Wireless security risks and defenses
by Mirko Zorz - Tuesday, 1 July 2014.
In this interview, Kent Lawson, CEO of Private WiFi, talks about the key threats exposed by wireless access, offers protection advice and illustrates the trends that will shape wireless security in the future.

What are the key threats exposed by wireless access? What should users be worried about?

Millions are victims of identity theft every year. One culprit is free public WiFi, which was designed for convenience, not security, and makes users vulnerable to identity theft. In fact, it was after I read a series of articles in The Wall Street Journal, Forbes and The New York Times about the security vulnerabilities of WiFi hotspots that I was inspired to come out of retirement and work to resolve the problem.

WiFi signals are merely radio waves. If unencrypted, anyone within range can “listen in” on all of the data people send and receive. Antivirus or firewall software can’t stop this from happening. Public WiFi in places such as coffee shops, hotels, and airports is frequently unencrypted and exposes on-the-go users’ sensitive information—regardless of whether they realize it or not.

No one should ever assume a WiFi hotspot is secure. Yet not everyone realizes this or is taking steps to protect their data. A recent Nielsen survey found that nearly 40% of people who have used public WiFi in the U.S. have accessed or transmitted sensitive information including bank account details, paying bills, and confidential emails. It also found that a large number of people won't spend money on a security technology solution such as a VPN until after they’ve been hacked, which in my opinion is just too late.

I’ve seen reports that in 2013 there was an average of one identity fraud victim every two seconds. With numbers this high, it’s my belief that people have to take protecting themselves into their own hands.

What practical advice would you give to a CISO working in an organization with a mobile workforce?

A CISO is already going to know how to protect their mobile workforce, so large organizations smartly use VPNs. But even these companies struggle with the fact that employees often use their own personal devices to access corporate data. That’s because the work and personal boundaries have blurred in today’s connected mobile world, which increases the risk that people will get hacked when traveling.

There are a number of recent surveys that illustrate that enterprise employees access sensitive corporate data on their personal devices when using an unsecured public WiFi network, often while commuting via train, bus, or subway. However unintentionally, the workforce is undoubtedly placing corporate data at risk, so stringent BYOD and security policies are in order.

SMBs that don’t have a CISO may be even more at risk, given that they don’t typically have dedicated IT resources. Plus, telecommuting arrangements for SMBs often mean workers are more mobile—and more likely to access free public WiFi as they work in coffee shops or co-working spaces and when they travel to and from meetings.

For this reason, business owners should ensure their workers use a personal VPN, which is a proven technology that consumers and major organizations, such as banks and government agencies, trust. It is easy to install and extremely cost effective to protect users from hackers.

Do you think it is time to think of an alternative to WPA encryption?

Yes, it's long past time. Unfortunately, many people and businesses are still using WPA and sometimes even WEP encryption. With WPA, you’re vulnerable to sharing your network with strangers, using common passwords that are easy to hack, or switching your WiFi to public.

