If you don’t have a wireless network in your business, you might as well be in the dark ages – or that’s what your employees, customers and guests will tell you.
You’d be hard-pressed to find a cafe, hotel, or auto dealership without Wi-Fi – it becomes a cost of doing business because retail customers expect it.
Wi-Fi is essential for other types of businesses – picture your typical office setting – because in order for your workers to be productive, they need internet connectivity even when they move around the office, on their laptops and mobile devices.
This is the world we live in, and IT had better be on board.
For small businesses, even those without an IT department (or those with an IT department of one), Wi-Fi networks are deceptively simple to set up.
But if you’re comfortable using a consumer-grade Wi-Fi access point in your business with the out-the-box defaults, I’ve got bad news for you – you’re putting all your employees and customers, and your business, at risk.
We know there are vast numbers of businesses that use unsecure Wi-Fi because we’ve checked, in many cities around the world.
In experiments in London, New York City, San Francisco and several other big cities, Sophos “warbikers” James Lyne and Chester Wisniewski used a simple set of tools to detect thousands of wireless networks while touring busy neighbourhoods on a bicycle.
What we found in every city we’ve visited is that a very high proportion of Wi-Fi hotspots are using outdated or no security – in London, for example, just 17% of hotspots we scanned had the recommended WPA2 setting for encrypting wireless traffic, and about a quarter of hotspots were Open networks, with no encryption at all.
Many of the small businesses running these networks also revealed a lack of security awareness by using default network names with no random element, making it likely they were using default passwords as well (both are bad practices).
Getting Wi-Fi security right is essential for everyone, but small businesses especially could use some good security advice. Here are 3 key things small businesses should know about securing Wi-Fi.
1. Mind your settings – Use WPA2 with EAP-TLS security
Open Wi-Fi networks are inherently unsecure. There is nothing to prevent snoops from spying on your network traffic, or cybercriminals tricking your users into visiting a website under their control (what is known as a “man-in-the-middle” attack), which they could use to steal crucial data like passwords.
Although visiting websites with TLS/SSL (the security feature that gives the website an https:// in the web address) means the contents of a connection to a website is encrypted and unreadable, a hacker could still find out what websites users are visiting. That kind of information could be used in profiling users or your business for future attacks.
The security setting known as WEP can be cracked in minutes, so you need to make sure when you set up your network to use WPA2.
WPA2 encryption is strong enough to prevent snoopers sniffing your data over the air. To make sure only legitimate users can access the network, combine it with EAP-TLS authentication.
EAP-TLS is preferable in a business environment because it uses certificates rather than a just password to validate users. PSK (pre-shared key) is the most common authentication method. It’s popular because all you need to is share a password. Unfortunately, shared passwords have a strong tendency to end up in the wrong hands!
Additionally, make sure you turn off WPS, a feature that is designed to make connecting to your wireless network really easy with a short PIN, or a click of a button – but it’s horrendously insecure. Even if you are using WPA2, if you have WPS enabled, which many devices have on by default, it can be easily cracked.
2. Wi-Fi networks should be firewalled from the rest of your network
When someone accesses your Wi-Fi, they get access to the whole network – including all your servers and confidential data. Even if you have strong encryption, Wi-Fi networks should be firewalled from your servers and the rest of your network.
Business networks often need to support visitors and contractors as well as employees – all of whom need varying levels of access. Make sure you have a second guest network that’s completely isolated.
Without proper access controls anybody and everybody can connect to the network, putting sensitive data at risk.
3. Watch out for rogue hotspots and tune your signal strength
You need to be conscious of rogue hotspots and devices. Are you sure someone isn’t just plugging in their own access point, bypassing all your hard-earned effort to secure the network?
Rogue Wi-Fi at the least is stealing spectrum and slowing your network down. At worst, someone could tempt you or your employees to connect to a rogue hotspot that’s the same name as your corporate network, which could be used to attack you just like on an unsecure open network.
While out sniffing for rogue access points, it’s also worth looking at the strength of your own APs.
It might not always seem like Wi-Fi has a strong signal, and you probably hear complaints from users about “dead zones” or a weak signal. Don’t be fooled. Wi-Fi signals can leak out through your windows and your walls.
Just because you can’t get a signal, it doesn’t mean that a bad guy couldn’t if he had a high-powered (“high-gain”) antenna. I’ve heard of people using this method to pick up Wi-Fi signals over a mile away!
So tune the power on your access points to cover the space required. As a bonus, if you’ve got multiple access points, you’ll likely find that reducing power actually improves service as there will be less interference between your cells.
7 Deadly IT Sins
Unsecure Wi-Fi is one of Sophos’s 7 Deadly IT Sins. You can read more about that and the 6 other sins on our website here.
Ever wondered about some of the “wireless security” shortcuts you’ve heard of, like MAC filtering and network hiding? Beware! Those tricks give you little more than a false sense of security, and here’s why:
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.
MikeP_UK
Any user of BT HomeHubs also has an insecure WiFi service externasl to their own WiFi service. They may well use WPA2 for their internal service but they have no control over the external service, apart from turning it off completely. You find these BT services almost everywhere in the UK, usually shown as ‘OpenWiFi’ or ‘BTWiFi with FON’.
So how many of the WiFi sevices detected for this article were actually the public services advertised by BT? They claim to have millions of such hotspots around the UK. But the FON servi ces are not really that open as you need to have a BT password and email address, and you have to be a BT Internet (ADSL or Infinity) customer to get those.
Anonymous
54321