Are you broadcasting personal data?
Hundreds of thousands of businesses, large and small, world-wide now use Wi-Fi to connect PCs to their network. Millions of homes have Wi-Fi to connect their PCs to the Internet and, of course, millions more use laptops with Wi-Fi in public places across virtually every country. From where I'm sitting writing this right now, I have no fewer than nine wireless networks I could connect to.
So, what's the problem?
Wi-Fi uses a radio frequency that is easily intercepted to transmit and receive data to and from a PC; if it didn't, it wouldn't work without huge antennae. So anyone nearby could easily intercept whatever you send to or receive from your PC. Secondly, when you connect to a network via Wi-Fi you are then dependent on the security of that network to protect you from anyone trying to access your PC. In your office or at home the chances are you have a firewall between your PC and the network (a firewall is a device or software that only allows certain very limited types of data through and in theory prevents someone "hi-jacking" your PC, loading viruses onto it or extracting data from it). Here's what the FBI say:
"The FBI views wireless networks as very insecure, software allows you to set up security, but most people leave it open. It only takes a few extra steps to make it secure, but even if you take the extra steps, a skilled hacker can get into the system."
LaRae Quy, FBI, Northern California
Data Protection legislation requires that organizations take "appropriate steps" to prevent unauthorized access to personal data or data loss. Given this requirement, to what extent and where might companies be liable? Interestingly, there are three areas:
- Company uses Wi-Fi for its internal network
There are two issues here. Firstly, Wi-Fi is inherently insecure in that the transmissions can easily extend well beyond the confines of your office. While these can be encrypted using WEP (Wired Equivalent Privacy) to prevent casual interception, it is acknowledged that this is nowhere near secure enough to prevent deliberate interception or access. So any organization using Wi-Fi and holding personal data will, in order to meet its obligations under data protection legislation, need to ensure at the very least that transmissions do not extend beyond the confines of the office building. Secondly, any sensitive data (health, financial etc.) should NOT be accessible or transmissible over the Wi-Fi part of the network. Practically this means holding the data on a separate sub-network with another firewall between it and the Wi-Fi network. This sounds technical but is actually neither difficult nor expensive in practice, which is another reason why it is important to do it: the authorities will take a very dim view of companies that fail to do the cheap and simple! (And in this category turning on WEP encryption is the simplest and cheapest of all: it's free, takes all of two minutes and requires little technical skill.)
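To make the "separate sub-network with another firewall" layout concrete, here is an added illustration (not code from the original article) that models the three segments and the two firewalls as ordered rule sets and asks which paths are open. The addressing plan, the rule sets and the port numbers are constructed assumptions for the example; the point it shows is that a Wi-Fi client is stopped at the data firewall even though the perimeter firewall lets it out to the Internet.

```python
"""Model of the segmented layout recommended above: a Wi-Fi segment, a wired
office LAN, and a separate sub-network holding personal data behind its own
firewall. Added illustration, not code from the original article; the
addressing plan and rule sets are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed segments (assumed addressing plan).
WIFI_NET = ip_network("10.10.0.0/24")    # Wi-Fi clients: staff laptops and visitors
OFFICE_NET = ip_network("10.20.0.0/24")  # wired office PCs
DATA_NET = ip_network("10.30.0.0/24")    # servers holding personal / sensitive data
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "ACCEPT" or "DROP"


# Perimeter firewall, the one the Wi-Fi network sits behind. Wi-Fi may reach
# the Internet but never the wired office LAN; the office LAN may go anywhere.
# Anything not listed (e.g. inbound from the Internet) is dropped by default.
PERIMETER_FIREWALL: List[Rule] = [
    Rule(WIFI_NET, OFFICE_NET, None, "DROP"),
    Rule(WIFI_NET, ANY, None, "ACCEPT"),
    Rule(OFFICE_NET, ANY, None, "ACCEPT"),
]

# Second firewall in front of the data sub-network: only wired office PCs get
# through, and only to the application port. The Wi-Fi segment is dropped
# explicitly first so that no later, broader ACCEPT can ever re-admit it.
DATA_FIREWALL: List[Rule] = [
    Rule(WIFI_NET, DATA_NET, None, "DROP"),
    Rule(OFFICE_NET, DATA_NET, 443, "ACCEPT"),
    Rule(ANY, DATA_NET, None, "DROP"),
]


def evaluate(rules: List[Rule], src: str, dst: str, dport: Optional[int]) -> str:
    """First matching rule wins; a packet matching no rule is dropped."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action
    return "DROP"


def path_allowed(src: str, dst: str, dport: Optional[int] = None) -> bool:
    """A packet must be accepted by every firewall on its path: the perimeter
    firewall always, and the data firewall as well when heading for DATA_NET."""
    if evaluate(PERIMETER_FIREWALL, src, dst, dport) != "ACCEPT":
        return False
    if ip_address(dst) in DATA_NET:
        return evaluate(DATA_FIREWALL, src, dst, dport) == "ACCEPT"
    return True


def segmentation_report() -> List[str]:
    """Walk the paths that matter for the data-protection argument."""
    cases = [  # constructed sample hosts; 203.0.113.10 is a documentation address
        ("Wi-Fi client -> data server (HTTPS)", "10.10.0.5", "10.30.0.10", 443),
        ("Wi-Fi client -> office PC (SMB)", "10.10.0.5", "10.20.0.7", 445),
        ("Wi-Fi client -> Internet (HTTPS)", "10.10.0.5", "203.0.113.10", 443),
        ("office PC -> data server (HTTPS)", "10.20.0.7", "10.30.0.10", 443),
        ("office PC -> data server (SSH)", "10.20.0.7", "10.30.0.10", 22),
    ]
    return [f"{label}: {'allowed' if path_allowed(s, d, p) else 'blocked'}"
            for label, s, d, p in cases]


if __name__ == "__main__":
    print("\n".join(segmentation_report()))
```

The design choice worth noting is the explicit DROP for the Wi-Fi segment at the head of the data firewall: it makes the policy robust against a later administrator adding a broad ACCEPT, which is exactly the kind of cheap-and-simple control the paragraph argues an organization will be expected to have in place.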
- Company provides Wi-Fi for visitors to its premises
Many companies make Wi-Fi available to people visiting their site. For some it's simply a courtesy; for others, such as hotels or restaurants, it's a device for attracting customers and encouraging them to stay a while and drink more coffee! From McDonalds to Starbucks and Travelodge to the Ritz, Wi-Fi is on offer. In most cases these offerings are completely open, with no WEP security enabled. Now this raises two questions. Firstly, should the company offering the service make the lack of security clear? After all, many users are totally ignorant about security. Do they have a duty of care anyway to take appropriate steps to protect their visitors' data? After all, when I'm on someone's premises they have a duty of care towards my personal safety. If you are going to offer the service we'd recommend turning WEP on.
But secondly, companies providing Wi-Fi access to visitors are actively encouraging people to access their corporate network, thus heightening the potential security risk. For not only will someone on site see your public Wi-Fi network, they'll see all your private ones too, exposing you to even greater risk.
- Laptop User accessing a Public Wi-Fi service
Most public Wi-Fi services do not offer any form of security; few use WEP. So anything you send or receive can, in theory, be received by anyone nearby. Furthermore, they will be able to access the same network and thus potentially access your PC. So, if your organization provides staff with Wi-Fi enabled laptops, some basic security may be in order. Firstly, ensure that a software firewall is installed and enabled. Secondly, set password-controlled access on all the hard drives and, thirdly, consider end-to-end data encryption, for example by using a Virtual Private Network (VPN), so that anything sent or received is protected. This will be especially important where the data is sensitive.
Should you use Wi-Fi at all?
The fundamental question remains whether you should be using Wi-Fi at all. This is going to depend on the sensitivity of your data and the likelihood of you or your organization being targeted. In most circumstances there are simple steps that can be taken to minimize the risks. And if you are offering Wi-Fi access as a service to visitors to your company then consider implementing Wi-Fi Protected Access (WPA). Finally, you may want to consider the advice from the Wireless Ethernet Compatibility Alliance (WECA), whose security recommendations include the following:
- use the largest WEP encryption key permitted, and change the key regularly;
- use session encryption keys, if available;
- change the SSID (wireless network name) from its manufacturer-supplied default, and disable broadcasting of the SSID;
- restrict access to specified MAC addresses (the unique identifiers assigned to each 802.11 device), by enabling MAC filtering; and
- set passwords for drives and folders on the connected devices.
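The checklist above (and the earlier advice to turn encryption on, preferably WPA) can be turned into an automated audit of an access point's configuration. The following is an added example, not from the original article or from WECA: it parses a hostapd-style `key=value` file (the key names `ssid`, `ignore_broadcast_ssid`, `macaddr_acl`, `wpa` and `wep_key0`..`wep_key3` are modelled on hostapd's and are an assumption for this illustration), and reports which recommendations are not met. The sample configurations and the list of factory-default SSIDs are constructed. It treats WPA as satisfying the "session encryption keys" item, since WPA derives a fresh key per session, whereas a WEP key is a single static shared secret.

```python
"""Audit an access-point configuration against the WECA-style checklist above.
Added example, not from the original article. Input is hostapd-style
key=value text; the key names are modelled on hostapd (an assumption for this
illustration) and the sample configurations are constructed."""
import re
from typing import Dict, List

# Constructed, illustrative list of factory-default network names.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "wireless", "wlan"}


def parse_config(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blank lines and # comments."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def wep_key_bits(value: str) -> int:
    """Size of a WEP key: a "quoted" ASCII key is 8 bits per character,
    a bare hex key is 4 bits per digit. 40-bit and 104-bit are the sizes
    the standard permits (104-bit is marketed as '128-bit')."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return (len(value) - 2) * 8
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return len(value) * 4
    return 0  # unrecognised format


def audit(cfg: Dict[str, str]) -> List[str]:
    """Return one finding per recommendation the configuration fails."""
    findings: List[str] = []
    wpa_on = cfg.get("wpa", "0") != "0"
    wep_keys = [v for k, v in cfg.items() if re.fullmatch(r"wep_key[0-3]", k)]

    if wpa_on:
        pass  # WPA negotiates per-session keys, so the session-key item is met
    elif wep_keys:
        findings.append("WEP only: single static shared key, no session keys; prefer WPA")
        bits = max(wep_key_bits(v) for v in wep_keys)
        if bits < 104:
            findings.append(f"WEP key is {bits}-bit; use the largest key permitted (104-bit)")
    else:
        findings.append("no encryption configured: traffic is readable by anyone in range")

    ssid = cfg.get("ssid", "")
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is missing or a factory default; change it")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast; disable SSID broadcasting")
    if cfg.get("macaddr_acl", "0") != "1":
        findings.append("MAC filtering not enforced (macaddr_acl should be 1, deny unless listed)")
    return findings


# Constructed sample: a typical out-of-the-box access point with a 40-bit WEP key.
WEAK_CONFIG = """
interface=wlan0
ssid=linksys
wep_default_key=0
wep_key0=4142434445
"""

# Constructed sample: the same access point after applying the checklist.
HARDENED_CONFIG = """
interface=wlan0
ssid=acme-finance-3f
ignore_broadcast_ssid=1
macaddr_acl=1
wpa=2
wpa_passphrase=PLACEHOLDER-CHANGE-ME
"""

# Constructed sample: a visitor hotspot with nothing enabled at all.
OPEN_CONFIG = """
interface=wlan0
ssid=guest
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("open", OPEN_CONFIG)):
        print(f"{name}: {audit(parse_config(text)) or ['no findings']}")
```

Run against the weak sample it reports five findings; the hardened sample reports none. Key rotation ("change the key regularly") is not visible in a static file, so it is the one item on the list this audit cannot check and must remain a procedural control.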
Organizations with highly sensitive data should consider further protections beyond the above: end-to-end encryption, authentication (by password or token), firewalls, etc.