Take a city park district, for instance.
While there are cost savings to be found in making sure that your IT department doesn’t have to drive all over town to maintain your computer systems, there are risks to simply putting all of your devices in one network. All too often, organizations with multiple locations will jump on board with getting their computer network upgraded, and getting all of the sites centrally managed, but aren’t aware of many of the risks that need to be considered.
It’s not that you shouldn’t centrally manage, but there’s a right way to do it.
An analysis of your accessible ports, network shares and your file permissions needs to be performed. Users should be limited to viewing or editing only those files that they need to get their job done. Unfortunately, network administrators are not always aware of how exposed their network resources are until their network has already been compromised.
Let’s go back to CryptoWall as an example.
If a user at one location opens an email with a CryptoLocker or CryptoWall infected PDF (as we recently had happen on a client network), their computer will start encrypting everything that it has access to. As it encrypts your files, it will leave behind notes or popups demanding money to unlock your files. If the user has access to the company backups, QuickBooks, or RecTrac files, then the park district may find itself in a tight spot. The virus may find those network resources and encrypt them even though they are not in the same building as the infected workstation.
There are a variety of ways to protect your network, but the important thing to remember is that no single one is failsafe. Security is about having layers, not about each layer of protection being impenetrable. A good managed IT services porvider can help you develop several layers to protect your network.
7 Ways to Protect Your Network:
- Run a network discovery tool to find open ports, file shares, and to document user permissions. Review the reports and lock things down to what users really need on a daily basis.
- Keep a paid antivirus solution up-to-date on each computer. Free antivirus is never quite as good as paid.
- Subscribe to a spam filter service to prevent the infected emails from reaching users.
- Use a high quality network firewall such as Cisco Meraki at each of your locations.
- Keep daily automatic backups both onsite and off-site. If you do get infected then it will be a simple matter of just restoring the files from last night’s backup.
- Limit access to your backups to your server or a limited number of workstations. Create a VLAN, put it on a different switch and port on your server or use USB to connect it to your server. The idea is that you don’t want an infected workstation to have direct access to your backups. Make your workstation back up to the server and have your server push those backups to the backup device.
- Run a second-opinion virus scanner at least once a month on your servers and workstations. MalwareBytes Anti-Malware is a good free option. (I know I said free is never quite as good as paid. While this is largely true, you also never want two antivirus programs actively protecting your computer, as they will usually fight each other and make your system unusable. An IT consulting firm can help you navigate some of these confusing issues.)