Beware Unsecured Wireless Networks
Over the course of a recent long weekend's travel -- trains and automobiles this trip, no planes -- and a long weekend's bouncing from wireless network to wireless network, a colleague remarked (gently) on my being "fearless in my wirelessness."
Well, sure! Because I was traveling with a brand-new notebook computer that had absolutely nothing on it except an office suite, a browser, and a mail program (and full anti-malware suite, of course.) I was delighted with the notebook and, indeed, fearless. None of the e-mails I sent or was likely to receive over the weekend contained confidential information (other than "secret" recipe ingredients for the party my wife and I were attending.) I wasn't going to access any financial accounts, and there was plenty of destination shopping where I was going so I wouldn't be buying online.
In other words, I had nothing (on the machine) to lose.
So when I picked up the unsecured wireless network in the hotel we stayed at midway through the first leg of our journey, or lucked into hotspot after hotspot as our train paused to pick up and discharge passengers, or grabbed access from one of several open WLANs in the neighborhood where we stayed for the weekend, I felt no qualms (other than a mild but nagging discomfort over freeloading on somebody else's network.)
Most of those networks were public hotspots -- the train station, a restaurant, or a cyber café -- but more than a few were private wireless nets or small and midsize business wireless connections. I feel confident in that last assertion because most of the networks I encountered were clearly Cisco's Linksys, and a few had owners who went to the trouble of changing the network's names.
I've changed those names here to protect the foolhardy, but one was essentially XYZhealthserve, another presented itself more or less as ABCconsultgroup.
None of them had any security in place.
Now I don't have any idea what sorts of data "healthserve" or "consultgroup" have on their machines, but judging from the names assigned to their networks I'd be willing to place a wager that at least one of them deals with information subject to compliance regs. And it's a 100% certainty from my point of view that both have information on their networks that they don't want outsiders accessing.
And yet, there was no hint of password protection, not a bit of bandwidth blockage. Makes you wonder how up-to-date their antivirus protection is (or if they've even got any).
And my colleague thought that I was being reckless!
Of course, there's always the chance that some of the networks I encountered were left deliberately unsecured to entice passers-by into a crook's web. Take a look at this review of wireless security, including how to recognize crooknets masquerading as open WLANs to get an idea of what you and your mobile employees are up against out there. But I digress.
The whole experience got me thinking.
On the network side: If you buy off-the-shelf wireless networking products -- for many smaller businesses that's a more than sensible decision -- be sure to configure them at the highest available security level, reset the password immediately (and change it every few weeks), and do what you can to limit the range of wireless access. Period. No exceptions.
But if you or your remote employees are going to use open-access or unsecured wireless networks, ask yourself these three questions:
- How much of the material on your business's mobile devices really has to be there?
- Are you sending your road warriors out armed with enough data to actually run your business -- or let somebody else run rampant through your data?
- Do your mobile and remote workers carry only the information necessary to close the deal at hand?
We've all become accustomed -- too accustomed for safety -- to carrying our entire lives (business and otherwise) with us wherever we go. And it's hard not to -- storage has become so available that it's just plain easier to keep and carry it all than to sift, sort, and select only what's needed.
Easier, but riskier, too.
Again and again we hear about security breaches caused by stolen notebooks and other mobile devices packed with confidential data (not to mention data disks and devices such as last year's exposure of personal information for nearly half of the British population).
Now, clearly, it's impractical to strip a business machine down as far as this new notebook. And -- mea culpa in advance -- odds are the next time I travel, maybe in just a few weeks, or even days, there'll be data on my notebook that will impose on me more wariness than I enjoyed on my "weekend off."
Maybe a lot more.
But there's something to be said for taking the time to review exactly what and how much information is on every mobile device your company fields -- and review it with a harsh eye toward deciding what really has to be there, and what doesn't.
Strip the machines' contents to the absolute bare-bones essentials for the job at-hand -- not the masses of data that you might need, and that crooks would definitely love to have on their hands. Tighten up your wireless act at the office as well as on the road, and both sides of your business will benefit.
Keith Ferrell is the author of a dozen books and countless magazine and newspaper articles. The editor of OMNI Magazine from 1990-1996, he also is a frequent speaker to corporate and institutional audiences.