Why you need a wireless policy

Experts predict that wireless deployments will be a hot project for IT shops, and a key factor in successful implementations is having wireless policies in place to protect the company from security headaches. Here's what your policies should cover.

A new wireless LAN (WLAN) in sales is the talk of your company. But your IS department didn’t install it. Upon investigation, you learn that a well-intentioned sales team leader simply plugged into the network with a $180 D-Link wireless access point. Surprised? You shouldn’t be.

Because the equipment is easy to access and install, "pirate" 802.11b rollouts are a growing problem for technology departments, according to Carl Klunch, vice president of Gartner Research. Anyone with a little money and a basic understanding of network cables can hook one up.

Security risks and the increasing demand for PDAs and other wireless devices make supporting wireless networks a critical issue for CIOs this year—one that calls for CIOs to get in front of potential problems by creating a strong wireless policy, experts advise.

In this article, we’ll explain why today’s enterprises literally can’t afford not to create a wireless policy that covers both corporate and personal use needs.

Potential security threats
According to "IT/IS Industry Forecast 2002: U.S. and Europe," a report from CyberAtlas Research, a division of INT Media, 33 percent of U.S. Fortune 1000 companies have already installed wireless communication systems. Another 25 percent plan to deploy wireless systems in 2002, although these initiatives will only account for 5.8 percent of technology budgets in 2002, according to Gartner.

Beyond the breach risk of an unsecured WLAN, the wireless devices themselves can expose companies to a security nightmare. They are easily stolen from employees in airports and restaurants, potentially placing proprietary information in the hands of competitors.

Whether it’s to head off pirate projects or to provide guidance for a new deployment or enhancements to an existing system, a wireless policy is a necessity and should dictate everything from the devices and platforms supported to security measures, access privileges, and what constitutes appropriate use.

“When it comes to policy making,” said Patricia Fusco, managing editor of the CyberAtlas Research report, “the first decision CIOs must make is which wireless platform their networks will support—802.11x, Bluetooth, HomeRF, and the like. From there, the remaining major issues are security, security, and security.”

At present, there’s no clear leader among wireless platforms, according to Larry Kinder, global CIO and executive vice president of Cendant Corporation. Cendant’s 31 companies and 21 CIOs, whom Kinder directs, have deployed several wireless platforms.

“But we haven’t figured out what’s the best application,” said Kinder, who noted that Bluetooth looks promising because centralized management of the devices is handled at the server level, and appropriate security measures are somewhat dictated by the devices themselves.

Cendant’s employees use wireless devices for everything from low-end Web-clipping services on Palm VIIs and e-mail via BlackBerry devices to helping customers check in and out of Avis Rent-a-Car.

“With limited deployments, we’ve piloted a lot of the technologies to see if they would catch on,” explained Kinder. What works and what doesn’t is then shared among the CIOs of the 31 subcorporations to identify best practices. Those best practices then guide decisions for future technological solutions.

One policy doesn’t do it all
In addition to its corporate wireless policy, Cendant has also put personal-use policies in place, something that all companies should do, said Nancy Flynn, executive director at the ePolicy Institute.

“Anytime you allow your employees to access the e-mail, intranet, or Internet system, you’re putting your organization at risk of a broad range of potential and costly liabilities,” said Flynn.

Personal-use policies can protect companies against many liability problems, including those arising from the following:
  • Discrimination suits
  • Lost productivity
  • Electronic sabotage
  • Wasted resources

To protect themselves against such losses, companies have to explain the appropriate use of company hardware inside and outside the office. The goal is to cover every possible contingency, said Flynn. She recommends that companies include the following points in personal-use policies:
  • Hardware, wireless devices, and the password used to access them belong to the company. Companies, including Cendant, often purchase devices in bulk to obtain better pricing and then issue the devices to employees. Companies should explain that although the wireless devices may be taken physically out of the office, the devices and the passwords are both to remain company property at all times. Companies also need to keep comprehensive lists of all employee passwords, advised Flynn, so that in the event the employee resigns or is terminated, he or she will not be able to keep using the device or lock the company out of any systems.
  • Company wireless devices should not be used for personal correspondence. In the event of a workplace lawsuit, the device and the correspondence can be subpoenaed. Information contained within the devices could include some personal information that would be potentially embarrassing to the employee or the family.
  • The company has the right to monitor all electronic correspondence. The policy should spell out that the company has the right to monitor all e-mail and Internet activity. This point helps control e-mail content, noted Flynn, who also suggested that companies specifically spell out what kind of language is and is not acceptable in company correspondence.
  • Outline the disciplinary action taken if the policy is broken. If an employee violates policy, one course of action is to revoke his or her computer privileges, said Flynn, which would render an employee virtually useless in the modern office. In addition to spelling out disciplinary action in the wireless policy, Flynn recommends that companies conduct formal training once a year that further explains what will happen if the policy is violated. She also advises companies to issue frequent reminders of the importance of complying with the policies.

Not too late to act
Even if your enterprise already has a "pirate" rollout in place or you’ve widely deployed wireless devices, it’s never too late to implement a policy, according to the experts. And while such policies ultimately can’t stop a sales team, or any other business unit, from deploying unauthorized wireless stations, the policy will serve as a guide for what’s appropriate and why, and it may stop further violations from occurring.

As Jeremy Grigg, Gartner’s research director for business management of IT, noted, “Wireless is not going away, and it has to be considered very carefully. If you don’t consider it [through policy making], the decisions will be made for you.”

Do you have a wireless policy?
If so, send it to us and we’ll share it with members as a download resource. If you hit snags in setting policy, send us an e-mail on how you solved them or start a discussion below.

 