“Our business is too small to worry about security.”
“Who could possibly want any of our information?”
“I trust all my employees when they surf the web. They’re all smart people.”
“Network security is too much of a hassle!”
All various excuses we’ve heard from friends and colleagues with small businesses when asked about their network security protocols. Does this sound like something you or your boss might have said at some point? By all means, then, read on.
What is Network Security?
We get this question, though not always so obviously, all the time. Small business owners all seem to have their own ideas about what constitutes network security and what is an acceptable level. Some are completely clueless about the entire process. Others, and these are generally far harder to convince others, think that they know exactly what it is and that they’re doing enough. These are the people who say:
“Well, I already have a router with a firewall, so I don’t need anything else!”
“I have an old install of Norton on all my computers. I don’t want to pay money to update it, but it’s there.”
I think we maybe make the employees sign some sort of policy when they’re hired. Hold on, I think I may have a copy somewhere in my back records.”
So what is network security? Network security is making sure that every piece of data, every one and zero that passes through your company, is only seen by the people who it’s intended to be seen by. It means securing yourself from random external attacks, accidents, and flukes, but also making sure that you secure yourself from internal threats, as well as securing all of your publicly shared resources like webpages.
Contrary to popular belief, the biggest threat facing corporate and business data is not the rogue hacker running around attacking specific companies externally. The top 5 corporate network vulnerabilities are generally considered to be:
- Unpatched software exploits
- Web-page attacks
- Smart-phone vulnerabilities
- Use of vendor-supplied login information
- Unmonitored web surfing/downloads
Only two of these things, the web-page attacks and smart-phone vulnerabilities, are what can be considered traditional “hacking” attacks. The rest are all user errors or easily corrected vulnerabilities that are exploited en masse. When you add other common security breaches like lost/stolen phones and computers, it quickly becomes obvious that the things most people think of as network security are the least of your worries.
A good security policy will have a top to bottom approach that covers all eventualities, from an external attack to a careless employee.
What should I do?
There are a couple of simple ways to prevent unauthorized intrusions:
- Make sure you have a router or firewall set up between your intranet and the internet: This is not a set up and forget solution. Routers routinely get firmware updates to protect against the latest threats, and firewalls are constantly being updated.
- Password-protect your hardware: Make sure all devices used for the business are secured with passwords! There have been more than enough stories in the news over the last couple years about laptops and cell phones with sensitive information being lost and having that information leak out.
- Set up a VPN or other secure method of remote access: If any of your employees telecommute or do any work from outside the office, make sure that there is a safe and secure method for them to get into the system without opening yourself up to an outside attack.
- Password Protect your WiFi connection: Or better yet, turn off SSID broadcasting. If you go with the former, make sure that you are using WPA2 encryption, the strongest commonly found encryption setting on commercially available personal and small business routers. An even better approach is to not let yourself even show up as a potential target by disabling your SSID broadcast. Intruders can’t break into your network if they don’t know it’s there. (Note: Even if you disable SSID broadcasting, make sure you still have the network password protected.)
- Keep it updated!: It might be annoying, it might be time-consuming (especially if you have a lot of devices running various software suites), and it might seem tedious and unnecessary, but often times the reason software is patched is because of newly uncovered security issues. Make sure all software is up to date and properly patched.
- Have a software policy: Make sure all employees know your software policy and know what is and what is not allowed to be installed. Lock down your machines and have all installs go through your tech or IT person or department.
- Curb unauthorized downloading: Have an acceptable downloading policy. Make sure that you know who’s downloading what, and why. Make sure that people who shouldn’t be downloading things aren’t. Finally, make sure you enforce this policy. Nothing is more useless than a policy you sign once and never look at again.
- Do not use the same password for all your information: Too many small businesspeople, and people in general, reuse the same password for everything. Keep in mind that if a hacker gets a hold of your password, the first thing they’ll do is try it on all of your other secured data. Don’t give them an easy access.
- For that matter, don’t use personal password for business accounts: You probably take less care with your personal info than you do with your business info. Don’t put all your eggs in one basket: diversify!
- Don’t use common words or phrases: The ideal password is a completely random string of letters, numbers and symbols. something like “dfs435f52f41f4$##@df23d2##D@32!@”. Unfortunately, those are intensely difficult to remember, so we make do with more fallible solutions. However, do not make it easy for potential attackers. Always use numbers, letters, and symbols. Make the words and phrases unrelated to your business or personal lives. Do not use your address, business name, pets name, etc. Try to pick two unrelated words, a meaningless number, and 2-3 symbols, and then mix them up. 6Golf%7Turkey$ is perfect. Easier to remember than random characters, but still impossible to guess.
- Have a central point of contact and control: It doesn’t have to be you personally, but make sure that there is a security chief at your company. Every business should have a CSO (chief security officer) whose job it is to ensure compliance and monitoring. Even if the CSO’s authority is minimal, they will become a single focal point for all reporting to you. It will be their job to draft and enforce all the policies above, monitor and implement software updates, oversee installations, and monitor internet use.
- Have a clear set of policies, and make sure your employees know them: Don’t give employees a giant packet on the day they’re hired, then forget about. Make sure that you have policies in place for all the things outlined above, and that you regularly meet with your employees to explain, expound, retrain, and reinforce those policies. Have them posted somewhere where everyone can see them.
- Schedule a compliance audit or two: Don’t rely on people following the rules or self-reporting issues, and definitely don’t wait for something to go wrong before you start checking things. Make sure you have regularly scheduled audits of every link in the data chain. Make a standard checklist that you can follow as you check each piece of equipment and procedure.
For a more in-depth checklist, check out this great article from Cisco and stay tuned for more security and small business service updates for the rest of this month.