We have two important dynamics that are having huge negative repercussions to network security in most businesses. These are hitting small businesses harder than large ones, where some of these issues are governed by corporate policy. But policy is not preventing these trends very well.
The first issue is the desire of employees to keep up on their personal email and social network accounts (Facebook, Instagram, Twitter, etc) while in the office. This introduces a stream of email, attachments, links, videos, and downloads that have not been vetted by corporate email systems, and bypass firewalls and other security systems. Since web browsers have to be available for business use, HTTP port 80 is open on every firewall. All this stuff rides in on unblocked, unfiltered, and unprotected port 80. The largely ineffective solution is to ban this behavior through company policy, or block sites like Facebook at the firewall. Most employees will still engage in this activity when possible.
The second issue is the presence of BYOD devices including smartphones, tablets, and personal laptops. In many cases the employees are linking up to corporate wireless access points and joining the corporate network, where any embedded malware on personal devices can spread to corporate computer resources.
You can educate, cajole, harangue, and even terminate the offenders, but you will not stop this behavior, especially among your millennial employees, for whom this is just part of their everyday life. But it is not just millennials, everyone is plugged in these days. So if you can’t beat ’em, accommodate them. The best solution is simply to allow it, with conditions.
Set up a separate guest wireless network for your employees to use with their personal smartphones, tablets, and laptops. You may have one already for actual guests or clients to use, and if so, encourage your employees to use that network, and ask them, as a matter of security, to stay off the corporate WiFi. If you do not have a second wireless network, I urge you to set one up for this purpose now. It’s even better if you set it up on a separate network segment and segregate it from your corporate network. This way they can use their own devices to read their personal email, and any emails bearing “gifts” from cyber-criminals will not migrate into the corporate computer network to cause expensive problem.