Network security best practices

Strong network security protects against outsider and insider threats, maintains network resilience when breaches occur, and balances security with ease of use. It's also a significant factor in protecting business integrity.

IBM reports that the average data breach cost rose from $3.86 million in 2020 to $4.35 million in 2022. 83% of organizations report suffering more than one data breach, suggesting that network security best practices are not universal.

With the correct planning and policies, it should always be possible to achieve network security. This network security best practices introduction will be a solid basis for protecting your assets against contemporary threats.

Network security layers of protection

The best way to approach network security best practices is by applying the layered security model. Modern networks generally involve three layers. Each has its own set of best practices to guarantee network security.

Physical network security

This layer involves physical hardware such as computers, cabling, routers, data storage devices, and security tools like alarms and locks. The primary goal at this layer is to deny unauthorized access to physical premises. Common methods include biometric authentication, ID cards, and combination or padlocks.

Technical network security

Controls at the technical level involve dealing with data and device security. Devices need to be properly secured via antivirus and anti-malware software. IT teams must secure sensitive data at rest in segmented containers, while data in motion must be encrypted and rendered invisible to outsiders. This layer also involves software designed to limit access and prevent lateral movement across network assets.

Administrative network security

The administrative layer handles security policies designed to ensure security and regulatory compliance. This layer deals with people. It involves logging user behavior, assigning privileges, on and offboarding staff when required, and training staff to understand how the corporate security policy functions. Change management is a vital aspect of this layer, including software and device infrastructure alterations.

Network security best practices for your business

The three layers described above should guide network security policies. Each layer should have a dedicated planning process, while an overall security policy combines them into an organization-wide vision.

But what elements should be part of this security vision? Here are several network security best practices that can contribute to network security. Network landscapes vary, and some of these measures may not apply to your situation.

1. Carry out a network infrastructure audit

Awareness and visibility are the starting points of robust network security, and it is vital to base your security posture upon a comprehensive inventory.

This audit should include documentation of all endpoints (IoT devices, on-premises laptops, routers, smartphones, and remote working devices). Combine this with a full audit of applications residing on network storage and any cloud services used by your organization.

IT teams should check all connected device configurations like port settings, unnecessary services, and other potential vulnerabilities. And any devices should be available for scanning whenever they establish connections.

This audit process provides a sound basis to counter insider threats via ongoing threat monitoring. It also informs the second recommended best practice.

2. Apply network segmentation to protect core assets

Network segmentation allows managers to create zones of trust accessible only to privileged users.

Data centers containing critical data can be segmented from open network traffic according to the principle of least privilege, ensuring that access is only permitted when required. Segmentation also restricts lateral movement within your network infrastructure, containing threats if they emerge.

There are various styles of network segmentation, such as older VLAN models. However, micro-segmentation via Software Defined Networking (SDN/SDP) provides more precise traffic control.

SDN/SDP conceals whether infrastructure is on-premises or cloud-based, creating a VPN-style perimeter at the network layer. Software defines the network perimeter, not hardware – the ideal solution for businesses that depend on cloud assets.

Whatever segmentation style you use, IT teams should have access to real-time information regarding threat alerts and suspicious traffic. They also need the ability to change segmentation settings as required.

3. Create an in-depth data loss prevention strategy

As a rule, network security strategies should seek to prevent breaches instead of detecting them. Prevention-focused approaches require wide-ranging strategies beyond standard perimeter defenses such as VPNs and firewalls (although those tools can still be security components).

Defense in depth means extending encryption to apps and cloud services and could entail a variety of complementary technologies:

• Intrusion Detection and Prevention (IDP) systems can provide instant updates when potential breaches arise.
• Software Defined Perimeter/Software Defined Networking (SDP/SDN) tools can hide traffic from outside observers across the entire network, not just the network edge.
• Endpoint Detection and Response (EDR) tools can scan connected devices and watch for malware intrusions.
• Identity and Access Management (IAM) tools handle network access and determine what individuals can access inside the perimeter.

Knowing where sensitive data is stored and how it is protected is also vital. Make a registry of every data container, and assign them to proper network segments. If cloud storage partners are involved, assess their integrity and make changes if needed.

4. Use Identity Access Management (IAM) to manage user privileges

IAM tools allow security teams to prevent unauthorized users from accessing network assets. They are an essential component of Zero Trust Network Access (ZTNA) approaches, which apply the principle "never trust, always verify."

Zero Trust access management involves role-based user authentication. These controls set out privileges linked to professional roles and can vary depending on seniority, project status, and whether users are on staff or contractors. Under the principle of least privilege, users should have access to resources they need and nothing more.

IAM tools also include Single Sign On (SSO) portals that provide a point of entry for network users. These tools should feature multi-factor authentication (MFA) as an alternative to vulnerable password access.

IAM can be automated successfully. Automation reduces the risk of human error (for instance, when assigning access to confidential data). It also makes managing employee or contractor offboarding easier, reducing the risks posed by orphaned accounts.

5. Always backup data

Backing up data is essential when protecting core assets, whether they are client databases or project workflows. Only 41% of companies back up data daily, leaving significant holes in their security posture.

84% of companies rely on cloud storage to make backups. In that case, create a specific cloud security strategy for each storage location. Ensure that containers are secure and that third-party providers are reliable.

Additionally, remember that backups can be prone to failure. Studies suggest a failure rate of 37% when restoring backed-up data. Minimize this risk by carefully choosing a reliable storage location and testing recovery procedures regularly.

6. Consider using secure email

Insecure email communication is one of the most common vectors for phishing attacks, accounting for around 90% of all data security breaches. One effective mitigation action is to enforce the use of email signing certificates or Personal Authentication Certificates (PACs) for all internal messaging.

These certificates attach a file to emails that applies encryption from end to end. The presence of the certificate informs recipients that the message is authentic, and the encryption adds a valuable layer of security to hide sensitive information from snoopers.

7. Ensure that all staff receive proper security training

Verizon's 2021 Data Breach Investigations Report found that human error was behind 85% of data breaches. Security teams must train staff in best practices and the penalties for breaching security policies.

Create a comprehensive staff training policy that reaches every role, no matter of senior or junior. This training should include anti-phishing awareness, password security, and the use of MFA. It should also feature general rules regarding remote workers and BYOD.

Trainers should remind staff to use patched antivirus and anti-malware tools. And it's important to stress that employees only use authorized sources for updates and patches.

Training is a process, not a single event. Plan regular refresher courses and checks to ensure that staff follows best practices. Create training that features real-life scenarios. Don't rely on multiple choice quizzes or lectures. Role-playing security situations can be a very effective way to communicate best practices.

8. Create a comprehensive incident recovery plan

When attacks occur, companies need relevant and easy-to-follow recovery plans to restore functionality and security.

Create a recovery team with clearly defined roles and responsibilities to follow when needed. This team should have the authority to reach across departments and escalate requests to the highest level.

Recovery plans should detail all core applications, network devices, and resources, including the location of recent backups and plans to restore functionality. This process should include an assessment of any data breaches and losses alongside actions to counter those threats.

Security managers can find guidance on incident recovery best practices in NIST 800-61. Use that document as a basis for your recovery plans but take care to cover your specific needs. Specimen recovery plans are also available from the SANS Institute and should be relevant for most organizations.

9. Prioritize software updates and patches

Companies should have a unified policy regarding software updates, including every app connected to network infrastructure. Any delayed updates can leave the kind of security gaps that attackers seek. Unpatched firmware on a router or poorly configured IoT devices can often be enough.

Create an inventory of all apps connected to the network and grade them according to risk and vulnerability. High-value apps used across the network or data storage containers are high risk, while specialist design tools used by a single department could carry lower risk.

If possible, consolidate different versions of the same app to apply the latest updates. When more than one app performs the same function, choose one to serve across the entire network.

IT teams can apply automated patch management to deliver updates as soon as they are available. Choose vendors with a reliable record in communicating patches. Not all software partners will instantly inform users. That matters when even slight delays can be crucial.

10. Create a watertight policy to govern third-party access

44% of organizations reported a data breach in 2020, and 74% attributed it to a third party. 60% of organizations work with over 1,000 third parties, so that statistic is not surprising. The partners you work with are as important to network security as employees.

Third parties could include freelancers and contractors brought in for a few weeks, cloud storage providers, or SaaS partners. All must be security assessed before they or their products interact with network infrastructure.

The best way to approach this is via a Third Party Risk Management Plan (TPRM). This plan should feature a list of all third-party vendors assessed according to risk. This risk rating should take into account the probability of a data breach and the likely consequences of that breach.

By collecting information about cybersecurity performance, reputation, and quality of service, you can create vendor profiles that inform commissioning decisions. Automate vendor management to save time, but take care when compiling the original risk register.

Improve network security by focusing on prevention, not cures

The best time to prevent a cyber attack is before that attack even begins. And that's why strong network security posture is so important.

By following the best practices discussed here, businesses can create a solid security foundation. Combine robust perimeter protection, efficient threat monitoring, workforce training and measures like network segmentation to make life harder for potential attackers.