In this week’s post, we’ll pick back up in our Small Business Cyber Security series. This week’s topic is Wireless Networks and Security.
I realized in preparing for today’s topic that I really do take wireless for granted. I’ve come to expect everywhere I go to have it and give it to me for free. So much so that when recently traveling for business, I found myself at a national hotel chain that expected me to PAY for wireless. My reaction to this news wasn’t digested easily. Long story short, after calling to complain to the front desk, then almost hitting send on a negative online review, I realized that this is where the world has gone. Incidentally, after I calmed down, I checked available wireless networks and found that 5 of the surrounding businesses had free Wi-Fi available to me, all of which gave me a great signal. My post today is about what happened next.
In my business I test security, not only for pay, but for fun. I mentioned finding 5 local businesses with free Wi-Fi. Well, I connected to all of them, then proceeded to test each one to see what they let me get away with and, more importantly, what they mistakenly allowed me to access. This hotel was nestled in the center of a new development with a few other hotels, national restaurant chains and a few businesses.
3 of the 5 networks that were open were the businesses. While they were secure (at least secured from the corporate network), they were completely open to anyone within connection range.
- I found an internet pipe that had no limitations on bandwidth,
- I found no web filtering,
- I found no real security other than the segregation from their LAN.
The last one, which I stuck with – I found I was able to access a few different resources that I assume they didn’t intend me to be able to. I could print to a copier, project to a conference room projector and, if I wanted to, download nearly anything I could ever imagine. I was minutes away from printing them a message thanking them for the unlimited, unfiltered bandwidth (and telling them to give me a call if they wanted help) before I decided against it.
So, what I want to do today is help you, my readers, understand what you need to do to protect not only your internal wireless, but wireless you may provide to guests.
Let’s start with your “Internal” or private wireless.
All networks must be secure, even guest networks
Most businesses spend all their time and resources securing their internal network, but I still see businesses with open “Guest” networks. I understand the thought process, and I don’t completely disagree, but every business-class wireless system on the market has a way of protecting your guest network. On the other hand, I see businesses that overprotect their guest networks, then print the code out for guests. I don’t care what you do, but make sure that each network that you support (much less pay for) is secure. If a guest doesn’t like that, they probably are the kind you want tagging on anyway.
Never have your internal wireless networks on the same subnet as your guest. In layman’s terms – the two should never be allowed to talk to each other. The simplest reason is that guest devices don’t have the same protection and policies applied as your corporate assets. Allowing traffic between the two is the same as only having one network anyway, so just don’t do it! Personally, I recommend not having a guest network at all, but again, I understand the need, so just make sure you do it smartly.
Have as many wireless networks as you can or want. No one says you should only have one internal and one guest. I’ve seen companies who have 2 networks and some with 10. It depends on your business need but think of separate wireless networks as locked doors.
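To make the separation point concrete, here is an added example (not part of the original post) that checks an ordered, first-match rule list for guest-to-internal reachability; the addresses, asset names and rule format are constructed for illustration. The weak set mirrors a guest network that is walled off from the server LAN yet can still reach a copier and projector on another internal subnet.

```python
import ipaddress

# Constructed sample data: addresses, asset names and the (src, dst, action)
# rule format are assumptions for illustration, not any vendor's syntax.
GUEST = "192.168.50.0/24"
ASSETS = {"file-server": "10.10.10.5", "copier": "10.10.20.15",
          "projector": "10.10.20.40"}

# "Segregated from the LAN", but the catch-all allow still matches 10.10.20.0/24.
WEAK = [
    (GUEST, "10.10.10.0/24", "deny"),
    (GUEST, "0.0.0.0/0", "allow"),
]

# Deny every private (RFC 1918) destination before allowing the internet.
HARDENED = [
    (GUEST, "10.0.0.0/8", "deny"),
    (GUEST, "172.16.0.0/12", "deny"),
    (GUEST, "192.168.0.0/16", "deny"),
    (GUEST, "0.0.0.0/0", "allow"),
]

def compile_rules(rules):
    """Parse CIDR strings once so matching is a cheap membership test."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), a)
            for s, d, a in rules]

def first_match(compiled, src, dst, default="deny"):
    """Return the action of the first rule matching src -> dst."""
    for src_net, dst_net, action in compiled:
        if src in src_net and dst in dst_net:
            return action
    return default

def guest_exposure(rules, guest_cidr, assets):
    """Map each reachable asset to how many guest addresses may reach it."""
    compiled = compile_rules(rules)
    exposed = {}
    for name, addr in assets.items():
        dst = ipaddress.ip_address(addr)
        hits = sum(first_match(compiled, host, dst) == "allow"
                   for host in ipaddress.ip_network(guest_cidr).hosts())
        if hits:
            exposed[name] = hits
    return exposed

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, guest_exposure(rules, GUEST, ASSETS) or "nothing reachable")
```

Because rules are evaluated in order, the private-range denies only work when they sit above the catch-all allow.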
Protect your pipe
There are different schools of thought on the exact percentages of bandwidth to dedicate to different networks but what’s important is your guests should never have full access to all available bandwidth.
I had a car dealership a few years ago that made this mistake. They had a guest network for customers who were waiting on repairs – which was fantastic, but they failed to throttle their bandwidth. They called us to find out why their systems suddenly had slowed to a crawl for the last week since they needed better performance until their upgraded 1GB internet was installed. We found out quickly where the issue was, since they had numerous patrons using the guest network streaming music, movies and videos. Yeah, that’s fine, let them do it, but do you really want your business to stop so your customer can watch a favorite team play on his iPad?
Content and Web Filtering for all
First off, you’d better have Advanced Security on your firewall today – that’s another topic for another day, but it is your duty to make sure your connection is protected from inappropriate, unethical or illegal content. The policy on the guest network should be much more stringent than that on the internal. I’m seeing more companies trending toward creating a list of sites guests can access rather than blocking content, which is even better, but just remember: it’s your connection, guest or not, and you are responsible for what happens with it and the devices that connect to the internet through it.
This topic is usually where I take heat with the businesses I work with. My belief is your corporate systems are for the company only. Employees have cell phones, tablets, smart devices, etc. that they “want” to connect to the internet. Usually the argument is, well, he/she wants to save their data plan. I completely understand that request, but they want to save their data but use yours? Your data is at least 5x more expensive than their cell plan. Do you want to save data? On the flip side, businesses who provide mobile devices to their employees want to protect all their data plans, so sure, let those on the wireless, but separate them. Make sure that you aren’t giving your employees a device with unlimited access to anything at any time, just so they can listen to Spotify while they work.
Pick the right equipment
I briefly mentioned this above, but do NOT buy off the shelf for wireless security and connectivity. Yes, there are acceptable devices out there, but VERY few of those are as concerned about security as they should be. For a little more money (usually due to warranty) you can get an enterprise-level wireless infrastructure, scaled to your business’s needs, that will ensure you are secure, yet accessible. Do me a favor, don’t google “Best Wireless for Business” or anything close to that – you’ll get a laundry list of big-box options for security. They will work, sure – they’ll provide you with a way for your devices to connect to your network and internet, but if you make that decision, make sure you have our number in your cell phone. When you have a breach, give us a call, because you will.
Do NOT use your internet provider’s wireless systems.
I know, why pay for it when you get it for free. Say what you want about Spectrum, AT&T, etc., but their business is not security, it’s connection. They give you the pipe; you have to dictate what gets access to that. Do you really want a contractor whose job it is to run a cable being the same person who makes sure your assets (physical and data) are protected? Please don’t answer yes – if you do, call me and I’ll tell you countless real-life stories of why that’s a bad idea.
To summarize, take a little time to plan your wireless infrastructure and you won’t have to worry about it as a vulnerability to your Cyber health. Better yet, give us a call or email and we’ll help you do so as part of our Cyber Roadmap.