ProtonBlog(new window)
Subscribe by RSS

Network security for small businesses: An essential guide

Richie Koch(new window)

Share this page

Many small businesses don’t have the time or resources to invest in IT security, which is why cyber-criminals love to attack them.

And the cost of being unprepared is enormous. According to security outfit Kaspersky’s(new window), a single cyberattack on small businesses and larger enterprises can cost owners between $86,500 and $861,000, losses that could destroy a company’s ability to profit – or even remain open.

Fortunately, there are steps you can take to improve your network security dramatically. Unfortunately, network security is a task that never ends. As new technologies and threats develop, you must continually revisit the protective measures you are taking to make sure they are adequate. In some cases, it might be necessary to work with a trusted IT security vendor.

This guide covers the basics of network security — and what measures you should put in place immediately if you haven’t already.

What is network security?

Your network encompasses any computers, laptops, workstations, servers, tablets, smartphones, or other devices and all of their connections, either to each other over a local area network or to the Internet. Network security simply means having the technological solutions, documentation, and processes in place that allow you to control the access to your network and the flow of data over it.

While networks can vary in size and complexity, from the massive infrastructures maintained by multinational corporations down to the single computer and credit card scanning app used at a flea market, the same underlying security requirements apply. These requirements include installing and using technological security tools, like firewalls and VPNs, and implementing IT security best practices, like having the proper processes in place to recover from malware or intruders already in your network.

What’s at stake in a cybersecurity attack on your small business? 

If your small business is targeted in a cybersecurity attack, the repercussions go far beyond dollars and cents; all manner of sensitive data is at risk, including customer lists, credit card details, and banking information. Any of that information can be used to commit identity theft or fraud, calling into question the trust you work so hard to build with your customers. 

The results can be devastating. For example, a ransomware attack in 2019 on the Brookside ENT and Hearing Center in Michigan led to a complete erasure of the provider’s system(new window), which included vital patient records and appointment schedules. The attack ultimately forced the practice to close, leaving patients with lost medical histories.

For businesses in the EU/UK, a data breach not only jeopardizes sensitive information but also constitutes a breach of the General Data Protection Regulation (GDPR), potentially subjecting your business to crippling fines. Those fines can be as much as €20 million or 4% of annual global turnover(new window)

Investing time into building robust network security could be critical in not only protecting sensitive data that’s meant to stay private but preserving the very future of your business. Few companies could recover from a total loss.

Network security for beginners

Part of network security is making a threat model and being realistic about the threats and risks your company faces. If you are a very small business, or you are not primarily an IT business, it may not make sense for you to create your own internal network. This does not mean you can ignore IT security, but instead, you can rely on privacy-focused services to protect your data.

These services, combined with the proper application of IT security practices, can help you keep your business’s data safe without the need to invest in overwhelming amounts of new staff or infrastructure.

4 privacy-focused services to secure your data

Privacy-focused services generally rely on end-to-end encryption(new window) (E2EE) to keep information inaccessible except to its owner (and, depending on the service, its intended recipient). These services add an extra layer of strong, expertly implemented encryption around your sensitive data, removing the need for your employees’ to learn more advanced encryption techniques.

1. Email

Email is the backbone of many business’s internal and external communications. Proton Mail is an E2EE email service that keeps your data private. They even provide a feature that allows you to send encrypted emails to non-Proton Mail users(new window), keeping your correspondences private.

2. Cloud storage

Proton Drive uses end-to-end encryption to make sure files, photos, videos, and your most sensitive documents are stored in a secure space only accessible to authorized personnel. Because files can’t be decrypted on the server, your data is protected even in the event of a data breach.

3. VPN

A VPN encrypts your Internet traffic before it leaves your device meaning no one, not your Internet service provider (ISP) nor any malicious actors, can monitor your online activity. This lends an extra layer of security to the business you conduct online, be it making payments or accessing files. VPNs also give your employees a way to securely use public WiFi(new window), which is essential as more and more employees work remotely. However, be sure to use a trusted VPN(new window), like Proton VPN. A VPN essentially becomes your ISP, meaning that if they are malicious, they can monitor all of your online activity.

4. Password managers

It’s easy to forget there’s often just one thing standing between your most sensitive business data and an attacker: your password. You might consider using Proton Pass for Business, a tool we designed to enhance your organization’s data security with an encrypted Swiss vault for storing and sharing organizational login details, bank cards, and secure notes. Proton Pass not only safeguards passwords but also encrypts metadata like usernames and web addresses. As part of our commitment to security and transparency, Proton Pass is open source and regularly audited by third parties, offering a comprehensive solution to protect your digital assets.

Take control of your network

The next step in creating a secure network is network access control. This means having a comprehensive overview of all the devices that have access to your business’s network and its data. Network security is only as strong as the weakest link of the chain, and each of these devices represents a potential weak point that needs to be secured. All devices on your network, including smartphones, should have a firewall and full disk encryption enabled. The default password for all network devices should be changed.

Each of these devices are also used by an employee (or at least until the robots replace us all). Your staff is the single largest factor in your network security plan. Even if a computer is protected by a proper firewall and other fancy network protections, it can still compromise your network if the employee using it does not follow IT security best practices. Something as simple as an employee leaving their computer unlocked while they go to grab a coffee undermines your overall security. You need to cultivate a culture of IT security awareness(new window) at your company.  

You should also restrict both electronic and physical access to your network. No employee should have access to portions of data that are not essential to their day-to-day tasks, and only pre-approved employees should be able to download or install new programs on their device. Sensitive network devices should be physically secured from unauthorized access. By limiting access, you can narrow down the potential weak points that could lead to a data breach.

More advanced network security

1. Use WLAN Security

Nearly every business needs Internet access to handle day-to-day tasks. To be secure, you need to have your own, dedicated WiFi router.

Until 2018, most WiFi routers used the WiFi Protected Access 2(new window) protocol, which for many years was the most secure option. However, WiFi security has evolved with WPA3, which builds on its aging predecessor’s strengths. WPA3 offers updated features like improved password security, individualized data encryption, and protection against brute-force attacks(new window).

When setting up your network, aim to – at the very least – use enterprise mode of WPA2, also known as 802.11i, which eliminates shared passwords and WiFi snooping. But for optimal security, upgrade to WPA3 if your devices support it, as it implements Protected Management Frames (PMF)(new window) and perfect forward secrecy(new window), ensuring a higher level of protection for your wireless communication.

Personal WiFi networks generally have one password. If multiple people want to log in to that network, they all use the same password. As we have discussed in previous posts, a password should be unique(new window) to a single user and a single account. Organizations using enterprise-level WiFi security eliminate global shared passwords to the network. The enterprise mode of WPA2 and WPA3 allows each user to create their own individual password and thus allows flexibility and centralized governance for domain accounts. Now, if an employee loses a device or leaves the company, you can change their password or delete their account without affecting the rest of your employees’ accounts.

It also prevents employees from sniffing all the traffic of other users on the network. With personal WiFi, if an intruder is able to connect to your WiFi network surreptitiously, they can passively monitor everyone’s online activity and possibly intercept login credentials that are entered on unencrypted sites. But with Enterprise mode, no user can snoop on the online activities of another employee, reducing the information a malicious actor could collect.

2. Set up a network firewall

A firewall filters the data of your network or device and only allows permitted traffic through. If your corporate network is connected to the Internet, a perimeter firewall will prevent bad actors from accessing your network by blocking traffic that doesn’t meet a predetermined set of criteria. More advanced firewalls can even be configured to recognize attachments, filter URLs, and monitor DNS queries, allowing your company to prevent high-risk behavior. Setting up a firewall correctly will likely require the assistance of a trained IT professional.

It is also necessary to understand what firewalls cannot do. Just like malicious actors, they cannot recognize or decrypt encrypted traffic. Most firewalls cannot read traffic that is protected by SSL or TLS encryption. Second, and perhaps more apparent, a firewall only protects the network or device it is enabled for. The firewall you set up for your company’s network will not protect your employees that are working remotely. Host-based firewalls (firewalls installed directly on a device) will protect end-users even outside the corporate network and are another defensive measure companies should take. A properly configured firewall is your network’s first line of defense.

3. Segment your network

Segmenting your network is the best way to prevent a full system failure from occurring if a malicious actor or malware make it past your firewall. If your network is segmented, even if one server is compromised, the malware can be contained and the rest of your network can continue functioning.

Segmenting a network is a long, complicated process and it can take many different forms, from software-defined segmentation that divides and classifies different types of network traffic, to setting up separate physical networks for specific purposes. This process will need to be led by an IT security professional, but no matter how you decide to segment your network, there are some key steps your company should take.

Your employees’ devices’ should not have their own, public IP addresses. Network address translation(new window) (NAT) allows several computers on the same network to share one public IP address at the same time. If your company employs a dynamic NAT, you add another layer of protection between your internal network and the Internet, as the NAT will only allow connections that devices from your network initiates. No outside actor can latch onto an employee’s device’s IP address and use it to compromise the device.

Next, you should maintain separate WiFi networks for your employees and guests. Even with WPA2 and WPA3 enterprise, allowing unknown, unsecured devices onto your WiFi is a good way to introduce malware into your network. It also prevents guests from accessing other corporate WiFi-connected devices, like printers. Finally, it gives you a greater measure of control over your guests’ WiFi without affecting your employees’ WiFi.

The third way you should segment your network is to make sure that your employees’ devices and your corporate servers are connected to different virtual local area networks (VLAN). A VLAN is an example of software-defined network segmentation. It partitions and isolates parts of a single physical network so that network applications can be kept apart. Keeping the servers that contain your data on separate VLAN from your employees’ devices prevents a compromised device (or an employee not following IT security protocols) from putting your data at risk. It also gives network supervisors more control over who can access the servers and under what circumstances.

In summary, the decision of how to segment your network should be based on the sensitivity of the data being handled and where the traffic is initiated from. A server that is accessible from the Internet should not be located on the same the network as a server containing sensitive data. It’s always important to think of what the ramifications would be if a server is compromised. With proper segmentation, even if a malicious actor gains control of one server, the other servers, and especially the servers holding sensitive data, should remain secure.

4. Use a corporate VPN

A firewall will protect your network, but today, more and more employees are working remotely. You need to find a way for them to securely access your corporate data so that they can do their jobs. This is different from a VPN service that will encrypt your Internet connection. While it will use the same type of protocols (OpenVPN or IKEv2), a corporate VPN creates an encrypted connection over the Internet to your company’s corporate server, letting your employees safely download and transmit files without any fear of malicious actors intercepting or manipulating your data.

In 2023, Proton launched VPN for Business(new window), which supports dedicated IPs, servers, and access controls. If you own a business that requires a high level of security and privacy, using Proton VPN at the office encrypts your online traffic by routing it through a secure tunnel. This keeps your business’ online activity private and safe from hackers and spies. There is no hardware required, meaning you can get your business started with Proton VPN right away with fast, simple deployment and 24/7 support. Further, having your own dedicated IP addresses allows for secure segmented access to software as a services(new window) (SaaS) resources.

5. Monitor your network

Keeping logs of your network activity is often legally required and can be vital to discovering and reacting to a data breach. Some of the most important records to keep are Dynamic Host Configuration Protocol (DHCP) logs, DNS logs, VPN logs, and SSH logs, among others.

DHCP is the protocol used to manage the distribution of IP addresses within a network. These logs can be an invaluable diagnostic tool in the hands of an expert. They provide a wealth of information regarding your DHCP servers’ functionality and how access is distributed on your network.

Setting up a remote syslog service for your servers and network equipment can make monitoring your network much simpler. These services can consolidate all your records into one place, making them easier to search through. They also allow you to monitor all your logs in real time from one central location.

Small business network security checklist

Ensuring the cybersecurity of your small business is crucial in protecting against data breaches, malware attacks, and other cyber threats. Here’s a tailored checklist to guide small businesses in bolstering their network security:

Use privacy-focused services

  • Use services like Proton Mail for email, Proton Drive for cloud storage, Proton VPN for secure browsing, and Proton Pass for password management.
  • These services offer end-to-end encryption and put your privacy and data security first. 

Take control of your network

  • Audit all devices connected to your business network 
  • Make sure only authorized devices have access.

Create a mobile device action plan

Data encryption

Use WLAN security

  • Secure wireless networks with strong passwords and encryption protocols.

Set up network Firewall

  • Install and maintain a firewall to monitor and control incoming and outgoing network traffic. 

Segment your network

  • Use software-defined segmentation to divide and classify network traffic.
  • Use Network Address Translation (NAT) to allow several computers on the same network to share one public IP address.
  • Make sure your employees’ devices and corporate servers are connected to different VLANs.

Use a corporate VPN

  • Use to encrypt your internet connection and protect data.

Monitor your network

  • Regularly review logs and monitor network traffic for unusual activity that may indicate a security threat.

Train employees and manage access

  • Conduct regular cybersecurity training sessions for employees.
  • Use strict access controls, ensuring employees have only the necessary permissions to complete job duties.

This list should help you take control of your network and secure your business’s data. However, it should be viewed as the start of a long, ongoing process to maintain network security. Implementing portions of this list may require the assistance of trained professionals, but this does not mean it is a task that can wait. Poor network security puts your data, your users, and your business at risk.

By training your staff on IT security best practices and installing the necessary technological solutions, you can avoid a catastrophic data breach.

Protect your business with Proton
Get Proton for Business

Related articles

Secure, seamless communication is the foundation of every business. As more organizations secure their data with Proton, we’ve dramatically expanded our ecosystem with new products and services, from our password manager to Dark Web Monitoring for cr
what is a brute force attack
On the subject of cybersecurity, one term that often comes up is brute force attack. A brute force attack is any attack that doesn’t rely on finesse, but instead uses raw computing power to crack security or even the underlying encryption. In this a
Section 702 of the Foreign Intelligence Surveillance Act has become notorious as the legal justification allowing federal agencies like the NSA, CIA, and FBI to perform warrantless wiretaps, which sweep up the data of hundreds of thousands of US citi
In response to the growing number of data breaches, Proton Mail offers a feature to paid subscribers called Dark Web Monitoring. Our system checks if your credentials or other data have been leaked to illegal marketplaces and alerts you if so. Often
Your email address is your online identity, and you share it whenever you create a new account for an online service. While this offers convenience, it also leaves your identity exposed if hackers manage to breach the services you use. Data breaches
proton pass f-droid
Our mission at Proton is to help usher in an internet that protects your privacy by default, secures your data, and gives you the freedom of choice. Today we’re taking another step in this direction with the launch of our open source password manage