Network security is only as good as its weakest link--often users' home Wi-Fi networks. IT managers must examine their exposure to unsecured Wi-Fi networks and take steps to mitigate any risks, such as helping users protect their networks, implementing a good remote access policy, and addressing any compliance issues.
In his Time.com article, "Confessions of a Wi-Fi Thief," Lev Grossman describes a Wi-Fi filching scenario IT pros are all too familiar with. Grossman wrote:
When I moved into my apartment three years ago, the first thing I did after I tipped the movers was sit down on a box, crack open my laptop and sniff the air for wi-fi signals. And I found them: my apartment was chock-full of delicious, invisible data, ripe for the plucking. ... For the next three years, I didn't pay for Internet access. Instead, I got online via the unsecured wireless networks of my neighbors.
I'll leave the ethical and philosophical argument for and against Wi-Fi theft for another post, but Grossman's article reminds us that the chains we put around our networks are only as strong as their weakest links--often our end users' home offices.
Using a VPN along with strong access control and authentication procedures is a must, but IT departments must also stress the importance of end users securing their own wireless networks. And we should provide assistance, even if it's just informational, if possible. Now don't get all up in arms about supporting end users' home equipment. I'm not suggesting you take on the often impossible task of manually configuring each user's home networking equipment. Instead, I suggest an information campaign that helps users understand the importance of and common methods for securing their home networks.
Establish, distribute and enforce a good remote access policy
Your information should start with a good remote access policy, which every remote user should receive and sign (manually or electronically). The following TechRepublic policies are a great place to start when creating a policy for your organization:
- TechRepublic's Remote Access Policy
- TechRepublic's VPN Policy
- TechRepublic's Wireless Communications Policy
Provide information on general Wi-Fi security techniques
Whether you include them as part of your remote access policy, post them on your IT department's Intranet site or send them out in an e-mail, the following Wi-Fi security tips are a good place for your users to start:
- Use WPA or WPA2 wireless encryption--not WEP.
- Don't broadcast your SSID.
- Use a firewall.
- Use a strong passphrase.
- Regularly monitor network access.
Check out the following resources for complete descriptions of these and other security measures:
- 10 Wi-Fi security tips
- Why VPN can't replace Wi-Fi security
- Ultimate guide to enterprise Wireless LAN security released!
- Wi-Fi security for road warriors: On-line banking
- Wi-Fi Security is always one step behind
- Protect your laptop from ad hoc wireless networks
- How secure is your Wi-Fi?
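The first tip in the list above (WPA or WPA2, not WEP) is one users can check for themselves. The script below is an added example, not part of the original article: it classifies each network in the output of `nmcli -t -f SSID,SECURITY device wifi list` on a Linux laptop. The sample scan and the OK/FAIL/REVIEW labels are constructed for illustration.

```python
# Constructed sample of `nmcli -t -f SSID,SECURITY device wifi list` output.
# Terse mode separates fields with ':' and backslash-escapes a literal ':'
# or '\' inside a value; an open network has an empty SECURITY field.
SAMPLE_SCAN = r"""HomeNet:WPA2
Guest\:Lobby:WPA1 WPA2
OldRouter:WEP
CoffeeShop:
:WPA2
"""

def split_terse(line):
    """Split one terse-mode line on unescaped ':' and undo the escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])      # keep the escaped character as-is
            i += 2
        elif ch == ":":
            fields.append("".join(cur))  # unescaped ':' ends the field
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields

def classify(security):
    """Map an nmcli SECURITY value to a verdict based on the tip list."""
    modes = set(security.split())
    if not modes or modes == {"--"}:
        return "FAIL", "open network, no encryption"
    if "WEP" in modes:
        return "FAIL", "WEP in use; switch to WPA or WPA2"
    if any(m.startswith("WPA") for m in modes):  # nmcli shows WPA as "WPA1"
        return "OK", "WPA-family encryption"
    return "REVIEW", "unrecognised security mode: " + security

def audit(scan_text):
    """Return [(ssid, verdict, reason)] for every network in the scan."""
    results = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        fields = split_terse(line)
        ssid = fields[0] or "<hidden SSID>"
        security = fields[1] if len(fields) > 1 else ""
        results.append((ssid, *classify(security)))
    return results

if __name__ == "__main__":
    for ssid, verdict, reason in audit(SAMPLE_SCAN):
        print(f"{verdict:6} {ssid:15} {reason}")
```

A user looks for the row carrying their own SSID; any FAIL on that row means the router settings need changing before the network is used for remote access.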
Consider special requirements for data protected by regulation (healthcare, educational, etc.)
If your organization handles data protected by specific government regulations (HIPAA, FERPA, GLBA), you may need to take extra precautions. The following resources can help you decide what security practices are necessary in your environment:
- Providing remote access to private healthcare data
- Take steps to safeguard sensitive data
- Compliance Regulatory Overview: HIPAA
- Compliance Regulatory Overview: Gramm-Leach-Bliley
- 10 things you should know about Gramm-Leach-Bliley
- Compliance Regulatory Overview: FERPA
- 10 things you should know about the Family Educational Rights and Privacy Act (FERPA)
Bill Detwiler has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop support specialist in the social research and energy industries. He has bachelor's and master's degrees from the University of Louisville, where he has also lectured on computer crime and crime prevention.