Skip to content
Naked Security Naked Security

Win against ransomware – with free staff Wi-Fi!

If someone is determined to take online risks while they're at work - how much better if they aren't on the business network?

Wi-Fi image courtesy of Shutterstock

We’ve all heard horror stories of encrypting ransomware chewing through the core digital assets of a business, and holding them at the mercy of the attackers.

(Do you pay or do you not? – that’s a different topic.)

The defences against ransomware are similar to the defences against malware in general, and you will have heard them many times:

  • Filter mail to reduce exposure to phishing scams.
  • Block executable attachments in email. (Yes, inside ZIPs and other archives, too.)
  • Prevent web downloads of programs except by trusted staff. (Yes, inside ZIPs and other archives, too.)
  • Run endpoint protection software and keep it up-to-date.
  • Block outbound network connections that go to malicious sites.
  • Monitor network traffic for indicators of malware C&C (command and control).

These all work together to protect your business assets: not only from ransomware, but also from most other threats that can exfiltrate corporate data, steal passwords and other account information, or turn your work computers into spam-spewing zombies‘.

“But,” I hear you say, “my staff won’t accept that level of control!”

Users want to work in an open environment where they are free to check their webmail; where they can browse the web as they need.

They want to be trusted not to accidentally download a password protected zip file, from an unknown web site, linked to in a mail from an unknown source, enter the password on the way, and run the extracted executable, all to help help them update their computers to Windows 10 (because IT never upgrades early enough).

But why would you want any of this happening near your intellectual assets – you know, the stuff that makes your business work?

As we have repeatedly learned from retail environments, where RAM-scraping malware can be introduced into the point of sale terminals (coughwindowsxpcough) to record the data of any swiped credit card right out of memory, the ability to segment your network can dramatically increase your security.

In some retail outlets, however, the point-of-sale terminal is often just a Windows computer that is used for every other aspect of the outlet. Often it is the only computer! So, by default, it is exposed to everything.

So how do you reconcile a good working environment with the restrictions you need to protect your assets?

Free Wi-Fi for all staff, of course!

Think about it.

How many of your staff have their own mobile devices? I’m going to suggest that most of them do.

And how many of them use a company computer to do things because they want to preserve their mobile data allotment? Again, I’m willing to bet most.

By simply adding a separate network for all staff to use with their own devices, you can much more readily lock down the business assets you need to protect.

You can tighten up your restrictions and add many more layers of filtering into the email and web browsing from your work computers, while still letting staff goof off (OK, watch culturally enlightening videos of international cat celebrities) without putting your business data at risk.

→ “Goofing off” may be a bit unfair. But if staff are going to goof off online, wouldn’t you rather they did so from their own phones on a Wi-Fi network reserved for the purpose, instead of on the same network where your accountants – and auditors! – do their work?

And how cool is an employer who offers free Wi-Fi to all staff?

You can still protect that network against cybercrooks, while keeping threats such as phishing, ransomware, password stealers and bad cat videos away from your core assets.

If you want, you can offer managed access to corporate mail and data – that BYOD thing everyone has been talking about – without giving the sort of access that could lead to ransomware on one device putting other company computers and even your file servers at risk too.

Just getting users to move their riskier behaviours onto a different network can help you a lot.

Better yet, you’ll probably find it easier to talk to your users about those risky behaviours, because you’re offering them something, rather than trying to take it away.

3 Comments

I implemented a separate WiFi network for staff and office guests for this very reason. It’s simple rule selection on Meraki access points to deny local LAN traffic, together with traffic shaping limits so that staff internet use on personal devices does not impact to overall internet speed for the business.

Reply

We do this also. It is a great compromise. We also have guest systems that are frozen – (every reboot, less planned updates, it’s just like new) in the break rooms on the same wireless. Air gapped from the work network.

Reply

I have a client who we set up with private wired/wireless passes through a filter proxy, thereby locking out all devices without the client installed.

And if a staff person tries using their company machine on the guest wifi to bypass the filter, they get a little surprise – it’s on a vlan with a repurposed desktop acting as a DC that has a policy to push out borked network settings to any domain computers.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!