Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

iQ MAGAZINE

Addressing Network Security
Many SMBs do not have adequate network security. Here's how to make sure you do.
By James A. Martin
Illustration by Peter Hoey
Article Contents:
Start Clean | Put It In Writing | Network-Security Checklist
Now more than ever, small and mediumsized businesses (SMBs) are relying on their networks for internal and external communications, inventory, billing, sales, and trading with partners—in short, for just about everything. And yet, many SMBs haven't adequately protected their networks.

Why? Because to many SMBs, network security can seem too complex and too resource intensive to tackle. Many companies see network security as an expense that won't help them grow. "They would rather use any extra resources they have on sales and marketing," says Larry Clinton, chief operating officer of the Internet Security Alliance (ISA).

In addition, some SMB leaders believe that their companies are less likely to become targets of hacker attacks than are larger companies. Meanwhile, many larger enterprises have further bolstered their network security. As hackers and others with malicious intentions find it increasingly harder to infiltrate the networks of larger enterprises, they will turn their attention to SMBs networks.

The numbers bear this out. For example, the Mydoom worm in 2004 affected one out of three SMBs, but only one out of six larger companies, according to Clinton.

Start Clean
To begin, broaden your view of network security. Rather than categorizing it as an IT concern, you should instead consider it as a business-continuity issue. Networks have become an intrinsic part of conducting business, making security planning as important as sales and marketing planning.

Before any planning, start with a clean slate. Most SMBs have at least some network security in place. But is your current level of security enough? It will serve you well to question everything and assume nothing.

Back to top

Put It In Writing
Once you've finished an internal network-security assessment, it's often useful to have an outside consultant perform an independent assessment. Compare the consultant's results to your own in order to identify any gaps. Armed with this information, you can develop (or revise) your written network-security plan. If you've enlisted outside help, your consultant can help you with this task. It's critical to document your plan in order to maintain a consistent approach to network security; with a written plan in place, you can compare results over time, troubleshoot, educate employees, and track your progress in each area.

Finally, it's important to realize that your network security must be both consistent and flexible. Policies—especially those created with your business's most important assets in mind—aren't likely to change significantly unless your business itself does. However, you should evaluate and update the procedures used to enforce these policies when the need arises.

The following tips should help you develop—and win support for—an effective network-security plan:
In discussions with financial or other officers, focus on return on value rather than return on investment. Point to the potentially devastating impact of security breaches—such as loss of revenue or customer litigation.
Never assume network attacks will only come from outsiders. Loyal employees can inadvertently create security vulnerabilities, and disgruntled or former employees can cause considerable damage.
Develop a companywide security strategy. Don't be tempted to confront security concerns with a piecemeal approach rather than a single, unified strategy.
Work with other company officers to develop and implement security strategies, focusing on technology, training, physical site security, and more.
Find the right balance between security and usability. The more secure your network is, the more difficult it is to use.

Ultimately, a process of continual revision is critical to the success of any network-security plan. "The most effective network-security plan," concludes Clinton, "is one that is always a work in progress."

Back to top

Network-Security Checklist
Every SMB should have a written (and thoughtfully prepared) network-security plan in place. Answering the following questions can help you develop your own policy:

Take Inventory of Your Current Security Technologies
Do you have any of the following?
Firewall
Virtual private network
Intrusion prevention
Virus protection
Secured wireless network
Anomaly detection
Identity management
Compliance validation

Identify Your Most Important Digital Assets and How They Can Be Accessed
Exactly what are your company’s digital assets?
What are they worth?
Where do those assets reside?
Who has access to these assets, and why?
Do all employees have the same level of network and application access?
Do you extend access to partners and customers?
How do you control, validate, and monitor that access?

Evaluate the Potential Impact of a Security Breach
What is the potential financial impact of a network outage due to a security breach?
Would a security breach be likely to disrupt your supply chain, and (if so) how?
What would happen if your Web site went down? How long could the site be unavailable before you suffered a significant financial impact? Minutes? Hours? Days?
Do you have e-commerce features on your site? How long could your storefront be unavailable before you suffered a significant financial impact? Minutes? Hours? Days?
Does your company have insurance against cyber attacks, or against the misuse of your customers’ data? If so, is this insurance adequate?

Consider Both Current and Future Needs
In what ways do you expect your business plan to evolve over the next few years?
How recently have you updated your network equipment? Software? Virus definitions?
What type of security training—if any—do you provide to your employees?
How will growth affect your digital assets and their value to your business as a whole?
In the future, are you likely to have a greater need for remote employees, customers, or partners to access those digital assets?

Back to top

iQ Magazine, Second Quarter 2005
About the Author
James A. Martin writes frequently about network security and is a Principal of Martin Parham Group in San Francisco.
Download this Article
Addressing Network Security [219 KB]

Further Reading
Next Steps
Learn about the latest adaptive security solutions, which make it easier for SMBs to keep network defenses current, in “Self-Defending Networks.”

Use the Cisco Security Policy Builder, a free and simple online tool, to help you start developing a sound network-security policy.