Network Security & Your Business
Every organization that has computers on the Internet needs to be concerned with network security. Neglecting it will lead, sooner or later, to malware infections or data breaches. Security involves many factors, including hardware, software, and people. Understanding its basics is the first step toward having safer data. Through this guide, we will walk you through everything you need to know about network security and provide you with tips for creating a plan for securing your network.
What is Network Security?
The Local Net and the Internet
The traditional view of a local network is a set of machines connected to the Internet through a router. Today's situation is more complex. Wireless access points, cloud services, and mobile devices are often part of a network's perimeter. The boundary is less clearly marked, and there are more points of entry. Any device that can be reached from the Internet needs to be protected.
A business's network may not all be in one place; it could be a wide-area network (WAN) rather than a local one. The facilities that make up the WAN may be connected over the Internet using secure protocols, or over dedicated lines or microwave links. Simply defining the extent of the network is often a challenging task.
As the Internet has grown, the range of dangers on it has kept pace with or exceeded its growth. The term "hacker" has the wrong connotation for the modern cybercriminal. The brute-force methods of the past are still in wide use, but the most dangerous attackers use finesse and subtlety. They know how to fool people and how to take advantage of hidden weaknesses in software.
A report by McAfee estimates the global cost of cybercrime at $600 billion. It reports that a major Internet service provider saw 80 billion malicious scans per day. Every network, large or small, is at risk. The largest breaches dominate the headlines, but a comparatively minor ransomware attack or theft of records can be devastating to a smaller business.
Risk assessments quantify and prioritize the dangers. A network may have many vulnerabilities, but the focus must be on the ones that are most easily exploited or would have the worst consequences. Some risks apply only to situations that will never occur in normal business practice. Others open a path for outsiders to obtain critical information. The most severe risks need to be addressed first.
Human error is one of the most prevalent risk factors. Anyone can occasionally be fooled by a well-crafted message or hastily click on a malicious link. The extent of the risk depends on how much damage the user can inadvertently do.
Setting Security Policies and Procedures
A good set of security policies will minimize risks. Policies need to cover the configuration of the network, the management of machines and software, and the actions users can take.
At the network level, every point of access needs protection. Servers that perform critical functions need the highest level of protection, and access to them must be strictly limited. A firewall that restricts incoming traffic is a necessity, and any machine with a direct Internet connection needs close watching. Network monitoring helps detect activity by infected machines before it spreads.
Each device in the network requires its own protection. Anti-malware software will prevent many types of attacks from succeeding. Keeping software up to date will fix known vulnerabilities. Mobile devices are a special concern since they spend a large part of their time connected to networks beyond the organization's control.
A "bring your own device" (BYOD) policy is convenient for employees who are comfortable using their own phones, but it must be carefully managed to minimize the risk. Business data storage should be segregated from personal data, and the devices ought to be individually approved to make sure they have adequate protection. Any unrecognized wireless device should not be allowed on the local network.
The actions that people may take are the least predictable aspect of network management. However, two security policy elements will significantly lower their risk.
The first is training. People may not naturally understand what actions are risky and why. Regular training sessions will help them to develop habits that will keep them clear of most mistakes. Exercises, such as sending them test phishing messages, will reinforce those habits with practice and feedback.
The second way of lowering risk is to limit user privileges. Users should have the power to perform only the actions which they need to do. If they are unable to do something, malware which takes over their accounts will also be unable to do it. Users who occasionally need administrative privileges should use a special account for that purpose and stay logged in no longer than necessary.
Building a Secure Network
You may have heard the terms WAN and VPN without being sure what they mean. Wide area networking is the technology companies use to connect locations that are geographically separated, typically to share data or voice traffic between them. The separation could be a short distance across a busy road or railroad tracks, or it could be another country. Two conditions usually drive the choice: it is impractical to lay fiber or Ethernet between the locations, and high-speed Internet access is available at both. The same technology can also let an individual user with Internet access connect back to the corporate network securely.
Ransomware & Security
With the rise in ransomware that we are all seeing, securing your network has never been more important, and how the sites of a wide area network (WAN) are connected is part of that security. There are two primary ways to set up a WAN. The most private option is a "dedicated circuit" or "leased line." Your telco and ISP provide this solution and typically manage the circuit between the locations, so when you have a problem you only need to make one phone call. The connection is up all the time and tends to be the "cleanest." By clean I mean the opposite of the experience we have all had on a cell phone call where one party is in an area with poor signal: words get clipped or arrive in bursts, which tells you the connection is experiencing delays and its Quality of Service (QoS) is poor. Dedicated circuits are usually more expensive, but if QoS and consistent reliability matter, this is probably your best option. Note that a leased line is private because your traffic does not traverse the public Internet, not because it is encrypted; sensitive traffic should still be encrypted end to end.
Virtual Private Network (VPN)
The next option is a VPN, or Virtual Private Network. A site-to-site VPN is usually created between two or more firewalls. The connection runs across the public Internet, so it is virtually private rather than truly private like a dedicated circuit. The firewalls are set up to talk only to one another and authenticate each other with a shared secret such as a pre-shared key, or with certificates. Traffic they pass back and forth is encrypted so that no one else can read it, creating a virtual tunnel between the locations that, like the dedicated circuit above, stays up all the time. Because the VPN rides on ordinary Internet connections, you normally have more bandwidth between the sites: a dedicated connection might be 50 Mbps where a VPN over the Internet could be 200 Mbps or even 1 Gbps. Quality of Service over the public Internet is usually lower, but the extra bandwidth may make up for it, depending on your purpose for the connection.
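To show what "authenticate with a shared secret, then encrypt" means in practice, here is an added Python model of a site-to-site tunnel between two firewalls. It is illustrative code written for this page, not the guide's or any vendor's implementation: real VPNs use standardized protocols such as IPsec/IKE or TLS, and hand-rolled cryptography like this should never be deployed. Both ends hold a pre-shared key (PSK), exchange nonces, derive per-session keys, prove knowledge of the PSK to each other, and then exchange frames that are encrypted and integrity-protected with a sequence number so that tampered or replayed frames are dropped. The peer names, messages and the impostor are all constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts; used for key derivation, proofs and tags."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def keystream(key: bytes, sender: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream: block i = PRF(key, sender, seq, i). Keying on the sender
    and the sequence number means the same keystream is never used twice."""
    out, i = b"", 0
    while len(out) < length:
        out += prf(key, sender, seq.to_bytes(8, "big"), i.to_bytes(4, "big"))
        i += 1
    return out[:length]

class Firewall:
    """One end of the tunnel. Both ends are provisioned with the same pre-shared key."""

    def __init__(self, name: str, psk: bytes):
        self.name, self.psk = name, psk
        self.nonce = secrets.token_bytes(16)   # fresh per session, so keys differ every time
        self.peer_name = None
        self.send_seq, self.last_recv_seq = 0, -1

    def hello(self) -> dict:
        return {"name": self.name, "nonce": self.nonce}

    def derive(self, peer_hello: dict) -> dict:
        """Derive session keys from the PSK and both nonces; return a proof of PSK knowledge."""
        self.peer_name = peer_hello["name"]
        nonces = b"".join(sorted([self.nonce, peer_hello["nonce"]]))
        self.auth_key = prf(self.psk, b"auth", nonces)
        self.enc_key = prf(self.psk, b"enc", nonces)
        self.mac_key = prf(self.psk, b"mac", nonces)
        return {"name": self.name, "proof": prf(self.auth_key, self.name.encode(), peer_hello["nonce"])}

    def verify_peer(self, peer_proof: dict) -> bool:
        """A peer without the PSK cannot produce a valid proof over our nonce."""
        expected = prf(self.auth_key, peer_proof["name"].encode(), self.nonce)
        return hmac.compare_digest(expected, peer_proof["proof"])

    def send(self, plaintext: bytes) -> dict:
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        ks = keystream(self.enc_key, self.name.encode(), seq, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        tag = prf(self.mac_key, self.name.encode(), seq.to_bytes(8, "big"), ct)
        return {"seq": seq, "ct": ct, "tag": tag}

    def receive(self, frame: dict) -> Optional[bytes]:
        """Reject forged, modified or replayed frames before decrypting anything."""
        sender = self.peer_name.encode()
        tag = prf(self.mac_key, sender, frame["seq"].to_bytes(8, "big"), frame["ct"])
        if not hmac.compare_digest(tag, frame["tag"]):
            return None                          # forged or tampered
        if frame["seq"] <= self.last_recv_seq:
            return None                          # replayed
        self.last_recv_seq = frame["seq"]
        ks = keystream(self.enc_key, sender, frame["seq"], len(frame["ct"]))
        return bytes(a ^ b for a, b in zip(frame["ct"], ks))

def demo() -> dict:
    """Constructed run: HQ and branch firewalls share a PSK; an impostor does not."""
    psk = secrets.token_bytes(32)                # provisioned out of band on both firewalls
    hq, branch = Firewall("hq", psk), Firewall("branch", psk)
    hq_proof = hq.derive(branch.hello())
    branch_proof = branch.derive(hq.hello())
    mutual = hq.verify_peer(branch_proof) and branch.verify_peer(hq_proof)

    frame = hq.send(b"payroll export: 42 rows")
    delivered = branch.receive(frame)
    replayed = branch.receive(frame)             # the same frame a second time
    frame2 = hq.send(b"second message")
    tampered = dict(frame2, ct=bytes([frame2["ct"][0] ^ 1]) + frame2["ct"][1:])
    tamper_result = branch.receive(tampered)
    second = branch.receive(frame2)              # the untouched frame still gets through

    impostor = Firewall("branch", b"guessed key")   # claims to be the branch, lacks the PSK
    probe = Firewall("hq", psk)
    impostor_proof = impostor.derive(probe.hello())
    probe.derive(impostor.hello())
    return {
        "mutual_auth": mutual,
        "on_the_wire_readable": frame["ct"] == b"payroll export: 42 rows",
        "delivered": delivered,
        "replay_rejected": replayed is None,
        "tamper_rejected": tamper_result is None,
        "second": second,
        "impostor_rejected": not probe.verify_peer(impostor_proof),
    }

if __name__ == "__main__":
    print(demo())
```

The order of checks in `receive` matters: the integrity tag is verified before the sequence number is consumed, so a tampered copy of a frame cannot be used to block the genuine one, and nothing is decrypted until both checks pass.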
Sometimes you need to connect a remote user to your network, and for that we would suggest an SSL-VPN. Its advantage is that the user reaches the VPN through a web browser. When an SSL-VPN is set up you assign it a URL, for example www.ABCremote.com, and the remote user connects to that URL in the browser. The SSL-VPN client software is installed onto the connecting machine as part of that first connection, and the user logs in with the same username and password used in the office. Because that login page is reachable from anywhere on the Internet, it deserves your strongest password policy and a second authentication factor if the product supports one.
In the age of digital transformation, every business is entrusted with sensitive information from customers, suppliers, and associates. No business is too small to attract the attention of the ever-expanding world of 21st Century cyber-crime.
Whether we call them hackers, the dark web, or malicious actors, the risk of data breaches and network intrusion by any name is usually summed up by the professionals in the network security field as "not a question of if an attack will occur, but when." With that sobering warning in mind, we will review the essential tools and practices which can prevent and deter security breaches at your business.
Antivirus software provides protection by scanning computer files and memory to detect patterns or "signatures" that indicate the presence of known malware programs. The keys to optimized antivirus protection are to scan regularly and ensure that the antivirus software is continuously updated. New and updated malware is identified by antivirus providers on a daily basis, and it is essential to keep antivirus definitions current, so the software can effectively detect, block, and cleanse new forms of malware from the system.
Firewalls, Access Controls, and Privileges
Firewalls enforce access control between networks such as an organization's LAN and the risky environment of the public Internet. The firewall functions as the front-door security guard, blocking or permitting traffic and logging what it sees. The firewall protects in three ways:
- It blocks incoming data which could be a cyber-attack.
- It uses NAT (Network Address Translation) to hide the structure of the internal network. Outgoing traffic appears to originate from the firewall's public address rather than from the actual internal address, so outsiders cannot address internal machines directly or learn how the LAN is laid out. The firewall's own public IP address is necessarily visible, which is why the services it exposes must be kept to a minimum.
- It limits Internet use or access to remote sites by screening outgoing traffic.
Firewalls not only block attacks; they can alert network administrators when an attack is detected and log the source address the traffic arrived from, which is the starting point for any investigation. The usual best practice for firewall setup is to deny all incoming traffic by default, and then open specific incoming ports only as required for operations, each restricted to the narrowest set of sources that needs it.
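As an added illustration (not from the original guide), the following Python models the default-deny practice just described: inbound packets are matched against an ordered rule list, anything no rule mentions is denied, and an audit pass flags allow rules that expose administrative services to the whole Internet. The rule set, the list of administrative ports and the branch-office network 203.0.113.0/24 (a documentation address range) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Services that should never be reachable from the whole Internet (assumed list)
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 445: "smb", 3306: "mysql", 5432: "postgres"}

@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # permitted source network in CIDR notation
    dports: tuple    # destination ports; () means any port
    comment: str = ""

def matches(rule: Rule, proto: str, src_ip: str, dport: int) -> bool:
    if rule.proto not in ("any", proto):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    return not rule.dports or dport in rule.dports

def decide(rules: list, proto: str, src_ip: str, dport: int, default: str = "deny") -> str:
    """First matching rule wins; traffic no rule mentions falls to the default policy."""
    for rule in rules:
        if matches(rule, proto, src_ip, dport):
            return rule.action
    return default

def audit(rules: list, default: str = "deny") -> list:
    """Flag a permissive default and allow rules that open admin services to everyone."""
    findings = []
    if default != "deny":
        findings.append("default policy is not deny: unmatched traffic is let in")
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        whole_internet = ipaddress.ip_network(rule.src, strict=False).prefixlen == 0
        if not whole_internet:
            continue
        if not rule.dports:
            findings.append(f"rule {i} ({rule.comment}): every port open to the whole Internet")
        for port in rule.dports:
            if port in ADMIN_PORTS:
                findings.append(f"rule {i} ({rule.comment}): {ADMIN_PORTS[port]} on port {port} "
                                "open to the whole Internet")
    return findings

# Constructed inbound rule set: a web server for everyone, ssh only from the branch office,
# and a remote-desktop rule that the audit should catch.
INBOUND = [
    Rule("allow", "tcp", "0.0.0.0/0", (443,), "public web server"),
    Rule("allow", "tcp", "203.0.113.0/24", (22,), "ssh from the branch office"),
    Rule("allow", "tcp", "0.0.0.0/0", (3389,), "remote desktop for staff"),
]

if __name__ == "__main__":
    print(decide(INBOUND, "tcp", "198.51.100.7", 22))   # stranger probing ssh
    for finding in audit(INBOUND):
        print("FINDING:", finding)
```

The `decide` function is the policy the text recommends: with `default="deny"`, a probe to port 22 from an address outside the branch-office range matches nothing and is dropped, while the same probe from the branch is allowed. The audit is the check to run whenever a rule is added, since the dangerous rule above is the kind that gets added "temporarily" and never removed.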
Patches & Updates
By now it is obvious that updating antivirus and security software is critical, but all software updates can optimize performance as well as security. Patches plug holes and security weaknesses discovered in software and operating systems. Hackers are quick to share this information and black hat coders go to work to exploit these specific vulnerabilities. Updates also remove outdated features, fix bugs, update drivers and add the latest new improvements. The best practice for updates is to install and restart as soon as they are available. Choosing the "Remind me later" option can leave the network door open to known threats.
The most sophisticated firewalls and IDS can all be defeated by a single compromised password. The password is the key that can get a hacker inside the firewall where he can masquerade as a legitimate user and wreak havoc on the network. Any Network Use Policy should include strong passwords as a priority, following the guidelines below:
- 12 characters or longer. The longer, the better.
- Contain a combination of upper and lower case letters.
- Include at least one digit or special character (&, @, punctuation, spaces, etc.).
- Avoid storing passwords in plain text files, spreadsheets, or applications that keep them unprotected.
Using a complete sentence as a passphrase, or easy-to-remember misspellings such as mi55pelling$, makes strong passwords practical to adopt. All personnel should be briefed on phishing scams, which entice users to reveal a password, and on best practices for maintaining password integrity.
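The rules above as a password-policy check, added here as an example and not taken from the guide. The common-password list and the organization names are constructed placeholders (a real deployment would load a large breached-password list), and the 20-character passphrase threshold is an assumption: multi-word sentences that long are accepted on length alone, as the passphrase advice implies. The check also rejects passwords that are a common word dressed up with digits or symbols, which simple character-class rules let through.

```python
import re

# Constructed stand-ins; a real deployment loads a large breached-password list
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
ORG_WORDS = {"acme", "acmecorp"}          # hypothetical company names to reject

MIN_LENGTH = 12                           # the guide's floor
PASSPHRASE_LENGTH = 20                    # assumed: phrases this long skip the class rule

def check_password(candidate: str) -> list:
    """Return the policy violations for a candidate password; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "upper case": re.search(r"[A-Z]", candidate) is not None,
        "lower case": re.search(r"[a-z]", candidate) is not None,
        "digit or symbol": re.search(r"[^A-Za-z]", candidate) is not None,
    }
    # A long sentence gets its strength from length; only shorter secrets need every class.
    if len(candidate) < PASSPHRASE_LENGTH and not all(classes.values()):
        missing = [name for name, present in classes.items() if not present]
        problems.append("missing " + ", ".join(missing))

    lowered = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # "Password123!" still counts as "password"
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("based on a common password")
    for word in ORG_WORDS:
        if word in lowered:
            problems.append(f"contains the organization name '{word}'")
    if re.search(r"(.)\1{3,}", candidate):
        problems.append("has a run of four or more identical characters")
    return problems

if __name__ == "__main__":
    for sample in ["Winter2024", "Password123!", "correct horse battery staple"]:
        print(repr(sample), "->", check_password(sample) or "ok")
```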
Securing a Wireless Network
Wireless connections are convenient, but deploying them carelessly can pose serious security risks. Unless they are well protected, intruders can get into the network without going inside the office or touching the equipment. They can bypass its defenses and steal data or install malware.
Proper wireless management will keep these risks to a minimum. Only authorized people and devices should be able to use your wireless network. To keep the access points safe, you need to set them up correctly and give their use ongoing attention.
Securing the Access Points
The easiest and worst way to set up an access point is to make it public. There is no password, and anyone can get into the network. Worse yet, anyone within range can use some simple equipment to intercept all the data going back and forth. They can read passwords, email, database responses — anything.
Shopping malls and libraries use public access points because they are convenient, but they put them on networks that do nothing but connect through to the Internet. There is nothing to steal. A network that holds business data needs to be more cautious.
Business networks should always use a secure access protocol. Such protocols admit only users who have the password and, equally important, encrypt all traffic, so anyone intercepting the data sees only meaningless bits.
The designers of wireless protocols have created several over the years. The older ones, WEP and the original WPA, have known flaws that severely weaken their security. WPA2 has been around long enough that every device that is not ancient supports it, so there is no excuse for using less; where all of your devices support its successor, WPA3, use that.
Keeping access points updated with the latest firmware is important. A vulnerability in the WPA2 handshake disclosed in 2017, the key reinstallation attack (KRACK), affected a wide range of WPA2 devices. Firmware patches are now available for most of them. Access points that never get updates, though, could be exploited, letting an intruder decode encrypted data.
The password needs to be a strong one. If it is one that's easy to guess, like the company name, the access point will not stay secure for long.
After setting up a secure network, good practices will further help to avoid break-ins. Here are some steps, most of them relatively easy, to take:
Most access points allow administrative access to change their settings. Change the administrative account and password from the default (typically something like "admin" and "111111") to something else. If you have the option, allow access to the account only from the local network.
Set policies on what devices people can use to access the network. A BYOD (bring your own device) policy is convenient for employees, but letting possibly infected phones onto the network is dangerous. Only devices with approved configurations should have access to the network. Mobile device management software is available to enforce policies.
Use an SSID (access point name) that provides no identifying information. There is no point in calling attention to your network. You do not have to be cryptic; something unique and neutral like "WIRELESS7520" will do nicely.
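As an added example (not part of the original guide), here is a Python check that applies the protocol and naming advice above to a Wi-Fi scan. The input format is that of `nmcli -t -f SSID,SECURITY,SIGNAL dev wifi` on Linux; the scan lines, the vendor-name patterns and the organization name "Acme" are constructed for the illustration. It flags open networks, WEP, access points still accepting WPA1 in mixed mode, factory default SSIDs (a hint that the admin password and firmware are defaults too), and SSIDs that reveal whose network it is.

```python
import re

# Messages for protocols that should not appear on a business network (assumed wording)
WEAK_PROTOCOLS = {
    "WEP": "WEP is broken; replace or reconfigure the access point",
    "WPA1": "WPA1 (TKIP) still accepted; configure WPA2-only",
}
# Factory SSIDs of consumer gear (constructed list of vendor prefixes)
DEFAULT_SSID = re.compile(r"^(NETGEAR|linksys|dlink|TP-?Link|ASUS)[-_]?\w*$", re.IGNORECASE)

# Constructed scan in the terse nmcli format: SSID:SECURITY:SIGNAL, one network per line
SCAN = """\
AcmeCorp:WPA2:80
AcmeCorp-Guest::62
NETGEAR37:WEP:45
linksys:WPA1 WPA2:50
WIRELESS7520:WPA2 802.1X:77
"""

def parse_nmcli(text: str) -> list:
    """Split terse nmcli lines on unescaped ':'; a ':' inside a field arrives as '\\:'."""
    rows = []
    for line in text.strip().splitlines():
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 3:
            continue
        ssid, security, signal = fields
        rows.append((ssid, security.split(), int(signal)))
    return rows

def audit_scan(text: str, org_names=()) -> dict:
    """Return {ssid: [findings]} for every network with a problem worth fixing."""
    findings = {}
    for ssid, security, _signal in parse_nmcli(text):
        issues = []
        if not security:
            issues.append("open network: anyone in range can read the traffic")
        for proto, message in WEAK_PROTOCOLS.items():
            if proto in security:
                issues.append(message)
        if DEFAULT_SSID.match(ssid):
            issues.append("vendor default SSID: check the admin password and firmware")
        for name in org_names:
            if name.lower() in ssid.lower():
                issues.append(f"SSID reveals the organization name '{name}'")
        if issues:
            findings[ssid] = issues
    return findings

if __name__ == "__main__":
    for ssid, issues in audit_scan(SCAN, org_names=("Acme",)).items():
        print(ssid, "->", "; ".join(issues))
```

In the constructed scan only WIRELESS7520, a WPA2 network with 802.1X authentication and a neutral name, comes through clean; the guest network is flagged both for being open and for carrying the company name.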
If it is feasible, segment the network so that wireless devices do not have access to sensitive data. Usually, there is no need for them to have direct access to databases.
Enable the access point's firewall if it has one, or put a firewall behind the access point. That will make it harder for infected devices or intruders to do damage.
If you can control the signal strength, make it just strong enough to cover the area of legitimate use. The closer the bad guys have to get, the fewer chances they have. This is only mild protection, though, so avoid turning the signal down so much that authorized users have slow connections.
Keep your access points physically secure. Protecting any device against people with hands-on access is hard.
You never know who is lurking outside your office walls. Paying attention to wireless security will make your network safer and prevent costly problems.
Some small businesses operate under the misconception that they are too small to be the target of cyber-attacks. The reality today though, is that cyber-criminals are most likely to target those businesses which they see to be most vulnerable. Cyber-attacks are much more likely to be directed toward the "low hanging fruit" of marginally secure small organizations as opposed to more elaborate attempts at breaching the data fortresses of large corporations with enormous security resources.
It is an accepted fact in the IT field today that the probability of cyber-attacks on any digitally active organization is not a question of "if" but "when." 40% of businesses this year will experience network access by a hacker, and 50% will never even be aware that they have been hacked.
Cyber-attacks are just one form of disaster scenario beyond the control of enterprises. An effective Backup and Data Recovery (BDR) plan protects against data loss in any event, whether from natural disasters such as fire, flood, earthquake, or blizzard as well as data breaches caused by malicious actors or simple human error. There are also the unpredictable risks of hardware failure and power outages, which are among the leading causes of downtime reported by businesses.
Data Loss Expenses and Business Failure Rates
According to the National Archives and Records Administration 90% of companies which experience just one week of data center downtime go out of business within 12 months. Companies lose an average of $84,000 for every hour of downtime after a disaster. Even small data breaches of 100 files or less can cost a company between $18,120 and $35,730 according to a Verizon report at Entrepreneur.com.
An even more sobering statistic reported by the Gartner Group states that 43% of companies were put out of business immediately after a major data loss and another 51% went out of business within two years. That leaves us with a data loss survival rate of just a meager 6%.
The need for effective BDR plans encompasses all enterprises and organizations which rely on secure uncompromised digital data. While the disaster recovery needs naturally vary from business to business, there are elements of BDR which they all have in common.
Key Elements of Backup & Data Recovery
Data backup needs to run consistently so that it is up to date and immediately available in the event of a server crash. Three components make up an ideal data backup:
- Multiple incremental backups throughout the day, ideally near real-time (every 15 minutes or so), so that little work is lost.
- On-premises storage of current data. A second copy stored locally enables quick recovery, especially for large files, which can be slow to pull from an off-site location.
- Off-site backup as insurance against natural disaster. Off-site storage enables bare-metal restoration to get new equipment online after the building has become unavailable because of disaster conditions. Off-site storage should be redundant in two locations: one nearby for quick retrieval and one outside the region for natural disaster protection.
Scalable Pricing allows for vigorous business growth. As your business grows so will the data storage and application demands. A versatile BDR can grow with your business. Not all businesses require the most costly zero downtime BDR solutions, and more affordable BDR plans can be deployed based on, for example, a tolerable 2-hour downtime period.
Data Encryption ensures that data is not readable by anyone on or off site, including staff at the remote storage facility, without the decryption key.
Virtualization software can enable the BDR appliance to function as a standby server in cases where the physical server fails to restore on the device. The virtual image can provide a working server within 60 minutes of notification of the actual server crash while continuing backup of additional servers.
Bare Metal Restore is used to restore new or dissimilar hardware with the latest backup image.
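To make the incremental-backup and verified-restore ideas concrete, here is an added Python example (not part of the guide or of any product it describes) that takes hash-based increments of a directory, stores only the files that changed since the last increment, and rebuilds a chosen point in time while checking every restored file against the recorded manifest. The directory layout, increment labels and sample files are constructed for the illustration; encryption of the backup store is left out.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def file_hash(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its hash."""
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def incremental_backup(source: Path, repo: Path, label: str) -> list:
    """Store only files whose hash changed since the previous increment.
    Every increment keeps a manifest of the full tree, so any one of them can be
    restored without replaying the whole chain. Labels must sort chronologically."""
    repo.mkdir(parents=True, exist_ok=True)
    manifests = sorted(repo.glob("*/manifest.json"))
    previous = json.loads(manifests[-1].read_text()) if manifests else {}
    current = snapshot(source)
    inc_dir = repo / label
    inc_dir.mkdir(parents=True, exist_ok=True)
    changed = []
    for rel, digest in current.items():
        if previous.get(rel) != digest:
            dest = inc_dir / "files" / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source / rel, dest)
            changed.append(rel)
    (inc_dir / "manifest.json").write_text(json.dumps(current, indent=1))
    return changed

def restore(repo: Path, target: Path, label: str) -> bool:
    """Rebuild the tree recorded in `label`'s manifest, taking each file from the most
    recent increment that holds a copy with the right hash, then verify the result."""
    manifest = json.loads((repo / label / "manifest.json").read_text())
    increments = [d for d in sorted(repo.iterdir()) if d.is_dir() and d.name <= label]
    for rel, digest in manifest.items():
        for inc in reversed(increments):
            candidate = inc / "files" / rel
            if candidate.is_file() and file_hash(candidate) == digest:
                dest = target / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(candidate, dest)
                break
        else:
            return False        # no increment holds this file intact: the chain is broken
    return snapshot(target) == manifest

def demo() -> dict:
    """Constructed end-to-end run in a temporary directory: two increments, one restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, repo, out = Path(tmp, "live"), Path(tmp, "backups"), Path(tmp, "restored")
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Alice\n")
        (src / "notes.txt").write_text("first draft\n")
        first = incremental_backup(src, repo, "inc-0001")
        (src / "notes.txt").write_text("second draft\n")   # only this file changes
        second = incremental_backup(src, repo, "inc-0002")
        ok = restore(repo, out, "inc-0002")
        return {"first": first, "second": second, "restore_ok": ok,
                "note": (out / "notes.txt").read_text()}

if __name__ == "__main__":
    print(demo())
```

The hash verification on restore is the part worth copying: a backup that has never been restored and checked is only a hope, and the function returns False rather than silently producing a partial tree when an increment is missing or corrupt.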
Incident Response Plan
If you think your small or medium-size business is safe from a cyberattack, think again. According to the Verizon Data Breach Investigations Report, more than 60% of cybercrime, including ransomware, malware and distributed denial of service (DDoS) attacks, was aimed at small businesses last year, up from 53% in 2016. Those attacks are serious, costing small companies exorbitant amounts of money and potentially putting them out of business. Consider, for example, the following metrics:
- On average, cyberattacks cost small businesses between $84,000 and $148,000.
- Three of every five small businesses which are victims of such an attack go out of business within six months
- Despite these dire numbers, an alarming 90% of small businesses have no data protection plan in place
Why Are Small Businesses at Risk?
You might assume that a small business like yours is relatively safe because you do not have enough money to attract hackers. In fact, hackers do not target businesses based on their size—they target them based on their vulnerability. Most cyberattacks these days are automated, with hackers launching bots that scan the internet to find businesses that don't have adequate security protections in place. That means that your business could be next and that you need a smart plan to manage it if it happens to you.
What Is an Incident Response Plan?
An incident response plan is a strategy to deal with, and in some cases prevent, a cyberattack against your business. The Incident Response Consortium describes such plans as follows:
"An incident response plan gives you the thought-out guidance you need in order to effectively handle a cyber-attack, whether it be malware, ransomware, or a DDoS attack. It'll also help you strategically evaluate which aspects of your business are most at-risk and how you can help mitigate damage after a breach. In the end, a strategic and comprehensive incident response plan can be the difference between a thwarted attacker and a multimillion-dollar loss."
How Can My Business Create an Effective Incident Response Plan?
The operative word here is "effective." It is not enough to have a plan in place; that plan needs to be carefully researched and thoughtfully executed. Every business is different, so the best way to construct a plan for yours will vary, but in general every incident response plan should have the following four elements:
1. Perform an Asset Audit
Your first step is to carefully evaluate which of your assets are most at risk, and which would cause the most financial and reputational damage to your business if they were compromised. This process is sometimes referred to as an "asset audit."
Effectively performing such an audit means assigning specific dollar figures to each asset. With this information in hand, you can better prioritize which assets need the greatest security protections.
2. Determine the Nature of Your Risk
Different companies face different kinds of risks. For example, if you have many employees who use email, your most significant danger might be a phishing attack. On the other hand, if your company performs a great deal of data processing, bugs in the code that handles that data may be the larger exposure.
Unfortunately, the specific nature of your company's risk might not be evident until after an attack has occurred. For this reason, an increasing number of businesses are partnering with IT and cybersecurity experts to help them construct their incident response plans.
3. Construct Your Action Plan
Once you have determined which assets are most critical to your business and the nature of your risk, you need to construct specific policies which mitigate those risks. This detailed action plan is sometimes called a playbook. Your company playbook should include several components, such as policies to prepare, detect, analyze and contain an attack, as well as those which will guide your people through the recovery phase in the event of an attack.
4. Create an Incident Response Team
It is important for everyone at your business to know precisely what his or her role is in preparing for, preventing and responding to a cyberattack. One of the best ways to do this is by creating an incident response team.
Each member of the team needs to know how he or she fits into the incident response plan, and which actions and policies outlined in the playbook are his or her responsibility. Key players on your incident response team typically include the incident response manager, security analysts, and threat researchers.
As cyberattacks against businesses of all sizes become more pervasive, it is important for your business to take the steps necessary to protect sensitive data, including any customer data stored on your system. Although having the latest cybersecurity tools is an important first step, those tools are exponentially more effective when paired with a robust incident response plan.
Security Best Practices
The term "security breach" is often used in news stories, and is something that all businesses -- from the smallest to the largest -- should do their best to avoid. How effective are your network security practices? If you're unsure, here are some questions to ask yourself.
Is my company's data protected from outside threats?
One of the most basic foundations of any network security plan is protecting data from outside threats through a robust combination of virus and spyware protection. However, even strong protection won't stop every attempt to undermine your network security. The ability to detect intrusions that get through is a must-have as well.
What about inside threats?
Not all threats to your network's security come from the outside. Whether it is a disgruntled employee or simply one who does not know better, a company's network is also vulnerable to inside threats unless precautions are taken. Ensuring that employees, vendors, and contractors only have access to the information that they need to do their jobs and limiting access to potentially dangerous content through filtering are two important steps to take when implementing a new security plan or strengthening an existing one.
What about personal devices?
Personal mobile devices are changing the workplace, allowing efficiencies to users like never before. Unfortunately, your company's Wi-Fi is also providing an additional avenue for security breaches. The best network security plans include provisions for the use of mobile devices and implement controls for third-party software, strong authentication and password controls, and secure communications.
How much do my employees understand about network security?
In a perfect world, your employees are valuable members of your network security team. While we don't live in a perfect world, providing your employees with a comprehensive security plan, and the education and resources they need to help keep sensitive data protected from such threats as phishing is possible and highly recommended.
Does my company's security policy comply with regulations and industry standards?
If your company is subject to HIPAA or to PCI DSS (an industry standard rather than a federal regulation, but enforced through your card-processing agreements), there is an even greater need for a strong network security plan. The penalties for failing to meet HIPAA or PCI DSS requirements, or to provide proper documentation, can be severe. Regular risk assessments of your compliance are a necessary part of your security plan.
Is my company's data recoverable?
Is your data backed up regularly? Is there continuous backup of files to prevent the loss of time that occurs due to human errors, such as an accidental overwrite? If there is an equipment failure, do you have the ability to quickly access the data needed to continue doing business? Do you have the ability to bring applications and data back online after a disaster such as a tornado or a fire? If you're using best network security practices, then your answer to all of these questions should be "yes." If not, then your security plan needs to be strengthened.
Do I need help strengthening my company's network security plan?
Effective network security is a many-pronged effort, involving not only your physical equipment and environment, but the security of your data in the cloud, as well.
Questions to Ask a Security Consultant
Perhaps your business has experienced a ransomware or malware attack, or maybe you want to ensure that you do not become the victim of one in the future. Whatever the reason, there might come a time when it becomes necessary for you to beef up your security. The question is, what do you do about it? How do you best ensure that the problem will be resolved, now and in the future?
What Is a Security Consultant?
"Security consultant" is a very broad term, covering professionals who manage a wide spectrum of specialties—everything from employee training to emergency planning, intrusion detection, building design issues, IT security and video surveillance. Some security consultants know a little about many of the areas in which these professionals work, while others are highly specialized. What they all have in common is their sole focus on serving their clients. As Campus Safety explains:
"A security consultant is an individual or group of individuals who have specialized knowledge in some facet of the security industry. A consultant should serve only the interest of his or her client. Persons who work with, for or receive compensation from a vendor, integrator or anyone else who may directly benefit from your project fall into a separate category."
Since security consultants cover so many bases, they serve their clients in different ways, depending on those clients' specific needs. Some, for example, are hired to assess their client's comprehensive IT security needs, while others might help provide recommendations to address a specific issue.
How Can I Hire the Best Security Consultant for My Business and Needs?
Hiring the best security consultant for your business begins by defining the IT (or other) problem you face. Once you've clearly defined the nature of your security challenge and what work you need to be done, you should speak with several candidates and ask each of them these five questions:
1. Can You Give Me a List of References?
For each consultant you interview, it is important to get references. Who have they worked with before? What type of work did they do for them? What were the results?
Of course, it is also necessary to speak with each of those clients to verify the consultants' assertions. However, you should also take it one step further, identifying previous clients who are not listed as references. After all, any consultant could cherry pick only those clients with whom they've had a positive experience. You need to know what clients not listed as references have to say about them.
2. Have You Worked on Projects Similar to Mine?
A consultant might list a particular specialty on his resume (like email migration or disaster recovery) and might even have training in that area—but it's important that he also has experience working a security problem like yours. Ask for a detailed description of work similar to the work you need done. How long did that consultancy last? What was the final cost? Most importantly, what were the results?
3. Who Will Be Working My Project?
If your consultant has a team with whom he works, you need to know who those people are and what experience and strengths they have. You also need to know which of them will be working on your project, and how much of the work each of them will do. Finally, make sure you find out who your principal contact will be. If problems arise during your consultant's work, you need to know whom you can contact, how to contact them, and how quickly they'll get back to you.
4. How Many Other Clients Do You Currently Have?
A solo consultant, or one who works with a relatively small team, can quickly become overwhelmed with too many clients, which could mean unreasonable delays and missed deadlines. Ask each consultant whether he's experienced such delays in the recent past, and, if so, whether any of those work interruptions have resulted in cost overruns. Be sure when you check with previous clients that you verify what the consultant tells you.
5. What Are Your Deliverables?
Don't forget to obtain a clear description of what the security consultant will deliver to you at the completion of the project. If training is involved, will they provide you with a training manual, or will they perform the training themselves? Will they write a report or series of recommendations, and if so, what will be included in the report? This might seem like an unnecessary step, but you don't want to engage a consultant only to discover that you did not get what you expected.
This might at first blush seem like a lot of work and a lot of questions, but it is critically important to do your homework. After all, your company's security matters, and it matters that you get the best possible advice, guidance, and tools to serve both your business and your customers.