For anyone managing a network, securing the devices that connect to it is an important consideration.
In fact, it’s vital for safeguarding personal information, protecting business assets, and maintaining overall system integrity.
Every device—from smartphones and laptops to IoT gadgets and smart appliances—poses potential vulnerabilities if not properly secured.
Cybercriminals are constantly on the lookout for weak entry points, so a proactive approach to security measures should be adopted.
Here we look at the best practices and strategies to secure devices connecting to your network, whether in a permanent workplace or on a temporary network.
Use strong authentication mechanisms
One of the first lines of defence in securing network-connected devices is implementing robust authentication protocols. Weak passwords or default credentials can leave devices exposed to brute force attacks. Our preferred approach here is to use pre-authentication for every device, so that passwords aren’t even required. Devices that have been authenticated by the network manager will automatically be able to join the WiFi network.
Strong Passwords
Ensure that all devices use complex, unique passwords that include a combination of uppercase and lowercase letters, numbers, and special characters. Passwords should be at least 12 characters long. We recommend using the ‘suggested’ passwords from your browser and keeping a password safe, rather than using the same password across multiple SaaS platforms.
Multi-Factor Authentication (MFA)
Enable MFA, where possible, to add an additional layer of security. This typically involves combining something you know (password) with something you have (like a smartphone or hardware token) or something you are (biometric data like fingerprints).
Certificate-Based Authentication
For high-security environments, consider using certificate-based authentication for devices. This method uses cryptographic certificates to verify device identity, making it impossible for a device that has not been pre-authenticated to join the network.
We use this approach for our construction site WiFi networks, where we can pre-authenticate all devices for the site workers, keeping it highly secure. A separate guest WiFi network is built for visitors, minimising any security risk for the business network.
Regularly update and patch devices
Outdated firmware and software are common entry points for hackers. Developers constantly release patches and updates to address vulnerabilities, but leaving devices unpatched exposes them to exploitation. Developing your own technology inhouse gives you greater control over updates and patches, limiting your vulnerabilities – providing you have the expertise.
Automatic Updates
Whenever possible, enable automatic updates to ensure that your devices always have the latest security patches.
Firmware Checks
Keep an eye on firmware updates for all devices, especially routers, firewalls, and IoT devices, which may not have automatic updates enabled by default.
Third-Party Software Updates
Besides operating system updates, regularly update third-party applications, which can also be susceptible to vulnerabilities.
Use Secure Network Protocols
Network communication protocols define how data is transmitted across networks. When left unsecured, they can expose sensitive data to interception and manipulation.
Encrypt Traffic with HTTPS and SSL/TLS
Ensure that all devices and websites connected to the network use HTTPS (SSL/TLS encryption) to protect transmitted data from eavesdropping.
Secure Shell (SSH) and VPNs
When accessing network devices remotely, use SSH instead of Telnet (which is unencrypted) and Virtual Private Networks (VPNs) to securely tunnel traffic over public or unsecured networks.
Wi-Fi Security Protocols
Use WPA3 or at least WPA2 encryption for your WiFi network. Avoid using outdated protocols like WEP, which are easily compromised.
Segment Your Network
Network segmentation divides a larger network into smaller, isolated sections to limit the potential impact of a breach. This method enhances security by restricting the movement of malicious actors if they gain access to one segment.
Guest Networks
Create separate networks for guest devices, ensuring that they do not have access to your primary or corporate network. This strategy should also be implemented across temporary WiFi networks used for events, building sites, promotional tours and production teams.
For events in particular, this can be expanded further to create a separate network for each contractor team on site – production, hospitality, traders etc to provide them each with their own secure network.
IoT Devices
Place IoT devices on a dedicated network segment. Many IoT devices lack advanced security features, making them prime targets for hackers. Isolating them reduces the risk of these devices serving as entry points to other sensitive parts of the network.
VLANs
Implement Virtual Local Area Networks (VLANs) to segregate internal traffic. Critical systems, such as databases or administrative networks, should be isolated from general traffic.
Implement a Strong Firewall and Intrusion Detection System (IDS)
Firewalls and IDS/IPS (Intrusion Detection/Prevention Systems) are critical tools in monitoring and controlling network traffic.
Configuring Firewalls
Use firewalls to block unauthorized access by defining rules for incoming and outgoing traffic. Make sure to configure both hardware and software firewalls to filter malicious traffic at multiple levels.
Intrusion Detection/Prevention
IDS/IPS systems monitor the network for suspicious activities and known attack signatures. These tools provide early warnings or take automatic actions to mitigate potential threats.
Application Firewalls
For web applications, consider using web application firewalls (WAF) to protect against specific threats, such as SQL injection and cross-site scripting.
Device Hardening
Device hardening refers to reducing the attack surface by disabling unnecessary services and features on a device.
Disable Unnecessary Ports and Services
Many devices come with default settings that include open ports and enabled services that may not be needed. Disable these to minimise the entry points for attackers. We have seen this in the events space, where traders plugging their own devices into routers have impacted the performance and integrity of the WiFi network.
Change Default Credentials
Ensure that default usernames and passwords are changed immediately after setting up any device. Default credentials are widely known and are often the first things attackers try.
Limit Administrative Privileges
Only provide administrative privileges to users who need them. Devices should have separate accounts for general use and administrative functions.
Monitor and Audit Network Activity
Active monitoring and auditing are critical to detecting and responding to suspicious activities early.
Real-Time Monitoring
Use network monitoring tools to track real-time traffic and identify unusual patterns, such as large data transfers or traffic spikes that could indicate a security breach.
Audit Logs
Regularly review device logs to detect any abnormal behaviour, failed login attempts, or unauthorised access. Set up alerts for critical events to ensure quick response.
Security Information and Event Management (SIEM)
SIEM tools provide centralized logging and advanced analysis of network events, offering deeper insight into potential threats.
Enable Endpoint Security
Endpoint security solutions provide direct protection for individual devices, reducing the likelihood of malware, ransomware, or phishing attacks infiltrating your network.
Antivirus/Antimalware Software
Ensure that all devices connected to the network have up-to-date antivirus and antimalware software installed.
Endpoint Detection and Response (EDR)
EDR solutions continuously monitor endpoints for malicious activities and provide rapid response to isolate threats, preventing them from spreading across the network.
Mobile Device Management (MDM)
For mobile devices, implement MDM solutions to enforce security policies, such as encryption and device wiping, in case of theft or loss.
Educate Users and Raise Security Awareness
Human error is a leading cause of security breaches, so training users on network security best practices is essential.
Phishing Awareness
Teach users how to recognize phishing attempts, avoid clicking on suspicious links, and report any suspected phishing emails.
Safe Browsing Habits
Encourage users to avoid visiting risky websites and to use secure, encrypted communication channels.
Regular Security Training
Conduct ongoing training to keep users up-to-date on the latest security threats and proper device usage in secure network environments.
Backup and Recovery Plans
Even the most secure networks can fall victim to sophisticated cyberattacks. Having a backup and recovery plan ensures that you can recover from a breach or attack with minimal downtime and data loss.
Regular Backups
Implement regular, automated backups of critical data and systems. Store these backups off-site or in a secure cloud environment to protect against ransomware attacks and physical damage.
Test Recovery Procedures
Regularly test your recovery procedures to ensure they work as intended in the event of an emergency.
Conclusion
Securing devices that connect to a network is an ongoing process requiring a combination of technological solutions, user education, and constant vigilance. By adopting a multi-layered approach that includes strong authentication, regular updates, network segmentation, and active monitoring, you can significantly reduce the risk of cyberattacks. With cyber threats evolving rapidly, staying informed and adapting your security measures to new challenges is critical to keeping your network and connected devices safe.i
