Network Security Basics
Network security protects your business data and systems from unauthorized access, disruption, and theft. For small businesses, a breach can mean lost customer data, regulatory penalties (under PIPEDA), and reputational damage that is hard to recover from. This guide covers the foundational concepts and practical steps every small business should take.
1. Common Threats to Small Business Networks
| Threat | How It Works | Primary Defence |
|---|---|---|
| Phishing | Fake emails trick staff into entering credentials | Staff training, email filtering, MFA |
| Ransomware | Malware encrypts files; attackers demand payment | Regular backups, endpoint protection |
| Man-in-the-Middle | Attacker intercepts network traffic | TLS/HTTPS, VPN for remote workers |
| Credential Stuffing | Stolen passwords tested across multiple services | Unique passwords, MFA, breach monitoring |
| Insider Threats | Employees access or share data they should not | Least-privilege access, audit logs |
| Unsecured Wi-Fi | Open networks allow eavesdropping | WPA3 encryption, guest network segmentation |
2. Securing Your Router and Wi-Fi
Your router is the gateway between your internal network and the internet. If it is compromised, everything inside is exposed.
- Change default credentials: Every router ships with a default admin username and password (often "admin/admin"). Change both immediately on first setup.
- Use WPA3 encryption: WPA2 is the minimum acceptable fallback. Never use WEP; it can be cracked in minutes.
- Create a guest network: Put visitors and IoT devices (smart TVs, printers) on a separate SSID with no access to your main business network.
- Disable WPS: Wi-Fi Protected Setup has known vulnerabilities. Turn it off in your router settings.
- Update firmware: Router manufacturers release security patches. Check for firmware updates quarterly.
- Disable remote management: Unless you actively need it, turn off remote admin access to your router's web interface from the internet.
3. Firewalls
A firewall controls which network traffic is allowed in and out. Small businesses need two layers:
- Network firewall: Built into your router or a dedicated appliance (e.g., pfSense, Fortinet, Cisco Meraki). Filters traffic at the network perimeter. Block all inbound traffic by default; open only the specific ports your services need.
- Host-based firewall: Software firewall on each computer. Windows Defender Firewall and macOS firewall are built-in and should be left enabled. They add a second line of defence if a device is moved to an untrusted network.
Principle of Least Privilege for Firewall Rules
Only open the ports you actively need. If your web server uses HTTPS, open port 443. If you use SSH, open port 22 restricted to your office IP only. Every open port is a potential attack surface. Review and clean up rules quarterly.
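The quarterly rule review described above can be scripted. The following is an added example, not taken from any firewall vendor's tooling: it audits an exported inbound rule list against the default-deny and office-IP-only guidance. The rule format, the `audit` function and the addresses (documentation ranges standing in for the office IP) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data. 203.0.113.10 is a documentation address used as a
# placeholder for the office IP; the rule dictionaries are a hypothetical format.
OFFICE_NET = ipaddress.ip_network("203.0.113.10/32")
PUBLIC_PORTS = {443}  # services that are meant to be reachable by anyone

RULES = [
    {"action": "allow", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"action": "allow", "proto": "tcp", "port": 22, "src": "203.0.113.10/32"},
    {"action": "allow", "proto": "tcp", "port": 3389, "src": "0.0.0.0/0"},
    {"action": "allow", "proto": "tcp", "port": 22, "src": "198.51.100.0/24"},
]

def audit(rules, default_policy, office_net=OFFICE_NET, public_ports=PUBLIC_PORTS):
    """Return a list of findings for inbound rules that break least privilege."""
    findings = []
    if default_policy != "deny":
        findings.append("default inbound policy is not deny")
    for number, rule in enumerate(rules, 1):
        if rule["action"] != "allow":
            continue
        port = rule["port"]
        if port in public_ports:
            continue  # intentionally public service, e.g. HTTPS on 443
        src = ipaddress.ip_network(rule["src"], strict=False)
        if src.prefixlen == 0:
            findings.append(f"rule {number}: port {port} open to any source")
        elif src.version != office_net.version or not src.subnet_of(office_net):
            findings.append(
                f"rule {number}: port {port} allowed from {src}, outside the office network"
            )
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, default_policy="deny"):
        print(finding)
```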
4. Password Policies and Multi-Factor Authentication
Weak passwords are the most common cause of account breaches. Enforce these policies across your team:
- Use a password manager: Tools like Bitwarden (free for teams), 1Password, or Dashlane generate and store strong, unique passwords for every service. No more reusing passwords or storing them in a spreadsheet.
- Minimum password length: 16 characters or more. Length is more important than complexity for resisting brute-force attacks.
- Enable MFA on all critical accounts: Email, banking, cloud hosting, domain registrar, DNS provider. Use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS when possible, as SIM-swapping attacks can intercept SMS codes.
- Monitor for breached credentials: Use Have I Been Pwned (haveibeenpwned.com) to check if business email addresses appear in known data breaches.
5. VPNs for Remote Workers
When staff work remotely or from public Wi-Fi, a VPN encrypts their connection and routes traffic through a secure server. Two common approaches:
- Business VPN: A VPN server your business controls (e.g., WireGuard on a cloud VPS). Remote employees connect through your office network. All internet traffic from their devices is encrypted. Suitable for businesses with technical staff.
- Commercial VPN service: Services like NordVPN Teams or Cisco AnyConnect provide managed VPN infrastructure. Easier to set up but you rely on the provider's security practices.
VPNs do not protect against phishing or malware — they only encrypt the network connection. Combine VPN with endpoint protection for comprehensive coverage.
6. Software Updates and Patch Management
Unpatched software is one of the leading causes of successful cyberattacks. Many well-publicized breaches exploited vulnerabilities that had patches available for months.
- Enable automatic OS updates on all devices (Windows Update, macOS Software Update).
- Update all business software weekly — particularly browsers, email clients, and office suites.
- Patch server software (web server, CMS, plugins) within 72 hours of a critical security update release.
- Track end-of-life dates for operating systems. Windows 10 reached end of life in October 2025 — devices still running it are no longer receiving security patches.
- Maintain an inventory of all software in use so no application is overlooked during patch cycles.
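The inventory, the 72-hour window and the end-of-life tracking above can be combined into one check. The following is an added example, not part of any patch-management product: the inventory format, host names and timestamps are constructed, and `patch_findings` is a hypothetical helper.

```python
from datetime import date, datetime, timedelta

CRITICAL_SLA = timedelta(hours=72)  # patch window for critical updates, per the list above

# Constructed inventory. "critical_released" is when a critical update became
# available; "patched_at" is when it was installed (None = not yet installed).
INVENTORY = [
    {"host": "web01", "software": "cms-plugin",
     "critical_released": datetime(2026, 1, 5, 9, 0), "patched_at": datetime(2026, 1, 6, 10, 0)},
    {"host": "web01", "software": "web-server",
     "critical_released": datetime(2026, 1, 5, 9, 0), "patched_at": None},
    {"host": "laptop07", "software": "browser",
     "critical_released": datetime(2026, 1, 8, 9, 0), "patched_at": None},
    # End of life in October 2025 as stated above (vendor's published day: the 14th).
    {"host": "front-desk", "software": "Windows 10", "eol": date(2025, 10, 14)},
]

def patch_findings(inventory, now):
    """Return (asset, issue) pairs for end-of-life software and missed patch windows."""
    findings = []
    for item in inventory:
        asset = f'{item["host"]}/{item["software"]}'
        eol = item.get("eol")
        if eol is not None and eol <= now.date():
            findings.append((asset, "end-of-life"))
        released = item.get("critical_released")
        if released is None:
            continue  # no critical update recorded for this entry
        deadline = released + CRITICAL_SLA
        patched = item.get("patched_at")
        if patched is None and now > deadline:
            findings.append((asset, "critical patch overdue"))
        elif patched is not None and patched > deadline:
            findings.append((asset, "patched after the 72-hour window"))
    return findings

if __name__ == "__main__":
    for asset, issue in patch_findings(INVENTORY, datetime(2026, 1, 9, 12, 0)):
        print(f"{asset}: {issue}")
```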
7. Incident Response Plan
When (not if) a security incident occurs, having a plan reduces response time and limits damage. A basic plan for small businesses:
- Contain: Disconnect affected devices from the network immediately. Do not attempt to clean or investigate while still connected.
- Identify: Determine what was accessed, how the attacker got in, and what timeframe is affected.
- Notify: Under PIPEDA, if the breach creates a "real risk of significant harm" to individuals, you must notify the Privacy Commissioner of Canada and affected individuals. Document everything.
- Restore: Rebuild from clean backups. Do not restore from a backup made after the breach started.
- Review: After resolution, conduct a post-incident review. Update policies and technical controls to prevent recurrence.
Keep an offline copy of your incident response plan
If ransomware encrypts your files, your cloud-stored incident response plan may be inaccessible. Print a copy or store it on a USB drive kept off-site. Include contact numbers for your IT provider, your cloud hosting provider, and cyber insurance (if you have it).
