We all know Admiral Ackbar wasn’t referring to public Wi-Fi security when he uttered the famous line, “It’s a trap,” but the sentiments match. While he had bigger things to worry about than unsecured data connections, public Wi-Fi security can be very risky. It’s up to IT teams to warn employees against the risks associated with open mobile connections.
People love anything free, especially Wi-Fi, as a recent study by Melbourne’s RMIT has shown. The study revealed that 56 per cent of its participants (more than 10 million people, when extrapolated to Australia’s population aged 18 and over) had used public Wi-Fi during the three months immediately prior to being surveyed. More than half declared that they’d used unrestricted (i.e. password-free) Wi-Fi, such as at a restaurant, shopping centre, or airport.
Many of these people had been working and shopping online, and were exposing information in major ways. Fourteen per cent of the public Wi-Fi users had logged into work networks without taking any specific security precautions (almost 1.5 million people nationally, when extrapolated). More than 25 per cent had accessed internet banking or purchased items via credit card or Paypal—2 million Australians every day.
The state of public Wi-Fi isn’t great, to say the least. IT pros should prioritise finding ways to enable mobility for their network users without the users exposing data to every hacker in the coffee shop—or on their network.
Honestly, how bad is public Wi-Fi security?
One study by Intel Security revealed that the greatest risk in the public Wi-Fi world may be spoofed hotspots. ComputerWorld‘s John Dunn said that “the real risk isn’t the lack of encryption on public Wi-Fi but the lack of verification that a hot spot is genuine.” Would your users think twice before connecting to an open wireless connection called “Starbucks Wi-Fi?” Probably not. Many of these spoofed connections include a series of login screens that appear legitimate.
Most IT pros are familiar with the ways in which hackers intercept protected data over open connections. On its website, Digital Trends lists the following common methodologies:
- Man-in-the-middle attacks: All data transmitted over a public network is routed through a hacker’s device.
- Malware: Malware is introduced to a device through the theft of cloud login credentials or other methods of entry.
- Wi-Fi sniffing: Network traffic is monitored and analysed to steal data.
David Maimon, criminology professor at the University of Maryland, explains that the tools necessary to launch these attacks aren’t sophisticated. They’re widely available online and require less knowledge than your average computer science student to operate.
One of the most shocking statistics we dug up indicated that your users aren’t completely blind to risks. A study by the US-based Identity Theft Resource Center showed that 76 per cent of people know that public Wi-Fi use can lead to identity theft. So, do they know it’s a trap? If they’re not ignorant to the risks and go ahead anyway, how on Earth do you change their minds?
Provide employees a mobile hot spot
If there was a single, guaranteed way to make sure your employees weren’t dealing with sensitive data on risky networks, it would literally involve handing them a wireless connection on their way out the door. It’s not the cheapest or simplest way to make sure your employees use a secure connection, but it could be the right one for frequent travelers and remote workers.
While it’s hard to say exactly how many organisations have adopted this approach, it’s quite a few. For IT manager Matt Kosht, handing out MiFi has been one way to silence users’ wails about “draconian web-filtering practices and poor internet performance.”
Make it (relatively) easy to VPN
There are benefits to issuing standardised devices. But with the right VPN, you don’t even need to fear the impact of wireless hotspots on a personally owned employee device. This isn’t the only way to improve mobility and security—but it’s one of the most important, bare minimum steps to take.
For Gary Pettigrove, CIO at the Australian National Audit Office, VPN offers more than just protection against risky Wi-Fi. He’s noticed productivity gains in his employees’ abilities. “You download the data you need to your laptop through the VPN and our applications enable you to work offline,” he told OpenGov. “And when you get out of the secure location, you synchronise it back in again.” The right VPN will act as a wall between your employees and the outside world, without disrupting the ways they work.
Make it really hard to Wi-Fi
For the sake of simplicity, you should assume your employees will try to bypass best practice to occasionally work from public wireless. It’s just going to happen. TechTarget mobility consultant Bryan Barringer believes that where your VPN and common sense leave off, you should exert control with mobility policy. He writes, “Most mobile products are only as reliable as the access controls Active Directory provides. IT departments need to keep Active Directory and other controls up to date with evolving mobile best practices.”
Using policy-based administration to tightly control your user permissions and data classifications (along with a great VPN and, possibly, mobile device management (MDM)) presents difficulties for IT departments, but it also greatly diminishes the chance that anyone will email personal identifying information (PII) through a hacker’s interception point.
Put Wi-Fi risks on blast
Even if fantastic mobility prevents your employees from exposing your company’s data, are those same employees going to access their own banking data on personally owned devices connected to the local coffee shop network?
Personal risks are company risks. An employee who’s actively fighting identity theft is likely to experience a high level of stress, which then affects their productivity, engagement, and happiness. While IT pros can’t control what people choose to do in their own time, they can make sure everyone at their organisation knows just how risky public wireless is.
For your employees, public Wi-Fi access points probably don’t look like dangerous information traps—they likely are seen as convenient. But by making it just as easy for your employees to do their work securely away from the office without latching onto the public hotspot, you can significantly reduce your risk exposure.