05 Aug Small Business Guide to Network Security Planning
Businesses rely on their networks for their most critical operations and with so much at risk, especially with the increase in cyberattacks, it’s essential you have a comprehensive plan in place for your protection. In this post, we’ll look at how to create a small businesses network security plan that’s fit for purpose.
Why you need a network security plan
According to Small Business Trends, 43% of all cyberattacks are on small businesses. Of those companies where an attack is successful, 60% go out of business within 6 months. These figures, alone, should be enough to persuade most SMBs to take action. However, if you need more convincing, Small Business UK tells us that, on average, every UK business was targeted 230,000 times during 2016.
Only one of these two hundred and thirty thousand attempts needs to be successful for harm to be done. SMBs need to consider the damage a network security breach can cause – we’re not just talking about a loss in sales, there’s business reputation on the line as well as the potential for lawsuits if personal data is breached.
And not all the threats are external either. Staff are often the cause of problems, unwittingly creating vulnerabilities or, even worse, deliberately sabotaging your network or stealing your data. It happens.
The only way to protect your business is to create a comprehensive plan that secures your entire network.
Before starting to create your plan, you need to be aware that this cannot be a one-person job done in isolation. The strategies brought into force will affect the whole company and so it is important that representatives from across the organisation are asked to contribute. Whilst it is obvious you’ll need to look at technology, you’ll also need to consider staff training, day to day procedures and even the physical security of your network.
One thing you will need to make decisions about, is your acceptable risk policy. The only way to have a 100% risk free network is to have no network at all. Even a network of a single, standalone, offline computer can be at risk if someone plugs in an infected pen drive.
Whatever you do will involve risks, and sometimes you may need to take those risks to operate your business. Once you decide which risks are acceptable (or necessary), you are the then in the position of looking for ways to minimise them.
Network Security Policy Checklist
When you begin to put your network security plan together, you should ensure that it covers every vulnerability or risk that your network faces. Here is a checklist of policies that should be included:
1. Acceptable risk
As mentioned above, the first policy you need is a statement which defines a) what risks you need to take to carry out your business, b) what risks you are prepared to take and c) those risks which you are unwilling to take. What is in this policy will inform many of the others below.
2. Acceptable use
This is a policy that applies to all personnel and which they must read and abide by. It explains what employees can and cannot do on the business network. For example, many companies forbid employees to log in to personal email accounts in case they open infected emails. Others ban the use of personal external drives.
Besides personal emails, you may need to regulate how business emails are handled. You may want to encrypt and authenticate emails being sent out by using services like PersonalSign and want incoming email scanned for threats using advanced technologies like Mimecast.
It is vital that only authorised users have access to your network and for that reason, it is important to have an identity policy. This should begin with the protocols of the ID which is needed to be given an account in the first place and then be followed by looking at what ID the user has to supply to prove identity when logging in.
Besides identity of the individuals, it is also possible to require the identity of the client on which they are connecting. This way you can restrict unauthorised clients from connecting to your network from a public port, for example, employees logging in remotely can be restricted to using company machines instead of their home computers.
Your antivirus policy should not just ensure you have antivirus software, firewalls and intrusion protection in place; it should go further and cover the management of these technologies, making sure they are updated, are constantly in operation and that reports are analysed.
Beyond this, your antivirus policy should look at ways to prevent malware getting onto your network: vulnerable unused ports, network shares such as IoT devices with weak passwords, etc.
6. Remote access
The internet makes it possible for your employees to access your network from anywhere, however, you need to make sure they do so safely. A remote access policy needs to look at the rules you insist on when this takes place. For example, you may not wish your staff to connect using public, unsecured wi-fi or on personal devices. You may want to prevent some things, such as personal data, being accessed remotely at all.
Hackers use incredibly sophisticated software tools to crack passwords, including dictionaries of common character patterns found in previously hacked passwords. They can break even complex passwords in a matter of hours. For this reason, it is essential that you have a strict password policy in place. For more information see our post: How to choose a secure password.
Encryption is essential for protecting data, for example, to stop emails and their attachments being intercepted and tampered with or to prevent credit card details being stolen during online transactions. As an organisation, you will need a policy about what steps you will take to encrypt your data, such as using SSL certificates and PersonalSign.
Other network security measures you need to consider
Besides putting these eight policies into play, there are other things you need to consider to keep your network secure. These include ensuring you have an adequately configured firewall, that intrusion prevention, such as MTvScan, is in place and that your data is regularly backed up. Finally, you also need to make sure that your network security meets compliance regulations.
There is a lot to think about here. The number of policies needed for network security can seem quite daunting, especially when you consider the groundwork which is needed before implementing them. However, putting these things in place can significantly reduce the risk of a cyberattack being successful.