An employee gets an email that says their invoice is attached. Opening the attachment downloads a computer virus that encrypts the files on their computer in seconds. The virus spreads to other computers in the company and soon the entire network is taken down and a cyber-criminal is demanding a hefty ransom in return for the encryption key that’s required to release the data.
This is what cyber experts call a cold, dark day. It’s the day when you have a cyber-attack.
While cyber-attacks like this ransomware scenario can happen quickly, these days it’s more common for the bad guys to take their time lurking around a network in order to get to a bigger target. In fact, a report from IBM found that the average time to identify a breach in 2020 was 228 days.
That’s a lot of time to pick off account credentials, and wiggle into the networks of your customers and vendors. So if it’s possible that an intruder could be moving around undiscovered in your network for months and you won’t know it until they make their big strike, you need to do something different.
What you need is a layer in your security strategy that limits lateral movement through your network. Limiting movement limits the potential damage that a cyber intruder can do, and network segmentation is a cybersecurity tactic to help you do that.
What is Network Segmentation?
Network segmentation is the practice of dividing your corporate network into a series of smaller networks so that people and systems only have access to what they need. It’s one of the tactics used in a Zero Trust approach to cybersecurity strategy.
If you have separate Wi-Fi access for guests so that they can only get to the internet, and not your corporate files, you’re already practicing network segmentation. You might also have your backup files separated from your main network. There’s more that you can and should do with network segmentation, however, to stop intruders in their tracks.
How to Implement Network Segmentation
As a business leader or manager, you don’t need to know the technical details of how to segment a network, but you may need to participate in the planning process so that the segmentation makes sense for your business operations. However, a large part of network segmentation is deciding what network traffic is allowed and what is not, and that gets into the technical weeds pretty fast.
For example, all of the workstations need to connect to the file server for file serving and nothing else. Likewise, they can connect to the domain controller for the permissions they need and nothing else.
After the information-gathering process, a network architect will create a segmentation plan that takes into account all of your devices and cloud connections, and all of your ports that organize and direct traffic, and breaks them off into sections.
The result is that if an employee inadvertently clicks on a phishing email that unloads malware, the infection can’t travel and the damage is contained. Additionally, you’ll be controlling internal access to network locations on an as-needed basis, and that decreases your risk of insider threats.
Implications for Remote Workers and Connected Devices
If you have all or some of your employees working from home, then your network is spread out to every individual location. Whether you’re using SSL or VPN, you still need to think about what data employees can access.
In the case of VPN, make sure that the employee can get to their remote desktop but not the whole network so that you’re not inadvertently opening up a connection between the employee’s home network and yours.
Likewise, consider other equipment that you might have connected to the internet – security cameras, environmental controls, machinery, and equipment. Security standards for these Internet of Things (IoT) devices are sketchy at best, so using network segmentation to separate these connections is a best practice that you should adopt.
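The allow-list idea from the implementation section and the VPN and IoT points above can be written down as a default-deny policy and checked against traffic records. The sketch below is an added example, not part of the original article; the segment names, address ranges, host addresses and flow records are constructed assumptions, and the port numbers are the standard ones for SMB, Kerberos, DNS, LDAP and RDP.

```python
import ipaddress

# Constructed segments and addresses (assumptions for illustration only).
SEGMENTS = {
    "workstations": "10.10.0.0/24",
    "servers":      "10.20.0.0/24",
    "vpn":          "10.30.0.0/24",
    "iot":          "10.40.0.0/24",
}
FILE_SERVER, DOMAIN_CONTROLLER = "10.20.0.10", "10.20.0.5"

# Allow list: (source segment, destination host or segment, protocol, port).
# Anything not listed is denied; the IoT segment has no rules at all.
ALLOW = [
    ("workstations", FILE_SERVER, "tcp", 445),        # SMB file serving
    ("workstations", DOMAIN_CONTROLLER, "tcp", 88),   # Kerberos
    ("workstations", DOMAIN_CONTROLLER, "udp", 53),   # DNS
    ("workstations", DOMAIN_CONTROLLER, "tcp", 389),  # LDAP
    ("vpn", "workstations", "tcp", 3389),  # RDP only (per-user mapping omitted)
]

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, cidr in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "external"

def is_allowed(src, dst, proto, port):
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    for rule_src, rule_dst, rule_proto, rule_port in ALLOW:
        if (rule_src == src_seg and rule_dst in (dst, dst_seg)
                and rule_proto == proto and rule_port == port):
            return True
    return False

def audit(flows):
    # Return the flows the policy would block, labelled by segment.
    return [(segment_of(s), segment_of(d), p, port)
            for s, d, p, port in flows if not is_allowed(s, d, p, port)]

# Constructed flow records: (src, dst, protocol, port).
FLOWS = [
    ("10.10.0.21", "10.20.0.10", "tcp", 445),   # workstation -> file server
    ("10.10.0.21", "10.10.0.22", "tcp", 445),   # workstation -> workstation
    ("10.30.0.7",  "10.10.0.21", "tcp", 3389),  # VPN user -> remote desktop
    ("10.30.0.7",  "10.20.0.10", "tcp", 445),   # VPN user -> file server
    ("10.40.0.3",  "10.20.0.5",  "tcp", 389),   # camera -> domain controller
]

print(*audit(FLOWS), sep="\n")  # the flows this policy denies
```

Flows that show up in the denied list on a live network are worth reviewing: workstation-to-workstation file sharing, for instance, is the kind of lateral movement segmentation is meant to contain.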
Moving Towards Zero Trust
The Zero Trust approach to cybersecurity assumes that an intruder is present. Don’t give them an open invitation to damage and steal your data and exploit your connections by having an open network. The goal of network segmentation, similar to the Principle of Least Privilege, is to minimize the scope and impact of a compromise.
Include network segmentation in your cybersecurity strategy so that when the intruder starts jiggling the handles to find a way in, all they’ll find are locked doors.
Bellwether Cybersecurity Services
Here at Bellwether, we wrap security around everything we do because we understand that managing cyber risks is essential to business success and sustainability. We have dedicated cybersecurity experts on our team who stay up to date with evolving threats and tactics so that we can bring business leaders the information they need to make wise decisions about cybersecurity.
Contact us to explore how managed IT and security services from Bellwether can bring you confidence that you don’t have any gaps when it comes to managing cyber risks and using technology to move your business forward.