Disclaimer
My background is diverse, but does not include cybersecurity. Information on this page is from first principles and common sense. Use this information at your own risk. By continuing here, you agree to hold any and all parties harmless in consequences of your own decisions and actions. If you want certification, you must hire a qualified, bonded cybersecurity engineer.
Conventional Procedures
Everyone agrees that you train your users to comply with simple rules:
- Use strong passwords; define this clearly and set the rules.
- Don't click on links in emails unless you KNOW who sent them and why.
- Don't insert media (thumb drives, disks, CD-ROM, etc.) from outside your organization or site into your computer unless they have been cleared by Security, IT, or whomever you appoint to scan incoming media.
These steps are essential because they reduce successful attacks on your network to a trickle. On their own, though, they are inadequate protection: if you have 1,000 users, a one-in-a-thousand event will occur an average of once a day.
First Line of Defense
Use two networks. A very simple way to do this for an office of a few people and very limited budget is to put users on the main router, with direct access through the built-in firewall to the Internet modem. For Company confidential files and cleared users of the secure network, feed a second router by cable from the first router.
To make this work for you, the obvious guidelines are:
- Use a high-end router with a strong firewall and third-party security.
- If you allow WiFi on the main network,
  - Use WPA3 security,
  - Enforce strong passwords,
  - Don't broadcast the SSID,
  - Use MAC address filtering, and
  - Monitor the router logs at least daily.
- Disable WiFi on the secure network.
- Use first-line threat detection and real-time neutralization on all computers on both networks and keep it up-to-date.
On the secure network:
- Don't allow direct Internet access on your secure network. If you must access some web sites, restrict access to only those web sites.
- Do NOT have email, even local, on the secure network.
Consider layering more than one real-time security product, such as MBAM with an anti-virus program, or adding specific ransomware protection such as that offered as part of the backup package Acronis.
Hardwired Security
The best security is achieved by configuring your secure network without an Internet connection or a connection to any other network, even your own user network. All exchange of files and data is through media, preferably optical media (CD-ROM, data DVD, data Blu-ray), that is scanned by specially configured computers and approved before being allowed in or out of the secured area.
Keeping anti-virus and antimalware up-to-date on an isolated network is simple. You download the anti-virus and antimalware updates on the outside user network, write them to a thumb drive or optical media, scan and clear the media for the secure network, and make the updates available on a file server on your secure network.
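One way to confirm at the transfer station that the update media still holds exactly the files that were scanned and cleared is a hash manifest. This is an added example, not part of the original page; the manifest approach, the function names, and the sample files are assumptions, and the manifest is assumed to travel separately from the media.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large packages need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(media_root):
    """Outside network, after scanning: map each relative path to its SHA-256."""
    root = Path(media_root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_media(media_root, manifest):
    """Transfer station: list every difference between media and manifest.
    Assumes the manifest travels separately from the media (own write-once disc)."""
    actual = build_manifest(media_root)
    return {
        "modified": sorted(n for n in manifest if n in actual and actual[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in actual),
        "unexpected": sorted(n for n in actual if n not in manifest),
    }

def cleared(report):
    """Media is approved only when nothing changed, vanished, or appeared."""
    return not any(report.values())

def demo():
    """Constructed sample: build media, record it, then alter it in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "av").mkdir()
        (media / "av" / "defs.bin").write_bytes(b"constructed signature data")
        (media / "antimalware.bin").write_bytes(b"constructed update data")
        manifest = build_manifest(media)
        before = verify_media(media, manifest)
        (media / "av" / "defs.bin").write_bytes(b"altered after clearance")
        (media / "antimalware.bin").unlink()
        (media / "unlisted.bin").write_bytes(b"file nobody cleared")
        return before, verify_media(media, manifest)

if __name__ == "__main__":
    for label, report in zip(("as cleared", "after change"), demo()):
        print(label, cleared(report), report)
```

Any non-empty entry in the report means the media is rejected and the updates are not copied to the file server.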
Extreme Cybersecurity
An isolated network is made most secure by these simple but expensive measures.
- Keep all computers and all their wiring inside an electromagnetically shielded enclosed area.
- Use controlled access such as a shielded "airlock" with cyberlock and/or manned guards. An alarmed emergency exit to meet fire regulations is OK, if it does not exit directly outdoors.
- Provide power through a system that prevents piggyback communications signals, such as a battery-inverter system with filtering, or, for best security, a motor-generator with filtering expressly designed to prevent passage of communication signals.