Network Security Essentials for Small Businesses

A small business needs security as much as its larger enterprise counterparts. Some would argue that smaller companies, especially micro-organizations, are at a higher risk due to a lack of skilled staff and security solutions. A study by insurer Hiscox found that almost half (46%) of small businesses in the USA suffered a cyberattack. With cyberattacks come costs. No business, small or large, should be forced to spend money recovering from criminal activity against its network and data. Research from Microsoft sums up the issues for small businesses: "The cost in expenses, reputation, and productivity if an attack occurs is significant".
Network security helps small businesses reduce the risk of a cyberattack. Reducing this risk helps to mitigate the financial damage caused by cybercriminals. Microsoft research found that 80% of SMB business leaders are likely to increase their cybersecurity spend. However, a small business must determine where to focus its budget.
What is Network Security?
A network is the heart of small business communications and data sharing. Networks in the past were closed systems, which meant that companies could keep tight control over who had access. Today, most networks are made up of many components, including cloud infrastructures, SaaS apps, multiple endpoint types, and home networks that link back to the corporate one. This expanded network means that there is no longer a distinct and closed perimeter. Instead, securing a nebulous network requires a layered approach to the protection of its resources.
Protecting networks typically involves implementing a broad range of technologies. However, some security measures are essential in reducing the risk of a successful cyberattack.
What Kind of Cyberattacks Target a Small Business Network?
Understanding how cyberattacks work and the types that target small businesses can help determine the most effective measures to protect a network. The following are popular forms of cyberattacks that small businesses should look to prevent:

Ransomware
Data is a commodity that cybercriminals use to exploit businesses for financial gain. Ransomware used to involve encrypting all of the files and documents on a company's expanded network. Now, ransomware may or may not encrypt company data; either way, the data is stolen by the attackers and used to leverage a ransom payment. Ransomware is often initiated by using stolen login credentials, which may have been obtained by phishing emails or by another type of malware known as an infostealer.
Infostealers and Other Malware
Malware infections can cause significant damage to computers and devices. Infostealer malware is used to steal information from infected computers. This data may be login credentials, company secrets, or financial information. Infection from infostealers and other malware can occur through several routes.
Attack vectors include malicious attachments in emails, infected websites, and malicious ads. Often, network vulnerabilities, such as insecure VPN login credentials, are exploited to allow attackers to gain administrative-level access, thereby granting them the rights to install software across the network.
Initial Access Brokers (IABs) are hackers who operate on the dark web to facilitate malware infections and utilize the data gathered from infected networks. The dark web plays a large role in cyberattacks against networks. Dark web monitoring is used to identify stolen information and data that may be used by IABs to target a company.
Botnet
A botnet works by infecting network endpoints, like computers and other internet-connected devices, with malware. The malware is controlled by a cybercriminal or "Botnet Herder". The botnet-infected devices become zombie bots or zombie devices. Botnets are used to cause distributed denial-of-service (DDoS) attacks that can shut down websites and web servers.
They are also used to mine cryptocurrencies and can have a significant impact on productivity and electricity costs, as computer resources are consumed by mining and DDoS attacks. Like other malware, botnet malware is often delivered as an infected attachment or via a malicious website or online ad.
Distributed Denial of Service (DDoS)
DDoS attacks are highly damaging to the availability of a company's network and cloud infrastructure. If a company suffers a DDoS attack, it can lose both customers and its reputation. DDoS attacks are sometimes used to hold a company to ransom.
Man-in-the-Middle (MitM)
Unsecured networks, including those used by remote workers connecting to the company network or accessing insecure Wi-Fi, are at risk of a MitM attack. An MitM attack can occur if data is not protected when shared.
Human-Centric Attacks
A human element is involved in around 60% of attacks, according to the Verizon Data Breach Investigations Report (DBIR). Human beings, such as employees, are prone to attacks like social engineering. Human beings are also involved in accidental data breaches, which can lead to the exposure of sensitive company and customer data, leaving the company at risk of non-compliance fines and lawsuits.
Why is Network Security Essential, Even for Small Businesses?
Research from Microsoft on the impact of a cyberattack on a small to medium-sized organization reveals the financial costs associated with a security breach. A breach's costs include the recovery from damage, fines for regulatory noncompliance, reputation damage, and loss of customers. It all adds up. The researchers suggest that, at a minimum, a company can expect to pay out over $250,000 on average after a security incident.
Average and high end of cyberattack costs:
| | Average cost | High end of cost |
|---|---|---|
| Investigation and recovery | $77,957 | $3,930,000 |
| Fines | $20,623 | $655,000 |
| Cost to reputation | $73,393 | $1,310,000 |
| Missed opportunities | $23,806 | $6,550,000 |
| Other costs | $55,666 | $3,275,000 |
Source: Microsoft Research
Securing a network helps to reduce the risk of an incident that could close the doors of a small company.
Essential Best Practices for Robust Network Security
Microsoft's research explored the best options for protecting a network and a company's data. The following core areas of focus can be mapped to the essentials of network security.
[Figure: Where will SMBs focus their spending? Source: Microsoft Research]
These best practice security measures to protect your business network are as follows:
Firewalls and Web Application Firewalls (WAFs)
By deploying a firewall, a company can help to prevent attacks as the firewall monitors network traffic and identifies unusual or suspicious traffic. A WAF is part of the defense against DDoS attacks and should be considered a first line of defense.
Encryption
Data should be protected during storage (e.g., in a database) and during transfer over the internet using Transport Layer Security (TLS). Encryption is the best form of protection for company data.
Access Control
Unauthorized access is a fundamental part of many cyberattacks. Small companies should focus on controlling access to sensitive resources. Identity management is an important aspect of cybersecurity. Tools like Microsoft Entra ID can be used to assign appropriate access rights (privileges) to each individual or role in an organization. These privileges should be assigned on a least privilege basis, i.e., assign an employee the access rights they need to perform their duties and no more.
Authentication
Robust authentication complements strict access control rights. Methods such as multi-factor authentication and passwordless authentication help to mitigate risk and make it harder for cybercriminals to gain access to a network.
Phishing Prevention
Phishing is used to trick employees and others into sharing sensitive data, including login credentials. It can also be used to deliver infected attachments that lead to malware and ransomware infection. Phishing prevention is delivered through security awareness training, which educates employees and others on the signs of a phishing attack. The training is regular and personalized, helping to change risky behavior over time.
Phishing simulation exercises are often included in training. These are fake phishing emails, delivered to all staff members, that help to teach them what phishing emails look like and how to respond to the threat.
Email Filtering
Security awareness training can be augmented by using an email filter. These are often built into email services, such as M365. However, AI-assisted email filters can provide a more advanced service that detects emerging threats.
VPNs
Home workers and employees who travel for work should use a virtual private network (VPN) to access the corporate network and to share data.
Backups
Ransomware attackers rely on disrupting a company's operations. Utilize secure backups that are resistant to ransomware to minimize the disruption caused by a ransomware attack.
Patch Management
Network vulnerabilities are typically exploited by cybercriminals as part of an attack chain. Ensure that your network and endpoints are regularly and promptly kept up to date and patched. Patch management does not protect against zero-day exploits, i.e., vulnerabilities that have not yet been patched. This is why layers of protection are needed.
Mobile Device Management (MDM)
MDM solutions help to extend your patch management to mobile devices. MDM solutions also extend the ability to control the mobile environment and ensure it is secure.
Managed Security Services
Security measures such as managed detection and response (MDR) are a cost-effective way for smaller organizations to gain access to security expertise and continuous monitoring, threat detection, and incident response across an expanded network. This will help to identify incoming threats, including emerging threats whose detection relies on advanced AI-assisted security tools.
Your business network is a vital part of your company's success. The data that flows through that network is an essential productivity tool, encompassing intellectual property, documentation, competitive material, and company secrets. Protecting your network and its assets is part of everyday corporate life. Achieving this as a small company is a challenge. Small businesses have tight budgets and are less likely to employ security professionals. However, by utilizing some network security essentials tailored to meet the needs of smaller businesses, you can reduce the risk of a damaging cyberattack.
FAQs
What options are available for small businesses to adopt enterprise-grade security?
Managed service providers that specialize in providing small businesses with cybersecurity tools can be a cost-effective way to secure your network. The MSP will provide security expertise as well as enterprise-grade security solutions. They have buying power and can agree on an affordable price that is then passed on to their clients. An MSP typically employs a subscription model that scales with a business, ensuring the company pays only for what it needs.
What are the basic measures of network security that can benefit a small business?
As a small business, you may need to make hard decisions about security. Some basic ways you can help to protect your network are as follows:
- Control who can access your apps by setting up user accounts. If possible, use multi-factor authentication to access apps. Only grant extended privileges to those who truly require them, such as administrators.
- Back up your files and documents securely; this may involve using an offline service or device that cannot be easily infected with ransomware.
- Ensure that any employee who travels for work or who works from home uses either a secure Wi-Fi connection or a VPN connection.
- Patch your network and devices regularly and promptly when patches become available.
Are there free tools to help with network security?
Patching is an essential network security measure that is usually free. If you use solutions like M365, they typically come with built-in security features, such as email filters. There are also some freely available security tools, like free antivirus software and free VPN tools. It is worth noting that free software may have limited features and capabilities; therefore, caution should be exercised when evaluating these tools.