Some businesses do a good job of securing their data network (local area network or LAN) but forget to secure their wireless network. Despite all the pains they took to secure their LANs, their network is as vulnerable to entry as a locked car with the windows rolled down. Wi-Fi network security is a common blind spot, especially for small businesses. Here we look at some basic steps companies can take to lock down their Wi-Fi networks.
- Physical security: It is very easy to disrupt a wireless network simply by shifting the direction of the antennas on a wireless access point (WAP), or otherwise interfering with the radio frequency signals. This type of disruption is impossible to identify remotely and can even be difficult to detect with a visual inspection. Keep the wireless access points out of reach and appropriately hidden or in a locked enclosure. Also, if your company has Ethernet ports embedded into the walls, make sure they are inaccessible to visitors or unauthorized persons, or are disconnected from the enterprise network.
- WPA2 encryption: WPA2 encryption is the latest generation of Wi-Fi encryption and also the most secure today. Devices with a “Wi-Fi” logo manufactured after 2006 must support this encryption. If there are any older, incompatible devices on the network, connect them directly to the LAN via an Ethernet port. WEP and WSA may also be offered as security options by your WAP, but these are notoriously vulnerable to intrusion, so steer clear of them.
- Secure passwords: As simple as this is, many companies are still using easily guessed passwords for their routers and access points. Secure password guidelines are just an Internet search away. In any case, use long passphrases with mixed-case letters and numbers, and don’t use any words that are included in a dictionary from any language. Remember, too, that the entire network can be accessed from any connected device, so be sure to train employees on how to create safe passwords for their own endpoints.
- Guest Wi-Fi network: Only allow authorized users to connect to your enterprise network. Set up a separate network for visitors and guests. Some enterprise WAPs allow you to offer two separate network names (SSIDs) on the same Internet connection. Otherwise, you will need to add an additional router or access point. For more solid security, you could enable separate encryption for the guest network.
- VPN: When remote or traveling users access your network, a VPN (virtual private network) will make sure your LAN is not exposed to the Internet, keeping employees’ online activity behind your firewall. It will also keep outsiders from spying on your employees’ Internet browsing activity. Without going through a VPN, company information and files on employees’ computers or smart phones can easily be accessed if they connect to an unsecured Wi-Fi network. Malware installed on these devices could then infect the enterprise network once they are reconnected to the LAN.
If users do find themselves in need of connecting devices to an unsecured (open or unencrypted) network because no secure networks are available in their current location, here are some basic precautions they can take to help mitigate the risk of a data breach:
- Avoid performing sensitive tasks, especially ones that require inputting a company password, while connected to the unsecured network
- Use strong passwords
- Make sure the connected device is equipped with antivirus software
- Only enter passwords or personal information on websites that provide an encrypted connection (i.e., those whose URL starts with https://)
- Keep devices updated and only update them using a secure Internet connection
- “Forget” the network in the device Wi-Fi settings once disconnected
While no network is 100% safe, taking some basic precautions and putting appropriate policies in place to secure your company’s wireless network can mitigate the most prevalent risks and go a long way towards protecting your valuable data.
You may also like: