Those open-access and unsecured wireless networks we and our employees encounter in our travels are convenient -- and may be risky to use. Far more risky is the number of those networks that belong to small and midsize businesses, exposing themselves and their data not just to bandwidth freeloaders, but also to intruders.
Over the course of a recent long weekend's travel -- trains and automobiles this trip, no planes -- and a long weekend's bouncing from wireless network to wireless network, a colleague remarked (gently) on my being "fearless in my wirelessness."
Well, sure! Because I was traveling with a brand-new notebook computer that had absolutely nothing on it except an office suite, a browser, and a mail program (and full anti-malware suite, of course.) I was delighted with the notebook and, indeed, fearless. None of the e-mails I sent or was likely to receive over the weekend contained confidential information (other than "secret" recipe ingredients for the party my wife and I were attending.) I wasn't going to access any financial accounts, and there was plenty of destination shopping where I was going so I wouldn't be buying online.
In other words, I had nothing (on the machine) to lose.
So when I picked up the unsecured wireless network in the hotel we stayed at midway through the first leg of our journey, or lucked into hotspot after hotspot as our train paused to pick up and discharge passengers, or grabbed access from one of several open WLANs in the neighborhood where we stayed for the weekend, I felt no qualms (other than a mild but nagging discomfort over freeloading on somebody else's network.)
Most of those networks were public hotspots -- the train station, a restaurant, or a cyber café -- but more than a few were private wireless nets or small and midsize business wireless connections. I feel confident in that last assertion because most of the networks I encountered were clearly Cisco's Linksys, and a few had owners who went to the trouble of changing the network's names.
I've changed those names here to protect the foolhardy, but one was essentially XYZhealthserve, another presented itself more or less as ABCconsultgroup.
None of them had any security in place.
Don't Miss: Keith Ferrell's Security Blog
Now I don't have any idea what sorts of data "healthserve" or "consultgroup" have on their machines, but judging from the names assigned to their networks I'd be willing to place a wager that at least one of them deals with information subject to compliance regs. And it's a 100% certainty from my point of view that both have information on their networks that they don't want outsiders accessing.
And yet, there was no hint of password protection, not a bit of bandwidth blockage. Makes you wonder how up-to-date their antivirus protection is (or if they've even got any).
And my colleague thought that I was being reckless!
Of course, there's always the chance that some of the networks I encountered were left deliberately unsecured to entice passers-by into a crook's web. Take a look at this review of wireless security, including how to recognize crooknets masquerading as open WLANs to get an idea of what you and your mobile employees are up against out there. But I digress.
The whole experience got me thinking.
On the network side: If you buy off-the-shelf wireless networking products -- for many smaller businesses that's a more than sensible decision -- be sure to configure them at the highest available security level, reset the password immediately (and change it every few weeks), and do what you can to limit the range of wireless access. Period. No exceptions.
See more columns by Keith Ferrell
Next Page: Three Questions To Ask About Using Unsecured Wireless Networks
