Many companies that have "gone remote" have decided to keep some small physical office for occasional team gatherings, customer visits, and regulatory and compliance purposes. However, that has often involved moving from a pre-existing office (often a spacious one) to a more compact one that fits the new normal. A popular request we've received during those transitions is for a small business network setup checklist summarizing the biggest information security factors in setting up a new office network safely. Here's our take on that.
One of the first things that happened when a large number of companies "went remote" was a realization that certain business workflows relied heavily on in-office resources. Our least favorite example involves on-premise servers acting as file shares for employees archiving and sharing spreadsheets, presentations, and reports with each other. In this era of abundant cloud-based file storage / sharing solutions, including ones with a wide range of authentication and encryption settings, we're rarely convinced that a small business is equipped to run a more secure internal fileshare than the cloud-based ones widely available for business use. If you are setting up a new small business network, now would be a great time to migrate legacy fileshare servers to the cloud.
Unsure if your router automatically downloads and installs software patches? Now would be a good time to check on that. If it doesn't, it's time to either work through a configuration change or acquire a new wi-fi router that does. We've been surprised to see this item absent from many of the guides we've read about small business network setup: it's one of the most vulnerable parts of your small business network because would-be attackers don't even need to be physically inside of your office footprint to attempt their exploit.
Many small businesses focus their on-premise network security effort around workstations on each employee's desk, and that's a fine start. However, don't forget that printers, conference room phones, smart displays, videoconference equipment, and other devices are often network-connected as well. One of the most common oversights in small business network setup is forgetting to change default administrative usernames and passwords on non-workstation devices, and neglecting to have a game plan for patching those devices. A business-grade internal network vulnerability scan can help you identify vulnerable network-connected devices that you might otherwise overlook.
This advice is going to sound crazy to some longtime IT professionals. Bear with us here. Before you rush to set up a VPN that allows employees to access the office network from the comfort of their homes, ask yourself exactly which office resources they depend on. Is it a file share? A peer's workstation? An internal line-of-business application? Whatever it is, we're skeptical that it's something that really needs to be hosted in an on-premise manner. Tracing back to the root cause of why employees "need" VPN access to the on-premise network is a great way to reveal dependencies that shouldn't be hosted on-premise at all. By moving some of those dependencies to the cloud, you may find that very few (if any) employees really need VPN access to the on-premise network.
Ever find yourself in an office that has dozens, hundreds, or thousands of network taps -- and no one seems to know which ones are active? This story is all too common. And usually it doesn't become an immediate security problem until some office reconfiguration occurs -- and then it becomes a big problem. In this era of companies reshuffling their office footprint, it's becoming very common for tenants to sublease part of their space. Or to forgo renewal options on portions of their footprint. Or reconfigure the use of various parts of their space. In all of that commotion, it is very easy to end up with an active network tap in an area that shouldn't have it. A good labelling system that keeps track of which taps are connected to which ports on your switch will help you stay sane (and secure).
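One way to put a tap-labelling record to work, as an added example that is not part of the original post: a short Python audit that cross-checks a jack-label inventory against switch port state and flags live taps in space you no longer control. The CSV columns, switch and port names, and area names are constructed sample data; real port state would come from your switch's management interface.

```python
import csv
import io

# Constructed sample inventory: wall-jack label -> switch port and office area.
JACK_INVENTORY_CSV = """jack_label,switch,port,area
A-101,sw1,1,reception
A-102,sw1,2,conference
B-201,sw1,3,east-wing
B-202,sw1,4,east-wing
"""

# Constructed switch state: (switch, port) -> is the port administratively enabled?
PORT_STATE = {
    ("sw1", "1"): True,
    ("sw1", "2"): True,
    ("sw1", "3"): True,   # still live in the subleased wing
    ("sw1", "4"): False,
    ("sw1", "5"): True,   # enabled, but no jack label on record
}

RELEASED_AREAS = {"east-wing"}  # space that was subleased or given up


def audit_taps(inventory_csv, port_state, released_areas):
    """Return sorted findings as (kind, switch, port, jack_label) tuples."""
    findings = []
    labelled = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["switch"], row["port"])
        labelled.add(key)
        if key not in port_state:
            # The label points at a port the switch does not report.
            findings.append(("stale-label", *key, row["jack_label"]))
        elif port_state[key] and row["area"] in released_areas:
            # Live tap in an area that should no longer have one.
            findings.append(("active-in-released-area", *key, row["jack_label"]))
    for key, enabled in port_state.items():
        if enabled and key not in labelled:
            # Enabled port that nobody can trace to a physical jack.
            findings.append(("unlabelled-active-port", *key, ""))
    return sorted(findings)


if __name__ == "__main__":
    for kind, switch, port, label in audit_taps(
            JACK_INVENTORY_CSV, PORT_STATE, RELEASED_AREAS):
        print(f"{kind}: {switch} port {port} {label}".rstrip())
```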
We're a small business too, so we certainly understand the pressures of trying to do "a lot" with "a little" (budget-wise, we mean). However, one area where we would absolutely not recommend making price the dominant factor in your search is your firewall selection. It's very tempting to look at the huge gap between the low price of bargain firewalls and the large price of well-known brands, and to fall victim to "sticker shock" that leads you to purchase the lowest-cost firewall you can find. Please don't. This is an area where a solid investment will help you stay safe for years to come.
Here's an item that will make "zero trust" fanatics squirm. Before we share our advice here, let us just say that we love the trend towards zero trust. In its most mature form it may eventually make on-premise networks "no different" than any other network -- meaning that the office network may supply internet access but have no other implicit privileges that you wouldn't have from any other network location. We love the theory and the move in that direction. However, for now, most networks aren't cleanly managed in a way that makes that a reality. So, for now, we continue to urge you to keep Guest Wi-Fi and Employee Wi-Fi separate.
If your small business is like most, you don't spend a ton of time ensuring that your administrative passwords for infrastructure components (firewall, etc.) are rotated on a recurring basis. If you are moving offices and going through this small business network setup checklist, now is the time to (at a minimum) change all of those passwords. Even better: maybe it's time to set up a recurring calendar item to rotate those passwords every quarter.
This item is the one that has generated some of the best "laughs" from our clients. Fortunately, they've been laughs that have led to increased security. Here's how the conversation goes. Q: "Hey, what's that workstation over in that empty part of the office used for?" -- and A: "Not sure. Jim from accounting used to use that one. When he left, he said that machine helps us with the ABC part of the XYZ workflow." Guess what: it's time to track down exactly what workflow that mysterious workstation in the corner really is crucial for. There is a good chance that it's no longer used for anything important at all, and that it might be the weak link in your company's cybersecurity perimeter.
Thanks for reading. If you are in the midst of a small business network setup, please be in touch if we can be helpful by being your expert advisor on any of these topics. We're glad to deploy internal network vulnerability scans and our fleet of other small business cybersecurity tools to come to the aid of small business owners anywhere.