up separate physical networks for specific purposes. This process will need to be led by an IT security professional, but no matter how you decide to segment your network, there are some key steps your company should take.
Your employees’ devices should not have their own, public IP addresses. Network address translation (NAT) allows several computers on the same network to share one public IP address at the same time. If your company employs a dynamic NAT, you add another layer of protection between your internal network and the Internet, as the NAT will only allow connections that devices on your network initiate. No outside actor can latch onto an employee’s device’s IP address and use it to compromise the device.
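To make the "only connections initiated from inside" property concrete, here is an added example (not code from the original post) modelling a dynamic NAT translation table: an outbound packet allocates a public port and records the flow, a reply from the same remote endpoint is translated back, and any inbound packet with no matching entry is dropped. The public address, port range and all endpoints are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of a dynamic (stateful) NAT, not a real implementation:
# internal hosts share one public address, an outbound packet creates a
# translation entry, and inbound packets are forwarded only if they match one.
PUBLIC_IP = "203.0.113.10"  # assumed public address (RFC 5737 documentation range)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class DynamicNAT:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000  # first public port handed out for translations
    # public_port -> (internal_ip, internal_port, remote_ip, remote_port)
    table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)
    # (internal_ip, internal_port, remote_ip, remote_port) -> public_port
    reverse: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an internal -> Internet packet, creating a mapping if needed."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:  # first packet of this flow: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet -> internal packet; None means it is dropped."""
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or entry is None:
            return None  # no internal host ever initiated this flow
        int_ip, int_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # a different remote host cannot reuse the mapping
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)
```

A real NAT also expires idle entries and tracks protocol state (for example TCP handshakes), which this model leaves out.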
Next, you should maintain separate WiFi networks for your employees and guests. Even with WPA2 Enterprise, allowing unknown, unsecured devices onto your WiFi is a good way to introduce malware into your network. It also prevents guests from accessing other corporate WiFi-connected devices, like printers. Finally, it gives you a greater measure of control over your guests’ WiFi without affecting your employees’ WiFi.
The third way you should segment your network is to make sure that your employees’ devices and your corporate servers are connected to different virtual local area networks (VLANs). A VLAN is an example of software-defined network segmentation. It partitions and isolates parts of a single physical network so that network applications can be kept apart. Keeping the servers that contain your data on a separate VLAN from your employees’ devices prevents a compromised device (or an employee not following IT security protocols) from putting your data at risk. It also gives network supervisors more control over who can access the servers and under what circumstances.
In summary, the decision of how to segment your network should be based on the sensitivity of the data being handled and where the traffic is initiated from. A server that is accessible from the Internet should not be located on the same network as a server containing sensitive data. It’s always important to think of what the ramifications would be if a server is compromised. With proper segmentation, even if a malicious actor gains control of one server, the other servers, and especially the servers holding sensitive data, should remain secure.
Use a corporate VPN
A firewall will protect your network, but today, more and more employees are working remotely. You need to find a way for them to securely access your corporate data so that they can do their jobs. This is different from a VPN service that will encrypt your Internet connection. While it will use the same type of protocols (OpenVPN or IKEv2), a corporate VPN creates an encrypted connection over the Internet to your company’s corporate server, letting your employees safely download and transmit files without any fear of malicious actors intercepting or manipulating your data.
Monitor your network
Keeping logs of your network activity is often legally required and can be vital to discovering and reacting to a data breach. Some of the most important records to keep are Dynamic Host Configuration Protocol (DHCP) logs, DNS logs, VPN logs, and SSH logs, among others.
DHCP is the protocol used to manage the distribution of IP addresses within a network. These logs can be an invaluable diagnostic tool in the hands of an expert. They provide a wealth of information regarding your DHCP servers’ functionality and how access is distributed on your network.
Setting up a remote syslog service for your servers and network equipment can make monitoring your network much simpler. These services can consolidate all your records into one place, making them easier to search through. They also allow you to monitor all your logs in real time from one central location.
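As an added example (not code from the original post) of how the DHCP logs described above support the device inventory and segmentation advice earlier on the page, the following script parses ISC dhcpd-style DHCPACK lines and flags two conditions: a lease granted to a MAC address that is not in the inventory (an unknown device joined the network), and a known device obtaining a lease on a segment it is not allowed on (for example an employee laptop on the server VLAN). The log lines, the inventory and the interface names are all constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample log lines in ISC dhcpd / syslog style (not real data).
SAMPLE_LOG = """\
Mar  3 09:14:21 gateway dhcpd[1234]: DHCPACK on 192.168.10.50 to 00:11:22:33:44:55 (alice-laptop) via eth1
Mar  3 09:15:02 gateway dhcpd[1234]: DHCPACK on 192.168.10.51 to 00:11:22:33:44:66 (bob-phone) via eth1
Mar  3 09:17:45 gateway dhcpd[1234]: DHCPACK on 192.168.10.88 to de:ad:be:ef:00:01 via eth1
Mar  3 09:18:10 gateway dhcpd[1234]: DHCPREQUEST for 192.168.10.50 from 00:11:22:33:44:55 (alice-laptop) via eth1
Mar  3 09:20:33 gateway dhcpd[1234]: DHCPACK on 192.168.20.10 to 00:11:22:33:44:55 (alice-laptop) via eth2
"""

# Assumed device inventory: MAC -> (owner, interface/segment the device may use).
# eth1 is the employee VLAN and eth2 the server VLAN in this constructed setup.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:55": ("alice", "eth1"),
    "00:11:22:33:44:66": ("bob", "eth1"),
}

# Only completed leases (DHCPACK) matter; the hostname in parentheses is optional.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    kind: str   # "unknown-device" or "wrong-segment"
    mac: str
    ip: str
    iface: str


def audit_dhcp(log_text: str, inventory: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Flag leases handed to unknown MACs, or to known MACs on an unexpected segment."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = m["mac"].lower()
        if mac not in inventory:
            findings.append(Finding("unknown-device", mac, m["ip"], m["iface"]))
        elif inventory[mac][1] != m["iface"]:
            findings.append(Finding("wrong-segment", mac, m["ip"], m["iface"]))
    return findings
```

Run against the sample, it reports the unknown device at 192.168.10.88 and alice-laptop appearing on the server segment; the same function can be pointed at the consolidated syslog feed instead of the embedded sample.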
This list should help you take control of your network and secure your business’s data. However, it should be viewed as the start of a long, ongoing process to maintain network security. Implementing portions of this list may require the assistance of trained professionals, but this does not mean it is a task that can wait. Poor network security puts your data, your users, and your business at risk.
By training your staff on IT security best practices and installing the necessary technological solutions, you can avoid a catastrophic data breach.
The ProtonMail Team
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.