This paper examines the current state of network security in organizations, identifying key problems that compromise data protection despite available technology. The author discusses mismanagement of security policies, the risks of bring-your-own-device (BYOD) initiatives, insufficient employee training, budget constraints, and inadequate IT staffing. The paper then presents actionable solutions including proper network design with firewalls and intrusion detection systems, enforcement of least-privilege access policies, strategic equipment purchasing, and development of comprehensive security frameworks. The analysis draws on real-world case studies, including the Target breach of 2013, to illustrate the consequences of poor security practices and underscore the importance of organizational commitment to network protection.
Network security has evolved significantly from an era when network attacks were not a primary concern to today's reality: it is not a question of if a network will be attacked, but when. The SANS Institute defines network security as the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure. This creates a secure platform for computers, users, and programs to perform their permitted critical functions within a secure environment (SANS, 2014).
Before addressing problems with network security, we must first evaluate the current state of organizational networks. Most organizations have resources to implement fairly robust security measures, yet many fail to do so due to competing business priorities. Information technology departments often cannot enforce maximum security because employees need to charge mobile devices, access social media, and use personal equipment on company networks. The functionality of most organizational network security is geared toward making customers and employees happy, with little regard for protecting proprietary information that hackers actively seek.
Most IT professionals recognize that perfect network protection is impossible. However, security can be designed so that sensitive information is not an easy target for attackers. While network security is defined in many different ways, the core meaning remains consistent: ensuring that protocols are in place to protect an organization and its assets.
Most organizational networks are not fundamentally broken; they are mismanaged and poorly enforced. Often, this is not the fault of IT employees but rather the result of senior management making decisions without consulting subject matter experts. Many companies are completely unaware of what their networks are configured to block or allow.
The Target breach of 2013 exemplifies this problem. Target lacked a proper chain of command in its IT department and had no chief information security officer or dedicated security leader. The breach succeeded in large part because IT professionals ignored alerts indicating suspicious system activity (McCracken, 2014). This case demonstrates that organizations of any size can be compromised if security is not treated as a priority. The lesson is clear: regardless of size or management quality, any company can be attacked if insufficient focus is placed on network security.
One of the largest ongoing threats to organizational networks is the bring-your-own-device (BYOD) policy. Many companies adopt BYOD for cost savings, allowing employees to use personal information technology equipment on the company network. However, most organizations lack established mobile device managers to push correct policies and security patches to keep phones and laptops clean from malware and other threats (Chadda, 2014).
Employees using personal devices on the company network often take those same devices home and download content without restriction. If that device becomes infected with malware, the infection can easily be transmitted to the company network (Chadda, 2014). Companies frequently adopt new exciting technologies without understanding the security risks they are accepting. Organizations must stay informed about current trends in security threats and take deliberate action to mitigate them.
With technology constantly evolving, employees must be educated and trained to keep pace with hackers and those who wish to harm organizational networks. However, most companies do not communicate information about current threats from US CERT or other cyber threat organizations. Many companies operate under the assumption that employees understand the difference between safe and unsafe behavior, which is a flawed approach.
Most non-security-focused employees believe they are safe on the company network because IT professionals have security covered. According to security experts, there are five effective ways to educate employees about network security: (1) engage all employees in ongoing security training that explains current threats and mitigation strategies; (2) personalize security by showing how it helps protect their own information at home; (3) be available to answer questions and receive ideas for improving network security; (4) instruct users on how to respond to incidents; and (5) make security easy by providing clear policies and guidelines (Sanchez, 2011). As technology and education continually evolve, organizations must prepare to train employees on new technologies as they emerge.
Budget limitations significantly affect organizational security. Many companies postpone necessary network security upgrades to cut costs. When IT departments request funding—sometimes for substantial amounts like a quarter-million dollars—finance departments are often reluctant to approve such expenditures.
Organizations should allocate resources annually for network upgrades. With new technology emerging daily, networks must be upgraded regularly or they become vulnerable to numerous threats. While technology evolves too rapidly for networks to be completely attack-proof, most threats can be mitigated through simple patching and upgrades. Budget concerns affect all companies, from startups to well-established Fortune 500 corporations, yet deferring security investments creates serious long-term risks.
Addressing network security problems requires a comprehensive, thoughtful approach. The first step is designing a network with security as the primary focus. A well-designed network should include multiple access restrictions, including firewalls that limit access to authorized users only. Intrusion detection systems—both host-based and network-based—should be deployed strategically throughout the network to alert administrators to unusual activity not previously registered in the system.
A frequently overlooked aspect of network design is physical facility access. No employee should have access to server rooms or offices beyond those necessary for their role. After implementing a well-designed network, organizations must establish policies that restrict access. Group policies should be used to lock down the network from the inside, and the principle of least privilege should be rigorously enforced so that users receive only the minimum permissions necessary to perform their jobs.
The Edward Snowden case illustrates the importance of proper access control. Snowden was granted access to classified materials he did not need to access for his job. While he required access to some decrypted files for his work, he should have had access to many fewer resources, and most sensitive information should have been encrypted. The Snowden case demonstrates that designing a network and enforcing proper policies are critical keys to achieving a secure network.
When selecting security equipment, the most expensive option is not always the best, nor should organizations expect miracles from the cheapest alternative. Purchasing network security equipment should be a high priority. The United States Air Force contracting model provides a useful example: the contracting department solicits quotes from multiple vendors and selects the supplier that offers the best value and results.
Organizations should purchase equipment with future needs in mind. Will the company implement cloud technologies? Will access controls or VPN be needed? Planning ahead during major purchases prevents premature obsolescence. Companies should avoid the pattern of upgrading only when devices fail. Microsoft has noted that some organizations still use Windows 2000 systems and have no plans to upgrade, a mindset that inevitably leads to technology failures. When possible, test and review all large network purchases before committing to them; this provides insight into whether a better product should be pursued.
Microsoft research indicates that most companies have inadequate IT security, with IT staffing shortages at the heart of the problem (Microsoft, 2011). Many organizations outsource IT security to local consulting companies, but it is nearly essential to have at least two to three employees dedicated to network management and a dedicated security officer overseeing them. When hiring, organizations should seek employees with substantial experience who can contribute in multiple ways. If hiring causes financial strain, training existing staff through boot camps and certifications can be cost-effective in the long run.
"Access control, threat prevention, incident response, and continuous monitoring"
Securing a network is not the responsibility of a single person; all individuals within an organization have the ability to stop attacks. Network security will remain a crucial part of organizational operations for years to come. Since attackers will not stop attempting to gain access to proprietary information, organizations must continuously enforce policies and fix existing vulnerabilities. A comprehensive approach to network security—combining proper design, adequate staffing, continuous training, and sustained investment—is essential for organizational protection.
You’re 88% through this paper. Sign up to read the remaining 1 section.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.