Nearly all businesses today use a computer network to standardize processes and improve communication and efficiency. The recent advent of affordable network solutions has been especially helpful for small and medium-size businesses (SMBs). The ability to use a centralized, easily updatable database and to network printers and scanners helps SMBs save time and money by eliminating redundancy. The ability to communicate quickly and easily improves efficiency, which improves the customer experience. Taken together, networks enable SMBs to grow the business to the next level affordably.
However, this interconnectivity can also cause security headaches. The central server and each workstation are all potential entry points for security threats that can then spread through the entire network. Most SMBs do not have an IT department; they have at best one IT person. At worst, the owner becomes the default "IT guy," but the owner may or may not really understand how the network works.
As a result, network security is often a hit-or-miss proposition in SMBs, but it should not be. All networks are subject to the same risks, regardless of size, and protection is vital to ensuring continued functioning of the business.
> Potential Security Risks <
* Viruses/malware
Viruses often arrive in emails, and other malware may hitch a ride on unauthorized software downloaded by an employee. New threats emerge constantly.
* Removable storage devices
An infected flash drive or external hard drive attached to one workstation can infect the entire network.
Any connections outside the network
The biggest threat is, of course, the internet. Within minutes of connecting to the internet a computer has been scanned by a hacker looking for a way in. The hacking risk continues to exist as long as any part of the network is listening for and accepting outside connections.
In addition, employees visiting dangerous websites may inadvertently infect their workstations. One compromised computer leaves the entire network vulnerable.
* Dishonest employees
No manager wants to believe it, but some employees do not have the company's best interests at heart. Be proactive and protect your business.
* Drive failure
Hardware fails. Ensure that a dead drive does not also spell the demise of your business.
> Impact of Security Breeches <
Network downtime, no matter the reason, negatively impacts business. If you are unable to conduct any business at all you lose not only revenue but customer confidence. You risk losing current customers as well as potential new customers.
Protecting client data is not only good business; it's the law. If a business suspects that even one customer's data has been compromised, all customers must be notified. Every time this happens, customer confidence erodes. Once again, you risk losing customers to the competition.
So how do you protect your business and your reputation? Depending on your unique situation, you have a number of options.
> Network Security Solutions <
- General Network Controls -
* Firewall
A good firewall on the central server limits incoming traffic. It blocks hackers and interferes with self-propagating worms. Firewalls can also be set to limit internal traffic. You can control which employees have access to sensitive data, such as human resources or payroll computers.
* Virtual Local Area Networks (VLAN)
Internal traffic can be further separated using VLANs. These allow you to hide sensitive information behind an additional layer of security within the larger network. The company network essentially contains a number of smaller networks. Each VLAN has its own authentication, easily limiting access to these segregated areas.
* Virtual Private Networks (VPN)
If employees absolutely must connect to the network remotely, consider using a VPN. These ensure completely private communication using high-level user authentication. Only employees who truly need this access should have it. You can further restrict access to specific services based on the location of the originating computer. Certain services, such as private customer information, should still be restricted to on-site access.
* Encryption
The ideal situation is encryption of all files stored anywhere on the network. This may not always be feasible or desirable, but at the very least anything transmitted over the network should be encrypted. This includes passwords, file-sharing services and anything else traveling the network. If you are using a VPN, be sure the use the strongest encryption technology.
* Switching
Switching protects the network from "sniffing," in which a workstation has been set up to monitor internal traffic and "sniff out" sensitive data. Most networks transmit data to the whole network, but only the intended recipient(s) can understand it. A sniffer is able to understand this data even if it is not the intended recipient. Switching creates virtual paths that ensure only the intended recipient can see it, rendering the sniffer blind.
* Read-only Access
Most employees do not need to modify the files they use. They should only be granted read-only access. This limits the potential for corruption of critical files.
* Back-up and Disaster Recovery
Even the best security is not foolproof and computers crash (even servers). Perform backups of the entire network on a regular basis. At a minimum, nightly backups will allow you to restore function with minimal loss of time and data. If at all possible, send duplicate backups off-site. This will allow you to recover from physical damage to your business location.
- Individual Workstation Controls -
* Anti-Virus Software
Every workstation should have up-to-date virus software installed. This is true even if you have anti-virus software on your server. The server doesn't see threats that enter an individual workstation from an infected storage device, for example.
This software should be set to scan everything downloaded to the workstation. This includes emails, files saved from the internet and files transferred from removable storage devices.
* Limit Non-essential Services
Each workstation should be evaluated on the basis of the work performed on it. Any service not needed on that station should be turned off. In other words, any workstation that does not require internet access, removable storage or FTP service should not have access to that service.
Any new computer brought into the network should be evaluated prior to connection. Keep in mind that some computers come with certain services turned on by default, for example Windows machines have file-sharing turned on by default. Be sure to consider every service on every workstation. The fewer potential entry points to the network the better.
Even machines that need internet access don't need access to the entire web. Browsers and other security software can be set to block suspicious websites. Ensure that the software regularly updates its list of suspicious sites.
* Control All Workstation Software
Use only software that is fully supported by the manufacturer and keep it updated with the latest patches. Unsupported software cannot be protected against new threats. Set the programs to auto-update or set a convenient schedule to update all computers on the network at the same time.
Allow only authorized software on networked machines. Employees should not be allowed to install software themselves. Limit installation authority to a few people with administrative access.
Do not allow employees to bring personal laptops to attach to the network onsite. You cannot control what software is on these machines nor ensure it is up-to-date.
- User-Level Controls -
No matter how good your security controls, the network is only as secure as the weakest link. That weak link is the user. Firewalls cannot protect from attacks from within the network, which are the ones most likely to be inadvertently launched by employees.
For this reason, all employees who use the network (and these, days that's likely to be everyone) should be educated in the basics of good security. They should feel they are part of the team, keeping the business secure.
* Passwords
Employees should understand strong passwords and the need to change them regularly. Password length and frequency of change can be regulated with software. But other things, like choosing a hard-to-guess password, are the responsibility of the user.
* Emails
Emails are the main ways viruses get onto a system. Although emails should be scanned, it's still possible for new threats to get through. Employees should understand how to spot dangerous links and why they should not open attachments.
> A Few Final Thoughts <
This article has assumed a fully wired network. Wireless networks have become very popular, but they are much more difficult to secure. Radio waves cannot be directed only to individual computers, and radio wave encryption is weak and simple to defeat. Although wireless security is improving, it's still not as strong as a wired network. Unless your business truly needs the mobility, you are better off sticking with a fully wired network.
Not all companies will need the same level of security. Extremely small companies may share responsibilities to the point that all employees need access to everything. A company with very little sensitive information may be able to store it off-network, on a machine with its own limited access. These companies will be less concerned with internal security, but will still need protection from external threats like hackers, viruses and other malware.
Consider scalability when evaluating security solutions. Businesses grow and needs change. The ability to add additional stations and security protocols as needed will be invaluable to keeping your business competitive.
The network really is the backbone of a business these days, so get the best security you can afford. Your reliability and commitment to your customers will be evident, and when your competition's network goes down you will be there, ready to serve.