Surely at this point in time we all know that cybercrime is a serious issue that affects everyone. We've heard all about password hygiene, hacking that comes from third-party vendors, and data breaches galore caused by phishing and spear-phishing. We know we could all use better password habits.
We know we could use stronger networks. We know we need to properly scrutinize our third-party vendors. And we certainly know we shouldn't click on any links in emails that look suspicious. So why is hacking still a thing?
Because hackers are still refining their techniques and finding their way past whatever barriers we can throw up in front of them.
This has led to a new security practice: segmented networks.
What are segmented networks and how do they help?
Segmented networks can protect sensitive information even when a hacker penetrates the exterior of the network. In the old trust-and-verify model, the only protection was the outer firewall. In the new zero-trust network, there is a network of firewalls within the network, and security measures are taken to protect each one of them.
According to an NIST/Forrester report, "The Zero Trust Model is simple: cybersecurity professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted." This includes both insider and outsider data access, which should be treated as suspect and secured.
Only give minimal privileges to users whenever possible: people should only have access to what they need. Scrutinize all log traffic to determine right away whether there are any breaches.
No longer is it effective to give everyone in your organization access to your network and hope for the best. Humans are the weakest link in cybersecurity, and problems with reusing passwords or making passwords that aren't complex enough account for a significant number of data breaches. When you segment a network so that everyone doesn't have access to everything, you are protecting your organization's most sensitive data from the most basic forms of vulnerability.
According to the Department of Homeland Security, "Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network.
On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation.
Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network."
In short, keeping intruders out in the first place is the best defense.
How do you build a segmented network, anyway?
This can be a tricky problem for small businesses to solve. Unless you have a full IT department, or at least one network security specialist on your team, there's not a great likelihood this is something your business can handle in-house. Fortunately, this is one thing that you can hire out for.
There are entire companies that specialize in this sort of network security practice, and they can even manage it for you.
It's not enough to just set up a segmented network and forget about it. Security isn't a set-it-and-forget-it proposition. It requires constant monitoring, scrutiny, and support. Your CSO has to inspect the logs every day to ensure everyone who has gained access to the network is supposed to be there. Your CSO has to ensure that everyone who has access to the network only has access to what they need and nothing more.
Your CSO has to ensure that people are changing their passwords on a regular basis, not using those passwords anywhere else, and using passwords with the proper amount of complexity.
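A daily log review of this kind can be partly automated. The sketch below is an added example, not part of the original article or any vendor's tooling: it checks firewall log lines against a least-privilege policy of which segment may reach which segment on which port. The segment names, address ranges, policy entries, and log format are all constructed assumptions.

```python
import ipaddress

# Constructed segment map (assumption): name -> address range.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
}
# Least-privilege policy (assumption): only these flows are needed.
ALLOWED = {
    ("workstations", "servers", 443),
    ("finance", "servers", 443),
    ("finance", "finance", 1433),
}
# Constructed log lines: timestamp, source, destination, port, action.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.10.0.15 10.30.0.5 443 ALLOW
2024-05-01T09:00:07 10.10.0.15 10.20.0.9 1433 DENY
2024-05-01T09:00:09 10.10.0.15 10.20.0.9 445 ALLOW
2024-05-01T09:01:30 10.20.0.4 10.20.0.9 1433 ALLOW
2024-05-01T09:02:00 192.0.2.77 10.30.0.5 22 ALLOW
"""

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def review(log_text):
    """Return (timestamp, finding, flow) for every flow the policy does not grant."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed lines
        ts, src, dst, dport, action = parts
        flow = (segment_of(src), segment_of(dst), int(dport))
        if flow in ALLOWED:
            continue
        # ALLOW outside policy: a firewall rule is too broad.
        # DENY outside policy: segmentation held, but the source needs a look.
        kind = "policy-gap" if action == "ALLOW" else "blocked-attempt"
        findings.append((ts, kind, flow))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A "policy-gap" finding means traffic crossed a segment boundary that nobody was supposed to be able to cross, which is the condition the DHS quote above describes as poor segmentation.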
This, of course, means that your summer intern can't serve as your company's CSO. Neither can Bob in the accounts receivable department. You have to have someone whose dedicated job is to maintain the security in your network. If you have a small-to-medium-size business and you can't afford this, hiring a third party to manage this for you is probably going to be your best option.
Learn more about the latest recommendations in network security from this infographic by Tufin. Network segmentation may not be the gold standard forever, but for now it is your company's best bet in preventing data breaches.