Wireless security risks and defenses
In this interview, Kent Lawson, CEO of Private WiFi, talks about the key threats exposed by wireless access, offers protection advice and illustrates the trends that will shape wireless security in the future.
What are the key threats exposed by wireless access? What should users be worried about?
Millions are victims of identity theft every year. One culprit is free public WiFi, which was designed for convenience, not security, and makes users vulnerable to identity theft. In fact, it was after I read a series of articles in The Wall Street Journal, Forbes and The New York Times about the security vulnerabilities of WiFi hotspots that I was inspired to come out of retirement and work to resolve the problem.
WiFi signals are merely radio waves. If unencrypted, anyone within range can “listen in” on all of the data people send and receive. Antivirus or firewall software can’t stop this from happening. Public WiFi in places such as coffee shops, hotels, and airports, is frequently unencrypted and exposes on-the-go users’ sensitive information—regardless of whether they realize it or not.
No one should ever assume a WiFi hotspot is secure. Yet not everyone realizes this or is taking steps to protect their data. A recent Nielsen survey found that nearly 40% of people who have used public WiFi in the U.S. have accessed or transmitted sensitive information including bank account details, paying bills, and confidential emails. It also found that a large number of people won’t spend money on a security technology solution such as a VPN until after they’ve been hacked, which in my opinion is just too late.
I’ve seen reports that in 2013 there was an average of one identity fraud victim every two seconds. With numbers this high, it’s my belief that people have to take protecting themselves into their own hands.
What practical advice would you give to a CISO working in an organization with a mobile workforce?
A CISO is already going to know how to protect their mobile workforce, so large organizations smartly use VPNs. But even these companies struggle with the fact that employees often use their own personal devices to access corporate data. That’s because the work and personal boundaries have blurred in today’s connected mobile world, which increases the risk that people will get hacked when traveling.
There are a number of recent surveys that illustrate that enterprise employees access sensitive corporate data on their personal devices when using an unsecured public WiFi network, often while commuting via train, bus, or subway. However unintentionally, the workforce is undoubtedly placing corporate data at risk, so stringent BYOD and security policies are in order.
SMBs that don’t have a CISO may be even more at risk, given that they don’t typically have dedicated IT resources. Plus, telecommuting arrangements for SMBs often mean workers are more mobile—and more likely to access free public WiFi as they work in coffee shops or co-working spaces and when they travel to and from meetings.
For this reason, business owners should ensure their workers use a personal VPN, which is a proven technology that consumers and major organizations, such as banks and government agencies, trust. It is easy to install and extremely cost effective to protect users from hackers.
Do you think it is time to think of an alternative to WPA encryption?
Yes, it’s long past time. Unfortunately, many people and businesses are still using WPA and sometimes even WEP encryption. With WPA, you’re vulnerable to sharing your network with strangers, using common passwords that are easy to hack, or switching your WiFi to public.
The alternative is to use the stronger WPA2 that features the latest security—U.S. government approved data encryption. If people use long, robust passphrases (PSK), they are partaking in a trusted solution for home wireless networks that should protect them.
However, no matter what type of WiFi encryption people use, unsecured connections can still pose threats. For instance, there are frequent reports in the media about home and business WiFi users who’ve been hacked, because they don’t properly configure their networks, leave their networks wide open to share with others, have faulty routers, or engaged in risky online behavior.
Individual WiFi users must take control of their security. The best way to do so is with technology such as a VPN, which sends users’ data through a secure tunnel, rendering it invisible to hackers.
What fundamental trends will shape wireless security in the near future?
WiFi hotspots are driving the mobile Internet explosion and are almost impossible to ignore. Even those users who are not on public WiFi much today will probably utilize it in the near future. This is because as people travel, they’ll want to stay connected and avoid hefty roaming charges, and public WiFi offers them a convenient way to do so. Plus, many municipals are making notable efforts to expand public WiFi in metropolitan areas such as New York and San Francisco. This trend is expected to continue in smaller cities and towns, too. But it doesn’t mean that municipals are offering secure connections.
For this reason, I hope that, along with the proliferation of pubic WiFi, we can inform people about their responsibility to protect their identity and data online. The FBI, Federal Trade Commission, Department of Justice, and Department of Homeland Security all recommend that consumers use VPNs for securing mobile devices on WiFi hotspots. And I agree.
As people and business owners adopt this mindset, I believe that consumers will demand more from businesses that offer free WiFi as an incentive to use their services—and for good reason. For instance, Amtrak currently only supports VPNs on board select trains like the Acela Express. Preventing consumers from protecting themselves is unconscionable and consumers should demand better.
In many ways, the Internet has brought the rise of the informed, empowered consumer. But there’s still a lot of work to be done when it comes to wireless security.