Most small business networks grow and evolve as the business
grows. In one way, this is good. It shows the business is
growing, becoming stronger. Unfortunately, from a network
perspective, it can be a disaster in the making.
Most small business networks are setup in a peer-to-peer (P2P)
format. In contrast, large corporate networks are setup in a
domain format. What does this mean to you?
First, let us define the two network formats. In a P2P format
every PC is responsible for its own security access. Basically,
each PC is equal to every other PC in the network. These
networks generally consist of less than ten computers and
require a large amount of administrative overhead to function
securely.
In this format the attitudes of the user population is of prime
importance. If they have a high level of security conscience
then your network will be more secure, if they don’t your
network will be wide open to insider exploitation.
You can see the problem. Ten computers and ten administrators
equal little accountability.
In a domain system there is a single point of administration,
your network administrator. He is responsible for maintaining
the network.
A network setup in this format consists of at least one server,
a domain controller, to administrator the rest of the network.
This domain controller manages user and computer access, freeing
the network administrator from the necessity of touching every
PC in the network.
When a user logs onto her PC in a P2P network she only
authenticates on it, in a domain system it is a little more
complicated.
In a domain system she logs onto her computer, her login ID is
first checked with the domain controller. If it is found she is
granted access to the network resources assigned to her. Then
she is allowed to log on to her desktop. If her ID isn’t found
then she only has access to her local PC.
Now that you know a little about the two network structures you
can see the advantages of the domain design.
As stated earlier this format requires planning to achieve. You
must sit down and outline what you want your network to
accomplish.
Consider what access your users really need to do their jobs. In
the computer security world this is called granting the least
amount of access required to do the job. Do your sales reps
really need access to your financial files? What about external
vendors?
All of this needs to be thought out and addressed.
Here’s an example of how I setup a small sales organization.
This business consisted of about eight employees and the two
owners. With the assistance of the owners we defined three user
groups.
The owners group was granted full and complete access, while
each of the other groups received lesser and different accesses.
The admin group received access to the financial and
administrative functions, and the sales groups receive assess to
the sales and customer management data. Specifically, they were
excluded from the financial and administrative and the owner’s
functions.
Additionally, we setup auditing of both successful and
unsuccessful attempts to view certain types of data. We did this
to add a layer of accountability to the network. This increases
the security of their customer’s data because we can now tell
who and when the data was accessed.
Network security personnel know that most network security
breaches occur from the inside! In my experience most small
businesses use the P2P format because it is the easiest to
implement and because they don’t know the security compromises
they are working under.
This can be a ticking time bomb for your business. Eventually,
you will experience a security lapse that could land you in
court.
For instance, you have an employee leave your business. This
employee downloaded all of your customer data before he left.
Next, he sells this data to someone who uses it to steal the
identity of several of your customers. Eventually, this theft is
discovered and traced back to your employee.
Your former customers in fully justifiable outrage take you to
court charging you with negligence. Specifically, they hold you
responsible for failing to safeguard their personal information.
Your case will be much stronger if you can show you have
positive control of your network. You can point out your
security procedures. Employee logon auditing, security updates,
acceptable use agreements, etc. In short you can show that you
have taken the steps that a reasonable person would take to
secure your network and customer data.
Hopefully, your lawyer can then place the blame directly where
it belongs. On the employee who stole the information in the
first place. Ask you attorney about this! Don’t just take my
work for it, I’m not a lawyer.
Remember, network security is a result of through planning, not
hap hazard improvisation. Give your network the same attention
you give to the rest of your business.
If you do not have the skills or the time to be your own network
administrator, you can contract with someone to handle this for
you on a part-time basis. Just make sure they are reputable, you
are putting your business in their hands.
About the author:
Rick Parrott, MCP – SA Secure, a San Antonio Texas company
specializing in desktop support and help desk services for small
to medium businesses. Our goal is to provide an alternative to
maintaining an expensive in-house IT staff or relying on many
different individual computer repair technicians. We have over a
decade of experience in both the Government and Private business
sector. Visit our website: http://www.sasecure.net