Most small and mid-size businesses believe they're not interesting targets for attackers. That assumption is wrong — and expensive. Attackers increasingly focus on smaller organizations precisely because they tend to have weaker defenses, and because they often serve as a stepping stone to larger targets in their supply chain.
The good news: the fundamentals are not complicated. The following five practices won't make you invulnerable, but they will dramatically reduce your attack surface and eliminate the low-hanging fruit that most attackers exploit first.
1. Segment Your Network
A flat network — where every device can talk to every other device — is a liability. Once an attacker (or malware) gains a foothold in a flat network, they have access to everything. Segmentation limits that blast radius.
At minimum, every business should separate:
- Corporate devices (workstations, servers) on their own VLAN
- Guest/visitor Wi-Fi completely isolated from internal resources
- IoT and smart devices — printers, cameras, HVAC controllers — on a separate isolated segment
- Servers and critical systems with tightly controlled access rules
This is one of the highest-value, lowest-cost security improvements most businesses can make. VLANs are a feature on essentially any business-class switch and firewall.
2. Audit and Tighten Your Firewall Rules
Firewall rules accumulate over time. Someone needed temporary access to something years ago, a rule got added, and nobody ever removed it. After a few years, many firewalls have dozens of overly permissive rules that nobody remembers creating.
A firewall rule review should answer these questions for every rule:
- Is this rule still needed?
- Is the source as specific as it could be?
- Is the destination as specific as it could be?
- Is "any" used anywhere it shouldn't be?
- Is there logging on rules that affect sensitive systems?
The default posture should always be deny all, allow what's needed — not the other way around.
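As an added example (not part of the original article), the review questions above can be run as a script over an exported rule list. The CSV column names, addresses, sensitive-host list and 180-day staleness threshold are constructed assumptions, not any vendor's export format.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names and values are assumptions, not a vendor format.
SAMPLE_RULES = """\
id,action,source,destination,service,log,last_hit,comment
1,allow,10.10.20.0/24,10.10.50.10,tcp/443,yes,2025-05-30,Workstations to intranet
2,allow,any,10.10.50.20,tcp/3389,no,2021-03-14,Temp vendor access
3,allow,10.10.30.0/24,any,any,no,2025-06-01,IoT outbound
4,allow,10.10.20.15,10.10.50.20,tcp/1433,no,2025-05-28,App to database
5,deny,any,any,any,yes,2025-06-01,Default deny
"""
SENSITIVE = {"10.10.50.20"}   # assumed list of sensitive hosts
STALE_DAYS = 180              # assumed threshold for "is this rule still needed?"


def audit(rules_csv, today, sensitive=SENSITIVE, stale_days=STALE_DAYS):
    """Return {rule_id: [findings]} for rules that fail the review questions."""
    findings = {}
    rows = list(csv.DictReader(io.StringIO(rules_csv)))
    for row in rows:
        if row["action"] != "allow":
            continue  # "any" is expected on deny rules
        issues = []
        age = (today - date.fromisoformat(row["last_hit"])).days
        if age > stale_days:
            issues.append(f"no hits for {age} days: still needed?")
        for field in ("source", "destination", "service"):
            if row[field] == "any":
                issues.append(f"{field} is 'any'")
        if row["destination"] in sensitive and row["log"] != "yes":
            issues.append("no logging on rule to sensitive system")
        if issues:
            findings[row["id"]] = issues
    # Default posture: the final rule should deny everything not allowed above.
    last = rows[-1] if rows else None
    if not last or (last["action"], last["source"], last["destination"],
                    last["service"]) != ("deny", "any", "any", "any"):
        findings["policy"] = ["no final deny-all rule"]
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit(SAMPLE_RULES, date(2025, 6, 2)).items():
        print(rule_id, "; ".join(issues))
```

A rule with no recent hits is only a candidate for removal; confirm with the rule's owner before deleting it.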
3. Enforce Multi-Factor Authentication on Remote Access
A username and password alone are not adequate protection for VPN or any remote access system. Credentials get stolen, leaked in data breaches, and phished. MFA adds a layer that's significantly harder for attackers to bypass remotely.
If your VPN doesn't support MFA, that's a problem worth solving now. Modern remote access solutions — including most enterprise firewall platforms and open-source options like pfSense with FreeRADIUS — support MFA without significant cost or complexity.
Prioritize MFA on: VPN, RDP, cloud management consoles, email, and any application that contains sensitive data.
4. Keep Firmware and Patches Current
The majority of successful network compromises exploit known vulnerabilities — issues that already have patches available. Attackers rely on the gap between when a patch is released and when organizations actually apply it.
This applies to:
- Firewall firmware
- Switch and router firmware
- Wireless access point firmware
- Operating systems on any network-connected device
- Network management software
Build a patching schedule and stick to it. For critical security patches, the window should be short — days, not weeks.
5. Implement Logging and Know What to Look For
You can't detect what you're not logging. At a minimum, your firewall should be logging denied connections, accepted connections to sensitive systems, and any IDS/IPS alerts. Switches should log authentication events. VPN concentrators should log all connection attempts — including failed ones.
Logs are only useful if someone is reviewing them. You don't need a full SIEM to start — even a weekly manual review of firewall alerts can catch things that would otherwise go unnoticed for months.
Look for: repeated failed authentication attempts, connections to unusual external IPs, traffic at unusual hours, and any device you don't recognize appearing on the network.
Where to Start
If you're looking at this list and aren't sure where your organization stands, the right first step is an assessment. Understanding your current posture is the prerequisite to improving it.
Warden Networks offers security assessments that give you a clear, prioritized picture of where you are and what to address first — without the jargon and without trying to sell you products you don't need.