Wi-Fi Worries

In their quest for ever-higher productivity, organizations have seized on wireless fidelity as the great enabler of mobile workforces. Wireless computer networks based on the ubiquitous 802.11 standard are relatively inexpensive to deploy and are a convenient way to provide salespeople, technicians, nurses and other employees on the go with remote access to corporate networks. In theory, 24/7 wireless connections translate into better customer service, faster time to market and greater flexibility for employees trying to juggle work and family obligations.

    Wi-Fi deployments at U.S. companies have surged over the past two years as the price of 802.11 systems has dropped and public “hotspots”–locations such as airports, cafés, hotels and gas stations where peripatetic workers can tap into the Internet–have proliferated. The market research firm Gartner Inc. predicts that 60 percent of midsize companies in North America will have wireless networks by the end of this year. But freedom from wires carries a price–a heightened risk that somebody will hack into your network or eavesdrop on data flowing through the ether. At their present stage of evolution, Wi-Fi networks simply aren’t as secure as wired, broadband systems such as cable or DSL.

    The trouble begins with Wi-Fi cryptography, a confusing array of standards and protocols that includes Wired Equivalent Privacy, Wi-Fi Protected Access and various proprietary solutions pushed by vendors such as Cisco and Microsoft. WEP can be cracked quickly with hacker tools readily available on the Web, and its successors have yet to prove themselves in the market. In October, Cisco reiterated an earlier warning that its authentication algorithm was vulnerable to “dictionary attacks” aimed at discovering user passwords.

    “There’s a general perception that encryption is unsafe and doesn’t work,” says Andy Maxwell, a senior technology consultant with Watson Wyatt. As a result, employees tend to throw up their hands and ignore encryption altogether, making them easy meat for unscrupulous “wardrivers” equipped with software that sniffs out and captures open Wi-Fi transmissions. Unauthorized access points pose another security hazard. It’s standard corporate practice to install firewalls on the routers that beam radio signals to Wi-Fi–equipped desktops, laptops and handhelds, but access points installed by geeky employees for their own use go unshielded. Hackers intent on planting productivity-sapping viruses, relaying spam or plundering customer files scan for these secret back doors into a company’s network.

    “The ramifications of [security breaches] are profound, of the most devastating kind in terms of risk to your reputation, risk of direct financial loss and in many cases compliance risk,” says Erik Petersen, chief technology officer of Polar Cove, an information security consulting firm based in Providence, Rhode Island. Figures on the financial impact of Wi-Fi security breaches are hard to come by, but in a general computer-crime survey conducted this year by the FBI and Computer Security Institute of San Francisco, 251 organizations reported more than $70 million in losses from theft of proprietary information. On the compliance side, the Health Insurance Portability and Accountability Act, the Sarbanes-Oxley Act, and other federal and state laws mete out steep fines and/or jail time for failing to protect privileged data.

    Some companies, such as Wells Fargo, have put Wi-Fi rollouts on hold until security improves. “Our fiduciary responsibility to protect our customers’ data takes precedence over our desire to leverage new technologies,” says a spokesman for the San Francisco-based financial institution. Other firms contacted for this article declined to discuss their Wi-Fi systems and policies for fear of becoming targets.

In sync with IT
    Security experts say that the risks posed by Wi-Fi can be managed with the latest information technology, coupled with hands-on involvement by departments outside IT, human resources in particular. After all, people, not machines, commit egregious security sins such as installing rogue access points and neglecting to encrypt e-mails at Starbucks. Marcia Wilson, CEO of Wilson Secure, a network security company in Pleasanton, California, urges workforce managers to collaborate with IT in teaching employees the basics of wireless security and adopting policies that spell out the security procedures that Wi-Fi users must observe. “The employees . . . need to understand that they have an individual responsibility,” Wilson says. “HR is the group that trains employees, that gives them the information. That doesn’t mean that HR people have to be very technically savvy, but they need to understand the implications of IT deployment, and work very closely with IT.”

    Petersen adds that Wi-Fi policies must be backed up by severe penalties for violators, including termination. “IT does the policing, but HR is responsible for making sure that the penalties are understood and communicated,” he says. “The HR department has to sign off on how important [the policies] are in terms of keeping your job.”

    Few organizations have adopted comprehensive, collaborative Wi-Fi security policies. Most human resources execs still view Wi-Fi–along with e-mail, instant messaging and other communications technologies–as the exclusive domain of IT. Often, wireless security gets no more than a couple of paragraphs in a generic acceptable-use policy. But awareness of the role that HR has to play in Wi-Fi security is slowly dawning at wireless-savvy companies such as Intel Corp. and Sharp HealthCare of San Diego.

    Intel, the mega computer-chip maker, has embraced 802.11 as a productivity enhancer and integrator of work and home life. “Campus warriors” rely on their wireless notebooks and BlackBerry handhelds to stay connected as they flit from building to building (about half of Intel’s facilities worldwide boast Wi-Fi), and many employees qualify for company-paid home Wi-Fi networks.

    Much of the responsibility for Wi-Fi education–clueing in workers on technology’s risks as well as its rewards–falls to human resources. Through employee intranet sites and the electronic newsletter Circuit News, managers promote Wi-Fi as an employee benefit (subscribers to T-Mobile’s Wi-Fi service get a discount) and hammer home the central message of a new company wireless-security policy: be careful out there. All employees must use an Intel virtual private network to encrypt messages, whether they’re on campus, at home or in a coffee shop. And setting up your personal Wi-Fi transmitter in an office cube or conference room is definitely verboten.

    When employees stray from the Wi-Fi way, human resources helps them get back on course–or steers them out the door. “If someone is not following certain policies, there are going to be consequences,” says Tamar Matzkevich, product manager for small-office hotspot and telecommuting solutions, and IT’s liaison to a group responsible for promoting work/life balance at Intel.

    Human resources also stands behind Wi-Fi security at Sharp HealthCare, where nurses and clerks in seven hospitals and six urgent-care centers access patient records from PCs mounted on rolling carts. A wireless-communication policy being developed bans unauthorized access points and mandates the use of strong encryption and up-to-date virus software. “Like many policies, it requires a lot of marketing,” says Bill Spooner, chief information officer. That’s where human resources comes in, working with a company-wide information-security committee to spread the word in hospital newsletters, various intranet sites and webinars–online seminars on computer security and other topics.

Just deal with it
    Widespread adoption of wireless fidelity in the workplace seems inevitable; analysts say that the technology makes too good a business case in a mobile society for organizations to ignore. So workforce managers will have to deal with security and other issues raised by Wi-Fi, just as they dealt with earlier, now established office technologies such as the telephone, e-mail and Web browsers.

    Beefed-up wireless security on the horizon won’t relieve human resources of its duty to inform employees of Wi-Fi security policies and to enforce them. Even if the 802.11i hardware standard under development stumps hackers, eliminating the need for virtual private networks to shepherd sensitive information over the Net, employees will still have to install company-approved firewalls on their home wireless networks, guard their passwords in public places and remember to turn on encryption software. Wilson of Wilson Secure sees human resources managers as mediators between the techies and rank-and-file employees who simply need to understand what firewalls and data encryption do, and why that’s important. “IT has to set up the infrastructure,” she says, “but HR has to make employees aware of what the dangers could be if they don’t follow policy.”

Workforce Management, December 2003, pp. 69-71 — Subscribe Now!