What Small Business Owners Should Know About Network Segmentation
Our clients often ask us what IT specialists mean by “network segmentation.” Well, if you’ve ever watched a submarine movie, there’s usually a scene where ships on the surface are dropping depth charges on the sub. Inevitably there’s a hull breach somewhere that threatens the whole ship. The sailors struggle to plug the leak, but having failed, they retreat through a portal and seal the hatch behind them. That stops the water at that point of entry and spares the ship. So it is with network segmentation.
Like the submarine, your network is under attack from outside forces, seeking to create a breach through which to enter and cause harm. Your network has a hull that seals it off from the outside world, consisting of firewalls, passwords, multifactor authentications, antivirus software, and employee training. But if they’re hit hard enough, hulls can be breached. When that happens, network segmentation limits the incursion. The hacker or the malware hits a locked hatch, and cannot run wild within your entire system.
Network segmentation is a viable and effective defense strategy for any organization consisting of separate departments. If your workers’ tasks are confined to a portion of your system, there’s no reason for them to have easy, immediate access to the whole system. And if they don’t have easy, immediate access, neither do the intruders who capture their devices.
These days, larger companies often talk in terms of silos. Workers from specific teams are practically quarantined among themselves, rarely interacting with workers from other departments who labor in their own silos. Good for intensive immersion in niche areas, not so good for cross-team collaboration and synergy. But the “silo farm” is an excellent model for network segmentation, because it tells you where to place your hatches, your shut-off valves, your firewalls, your barbed wire, your castle moats, or whatever other name you give to your barriers to entry.
However, a small business is not as bureaucratic, and workers in single departments often perform overlapping tasks. Thus, small businesses do not lend themselves as easily to network segmentation. But it can be done, and given the cost of a security breach that could impact your entire network, some level of segmentation must be done.
Here, then, are the basic steps for a small business to design and implement network segmentation:
- Visualize workflow — If you’ve never made a flowchart of your business processes, now is the time. Chart out how tasks are initiated, and how they move along the pipeline to completion. You’ll see that you have major systems with tributaries and eddies, as well as smaller systems that barely connect. From this chart, you’ll understand who communicates most frequently with whom, who most often accesses what assets, and where contact is rare. Those rare points of contact are the prime candidates for reinforcement. You might also find some flow that can be re-routed, so you can completely shut down some points of entry for greater security without loss of convenience.
- Inventory your devices — Network assets such as desktops, laptops, smartphones and various software applications give your workers access to your network. But not every device should have access to your whole network. For example, smartphones generally have less antivirus protection than computers. It’s also highly unlikely that an employee would have to access customer data from a smartphone. So, why risk a customer data breach through an infected smartphone? Better to deny smartphone access to that part of your network.
- Sort data by storage requirements — Not every piece of data needs to be stored in Fort Knox. But data that contains your customers’ personally identifying information requires optimal security. You can create network subgroups, placing sensitive data on discrete servers with robust network defenses.
- Strengthen access controls — There’s much to be said for ease and efficiency when traversing the segments of your network. But easy access is the opposite of security. You need to harden your defenses by limiting access. First, decide who in your network should not be allowed to go where. If someone’s job does not require them to access sensitive data, why should their device be able to? Shut access down. As for the folks who need occasional access, add multifactor authentication as an additional hoop to jump through. What amounts to 10 seconds of an employee’s time could stop a hacker dead in his tracks.
- Review and reassess — Network security is a continually evolving field, as hackers invent new tools and the good guys in IT security try to keep a step ahead. It’s important to occasionally review and stress-test your strategy to make sure it’s still serving your needs, especially as your business grows and your requirements change.
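To make the five steps above concrete, here is an added example (not from the original post or from KMF Technologies) that models a small office network as segments: staff computers, smartphones, the servers holding customer data, and printers. Devices are placed in a segment by address, a short allow-list says which segment may reach which, everything not listed is denied, and the “occasional access” to customer data is gated behind an MFA flag. The segment names, subnets and ports are constructed for illustration; real firewall or VLAN rules would express the same policy in the vendor’s own syntax. A `reachable_from` check is included for the “review and reassess” step: it answers the question “what can a captured smartphone actually reach?” from the rules alone.

```python
"""Zone-based segmentation policy check (illustrative, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Steps 1-3: segments carved out of one office network (constructed subnets).
SEGMENTS = {
    "office_pcs":    ip_network("10.10.10.0/24"),  # staff desktops and laptops
    "mobile":        ip_network("10.10.20.0/24"),  # smartphones and tablets
    "customer_data": ip_network("10.10.30.0/24"),  # servers holding customer PII
    "printers_iot":  ip_network("10.10.40.0/24"),  # devices that barely connect
}


@dataclass(frozen=True)
class Rule:
    src: str                  # source segment name
    dst: str                  # destination segment name
    port: int                 # TCP destination port
    require_mfa: bool = False # extra hoop for occasional access


# Step 4: allow-list derived from the workflow chart. Anything not listed is denied.
RULES = [
    Rule("office_pcs", "customer_data", 443, require_mfa=True),  # occasional, MFA-gated
    Rule("office_pcs", "printers_iot", 631),                     # printing
    Rule("mobile", "office_pcs", 443),                           # internal web portal only
]


def segment_of(addr: str) -> Optional[str]:
    """Map an address to its segment, or None if it belongs to no known segment."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, port: int,
             mfa_passed: bool = False) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow; default is deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside any known segment"
    if src == dst:
        return "allow", f"intra-segment traffic within {src}"
    for rule in RULES:
        if (rule.src, rule.dst, rule.port) == (src, dst, port):
            if rule.require_mfa and not mfa_passed:
                return "deny", f"{src} -> {dst}:{port} requires MFA"
            return "allow", f"{src} -> {dst}:{port} permitted by rule"
    return "deny", f"no rule permits {src} -> {dst}:{port} (default deny)"


def reachable_from(segment: str) -> Set[str]:
    """Step 5 audit: which other segments can this segment reach at all?"""
    return {r.dst for r in RULES if r.src == segment}


if __name__ == "__main__":
    # A compromised phone trying to reach the customer-data server is stopped
    # at the "hatch" even though the phone is a legitimate network device.
    print(evaluate("10.10.20.15", "10.10.30.5", 443))
    # A staff laptop gets through only once MFA has been completed.
    print(evaluate("10.10.10.7", "10.10.30.5", 443))
    print(evaluate("10.10.10.7", "10.10.30.5", 443, mfa_passed=True))
    # Review: what a captured smartphone could reach under the current rules.
    print("mobile can reach:", sorted(reachable_from("mobile")))
```

When the business grows and a new system is added, the review step is simply to add the new segment and re-run `reachable_from` for each segment; any segment that can reach `customer_data` without an MFA rule is a finding to fix.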
Every small business is different, but all face a common enemy: the cybercriminal. The IT security pros at KMF Technologies can help give your company the protection it needs.