How secure is my office Wi-Fi?
A vulnerable route straight into the system.
Earlier this year I sat in a restaurant (remember doing that?) awaiting the arrival of a customer, ready to discuss the final details of a project. Habitually, I was very early, having allowed for traffic, natural disasters, et al., none of which occurred, and I therefore had plenty of time to catch up on emails. I asked the restaurant manager if Wi-Fi was available and, without hesitation and with a proud little flourish, I was presented with a code on the back of a card designed just for the purpose. All very efficient and organised, I thought.
As I searched my desktop for a document, I noticed some devices I didn’t recognise and upon investigation, it took precisely 2 mouse clicks to realise I was looking at their till PCs, their back office system and their server. With the tools on my laptop it wouldn’t have taken any time at all to be looking through their finance folder or accounts package. Of course, I didn’t, but instead, I pointed this out to the manager who simply gave a nonchalant shrug of the shoulders. I failed to establish if he didn’t understand or didn’t care.
Is your wireless network a threat to your company data?
Most modern routers come with basic security. Let’s assume that your Wi-Fi has a code. If it doesn’t, I suggest you put down this article and turn off the Wi-Fi now! Having made that assumption, however, you need to ask yourself the following questions.
Are you using the latest encryption?
Most routers offer several encryption levels. The easiest to set up (WEP) has long been considered inadequate and offers only rudimentary protection. If this is you, then consider changing the level to WPA2, which offers you much better protection at the click of an option. It is easy to check and simple to implement if needed.
When did you last change the main code and how free are you with it?
This is often overlooked. No matter how secure your code may be, if it is widely known and never changed then it somewhat defeats the object. Staff come and go, and not always in circumstances that we would wish; what if they know the wireless code and feel aggrieved? They don’t even need access to the building as, of course, Wi-Fi often doesn’t respect walls and door locks. Ensure that distribution of the wireless key giving access to company data is as limited as possible and that the key is changed as often as is practical.
Do you have a separate Wi-Fi for guests?
My example at the start of this article is far from unique. If you haven’t got a separate Wi-Fi network and code that only gives access to the internet and no corporate resources, then you should never give out your company Wi-Fi code under any circumstances. During security audits, I always casually ask for the main Wi-Fi code for my laptop as part of the exercise, and I would say that 90% of the time it is not queried and simply offered. Even if I do not have malicious intent, there is no way for you to know if I have sufficient security on my device or unwittingly host a virus just waiting to attack a network. There are very few reasons for a visitor to need access to your corporate network, so don’t give it to them.
NB: The guest network can also be offered to staff for mobiles, etc. This further reduces the risk of the main code becoming widely known.
What’s in a name? That which we give a code
Most Wi-Fi networks advertise themselves for our convenience; you see this every time you browse for a wireless network in a coffee shop or at home. It is tempting, as the proud owners or managers of companies, to use this as an extension of our branding, and if you have ever sat with your mobile or laptop in a retail or industrial park you will have seen a list of networks proudly bearing their company names. You might, however, want to consider making your Wi-Fi name a little less obvious and more obscure, certainly for your corporate network. Some even hide the public advertising of the Wi-Fi entirely, and while this is a little difficult to manage, it is effective against all but the most determined.
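The encryption and network-name questions above can be checked against a scan of the networks visible from your own office. The following Python is an added example, not part of the original article; it assumes scan records in the SSID:SECURITY form printed by `nmcli -t -f SSID,SECURITY device wifi list`, and the sample scan, the network names and the parse_line() and audit() helpers are constructed for illustration.

```python
import re

# Constructed sample scan: one "SSID:SECURITY" record per line. An empty
# SECURITY field means the network is open; an empty SSID means it is hidden.
SAMPLE_SCAN = r"""
AcmeLtd-Office:WPA2
AcmeLtd-Guest:
TillPC-Net:WEP
Back\:Office:WPA2
:WPA2
"""

def parse_line(line):
    """Split one record into (ssid, set of security modes)."""
    # The security field never contains ':', so split on the last one,
    # then undo the backslash escaping inside the SSID.
    raw_ssid, _, security = line.rpartition(":")
    ssid = re.sub(r"\\(.)", r"\1", raw_ssid)
    return ssid, set(security.split())

def audit(scan_text, company_words):
    """Return (ssid, issue) pairs for the weaknesses the article lists."""
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        ssid, modes = parse_line(line.strip())
        label = ssid or "<hidden>"
        if not modes:
            findings.append((label, "open"))          # no code at all
        elif "WEP" in modes:
            findings.append((label, "wep"))           # change to WPA2
        # A name containing the company's own words advertises whose network it is.
        if any(word.lower() in ssid.lower() for word in company_words):
            findings.append((label, "branded-name"))
    return findings

if __name__ == "__main__":
    for ssid, issue in audit(SAMPLE_SCAN, ["acme"]):
        print(f"{ssid}: {issue}")
```
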
How secure is my office Wi-Fi? was written by Lindsey Hall.
NCSC.gov.uk advice on network security (external site)