Today, I’m going to show you a complete small business network security checklist.
In fact, this checklist is one of the main reasons that our customers are able to stop attackers before they do damage to their organizations.
So, if you’re looking for an effective way to secure your computer network, this checklist is for you.
- Step #1: Inventory Your Hardware & Software
- Step #2: Automate Patches
- Step #3: Restrict Administrative Privileges
- Step #4: Start a Security Awareness Program
- Step #5: Filter Web Traffic
- Step #6: Block Malicious Emails
- Step #7: Install Endpoint Protection Software
- Step #8: Backup Your Data
- Step #9: Secure WiFi Traffic
- Step #10: Control User Accounts
- Step #11: Create An Incident Response Plan
✓ Step #1: Inventory Your Hardware & Software
The first thing you need to do in your security program is inventory the software and hardware that you have in your environment.
You’ll want a list of the devices such as laptops, desktops, printers, mobile devices, etc.
Typically, your inventory should include these points: the device make and model, the device MAC address, IP address if one is assigned, network communication methods (WiFi or Ethernet), licensing and warranty information, and the department and individual where the device is located.
Similarly, you should know the software and firmware on every device in your network.
You can’t implement good network security if you don’t know it exists, right?
So, your software inventory may end up being an extension of your hardware inventory, or you may handle it completely separately.
Either way, come up with a plan to deal with unauthorized software and software that the vendor no longer supports.
For example, Windows 7 is no longer supported by Microsoft.
If you realize that your small business is still using Windows 7 during your inventory, be sure to come up with a plan to resolve the vulnerabilities.
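As an added example (not code from the original post), the script below collects the inventory fields the checklist lists for one Windows device, pulls the installed-software list from the registry, and flags an out-of-support Windows 7 install. It assumes Windows 10 or Server with PowerShell 5.1 or later; the department and owner fields are placeholders you fill in by hand.

```powershell
# Added example: hardware + software inventory for one Windows device.
# Assumes PowerShell 5.1+ on Windows 10/Server; runs as a standard user.

function Get-DeviceInventory {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # One row per physical adapter: MAC, assigned IPv4 (if any), WiFi vs Ethernet.
    $adapters = Get-NetAdapter -Physical | ForEach-Object {
        $ip = Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
              Select-Object -First 1 -ExpandProperty IPAddress
        [pscustomobject]@{
            Adapter = $_.Name
            MAC     = $_.MacAddress
            IPv4    = $ip
            Medium  = if ($_.PhysicalMediaType -match '802\.11') { 'WiFi' } else { 'Ethernet' }
        }
    }

    # Installed software from the 64-bit and 32-bit uninstall registry keys.
    $software = Get-ItemProperty @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    ) -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher

    [pscustomobject]@{
        Hostname    = $env:COMPUTERNAME
        Make        = $cs.Manufacturer
        Model       = $cs.Model
        Serial      = $bios.SerialNumber
        OS          = $os.Caption
        OSVersion   = $os.Version
        # Windows 7 reports kernel version 6.1 and is out of support, as the post notes.
        OSSupported = -not ($os.Version -like '6.1*')
        Adapters    = $adapters
        Software    = $software
        Department  = 'FILL-IN'   # placeholder: recorded by hand
        Owner       = 'FILL-IN'   # placeholder: recorded by hand
    }
}

$inv = Get-DeviceInventory
$inv | Select-Object Hostname, Make, Model, Serial, OS, OSSupported | Format-List
$inv.Adapters | Format-Table -AutoSize
# Keep one file per machine so the lists can be merged into a central inventory.
$inv | Export-Clixml -Path "$env:COMPUTERNAME-inventory.xml"
```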
✓ Step #2: Automate Patches
Patching is one of the most important things you can do to improve your SMB's network security.
According to a survey conducted by Tripwire, one in every three data breaches was caused by missing updates.
That’s hundreds of breaches that can be prevented quite easily!
If you are using Windows 10 or Server 2012, 2016, or 2019, you can easily set your devices to automatically apply updates.
✓ Step #3: Restrict Administrative Privileges
You should only work in an administrative account when you are performing administrative tasks.
There are two types of accounts on your computer – regular users and administrative users.
Regular users aren’t able to perform administrative tasks such as changing certain settings and installing software.
If they attempt to, they will be greeted with a UAC prompt requesting admin credentials.
This is good.
If you are working in a regular account and accidentally click on a malicious link that tries to install software, it won’t be allowed to because admin credentials are required.
So, conduct an audit of each of the computers in your environment and check which users on the computers have what access.
You can find all of this information under User Accounts in the Control Panel.
Similar to restricting administrative accounts, always change the password from the default when you set up a new device.
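The audit described above can be scripted so it is repeatable across every machine. This added example (not from the original post) lists every member of the local Administrators group, marks anyone not on an approved list for review, and confirms UAC is actually enabled so standard users get the credential prompt. It assumes Windows 10/11 or Server 2016+ (the LocalAccounts module), an elevated prompt, and that the names in $Approved are placeholders for your own policy.

```powershell
# Added example: who holds local admin rights, and is UAC on?
# Assumes Windows 10/11 or Server 2016+, run from an elevated prompt.

function Test-LocalAdmins {
    param(
        # Accounts allowed to be local administrators (assumed placeholder values).
        [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')
    )
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        $status = if ($Approved -contains $m.Name) { 'approved' } else { 'REVIEW' }
        [pscustomobject]@{
            Member = $m.Name
            Type   = $m.ObjectClass       # User or Group
            Source = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Status = $status
        }
    }
}

# UAC is controlled by EnableLUA; with it off, the admin-credential prompt the
# post relies on never appears and standard users are not really restricted.
function Test-UacEnabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    (Get-ItemProperty -Path $key -Name EnableLUA).EnableLUA -eq 1
}

Test-LocalAdmins | Format-Table -AutoSize
"UAC enabled: $(Test-UacEnabled)"
```

Any row marked REVIEW is a user or group that should be moved to a regular account unless someone can justify the admin membership.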
✓ Step #4: Start a Security Awareness Program
Implementing a security awareness program should absolutely be on your small business network security checklist.
It’s probably the security control with the most return on investment.
There are free resources, tools and solutions available to use.
And given that 97% of cyber attacks involve humans in some way, it’s something you should focus on.
Here are some points to keep in mind about a successful security awareness campaign for small businesses:
- Your employees will look for the simplest way to do their jobs. Give them solutions that are simple and more secure.
- Annual security awareness isn’t successful. You must keep security constantly present in their minds. Having monthly or bi-monthly training sessions is much more effective. (With solutions like Wizer and KnowBe4, this is very easy to do)
- Testing employees is a great way to reinforce the message. Simulated phishing and social engineering leave a lasting impression that training alone can never achieve.
Resources you may be interested in: Small Business Cybersecurity Roadmap
✓ Step #5: Filter Web Traffic
The internet is a very dangerous place.
There are so many ways that your company can be attacked via web surfing.
For example, a recent study showed that one in five organizations had been affected by malware from social media links.
Pretty astounding, right?
As a result, a very important aspect of securing a small business is limiting what websites employees can visit.
The best way to do it is to only permit access to websites that are needed to conduct business.
Everything else is blocked by default.
However, this can cause problems for some small businesses.
Another approach is to block malicious websites.
Most modern firewalls have the ability to do this automatically.
✓ Step #6: Block Malicious Emails
Most small businesses should use an email security solution.
This means that you will point your email DNS records to the security provider and have all incoming (and sometimes outgoing) emails scanned for malware and other malicious items before they ever reach your employees' inboxes.
Since around 28% of email is spam or malicious, you can't overlook this control.
Resources you may be interested in: Check out our email authentication protocol guide to learn how SPF, DKIM, and DMARC can drastically improve your email security.
✓ Step #7: Install Endpoint Protection Software
Every workstation and server in your network should have endpoint protection (antivirus) installed.
These devices are the main tools of your business, so they should be protected with the utmost care.
Make sure the anti-malware solution is installed on every device and that it is regularly updated.
You can typically run reports to verify this from the control center.
Removable media (USB drives, CDs, DVDs, etc.) should be automatically scanned when inserted into any of your devices.
You should also configure your systems to never autorun content.
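The device settings from Step #2 (automatic updates) and Step #7 (endpoint protection and AutoRun) can be checked together. This added example (not from the original post) reads the standard Windows policy registry values and Microsoft Defender status on one machine and reports pass/fail for each control; it assumes Windows 10/Server with Defender as the endpoint protection product and an elevated prompt. The three-day signature-age threshold is an assumption.

```powershell
# Added example: verify automatic updates, endpoint protection and AutoRun
# on one Windows machine. Assumes Windows 10/Server, Defender, elevated prompt.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent means "not configured"
}

function Test-AutoUpdate {
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $noAuto  = Get-RegValue $au 'NoAutoUpdate'
    $options = Get-RegValue $au 'AUOptions'
    # No policy = Windows 10 default (auto download and install).
    # NoAutoUpdate=1 turns updates off; AUOptions=4 = auto download, scheduled install.
    [pscustomobject]@{
        Control = 'Automatic updates'
        Pass    = ($noAuto -ne 1) -and ($null -eq $options -or $options -eq 4)
        Detail  = "NoAutoUpdate=$noAuto AUOptions=$options"
    }
}

function Test-EndpointProtection {
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    # Installed is not enough: real-time protection must be on and signatures fresh.
    $stale = if ($mp) { $mp.AntivirusSignatureAge -gt 3 } else { $true }   # assumed threshold
    [pscustomobject]@{
        Control = 'Endpoint protection'
        Pass    = [bool]$mp -and $mp.RealTimeProtectionEnabled -and -not $stale
        Detail  = if ($mp) { "RTP=$($mp.RealTimeProtectionEnabled) sigAgeDays=$($mp.AntivirusSignatureAge)" }
                  else { 'Defender status unavailable' }
    }
}

function Test-AutoRunDisabled {
    $exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = Get-RegValue $exp 'NoDriveTypeAutoRun'
    [pscustomobject]@{
        Control = 'AutoRun disabled'
        Pass    = ($v -eq 255)   # 0xFF disables AutoRun for every drive type
        Detail  = "NoDriveTypeAutoRun=$v"
    }
}

@(Test-AutoUpdate; Test-EndpointProtection; Test-AutoRunDisabled) | Format-Table -AutoSize
```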
✓ Step #8: Backup Your Data
Back up your critical data!
Any data that you don’t want to lose should be backed up automatically.
Your backup plan should also include several locations.
If you have an onsite backup, for example, you should also have cloud backup.
Or if you have a cloud backup, you should have a second cloud backup.
Critical systems like domain controller servers should have complete backups performed at regular intervals or whenever changes are made.
That way, should something go bad, you don’t have to completely start over.
Finally, make sure that your backups are encrypted both in transit and wherever they are stored.
So many small businesses have to close after security incidents simply because they don’t have backups in place.
✓ Step #9: Secure WiFi Traffic
Wireless networks are a vulnerable part of your small business network.
Begin securing your WiFi network by ensuring that you are using WPA2 instead of the insecure WEP.
WPA2 uses more robust encryption.
Be sure it requires a password so that not just anyone can join.
Next, turn off WiFi outside of business hours.
An attacker can simply park in front of your location and break into your WiFi.
Finally, create a completely separate WiFi network for guests and non-managed devices like your employees' phones.
The separate WiFi network should be on a different VLAN or completely physically isolated to be effective.
✓ Step #10: Control User Accounts
There are a few important things you should do to secure user accounts and sessions.
First, whenever an employee is terminated, disable their account immediately.
If possible, even before they leave the building (like while they’re in the meeting with HR).
This will prevent them from taking retaliatory actions.
It will also stop attackers from finding and taking the account over.
Whenever employees aren’t using a device, it should automatically lock.
NIST guidance suggests that you use a timeout of 10 minutes.
If the device is in an area with public traffic though, you may want this to be even shorter.
Alternatively, you can use a solution like a Bluetooth lock to log out a user when they leave their device.
On all of your accounts, use multifactor authentication wherever possible.
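The two account controls above can be scripted for a stand-alone Windows machine. This added example (not from the original post) disables a departing employee's local account, strips any admin rights it held, ends its active sessions and writes an audit line, then sets the Windows inactivity lock. It assumes an elevated prompt; the username, ticket reference and log path are placeholders, and the 600-second value is the post's 10-minute figure. Domain accounts would use Disable-ADAccount from the ActiveDirectory module instead of Disable-LocalUser.

```powershell
# Added example: offboard a local account and enforce an inactivity lock.
# Assumes Windows 10/11 or Server 2016+, run from an elevated prompt.

function Disable-DepartingUser {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Ticket = 'HR-0000'                          # placeholder audit reference
    )
    $u = Get-LocalUser -Name $UserName -ErrorAction Stop
    Disable-LocalUser -InputObject $u
    # Remove admin rights too, so a later re-enable does not come back elevated.
    if (Get-LocalGroupMember -Group 'Administrators' -Member $u -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $u
    }
    # Disabling blocks new logons only; end any console/RDP session still open.
    quser 2>$null | Select-String -Pattern "^\s*>?$UserName\s" | ForEach-Object {
        $id = ($_.Line -split '\s+' | Where-Object { $_ -match '^\d+$' })[0]
        if ($id) { logoff $id }
    }
    "$(Get-Date -Format o) disabled $UserName ($Ticket)" |
        Add-Content -Path "$env:ProgramData\offboarding.log"   # placeholder log path
}

function Set-InactivityLock {
    param([int]$Seconds = 600)   # 10 minutes, the figure the post cites
    # "Interactive logon: Machine inactivity limit" locks the session after N idle seconds.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-ItemProperty -Path $key -Name InactivityTimeoutSecs -Value $Seconds -Type DWord
    (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs).InactivityTimeoutSecs
}

Disable-DepartingUser -UserName 'jdoe' -Ticket 'HR-1234'   # placeholder values
Set-InactivityLock -Seconds 600
```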
✓ Step #11: Create An Incident Response Plan
Unfortunately, even with all of the small business network security best practices that we’ve discussed, there is still a chance a hacker will break into your systems.
So, you have to have an incident response plan.
This is essentially a plan that outlines how you will respond to security incidents (hacks).
The better prepared you are, the more likely you are to recover quickly.
When you do create your incident response plan, make sure that everyone in your company knows their role and responsibilities.
They should practice how they will respond to various incidents.
Finally, make sure you have updated contact information for everyone involved.
The last thing you want is to not be able to reach someone during an emergency.
Cybersecurity for small businesses can be quite overwhelming.
But if you have the basics covered, you'll actually be quite far ahead of your peers.
Frankly, even big businesses often miss these basic security controls.
Begin implementing these 11 small business network security best practices to prevent hackers from pillaging your network.