Why you should care about Wi-Fi security

Sanctioned or not, your company has end users right now sitting in coffee shops or hotel lobbies using a wireless connection to the Internet. And, chances are, they haven’t zipped up the necessary security features.  So free for the picking is data – possibly sensitive corporate data, credit card numbers, or other information. 

Moreover, it doesn’t take a serious hacker to find the data. If computers are not protected, a fellow user in the coffee shop could just stumble onto unprotected files by clicking on network connections.

Not scared? After all, you don’t allow end users to put in Wi-Fi cards, right? Well, guess again. For less than the price of a good steak dinner, a corporate road warrior can march into an office supply or computer store and buy one. And it doesn’t matter if you’ve banned the products or gotten senior management to write letters confirming your stance – you can’t stop progress.

What to do? Learn all about Wi-Fi, embrace it, support it, and most importantly, teach everyone how to use it. The worst part of information security comes when otherwise intelligent users do dumb things with security – from setting passwords to figuring out firewalls. Business people don’t “think security” first, they think about getting their jobs done.

Look at the business side. Business people want to get any information, at anytime, to any device – and ultimately into their brains. That makes them agile and capable of dealing with all types of challenges. Think about the sales person who can quickly respond to competitive pressure, or a service person who can get up-to-the-minute information on repairing a part.

The worst part of information security – for Wi-Fi or any other corporate application – is the frailties of keeping passwords secret.

Consider the teachings of Kevin Mitnick and William Simon in their book “The Art of Deception: Controlling the Human Element of Security”. Mitnick, you may remember, was once considered America’s most wanted computer outlaw. A key point made in the book is that getting people’s passwords can be easy. Some hackers just call the user, make up a story, and ask for the password.  Similarly, asking someone for his or her social security number can unlock lots of doors for a hacker.

For the hacker, there’s no genius to it. For the business person, it seems reasonable. For the company, few (perhaps none) would ever admit security was breached. 

Another potential flawed security comes from the equipment being set up wrong. Here’s where Wi-Fi can be troublesome. Depending on which Wi-Fi component was used and what operating system resides on the computer, Wi-Fi can start out as an open, unlocked door.

And, while I’m not trying to run a commercial for Microsoft, many of the security holes can be solved with Windows XP. Microsoft programmers didn’t add tons of network security features into Windows XP for their good health they did it for yours.  And, they did it just in the nick of time for the stampede of Wi-Fi locations.

 But, without accepting Wi-Fi into the organization, the IT manager may never know about the exposure. End users will smuggle in the equipment and pursue business with or without help from IT.

 My recommendations are easy: first, launch a company wide program about password security.

 Then, create an amnesty program for people who already have Wi-Fi. Offer to help them set it up correctly and securely. Keep a list of the users and provide them with updates. Encourage end users to work with you to keep company secrets just that way.

 Don’t be an ostrich when it comes to progressive technology. With or without you, people will find technology to get their jobs done. Make sure you are a part of the solution, not the problem.

* Follow-up: More on security

A few weeks ago, Linda Musthaler wrote an article about security policies and educating employees about security (see: https://www.nwfusion.com/newsletters/techexec/2003/0120techexec1.html).  If you’d like to learn more about trends in security you could take part in the 2003 Industry Survey on Security Event Management, brought to you by Open Service (http://www.open.com).  Participating in the brief survey will make you eligible to receive the complete results and analysis of the data.  You can complete the survey online at https://open.rsc03.net/servlet/website/ResponseForm?higEVTTW_z.26f_zNkOLR