Wireless computing and networking is becoming commonplace within many organisations. It provides the flexibility for staff to work and collaborate within the office and, as the trend to Bring Your Own Device (BYOD) grows, it allows staff to connect to the corporate networks using their preferred device, such as a laptop, PDA or smartphone. For organisations, wireless networks are simple and cost-effective to implement and extend, and are usually less complex to manage than wired connections.
What are the risks?
There are two key risks associated with wireless networking:
Security of data
With wireless networks, information doesn’t just go to the target wireless node, but is potentially available to anyone within the broadcast range. It is not just the information being broadcast that is vulnerable; the data held on the wireless device is potentially also at risk. This could lead to theft of confidential, personal and corporate information and to breaches of data protection regulation.
Unauthorised network usage
Unlikely as it seems, there are many wireless networks that are unsecured. Anyone within broadcast range can connect to the network and access all unprotected information and applications. In its simplest form, people may ‘piggy back’ on the wireless network for Internet connections. More seriously, it is much easier for unwanted and malicious users to gain access to a wireless network than to a wired network. Even if an organisation’s own data is not being hacked, it is important to be aware that if the organisation’s wireless connection is used for illegal activity, the organisation could be held responsible.
What should an organisation do?
The organisation needs to ensure that it creates and enforces strict security policies for wireless usage. These should be aligned to information management policies similar to those that govern the use of mobile computing within the organisation. Important elements governing the use of wireless networks include:
- Ensure the wireless network is based on WPA security as a minimum
- Enforce strong passwords that are regularly changed
- Use RADIUS facilities to effectively manage authorised
- Use encrypted VPN connections to share confidential information
- Operate the wireless network at a lower power level to deliver coverage only within a defined area
- Set policies on what type of information can be accessed over a wireless network, how it is accessed and how it is secured
- Consider deploying wireless equipment based on a Layer 3 IP architecture to significantly reduce the network footprint available for malicious attack
Checklist
- Establish a wireless network security policy
- Align wireless policies to those governing the use of mobile equipment
- Ensure WPA security as a minimum
- Use VPN for access to confidential and personal information
- Use RADIUS to ensure access to only authorised users
- Limit broadcast range to defined and manageable areas
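One way to check the "WPA as a minimum" and "RADIUS" items automatically is to audit the access point configuration. The following is an added example, not part of the original article: it assumes the access point is configured through a hostapd-style key=value file, the function names `parse_conf` and `audit` are hypothetical, and the sample configurations (including the 192.0.2.10 RADIUS address) are constructed.

```python
# Added example: audit hostapd-style settings against the checklist above.
# All sample configurations are constructed for illustration.

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    value = conf.get("wpa", "0")
    wpa = int(value) if value.isdigit() else 0   # bitfield: 1=WPA, 2=WPA2
    if wpa == 0:
        findings.append("FAIL: WPA disabled (open or WEP network)")
    if any(key.startswith("wep_key") for key in conf):
        findings.append("FAIL: WEP key configured")
    # hostapd falls back to WPA-PSK when wpa_key_mgmt is not set
    suites = conf.get("wpa_key_mgmt", "WPA-PSK").split()
    non_eap = [s for s in suites if "EAP" not in s]
    if wpa and non_eap:
        findings.append("FAIL: non-RADIUS key management allowed: " + " ".join(non_eap))
    if wpa and len(non_eap) < len(suites):       # at least one EAP suite
        if conf.get("ieee8021x") != "1":
            findings.append("FAIL: EAP suite set but ieee8021x=1 missing")
        if "auth_server_addr" not in conf:
            findings.append("FAIL: no RADIUS server (auth_server_addr)")
    return findings

OPEN_AP = "interface=wlan0\nssid=office-guest\n"
PSK_AP = "interface=wlan0\nssid=office\nwpa=2\nwpa_key_mgmt=WPA-PSK\nwpa_passphrase=constructed-sample-only\n"
ENTERPRISE_AP = """
interface=wlan0
ssid=office
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER
"""

if __name__ == "__main__":
    for name, conf in [("open", OPEN_AP), ("psk", PSK_AP), ("enterprise", ENTERPRISE_AP)]:
        print(name, audit(conf) or "OK")
```

A shared-passphrase network passes the WPA check but still fails the RADIUS item, because a single passphrase cannot tie access to individual authorised users.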