About  •  Libelium UK  •  IoT Test Vehicle  •  Careers  •  News    Support: +44 1624 639437  •  Sales: +44 1624 777837

Blog

Small Business IT Security Guide

We receive a lot of enquiries from small business (SMB) and SME customers looking at ways they can enhance the security of their IT and network environment. We thought we’d share a Small Business Security Blueprint which provides advice, examples and suggested products that can enhance the security of any small business.

Small Business IT Security Advice

Please note – this is by no means an exhaustive list and is designed to offer some essential advice on SMB security. When a customer is concerned about security, it is best to take a risk-based approach and to understand the needs and operational nuances of their business entirely. Doing so allows us to propose a secure, relevant and good-value security solution.

This blog post is designed to be ever-evolving – check back for updates

Updates

16th July 2019 – Initial Version.

Multi-Layered Approach to IT Security

In this guide, we propose a layered approach to security, along with a good measure of common-sense and best practice. The idea of a layered defence is not a new concept, picture how Castles were traditionally constructed; you had the keep at the centre, surrounded by inner walls, outer walls and multiple gatehouses.

Around the perimeters, the Castle would feature lookouts, battlements, baileys and towers – designed to spot would-be attackers and provide vantage points. Many of these design principles apply to modern IT security.

In this blog post – we briefly describe the different systems and controls that we would recommend any small business should employ as part of their IT security architecture.

End-Users

End-users (i.e. your staff) are often the weakest link!

Basic

  • Limit administrator access and have separate administrator accounts on the domain and local PCs.
  • Mandatory cybersecurity training – we provide this to our IT support and managed security clients using the Sophos product set.
  • Adopt an IT Security / Internet Access policy that your staff read and understand.

Endpoint

Sophos
We recommend Sophos Central Endpoint and Intercept-X for our clients

Endpoint security is focused on the security and integrity of your desktop, laptop and tablet devices.

Basic

  • Standard users should not have local administrator permissions.
  • Modern endpoint security (antivirus) with an active support/maintenance agreement. We recommend Sophos Central Endpoint.
  • Windows Updates should be enabled, and automatic updates enabled.

Advanced

  • Enable BitLocker drive encryption (particularly important for laptops).
  • Use Multifactor authentication such as DUO.
  • Install an advanced endpoint security agent such as Sophos Central Intercept-X

Server

Servers often form the centre of your network; hosting critical applications and services – so it is vital to make sure they are secured.

Basic

  • Change default credentials, including IPMI/IDRAC/iLO management and enhance the security of these interfaces.
  • Modern endpoint security (antivirus) with an active support/maintenance agreement. We recommend Sophos Central Endpoint.
  • Windows Updates should be enabled, and automatic updates enabled.
  • Undertake an exercise of Active Directory hardening and security best-practice. See ‘Best Practises for Securing Active Directory’

Advanced

  • File and User Auditing software such as the products supplied by IS Decisions.
  • Install an advanced endpoint security agent such as Sophos Central Intercept-X.

Local Area Network – Wired

cisco-small-business switches
Cisco Small Business Switches support MAC security, 802.1X and private VLANs

Local Area Network (LAN) security concerns the wired or wireless network on which your devices communicate with the server and the internet. Small Business IT Security should always include your network environment. We find many clients have invested in the technology (i.e. managed switches) but rarely utilise its full capabilities.

Basic

  • Ensure network devices have secure passwords and optionally, access-lists restricting access to the management interface.
  • Separate VLANs for Production, Voice and DMZ networks. VLANs are supported by most modern, managed or smart-managed network switches. We recommend Cisco or HP switches.
  • Ensure the switch firmware is up to date and the default credentials are changed.
  • Enable MAC-Address security or a similar switch security mechanism. The exact implementation changes by switch vendor – but it helps prevent random devices being plugged in — examples for Cisco Small Business Switches and HP Small Business Switches.

Advanced

  • Implement private-VLANs or port-isolation, preventing endpoints from talking to one another, but allowing communication to the server and Internet. Most modern managed switches support these. Some careful configuration is required to make sure client-server/internet/printer communication is unaffected. Cisco Example here.
  • Security policies or internal segmentation firewall controlling access between networks. For devices to communicate between networks, rather than use the L3 features of a switch, force traffic through the firewall – with security policies and UTM functionality. See our article on Internal Segmentation Firewall and here.
  • Implement a NAC appliance or enable 802.1X port authentication to control wired access to the network. With NAC and SSO – you can manage who, when and what-basis, people can access your business network. Windows 2019 Network Policy Server can be used. We supply and install FortiNAC.

Local Area Network – Wireless

The WIFI or WLAN (Wireless Local Area Network) is just as crucial as the cabled network – arguably more so, given the ability to access the system wirelessly.

Basic

  • Always change the default credentials.
  • Isolate or Firewall the wireless network from your LAN and other systems.
  • Ensure firmware is up to date.
  • Use secure encryption such as WPA2

Advanced

  • Use advanced security such as EAP-TLS or 802.1X with single-sign-on (users require a username+password to connect).
  • Purchase access points or controllers that support wireless-IPS (wireless intrusion prevention system).
  • Use 2FA/MFA.
  • Use an advanced access point such as FortiAP, Cisco Small Business or Cisco Meraki.

Local Area Network – Internet Access / Perimeter Security

FG200E
Fortinet Firewalls provide high-levels of IT security for small business owners.

The perimeter security is the border between your trusted LAN, and the untrusted Internet – so it is easy to see why this is perhaps the most crucial element of a small business’s IT security.

Basic

  • Use a Next Generation / UTM Firewall with web filtering and antivirus. We recommend Fortinet FortiGate firewalls in all cases.
  • Use a secure DNS / internet gateway product such as Cisco Umbrella. We provide Umbrella to all our IT support and managed security clients.
  • Enable Logging and Alerts. You need to know about the activity and anomalous behaviours taking place!
  • Strictly control outbound access and enable SSL inspection.
  • Rules
    • Develop the firewall policy with least-privilege in mind (i.e. start with no internet access, and work back to the point where people can work).
    • Do not use rules such as ‘Allow All’ or ‘Allow Anywhere’.

Advanced

  • Use time-based rules. Only allow internet access from your end-users in core business hours (but you need to ensure there is a way for systems to update).
  • Where inbound access is required, consider the use of SSL VPN technologies and 2FA.
  • Utilise SD-WAN to enhance security further.
  • For inbound services, rather than allow from ‘Any’, instead use geographic restrictions. If your staff only access the VPN from the UK – limit access to the UK.
  • Use services such as Data Leakage Prevention and IPS, to prevent data disclosure and zero-day attacks. See our article on DLP here.
  • Consider a managed security service.

Printers

Printers are often overlooked when businesses are assessing their security.

Basic

  • Change default credentials.
  • Ensure firmware and software is up-to-date.
  • Disable unnecessary services or features.

Advanced

  • Enable PIN printing and print auditing.

Summary – Small Business IT Security

These are simple recommendations for you to consider in the contact of your small business (or enterprise) IT and network security.

If you would like to review the IT security, firewall or network security of your small business – contact our solutions team.

Manx Technology Group works with companies throughout the UK and Ireland to help implement, enhance, support and manage their IT environments. E-mail us today – sales@mtg.im, call +44 1624 777837 or complete the contact form on the right.

References

Previous ArticleNext Article
Joe Hughes is the CEO of Manx Technology Group. Joe has a background in software development, information security, networks, datacentres and enterprise IT.
Request a quote
+44 1624 777837