“The key to protecting network connected devices, and sensitive operational and customer data is to segment your network, which means creating separate network domains for different types of systems and devices – including IoT devices.”
Many IoT devices are just small Linux computers embedded in things like light bulbs, refrigerators and thermostats. But do you pay the same attention to their security as you do to your PCs? When did you last install a firmware update on one of them?
It is fundamentally risky to keep all of your devices on a flat network: one compromised device can reach every other device on it. A breach that starts that way can put you in breach of data protection regulations, such as GDPR in Europe, with fines that many small businesses simply cannot absorb. And in many cases it would not have happened if appropriate network segmentation, firewalls and security controls had been in place.
The old way: “flat” networks with just one point of entry
To understand the need for network segmentation, it’s first necessary to understand what a traditional “flat” network architecture looks like (illustrated below). Unlike segmented networks, flat networks have just one firewall router, usually purchased from a retailer, or installed by an Internet Service Provider.
Figure 1: A traditional, flat network architecture
This is called a flat network because there is no firewall or logical separation between the devices behind the router: every device can talk directly to every other device on the network, and the only firewall sits at the perimeter, between the network and the Internet.
This kind of architecture worked well when most small businesses had just a few computers, which was often the case in the late 90s and early 2000s. Back then, Wi-Fi was rare, there were no IoT network-connected devices, and very few (if any) mobile phones had Internet access.
Why flat networks are no longer OK
When smartphones with Wi-Fi became commonplace, many small companies found that the number of devices connected to their network doubled in a very short time, adding networking and, specifically, cybersecurity challenges.
Today, network security is an even tougher challenge, as smart TVs, smart light bulbs, smart refrigerators, and a wide range of other IoT devices are being connected to small business networks at scale – sometimes resulting in literally hundreds of devices on the network.
All of these new devices have a network interface, storage, memory, processors and an operating system. In other words, they are computers, and they are just as vulnerable to attack as any other kind of computer or smartphone.
Additionally, IoT devices in particular are typically connected to the Internet around the clock and are rarely patched, making them a relatively easy target for attackers. Remember, on a flat network an attacker who controls one such device can reach every other system on it, which could lead to a major data breach and, in the worst cases, large regulatory fines.
Boost your cybersecurity with network segmentation
By segmenting their networks, small businesses can place devices and systems on separate sub-networks, each behind its own firewall. Besides making it possible to manage Internet bandwidth per segment (so that, say, video surveillance uploads do not starve the point-of-sale system), it keeps systems that hold sensitive data apart from people and other systems that have no need to reach them.
In the typical small business, this can be achieved by using two or more routers, and looks like this:
Figure 2: A segmented small-business network with three routers that segment general systems, Payment Card Industry (PCI) compliant systems, and IoT systems – in this case, a video surveillance system.
Isolating problems with network segmentation
Another key benefit of network segmentation is that it contains the damage from a cybersecurity breach. If a laptop on the general network gets infected with malware, for example, the malware cannot get into the IoT network, because the IoT segment's firewall only accepts the connections you have explicitly allowed. The same is true in reverse: if an IoT device is compromised, the firewall in front of the general network stops the problem from spreading to those systems. The caveat is that this only holds if the rules between segments are restrictive by default; a firewall configured to pass all traffic between the segments gives you a flat network with extra hardware.
With network segmentation, the old adage "better safe than sorry" definitely holds true. It is a question of working out which systems need to talk to each other, and which really don't, and then allowing only those flows in the firewall rules. Once you've done that, relatively simple architectural changes protect your critical systems, devices and data, and help you stay compliant with GDPR and other relevant regulations.
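The "which systems need to talk to each other" decision, applied to the three-segment design of Figure 2 (general, PCI and IoT), written out as an explicit allow-list with deny-by-default. This is an added example, not code from the original article or from any router vendor: the subnets, interface names, allowed flows and the connection records are assumptions chosen to illustrate the design. It checks individual flows against the policy, audits a batch of constructed connection records for anything the policy forbids (which, if it shows up in a router's accepted-connection log, means the inter-segment rules are not as restrictive as intended), and renders the same policy as an nftables forward chain for a Linux box acting as the single router with one interface per segment.

```python
"""
Segmentation policy for a three-segment small-business network (general, PCI, IoT).
Addresses, interface names and allowed flows are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing plan: one subnet per segment, one router interface per segment.
SEGMENTS = {
    "general": ipaddress.ip_network("192.168.10.0/24"),
    "pci": ipaddress.ip_network("192.168.20.0/24"),
    "iot": ipaddress.ip_network("192.168.30.0/24"),
}
INTERFACES = {"general": "lan0", "pci": "pci0", "iot": "iot0", "internet": "wan0"}


@dataclass(frozen=True)
class Rule:
    src: str            # segment name or "internet"
    dst: str
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # empty means any destination port


# The "which systems need to talk to each other" decision, made explicit.
# Anything not listed here is dropped, in both directions.
ALLOW = [
    Rule("general", "internet", "any", frozenset()),       # staff browsing, email, updates
    Rule("pci", "internet", "tcp", frozenset({443})),      # POS terminals to the payment processor only
    Rule("iot", "internet", "tcp", frozenset({443})),      # cameras: vendor cloud / firmware updates only
    Rule("general", "iot", "tcp", frozenset({443, 554})),  # staff viewing the NVR web UI and RTSP streams
    # Deliberately absent: iot -> general, iot -> pci, general -> pci, internet -> anything.
]


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside our subnets is treated as the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Would the router pass a NEW connection? Reply packets ride on connection tracking."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True  # traffic inside one segment never crosses the firewall
    return any(
        r.src == src and r.dst == dst
        and r.proto in ("any", proto)
        and (not r.dports or dport in r.dports)
        for r in ALLOW
    )


# Constructed connection records (src, dst, proto, dport), in the shape a router's
# accepted-connection log might export them. Only the allowed ones should ever appear there.
SAMPLE_FLOWS = [
    ("192.168.10.5", "192.168.30.20", "tcp", 554),   # laptop watching a camera stream
    ("192.168.30.20", "192.168.10.5", "tcp", 445),   # camera probing the laptop's SMB share
    ("192.168.30.20", "192.168.20.7", "tcp", 3389),  # camera reaching for the POS terminal
    ("192.168.10.5", "192.168.20.7", "tcp", 445),    # laptop browsing to the POS file share
    ("192.168.20.7", "203.0.113.9", "tcp", 443),     # POS talking to the payment processor
    ("203.0.113.9", "192.168.30.20", "tcp", 80),     # Internet host hitting a camera's web UI
]


def audit(flows):
    """Return the records the policy forbids. Any of these in an accepted-connection log
    means the firewall rules do not match the intended design (e.g. an 'allow all' between segments)."""
    return [f for f in flows if not is_allowed(*f)]


def render_nftables() -> str:
    """Render ALLOW as an nftables forward chain with policy drop (NAT and input chains omitted)."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state invalid drop",
        "    ct state established,related accept",
    ]
    for r in ALLOW:
        match = f'iifname "{INTERFACES[r.src]}" oifname "{INTERFACES[r.dst]}"'
        if r.proto != "any":
            ports = ", ".join(str(p) for p in sorted(r.dports))
            match += f" {r.proto} dport {{ {ports} }}"
        lines.append(f"    {match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("policy violation:", flow)
    print(render_nftables())
```

Running it flags four of the six sample records: the camera reaching into the general and PCI segments, the laptop reaching the POS terminal, and the inbound connection from the Internet to the camera. The first three are exactly the flows a flat network permits and that the multi-router design in Figure 2 is meant to stop. The rendered ruleset puts the same decision into the forwarding path: because the chain's policy is drop, forgetting a rule fails closed, and the only way for a new inter-segment connection to succeed is for someone to have written it into the allow-list. On an off-the-shelf router the same allow-list is entered in the firewall rules between LAN/VLAN interfaces; the point is that the default between segments is deny.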