
Network Security Planning for SMEs: A Small Business Guide to Network Security Planning

Date: 2020-06-02 04:57:26


Businesses rely on their networks for their most critical operations, and with so much at risk, especially given the rise in cyberattacks, it is essential to have a comprehensive protection plan in place. In this post we look at how to create a small-business network security plan that is fit for purpose.

Why you need a network security plan

According to Small Business Trends, 43% of all cyberattacks target small businesses, and 60% of the companies where an attack succeeds go out of business within six months. Those figures alone should persuade most SMBs to act. If you need more convincing, Small Business UK reports that, on average, every UK business was targeted 230,000 times during .

Only one of those 230,000 attempts needs to succeed for harm to be done. SMBs need to consider the damage a network security breach can cause: not just lost sales, but damage to the business's reputation and the potential for lawsuits if personal data is breached.

Nor are all threats external. Staff are often the cause of problems, unwittingly creating vulnerabilities or, worse, deliberately sabotaging the network or stealing data. It happens.

The only way to protect your business is to create a comprehensive plan that secures the entire network.

Prerequisites

Before starting on your plan, be aware that this cannot be a one-person job done in isolation. The measures you put in place will affect the whole company, so representatives from across the organisation should be asked to contribute. You will obviously need to look at technology, but you also need to consider staff training, day-to-day procedures and even the physical security of the network.

One thing you will need to decide is your acceptable-risk policy. The only way to have a 100% risk-free network is to have no network at all; even a single standalone, offline computer is at risk if someone plugs in an infected USB drive.

Whatever you do will involve risk, and sometimes you will have to accept risk in order to operate. Once you have decided which risks are acceptable (or necessary), you are in a position to look for ways to minimise them.

Network Security Policy Checklist

When you put your network security plan together, make sure it covers every vulnerability or risk your network faces. Here is a checklist of the policies it should include:

1. Acceptable risk

As mentioned above, the first policy you need is a statement that defines a) the risks you must take to carry out your business, b) the risks you are prepared to take and c) the risks you are not willing to take. The content of this policy will inform many of the policies below.

2. Acceptable use

This policy applies to all personnel, who must read it and abide by it. It explains what employees can and cannot do on the business network. For example, many companies forbid employees from logging in to personal email accounts on company devices, in case they open an infected message; others ban the use of personal external drives.

3. E-mail

Besides personal email, you may need to regulate how business email is handled. You may want outgoing mail signed and encrypted using a service such as PersonalSign (S/MIME certificates), and incoming mail scanned for threats using a service such as Mimecast.

4. Identity

Only authorised users should be able to reach your network, so you need an identity policy. It should start with the proof of identity required before an account is issued at all, and then set out what the user has to present to prove their identity when logging in (for example a password plus a second factor).

Beyond the identity of the individual, you can also require the identity of the device they are connecting from, typically by issuing each company device a certificate that the VPN or gateway checks. That lets you stop unauthorised clients connecting to your network from a public port; for example, remote workers can be restricted to company-issued machines rather than their home computers.

5. Antivirus

Your antivirus policy should not merely ensure that antivirus software, firewalls and intrusion prevention are in place; it should cover how these technologies are managed: that signatures and software are kept updated, that protection runs continuously and cannot be switched off by users, and that the reports and alerts they produce are actually reviewed.

Beyond that, the policy should look at how malware gets onto a network in the first place and close those doors: services listening on unused ports, open network shares, and IoT devices left with weak or default passwords.
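The following is an added example, not code from the original post or from eUKhost, showing one way to make the "unused open ports" point actionable: a per-host baseline of the TCP ports that are supposed to be listening, and a scan that flags anything else that accepts a connection. The baseline set, the loopback "forgotten service" the demo starts for itself, and the closed-port probe on 1/tcp are all assumptions made for the demonstration.

```python
"""Listening-port baseline check (added example; not code from the original
post or from eUKhost).

A per-host baseline is the set of TCP ports the host is *supposed* to
expose. Anything else that accepts a connection is either an unused service
to disable or an unexpected one to investigate. To run offline, demo()
starts a throw-away listener on loopback to play the forgotten service.
"""
import socket

# Assumed baseline: the only TCP ports this host should have listening.
BASELINE = frozenset({22, 443})


def is_listening(host: str, port: int, timeout: float = 0.3) -> bool:
    """True if a TCP connection to host:port completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def find_unexpected_listeners(host: str, ports, baseline=BASELINE) -> list:
    """Return, sorted, the ports in `ports` that accept connections but are
    not in the baseline. Baseline ports are never probed."""
    return sorted(p for p in set(ports)
                  if p not in baseline and is_listening(host, p))


def start_forgotten_service(host: str = "127.0.0.1") -> tuple:
    """Constructed stand-in for an unused service left running: a TCP
    listener on an ephemeral port. A listening socket with a backlog
    completes handshakes in the kernel, so no accept() loop is needed for
    the scan. Returns (socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo() -> tuple:
    """Run the check against loopback with one forgotten service running.
    Returns (forgotten_port, unexpected_ports)."""
    srv, port = start_forgotten_service()
    try:
        # Probe the baseline ports, the forgotten service, and one port
        # that should be closed (1/tcp) to show closed ports stay silent.
        unexpected = find_unexpected_listeners("127.0.0.1", BASELINE | {port, 1})
    finally:
        srv.close()
    return port, unexpected


if __name__ == "__main__":
    forgotten, found = demo()
    print(f"forgotten service on {forgotten}/tcp; unexpected listeners: {found}")
```

On a real host, build the baseline from what the host is meant to provide (the services in your inventory), run the check from a management machine on a schedule, and treat every new entry as a ticket: either disable the service or add it to the baseline deliberately. Only scan hosts you own.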

6. Remote access

The internet lets your employees access your network from anywhere, but you need to make sure they do so safely. A remote access policy sets out the rules you insist on when that happens. For example, you may not want staff connecting over unsecured public Wi-Fi or from personal devices (a VPN addresses the first; the device identity requirement above addresses the second), and you may want some data, such as personal data, not to be accessible remotely at all.

7. Passwords

Attackers use sophisticated cracking tools that work from dictionaries of words and character patterns harvested from previously breached passwords, applying rule sets that try the common variations (a capitalised first letter, "@" for "a", a year or "!" on the end). Given a copy of a password database, such tools can recover even apparently complex passwords in a matter of hours. For this reason you need a strict password policy: favour length over forced complexity, reject passwords that appear in breach lists, and add a second factor where you can. For more information see our post: How to choose a secure password.
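As an added example (not code from the original post or from eUKhost), here is a password check that applies the point above: it undoes the mangling rules crackers try first (lower-casing, leet substitutions, stripped trailing digits and symbols) before comparing against a breach list, so that "P@ssw0rd1!" is rejected as "password" even though it satisfies a classic complexity rule. The breached-password sample, the 12-character minimum and the context-word check are assumptions of the example.

```python
"""Password-policy check (added example; not code from the original post or
from eUKhost).

Cracking tools do not brute-force character by character: they take
dictionaries built from leaked passwords and apply mangling rules (case
changes, leet substitutions, a year or '!' appended). A policy that only
demands 'upper, lower, digit, symbol' is satisfied by 'P@ssw0rd1!', which
falls immediately. This check reverses the common mangling before comparing
against a breach list, and prefers length over complexity.

Assumptions: BREACHED_SAMPLE is a constructed stand-in for a real corpus,
and the 12-character minimum is a policy choice.
"""
import re
import unicodedata

MIN_LENGTH = 12

# Constructed sample of a breached-password list (assumption: replace with a
# real corpus or a k-anonymity range lookup in production).
BREACHED_SAMPLE = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "football", "iloveyou", "dragon", "monkey", "sunshine", "summer",
})

# Leet-speak substitutions crackers try first, mapped back to letters.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})


def candidate_forms(password: str) -> set:
    """The forms a cracker's rule set reduces this password to: lower-cased,
    with trailing digits/symbols stripped ('Summer2019!!' -> 'summer'), and
    with leet substitutions undone ('P@ssw0rd' -> 'password')."""
    lowered = unicodedata.normalize("NFKC", password).lower()
    forms = {lowered}
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if stripped:
        forms.add(stripped)
    forms.update(f.translate(LEET_MAP) for f in list(forms))
    return forms


def check_password(password: str, context_words=()) -> list:
    """Return the list of policy violations; an empty list means accepted.
    `context_words` are strings a user is likely to reuse (their name, the
    company name) that must not appear in the password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    forms = candidate_forms(password)
    if forms & BREACHED_SAMPLE:
        problems.append("matches a breached password after undoing common mangling")
    context = {w.lower() for w in context_words if w}
    if any(c in f for f in forms for c in context):
        problems.append("contains a user or company name")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of four or more repeated characters")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Summer2019!!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, ['Acme']) or 'OK'}")
```

The normalisation is deliberately crude: the aim is not to model every cracking rule but to stop the handful of transformations that turn a dictionary word into something a complexity rule accepts. Run the same check at account creation and at every password change, and pair it with a breach-list lookup that covers more than a dozen words.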

8. Encryption

Encryption is essential for protecting data: for example, to stop email and attachments being read or tampered with in transit (encryption gives confidentiality; a digital signature gives integrity), or to prevent card details being stolen during online transactions. As an organisation you need a policy on the steps you will take to encrypt your data, such as using SSL/TLS certificates for your websites and PersonalSign certificates for email.

Other network security measures you need to consider

Besides putting these eight policies in place, there are other things to consider to keep your network secure. Make sure you have an adequately configured firewall (default-deny inbound, allowing only the services you intend to expose), that intrusion prevention, such as MTvScan, is in place, and that your data is backed up regularly and the backups are tested by actually restoring from them. Finally, make sure your network security meets the compliance regulations that apply to you.

Conclusion

There is a lot to think about here. The number of policies needed for network security can seem daunting, especially once you consider the groundwork required before implementing them. But putting them in place significantly reduces the chance of a cyberattack succeeding.

One way to protect your company from the catastrophic effects of a successful cyberattack is to choose a hosting company that provides much of what you need. Here at eUKhost, for example, we provide Mimecast email scanning, PersonalSign authentication, remote backups, MTvScan intrusion protection, SSL certificates and Fortigate firewalls to keep you secure. You also have 24/7 access to expert technical support who can advise you on putting robust security in place.

You can find links to our full range of hosting services on our homepage, or alternatively call us on 0800 862 0380.

Translated from: /blog/webhosting/small-business-guide-to-network-security-planning/
