"Wireless nearly destroyed my business!" Now that's a difficult thing to hear from a potential or existing customer. The rush to implement wireless solutions for customers has been lucrative and rewarding for vendors, and equally practical and beneficial for organisations. But, like any great technology, the business case and suitability of wireless implementation are sometimes overlooked.
The current state of wireless adoption among small and medium-sized businesses (SMBs) is nothing short of astonishing. Nearly all (96 per cent) of the 2,500 small businesses surveyed in an AT&T poll said they use wireless technologies in their operations, with almost two-thirds (63 per cent) saying that they could not survive – or it would be a major challenge to survive – without wireless technologies. By the end of the year, about 50 per cent of small businesses reported that they expected to have all their employees using wireless technologies to work away from the office.
However, there is a downside. The rapid adoption rate of wireless networks has introduced a new attack vector, which could be used to do significant financial damage to an organisation. Along with the rise and rise of mobile devices, such as smartphones, tablets and phablets, there are now even more devices that can access the wireless network in the workplace that the IT admin has to worry about.
The fact is that wireless devices are as common in the workplace as the desk phone, or the printer – both of which are more than likely wireless these days. Wireless connectivity has become a part of the day-to-day life of any business. It has also become an employee expectation, as they increasingly look to remain connected while roaming around the office.
With traditional wired networks, network security was enhanced by the requirement of a physical connection to the network, but as the price of structured cable increased, businesses have been reluctant to make the necessary investment. A wireless access point for £30 seems like a bargain; however, the unintended consequences are that the network has now been wirelessly extended, perhaps beyond the physical walls of the business.
What are the risks of wireless?
From the security perspective, a device that broadcasts potentially sensitive information to persons unknown is disconcerting: potentially the electronic equivalent of putting a network jack in the car park.
We can think of wireless security much as we think about burglary. Just as we wouldn't let people we don't know walk through our house, businesses don't want uninvited visitors to use their wireless network. It could, after all, be used for malicious activities such as data breaches, or spreading malware through a corporate network.
The cold, hard fact is that the modern cybercriminal doesn't care about the size of the organisation. As long as there are vulnerabilities that can be exploited, they will be exploited, whether the organisation has five employees or five thousand.
Data breaches and nefarious activity from malware continue to be of concern to business, but wireless eavesdropping, or wireless device malware can also lead to severe consequences and may be less obvious. There is a credible threat from the introduction of rogue wireless into a business's network; many of these intrusions come from personal devices running on the businesses wireless network.
Malware on these unsecured, unmanaged platforms can lead to the disclosure of personal or business information to unauthorised parties in such a way as to embarrass the company, harm its reputation and even bring about legal action due to unauthorised disclosure of personal details. Lax wireless security could also facilitate the infiltration of the customer's infrastructure by Trojan software or malware.
A breach of network security could even allow criminals using "ransomware" to encrypt data needed to conduct business operations, and effectively hold business data hostage until a ransom is paid.
Furthermore, and probably a silent threat that often goes ignored, is the risk posed by disgruntled employees or former employees who have a grudge against the company – and will not think twice about using their access credentials to steal data or cause damage to the company.
The vulnerability of a business to this sort of wireless attack varies greatly. Early adopters of wireless technology may have devices which only support the first wireless security standard called Wired Equivalent Privacy (WEP). WEP's intention was to prevent unauthorised users from reading wireless data packets between the client and the Access Point by encrypting the traffic.
Unfortunately, WEP keys are commonly shared among all wireless users accessing the network. Thus, an eavesdropper equipped with AirSnort or WEPCrack can quickly gain access to the wireless network. New standards such as Wi-Fi Protected Access (WPA) and WPA2 make it more of a challenge to electronically eavesdrop on wireless conversations.
According to analyst firm Forrester Research, 86 per cent of employee use of wireless is for email access. Depending on the configuration found in the particular SMB, most if not all email communications is in clear text. So, an SMB employee using wireless with WEP is effectively enabling the ability of a third party to intercept all email communications of that business.
Email communication is the lifeblood of most business, but this allows easy access to email-attached documents and user credentials, which have now been broadcasted beyond the walls of the business. Digital mayhem is taking place in the wireless realm, and it's not just about eavesdropping or stealing corporate secrets.
Due to poorly implemented wireless, there may be systems which the business would like to think are isolated, but are now accessible to an unknown party. Security systems with wireless IP-enabled cameras recently led to a $33 million (£20 million) loss at Australia's Crown Casino as hackers hijacked the wireless IP cameras to examine the cards held by the dealers.
Consider for a moment how devastating the loss of control over building management systems, which control the Heating, Ventilation and Air Conditioning (HVAC), could be for a business. In summer, or a locale where temperatures approach 110 degrees and the air conditioning in a server room is remotely turned off, or a severe thunderstorm is forecasted, and the sump drainage pumps are turned off. These possibilities don't even involve confidential client info, and yet the cost would be massive.
Lastly, the convenience of wireless handheld debit and credit card terminals, which broadcast financial transactions wirelessly, was responsible for the TJX data breach which resulted in millions of pounds in economic loss, not to mention the loss of customer faith and trust.
As better wireless security enters the consumer market, many businesses are gaining confidence in their wireless infrastructure. This confidence is reasonable; WPA2 remains a secure security protocol; however, the wireless attackers are increasing the sophistication of their assaults.
Using specific tools, attackers can unleash a Denial of Service attack (DoS) on a company's legitimate wireless access point, and then force users to attach to a fake wireless access point under the attackers' control. In more brazen attacks, attackers may smuggle a rogue wireless device into a business and attach it to the network, essentially creating a wireless backdoor into the victim's system.
Unintended consequences of BYOD policies
Looking at the devices which inevitably get connected to business wireless access, several opportunities and challenges emerge. Most wireless implementations place business controlled assets side-by-side with an employee owned or bring your own device (BYOD). There are a number of compelling business reasons to consider integration of business controlled assets and BYOD hardware:
- Businesses perceive lower hardware costs for companies that don't have to invest in duplicate functionality.
- Business has observed improved productivity since employees are more comfortable with devices, and the devices work the way employees would like them too.
- Human Resource staff have noted 44 per cent of job hunters find an offer more attractive if the employer supports iPads.
- Legal and other risks of BYOD can be reduced if both employer and employee clearly understand those risks, roles and responsibilities in managing them.
Still, several challenges of wireless and BYOD integration remain. Everything an employee does on their personal devices could be used as evidence in a lawsuit against their employer. Employees should be aware how invasive a device review by an employer or another party in a lawsuit can be. By allowing multiple devices per person it may add a multiplier to legal costs during litigation. All devices may have to be turned over for discovery.
Employees who sell or recycle a BYOD also pose a risk to the business, as does a stolen or lost device. These issues are solvable with administrative controls such as policies and technological controls such as remote wipe and mandatory password security on devices. However, the issue of malware on employee-owned devices, used to access the corporate infrastructure remains a challenge for IT service providers. The key threat mitigations of operating systems updates, application updates, limiting administrative access and authorising, or "white-listing" applications on personal devices remain out-of-scope for IT service providers in the SMB market.
Complicating the risk to business are easily-installed cloud-based file sharing applications such as Dropbox, which allow the movement of large data files in and out of the business and across platforms with ease. This can lead to questions of confidentiality and if the credentials of this service are breached, unauthorised data disclosure.
According to a recent study, carried out by GFI Software, 100 per cent of 1,000 commuting employees surveyed in the UK use their personal devices to connect to open public Wi-Fi networks to access corporate assets, such as email. The trend highlights that wireless networks and personal devices provide further IT management concerns.
Similarly, if an employee connects his or her laptop to an unprotected wireless network, it is entirely possible that the network can be used to distribute malicious content to the device, without the knowledge of the end user.
Strain on supporting infrastructure
Another unintended consequence of the introduction of wireless to the SMB environment has been the increased demands on the supporting infrastructure. As employees enter the business, they now bring multiple devices which all may require wireless access.
Depending on the business policies, it's conceivable that two or more IP addresses from the DHCP scope will be allocated to each employee; this is a 50 per cent increase in demand. One meeting with trusted business partners all clamoring for wireless access, in many cases to avoid roaming data charges from mobile phone network providers, can quickly exhaust a 50 IP DHCP scope allocation.
DNS is another area where a SMB can suffer a performance decrease. As more of these devices move network traffic across the network and through the gateway router, DNS requests and Internet bandwidth can be consumed at an alarming rate by employee and guest wireless devices. Infrastructure which may have been adequate to support the business is now pushed to the limit by multiple wireless devices.
Wireless manufacturers suggest that the N standard of 75 MB/s bandwidth is adequate for most business needs. However, this speed in practical terms is divided among all the devices on the wireless node resulting in performance in some cases of below 10 MB/s. A single wireless device that is working at the B standard of 1.375 MB/s will force the wireless N access point to work at the B standard. This situation dramatically reduces the available wireless bandwidth. When such division of wireless resources occurs, complete bandwidth collapse can be achieved by a particular wireless B device printing large Adobe InDesign, Auto-CAD, or high-resolution PDFs.
When a deadline looms the last thing businesses need are self-inflicted networking constraints as a result of a poor wireless implementation. Further complicating the situation are the density and channel availability in modern office buildings, dozens of wireless networks and broadcasting on the same default channels further overload the local wireless spectrum. In practical terms, it would be the equivalent of having multiple radios at the same volume, tuned to a dozen different radio stations broadcasting at the same time.
Adding to this virtual cacophony are alarm sensors, personal hotspot devices, cordless phones and any other device that broadcasts a wireless signal. As disruptive as this environment can be to wireless stability, now imagine a child using a wireless remote control helicopter, purchased in another country, in a nearby field which accidentally adjusts the temperature of the office due to wireless spectrum overlaps. It can be absolute bedlam.
Value Added Resellers (VAR) or Managed Service Providers (MSP) working with SMBs need to take a good look at the wireless implementations they have executed for SMB customers. Deficiencies in technology, IT architecture, poor device management and a laissez-faire attitude towards wireless security in general, have created the perfect storm for wide scale, wireless mayhem.
From mayhem, opportunity may emerge
GFI Software is moving into the wireless and mobile device management sectors, and it sees a fast-growing need among small and medium businesses for top quality management tools that not only provide enhanced security but provide management with insight into what happens with the company's wireless infrastructure when users connect their devices, for how long and each one's impact on bandwidth availability.
GFI views the management of wireless and access points in an organisation as something they need to consider with urgency. Who, when and for how long users or devices have been connected to a wireless network is critical information that an IT admin can analyse to identify breaches of protocol and to monitor who or which device is eating up precious bandwidth.
Having a clear, single pane view of all users and devices using your wireless network is a must in today's wireless environment, and the jungle of multiple devices in use by employees – there will be an average of five devices or connections for every internet user by 2017, according to Cisco.
When it comes to wireless infrastructure, not every problem has a technological solution. Mobile device management of BYOD is an area that companies, down to your VAR/MSP, need to look at from both a business security perspective and a productivity perspective.
There is an opportunity to be made in managing devices and upgrading infrastructure to support mobile devices now and in the future.
Businesses have evolved to the point where the laptop is not the only device that connects to an organisations' network wirelessly anymore. With the BYOD trend, the number of devices connecting wirelessly to any business has grown exponentially, meaning that the IT admins and IT managers have a critical job in their hands of managing what devices now have access to wireless networks and valuable corporate assets.
Aside from the security implications posed by the BYOD trend, wireless networks are here to stay, whether businesses like it or not. Successful wireless deployments are designed with clear business goals in mind and take into account what needs might be needed six to 12 months down the line. As with any IT deployment, management is key, both pre and post deployment.
A wireless network will mean that employees can connect their own devices into the corporate resources, which can in turn mean that businesses can see some minor productivity drops. Therefore it's important that businesses have all their bases covered from management of the IT assets, to web monitoring, to mobile device management.
The next challenge for IT organisations is to find out the resources for the management of these new environments and whether these environments need to be managed internally by deploying state of the art technology solutions, or if an organisation should take up an MSP who is capable of supporting the organisation.
Wireless networks and BYOD are valuable IT assets to any business as long as IT departments are well-equipped to manage both environments that they remain secure and beneficial to the business and deliver the overriding business objectives.
Sergio Galindo is head of global product management, GFI Software.
Image: Flickr (Sean MacEntee; Idaho National Laboratory; Victor1558)