Popularity of public Wi-Fi complicates mobile security
- 11 June, 2014 10:26
Research released earlier this year by analyst firm Telsyte revealed that despite the growth of smartphones and tablets in Australia, the mobile data market had seemingly plateaued.
The research revealed that more Australians were choosing either to tether their devices or opting for public Wi-Fi as an inexpensive alternative to 3G or 4G connectivity.
Telsyte's analysis seems implicitly confirmed by Australia's largest telco, Telstra, which last month revealed that it would construct a national wireless network comprised of some 2 million Wi-Fi hotspots. Telstra customers who agree to their home routers being part of the project will be able to access the network, while others will be able to access it for a fee.
However, although Wi-Fi hotspots can provide an inexpensive and sometimes free connection, their popularity as an alternative to cellular data connections can complicate even further the mobile security landscape for enterprise IT.
Some networks are more secure than others and if employees’ devices are not adequately secured, businesses could risk leaking sensitive data, according to security experts.
While enterprises have largely focussed mobile security worries on employees physically losing their device or installing malicious apps, “there have always been wireless risks” that could lead to data leakage, Gartner analyst Dionisio Zumerle told Computerworld Australia
“Wi-Fi is probably easier to hack and has more risks than a mobile network,” Zumerle says. “It’s easier to set up a rogue access point than set up a false [mobile] base station.”
With Wi-Fi, “the security you get really depends on the network, and you never know what you will find,” he says. “You can find a very well secured network or a very poorly secured network.”
Inadequate security and lack of encryption on some public Wi-Fi networks can put corporate data at risk, warns Zumerle, because corporate apps will exchange potentially sensitive data no matter the level of network security.
Ovum analyst Rik Turner agreed there are risks for a business when an employee connects to a public Wi-Fi network.
“The device itself may be compromised, or it may be a conduit through which the corporate network itself is penetrated,” he says.
“One situation of particular concern is the scenario in which, say, a laptop has its Wi-Fi connectivity left on, even though it is connected to the corporate network via a wired connection. In that scenario it can be used as a bridge to get on the network from outside.”
Preventing data loss
Businesses that take the right steps to lock down mobile devices can reduce the risk of data leaks when an employee connects to a public Wi-Fi hotspot, says Malcolm Crompton, managing director of Information Integrity Solutions.
“It’s a problem, but it’s a solvable problem,” he says. “It’s a combination of settings, the right applications and of course the right training.”
Turner says that there are many tools to protect organisations.
“There are technologies available for isolating business and personal usage profiles on the same device, so if the employee is using their phone or tablet for non-work stuff, that profile can be invoked instead of the business one.”
When connecting to a hotspot, users should be able to designate the network as public to activate added security measures, Turner says. The business should enforce that this happens every time the user tries to connect to a network, he says.
Turner also recommends that organisations monitor device activity to detect any inappropriate behaviour, such as requests for data from an unusual database.
Using a VPN to connect with the enterprise can be an effective way of preventing data loss on a public Wi-Fi network, advises Zumerle. A VPN can be set up with certificate pinning to prevent man-in-the-middle attacks, he says.
The Gartner analyst notes that having a VPN always active on a mobile device can result in a a hit on battery life. To counter this, many mobile device management (MDM) services include an on-demand VPN service where the VPN only activates when needed, he says.
The enterprise can also limit what data can be accessed via a mobile device — for example, providing email access but not the corporate intranet, he says.
Besides technical solutions, education can go a long way to preventing data leaks, according to the security experts.
Teaching employees to verify the security of a public hotspot before they connect can help to minimise risk, says Zumerle.
“Of course when people are on the move and they’re in a hurry, they don’t really look at those things,” he adds.
Checking the supplier of a hotspot can be a quick way to assess security, he says. A telecom operator-provided network, for example, is likely to be secure.
Of course, the easiest way to keep employees off public Wi-Fi networks may be to provide an alternative in the form of mobile broadband connectivity, he says.
“If you can bear the cost — if you don’t have huge roaming charges — [3G or 4G] is usually a better choice.”
What about BYOD?
It might seem a reasonable assumption that the public Wi-Fi security problem is complicated further by the trend toward bring-your-own-device (BYOD) schemes, in which employees are allowed their personal smartphone or tablet in the workplace.
“There’s some great advantages in BYOD,” including reduced device and management costs, says Crompton. “On the other hand it does introduce new vulnerabilities, and you have to plan very carefully for managing those vulnerabilities.”
Allowing BYOD requires the enterprise to have a higher risk appetite, says Zumerle. “Inevitably you have less control of things on the device.”
However, Turner says that companies with BYOD polices should be no more at risk than companies with corporate-owned devices, so long as the company does its research and manages the devices properly.