Don’t allow your Wi-Fi to become a security risk
By Mike van Bunnens, Managing Director, Comms365
Guest Wi-Fi is a standard offering for growing numbers of organisations from hotels, cafes and sports centres offering free Wi-Fi to customers, to businesses providing Wi-Fi for partners, suppliers and customers visiting the office. But how many organisations have any idea about the way in which that Wi-Fi network is being used? Not only does the company have a clear liability if a customer is viewing inappropriate – or illegal – images or content, but an inadequately secured Wi-Fi network can be an open door to the rest of the business infrastructure. In an era of heightened security awareness, too many organisations appear to be overlooking Wi-Fi. As Mike van Bunnens, Managing Director, Comms365 explains, an effective Wi-Fi strategy demands more than easy guest access – a fully managed service is key to delivering the content management and security policies required to improve customer service whilst safeguarding the business.
The vulnerability of information has been reinforced in recent weeks. From the recent hacks at TalkTalk and British Gas to the technical issue experienced by Marks & Spencer and their website, all of which compromised customer information, individuals have become far more aware of the risk to personal data – and companies have become ever more alert to the risk to reputation associated with an information breach or network misuse.
And yet while most organisations have raised their game when it comes to hardening the IT infrastructure, how many are paying any attention to the Wi-Fi connection? In an era where guest Wi-Fi access has become an essential aspect of most business models, far too few companies are putting any good controls in place to safeguard the way in which this network is used. The draft Investigatory Powers Bill currently being discussed in parliament adds further weight to the discussion as it suggests that the Internet ‘activity’ of every person should be stored by ISPs for a minimum of 12 months. That activity will be generated through many of these free Wi-Fi connections.
The reality is that should a guest misuse the Wi-Fi network – to view inappropriate content for example – the business could potentially be held liable. Furthermore, without the right controls in place, the Wi-Fi connection can become a simple back door into the overall corporate network, undermining all the other aspects of network security being introduced. Poorly managed, uncontrolled Wi-Fi is essentially an open connection that can lead to serious business problems.
It is important to step back and consider the way in which Wi-Fi is used – by both staff and guests – and assess the risks. Under the current legislation an organisation needs to be able to demonstrate a robust intent to prevent people – both employees and guests – from breaking the law. For most organisations, there is also a requirement to comply with CSR policies regarding the type of content accessed; policies that can include, for example, limiting personal social media usage.
Furthermore, in the era of the Internet of Things, with connected devices that now require 100% uptime, as well as a growing reliance on cloud based data and applications, the implications of any network glitch are potentially devastating. No organisation, therefore, can afford to leave the open door of unsecured Wi-Fi that could enable the introduction of malicious code.
However, far too many SMEs are using nothing more than a single router with a Wi-Fi access point and feel secure because the access is password limited. Yet when that password is handed out to any guest on demand – how can that be secure? In many cases access is not even time limited – gain access once and an individual can automatically log into that network, and hence every aspect of the Internet, again at any time. Attitudes to Wi-Fi are adding significant corporate risk.
Controlled and Secure
There are two essential aspects of Wi-Fi control and risk mitigation – content management and improved security. The introduction of even the most basic controls can radically reduce the risk without compromising the user experience. For example, guests can be provided with Wi-Fi access for a set time period – such as 30 minutes or one day – ensuring there is no chance of an ‘access once, stay online indefinitely’ Wi-Fi service. Staff access can also be tracked via an audit trail – providing management with inherent control over the way in which the Internet connections are being used and insight into how much time is being spent on non-work activity.
Guest and staff access can be securely segregated to protect the core infrastructure. It is also possible to control the amount of bandwidth available to different user groups – for example, ensuring staff always have more bandwidth than guests to avoid any productivity dips, or simply checking that priority traffic is never compromised by those heavy users that exist in most organisations. Indeed, specific bandwidth can be locked to individual users if required.
On the content management side, the emphasis is clearly on prevention rather than simply highlighting activity in real time. Realistically, no one wants to knock on a hotel door or quiz a supplier to find out what they’re using the Wi-Fi for. It is far more effective to simply lock down and prevent access to any illegal and/or unacceptable content. With strong content management and filtering tools, companies can pick and choose what should be censored – effectively both locking down the network and demonstrating that robust procedures are in place.
The problem facing many SMEs is that despite the ubiquity of Wi-Fi provision, most companies find the whole process of managing the wireless network rather arduous. Far too much time is already spent dealing with user access problems and chasing providers about the quality of service – few companies will have the resources to introduce better security or content management.
As a result, there is a growing trend towards Wi-Fi Managed Services that can not only lock down the network but also deliver the continuous maintenance and upgrades required to improve overall uptime and minimise user issues. The service should also include a choice of security policies and procedures, such as timed access, as well as the ability to make content filtering decisions that reflect industry/company specific policies.
Security is a high priority but, as ever, there are battles between operational requirements and the need to lock down the business. Companies feel obliged to provide Wi-Fi for customers, partners and suppliers; it is a standard component of many business models. But that does not justify providing open access to all and sundry. The ability to offer different access points with different controls, time constrained and with strict content management, enables organisations to meet corporate requirements while also safeguarding corporate integrity. The key is that the managed services model allows organisations to take a far more controlled and sophisticated approach to Wi-Fi provision without compromise.