Phil loved conducting security assessments and penetration testing. It was always satisfying to see the look on the client’s face when he showed them how easy it was to hack into their network and plant a virus or steal their data. Phil knew that most small companies were reactive in their security planning: if a threat was known, they would address it, but it was rare that a small business would proactively assess the security of their network. In most cases, it was an issue of budget. Sometimes the owners and managers of the company simply couldn’t find the time to have the assessment performed. It wasn’t that they didn’t take network security seriously, but rather, it never seemed like a threat was imminent, so any assessment could wait until a later date.
One of Phil’s favorite things to do was leave brightly colored USB sticks on a table in the break room of the client where he was performing the security assessment. Without fail, a curious employee would plug the USB key into a company machine to find out what was on it, at which point Phil’s script would spread a harmless, but nonetheless real, piece of malware to every machine it could reach on the network. For Phil’s clients, it was a point well taken.
Every network has vulnerabilities. Even large enterprises that employ teams of security experts face an ongoing challenge in keeping the network and company data safe. If the information or assets on a company’s network have enough value, a nefarious party will eventually try to penetrate that network and extract value from those assets for themselves. The more value held in the information or data, the more aggressive and complex the attack will be. But the reality is that small businesses are successfully attacked far more often than large ones, not because their assets are worth more, but because their protective measures are so much weaker. A world-class team of hackers might spend months trying to break into a banking system without success, while a single hacker of average skill might penetrate the network of a small retail establishment and steal customer credit card information.
Here are five of the most common vulnerabilities to small and medium business networks, as well as suggestions for how to fix them before they cause trouble.
- The Internet. The most obvious vulnerability in your network is the fact that it is connected to the internet at all. If you are not monitoring and filtering your employees’ internet traffic (including email), little else you do is likely to help. It is not enough to block “adult and gambling websites.” From .exe attachments in email to websites and forums that should not be trusted, the battle to secure your network begins at the internet boundary. Most browsers warn users about untrusted sites, and a number of third-party tools can restrict or limit what employees may download. Our advice is to route all software downloads through a knowledgeable IT administrator, block executable attachments at the mail gateway, and restrict access to sites that do not directly serve work productivity.
- Foreign Hardware. An employee who brings a personal tablet to work should not be using the company network to reach the internet. Unless you have a dedicated guest network partitioned from the company network, the only devices on your network should be devices under centralized IT administration. If you allow employees to work from their own hardware, make sure that the policies and tools governing company hardware extend to those devices as well. A single unprotected laptop or tablet on the network can expose the entire company to intrusion.
- Consumer Network Devices. A startling number of small businesses assume that consumer-grade firewalls provide robust security for a business network. If you bought your firewall or wifi router off a retail shelf at a bargain price, the built-in protection is probably inadequate for business use: such devices typically offer no traffic logging, no network segmentation, infrequent firmware updates, and default administrative credentials that many owners never change. If you are going to spend hundreds of dollars on workstations and thousands of dollars on servers or cloud services, invest in a business-grade firewall as well.
- Password sharing. From the receptionist giving out the wifi password to employees sharing their machine passwords with coworkers, sharing defeats the point of a password: if you cannot tell who is using a device, you cannot hold anyone accountable for it. If everyone in the building logs into the warehouse workstation with the same password, there is no way to know who was responsible for the trojan that was just downloaded. If anyone who walks into the building can join the wi-fi network while waiting in reception, what is the point of having a password at all? Instruct employees that passwords are to be kept confidential and that each person logs in only with their own account. Set up a guest wi-fi network for visitors. Finally, treat shared secrets such as the wi-fi pre-shared key differently from personal passwords: rotating a password on a fixed calendar schedule (the old 90-day rule) does little if the people who know it are still around, so rotate the shared key whenever someone who knew it leaves the company or a compromise is suspected, or replace it with per-user wi-fi authentication so that one person’s access can be revoked without changing everyone’s.
- Mobile access. Managing and monitoring all workstations and wireless networks is a good start, but what about the mobile devices your employees carry with them and also use for personal business? If those devices are under company management, make sure that the access and content protections and policies you apply to workstations apply to smartphones as well. If they are not under your management, consider blocking their access to the internal network entirely. It is usually acceptable for employees to use smartphones for company email or cloud-based tools, but giving a smartphone direct access to internal databases or applications opens the door to your network should that device be lost, stolen, or misused.
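The “foreign hardware” and “mobile access” items above both come down to one question: is every device on the company LAN something IT actually manages? The script below is an added example (it is not from the original article or from Mosaic NetworX) of a simple check for that: it reads DHCP leases, compares each lease on the corporate subnet against an inventory of managed MAC addresses, and flags anything unknown. The lease lines, the inventory, and the 10.0.10.0/24 corporate and 10.0.20.0/24 guest subnets are all constructed for the example; the lease format is the one dnsmasq writes.

```python
"""Flag devices on the corporate LAN that are not in the managed-asset inventory.

Added example, not code from the original article. Assumes a dnsmasq-style
lease file ("<expiry> <mac> <ip> <hostname> <client-id>") and a hand-kept
inventory of managed MAC addresses; both are constructed inline so it runs offline.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample leases: two managed workstations, a personal tablet that
# joined the corporate VLAN, a phone correctly on the guest VLAN, and a managed
# device that reported no hostname.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.10.21 wks-accounting-01 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.10.22 wks-warehouse-01 01:aa:bb:cc:00:00:02
1700000000 de:ad:be:ef:00:03 10.0.10.57 Galaxy-Tab *
1700000000 de:ad:be:ef:00:04 10.0.20.14 iPhone *
1700000000 aa:bb:cc:00:00:05 10.0.10.30 * *
"""

# Constructed inventory of company-managed hardware (in practice exported from
# your MDM or asset-management system).
MANAGED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:05"}

CORP_NET = ipaddress.ip_network("10.0.10.0/24")   # assumed corporate VLAN
GUEST_NET = ipaddress.ip_network("10.0.20.0/24")  # assumed guest VLAN


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: ipaddress.IPv4Address
    hostname: str


def parse_leases(text):
    """Parse dnsmasq-style lease lines; malformed lines are skipped, not fatal."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mac = parts[1].lower()
        try:
            ip = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        leases.append(Lease(mac, ip, parts[3]))
    return leases


def find_unmanaged(leases, managed_macs, net):
    """Return leases inside `net` whose MAC is not in the managed inventory."""
    managed = {m.lower() for m in managed_macs}
    return [lease for lease in leases if lease.ip in net and lease.mac not in managed]


def report(text=SAMPLE_LEASES, managed=MANAGED_MACS, net=CORP_NET):
    """Sorted (mac, ip, hostname) tuples for unmanaged devices on the given subnet."""
    flagged = find_unmanaged(parse_leases(text), managed, net)
    return sorted((lease.mac, str(lease.ip), lease.hostname) for lease in flagged)


if __name__ == "__main__":
    for mac, ip, host in report():
        print(f"UNMANAGED on corporate LAN: {mac} {ip} {host}")
```

Run against the sample data, the only hit is the tablet on 10.0.10.57; the phone on the guest subnet is exactly where it belongs and is not reported. Two caveats a practitioner should keep in mind: an inventory keyed on MAC address is only a detective control, since modern phones randomize their wi-fi MAC and anyone can spoof one, and the stronger fix is to require per-device or per-user authentication (such as 802.1X with certificates) on the corporate SSID and switch ports so that unmanaged devices never get a lease in the first place.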
As in many situations, network security is only as strong as its weakest link. Addressing the items above and other vulnerabilities is only useful if your organization addresses ALL the vulnerabilities it can find. Hackers and cyberthieves are unlikely to be impressed by your expensive firewall if your employees give out the wi-fi password to anyone in the reception area. Network security requires proactive diligence; anything less may as well be no effort at all. Common network vulnerabilities like those above can be managed by policies, software tools, and hardware monitoring all working in unison to keep your data and applications safe from those who would do you harm. Learn more about how Mosaic NetworX can protect your network.