MHA Corporate Security Awareness Series
In recent years a great deal of attention has been focused on the threat that hostile outsiders and disgruntled employees pose to companies’ data and computer networks. However, there is another threat that can do just as much damage as hackers and spies but which is often overlooked: uninformed employees.
The vast majority of employees are dedicated and well-meaning. However, many are also woefully undertrained in how to protect the company’s data and computing resources in the current environment. These employees’ lack of knowledge creates a serious vulnerability for their companies’ data security that can be taken advantage of by unscrupulous parties. And with the dramatic rise in the practice of employees using their personal devices and home networks for work, this vulnerability is expanding rapidly.
The good news is, the weakness of employees’ lack of security awareness can be reduced relatively easily through training initiatives to raise their data-security game. Classroom-style training sessions, security-awareness websites, helpful hints via email, and posters displayed in the office can all help to teach your employees about information-security dangers and the steps they should take to minimize them.
As MHA Consulting’s contribution to helping businesses deal with this growing chink in their information-security armor, we are launching a series of blog posts on the vital topic of Corporate Security Awareness to help you stay resilient.
This series will provide you with resources to help you instill in your employees a solid understanding of company security policy and train them in the proper procedures and best practices for protecting your organization’s data, both in the office and at home.
Future posts in the series will address such topics as Personal Devices, Email, and Web Browsing.
Today we will look at the critical but often overlooked area of Wi-Fi security.
The widespread existence of Wi-Fi connections that provide wireless connectivity to the Internet at home and in places like coffee shops, airports, and hotels is one of the great conveniences of modern computing life. Unfortunately, it is also one its biggest vulnerabilities. When not properly secured, such connections offer open doorways through which hackers can stroll to steal users’ data and secretly take control of their computer resources.
The good news is, there are steps that can be taken—and which you can train your employees to take—that will greatly increase the security of your data and resources.
Of course in talking about Wi-Fi security, it’s important to understand that we’re really talking about two distinct situations: that of the home Wi-Fi network that the employee owns and controls, and the case of the employee using third-party-provided Wi-Fi connections when out and about at places like coffee shops and airports.
Below we’ll bullet out some important steps that employees should be taking in each environment to keep their resources—and your company’s data—secure.
Before doing that, however, we’d like to call your attention to a good free guide published by the Federal Trade Commission that you might want to have a look at. It’s called “Securing Your Wireless Network” and it goes through the steps people can take to protect their home Wi-Fi setups. It includes sections on understanding how a wireless network works, using encryption on your Wi-Fi network, and protecting your network during mobile access.
Home Wi-Fi Security
There are several steps a person can take to keep their home Wi-Fi secure from hackers. All can be done by opening an Internet browser and going to a special web address known as a default browser gateway. From there you can enter your credentials and make changes to the settings for your router.
You should be able to find specific instructions for making the changes described below in the manual provided with your router.
For simplicity, we’ll give the instructions as if we’re addressing the employee, though obviously in this context it’s you in your role as BCM manager who will address your company’s employees to encourage them to strengthen their home Wi-Fi security.
Here are the steps you should take to protect your home wireless network:
- Use encryption. This is a must. Make sure your router is encrypted with WPA2 (Wi-Fi Protected Access 2). The older standards WPA (Wi-Fi Protected Access) and WEP (Wireless Encrypted Password) are better than nothing but pose little problem to a determined hacker.
Note: In October, a vulnerability called Krack was identified in WPA2. Not all routers have the vulnerability. To see whether yours does and to get a patch, if necessary, check the your router vendor’s website.
- Change your default router password. The default passwords of most routers include words and other strings that make them relatively easy to remember and type in but also easy for password-cracking software to break. Use strong passwords with a random mix of upper- and lowercase letters, numbers, and symbols.
- Change the default name of the router. The default name of most routers is the manufacturer and model of the router. Hackers can use this information to help them break in. Change the name of the router to conceal its make and model.
- Hide the router. Have you noticed that when you open your laptop or turn on your phone at Starbucks or the airport you see a list of Wi-Fi connections which are in range that you might potentially join? You can make a change to your router so that it does not appear in such broadcasts. Then the only way to find it will be to type in its name. For instructions on how to hide your router, see the manual.
- Turn off remote management. You’ll most likely never have any need for this, and it’s a potential opening to hackers. It’s best to shut it off.
- Change the default administrator password. There are only a few of these in standard use and the hackers know what they are. Change yours. See your router’s manual for instructions.
- Stay logged OFF as an administrator. You don’t need this functionality and the hackers can exploit it. Turn it off and keep it off.
- Change the settings to allow access only by MAC address. MAC means Media Access Control address, and every device that can connect to the Internet has a unique one. If you change your router to allow access only by MAC address, then the only devices which can connect to it are the MAC addresses you’ve told it to accept.
Protecting Yourself When Using Third-Party Wi-Fi Connections
Using third-party Internet connections is immensely convenient and can be a real boon for productivity. It’s also somewhat risky, because bad actors sometimes linger in those locations looking for opportunities to scoop up people’s data, put things on their computers, or leach off their resources. Generally speaking, regular Internet surfing is okay and other activities should be done using certain precautions or not at all.
Here is a list of do’s and don’ts for using public Wi-Fi connections:
- Don’t do any sort of financial transaction over an open public Wi-Fi connection. Don’t enter a credit card number or log onto your back account. Hackers might be lurking and can grab your information, giving them the run of your bank account.
- Don’t check your email. Unless it’s on a VPN or you use two-factor authentication. See below for details.
- Do use a VPN, or Virtual Private Network. Logging into your company’s VPN can be inconvenient, but it is the safest way to use a public Wi-Fi connection.
- Do use multi-factor authentication. An example of multi-factor authentication is where you can’t log in to your Gmail account on your laptop, say, until you first enter a code you receive as a text message on your cell phone.
For tailored assistance in securing your company’s data, or any other matter relating to business continuity, consider speaking with one of MHA’s experienced business-continuity consultants. Reach out to us directly.
Now that we’ve covered Wi-Fi security, next week we’ll cover how to help your employees keep their personal devices secure.
Make sure you receive all the posts in MHA Consulting’s Corporate Security Awareness series. Subscribe to the blog!