In 2017, Symantec – a global leader in next-generation cyber security – published a comprehensive report on the use, safety and risks of wireless networks (Norton WiFi Risk Report 2017). The report spanned 15 global markets and more than 15,000 mobile device users were interviewed.
Despite cyber security often being a ‘top priority’, the report revealed and confirmed an underlying suspicion: most don’t understand cyber security or WiFi security risks.
According to the Symantec report, 60% of those interviewed felt their personal information was safe when using public WiFi, yet 53% couldn’t tell the difference between a secured or unsecured public WiFi network.
In addition, 87% admitted to taking risks on unsecured public WiFi and used it to access personal email, bank accounts or financial information. Of those that took risks, more than a quarter (26%) logged into their work email account.
Addressing the massive disconnect with regards to WiFi security
Clearly there’s a massive disconnect between business cyber security ‘priorities’ and the out-of-office reality. Not only is a large proportion of WiFi users completely unaware of the differences between secured and unsecured networks, they are also so dependent on Internet connectivity that they are willing to take dangerous risks!
And Symantec’s research is further validated by our own. We carried out an independent market research report – in which we reviewed 500 senior IT decision makers in UK SMBs – and found that many of those decision makers felt that employees just didn’t care about cyber security.
For many of these employees, cyber security is an IT concern. It’s not that these employees don’t care, it’s more that they are unaware of the risks.
These employees wrongly assume that any network they connect to is safe and as they don’t know the differences between unsecured vs secured WiFi networks, they compromise their own security.
Why is this information important to businesses?
It’s important because it sets a precedent. Any business employee could access public WiFi in the exact same manner as those in Symantec’s WiFi Risk Report, and the chances of it occurring are, quite frankly, very high. In truth, a business’ employees are their biggest cyber security threat.
If an employee is willing to take risks on unsecured WiFi with their own personal data (which they will no doubt value more than the business’) what’s to say they won’t do the same with business data? Both reports provide businesses with much-needed context into the current state of cyber security and employee understanding of it.
So what can businesses do to ensure employees can identify secured and unsecured WiFi networks, keep personal and business data safe, and practice good WiFi security?
Educate employees on secured and unsecured WiFi networks
The first step for businesses is to ensure employees know the difference between a secured and unsecured public WiFi network. For businesses that allow employees to work remotely, this kind of education is nothing short of essential.
Below are a few tips for businesses to share with employees to ensure they only ever use secure networks.
Unsecured WiFi networks have no security encryption key (more on that below) to prevent people from accessing them. Anyone can automatically connect to these networks and begin browsing the Internet.
Because of the ease of access, people using these networks don’t even bother to consider whether they are secure. Another thing to keep in mind is that even if the network has a terms and conditions page or requires the user to divulge their email – it doesn’t mean the network is secure.
The security of the network can only be defined by whether it has a security encryption key.
Secured WiFi networks are usually locked with a security encryption key in the form of one of the following: WiFi Protected Access (WPA), WiFi Protected Access II (WPA2) or Wired Equivalent Privacy (WEP). To put it in simpler terms, secure networks require a password (known as an encryption key) and can only be used once that password has been entered correctly.
After keying in the password, authentic networks will present the user with a terms and conditions screen and/or ask them to sign up with their email address.
Most mobile phones have a setting enabled by default that allows them to connect to WiFi networks when they are open, available and in the vicinity – turn it off.
The handshake between the device and the WiFi network can happen instantaneously and often without the device owner even knowing. They could be walking around with their phone in their pocket, for example, and suddenly a cyber criminal can access their device.
It’s an extreme scenario but entirely possible. Businesses should encourage employees that use mobiles to access business email, services and applications to turn off automatic network discovery.
In addition to this, businesses should encourage employees to do everything they can to find out if a network is genuine. This might mean asking a staff member – if working from a train station, café, airport or similar – about the network.
Things employees should be aware of while using public WiFi to ensure security
Honeypot attacks: Cyber criminals will sometimes duplicate legitimate WiFi networks by creating another network with the same Service Set Identifier – i.e. the name of the legitimate network – but with ‘free’ or something similar on the end.
Cyber criminals will then use this network as a trap for unsuspecting users. The moment they connect to the fake network for Internet access, the cyber criminal can see, intercept and modify incoming and outgoing traffic, access the user’s device and even inject malware or other malicious code.
HTTPS: While browsing on public WiFi networks, treat all links with suspicion. If a browsing session isn’t secure – i.e. using HTTP rather than HTTPS – there’s a chance that communication between the device and target server (website or otherwise) is being monitored and altered. Using or clicking on links to websites without HTTPS means the traffic is sent unencrypted, which allows third parties (i.e. other users on the network) to view information being sent to and from the device.
HTTPS adds a layer of security in that it encrypts communications between the device and the target destination/server. If information is intercepted, it cannot be read.
Of course, even with a secure network – if it’s public and the password is available, there’s nothing stopping a cyber criminal from connecting as well. Granted, it will be easier for those who manage the network to identify malicious activity and block the device in question, but employees should still exercise vigilance and have security solutions installed to their device.
Anti-virus, anti-malware, a firewall and a virtual private network (at the minimum) should be used to help keep data safe, secure and private on public WiFi networks.
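The two checks described above, whether a network requires an encryption key and whether its name imitates a legitimate one by adding ‘free’ or similar, can be run over a list of nearby networks. This is an added example, not part of the original article: the network names, the `KNOWN` table of staff-verified networks and the scan results are constructed, and grading WEP as weak reflects its deprecated status rather than anything stated here.

```python
import re

# Constructed data: networks confirmed with venue staff and the security type
# staff said to expect. All names and values here are hypothetical.
KNOWN = {"StationCafe_WiFi": "WPA2", "AirportLounge": "WPA2"}

# Constructed scan results: (SSID, security type reported by the device).
SAMPLE_SCAN = [
    ("StationCafe_WiFi", "WPA2"),
    ("StationCafe_WiFi", ""),        # verified name, but no key required
    ("StationCafe_WiFi-FREE", ""),   # verified name with 'free' on the end
    ("airportlounge", "WPA2"),       # case variant of a verified name
    ("OldRouter", "WEP"),
    ("CornerShop", "WPA WPA2"),
]


def classify_security(security):
    """Grade a reported security string as open, weak or encrypted."""
    modes = set(security.upper().split())
    if not modes or modes <= {"--", "NONE", "OPEN"}:
        return "open"
    # WEP asks for a key but is deprecated and its keys can be recovered,
    # so it is graded apart from WPA/WPA2.
    return "weak" if "WEP" in modes else "encrypted"


def _fold(ssid):
    """Drop case and punctuation so near-identical names compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def assess(ssid, security, known=KNOWN):
    """Return the findings for one scanned network (empty list = no flags)."""
    grade = classify_security(security)
    findings = [] if grade == "encrypted" else [f"{grade} network"]
    if ssid in known:
        if classify_security(known[ssid]) != grade:
            findings.append(f"security differs from verified {ssid}")
        return findings
    for name in known:
        if _fold(name) in _fold(ssid):
            findings.append(f"imitates verified network {name}")
    return findings


if __name__ == "__main__":
    for ssid, sec in SAMPLE_SCAN:
        print(f"{ssid!r:26} {sec or 'none':9} {assess(ssid, sec) or 'no flags'}")
```

A network that copies both the name and the security type of a verified one passes this check, which is why confirming the network with staff and using a VPN still matter.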