Six Steps to Securing WiFi in a Small Business

In my job at SonicWall, I talk to a lot of people about IT security. One thing I hear a lot of the time from small business owners is something along the lines of “Why would anybody target me? I am just a small company. They would much rather go after big companies.” While this is very true for highly targeted attacks, where a highly motivated and funded attacker is going after a well-known entity, it is simply not true for the majority of attacks which are much more opportunistic in nature.

Let me give you an example. Let’s say you own a local insurance agency in a retail complex. You rely heavily on your computer system to connect to the insurance company and share information about the policies that you need to write. In the business, we call that “private customer information” and it is what you need to protect. Now, let’s assume you have a broadband connection and a consultant who has helped install and maintain your network including the security component. So far, so good.

Next, you decide you would like to add WiFi to your network so you and clients can connect more easily. You decide to go down to the local box store and purchase an off the shelf consumer class wireless access point and connect it to an open port in your office. You skip quickly through the startup menu choosing “quick start” and are up and running in a few minutes. Great, right? Not so fast. Most likely some of the steps you skipped over had to do with securing the wireless traffic, but that is difficult and requires some thought so you decided to do it later, which never happened.

At this point, you have a very secure wired network and an unsecured wireless network. Now, next door is a fast food restaurant with a lot of teenage kids who rotate in and out based on the season. One of them happens to be a wanna-be hacker, who notices a wide open wireless network and decides to investigate. She finds that she can connect to the wireless network and not only get wireless access, but also see the files on your computer, because you allow file sharing! And worse, she can see the private customer information that is so important to not only your local agency but also the nationwide company. And in a fit of teenage rebellion or altruism, she decides to download the customer data and then sends it to the nationwide agency to show them that one of their agents is not being responsible with their customer’s data. That is known as white hat hacking, and she is actually doing your insurance company a favor. Imagine if a neighbor with less noble intentions had been able to extract the data.

This is just an example, illustrating why wireless security is so important. Here are some tips to help you keep this fictional scenario from becoming a reality.

  1. Utilize a firewall with integrated wireless security that simplifies the implementation of wireless network security.
  2. Leverage deep packet inspection on the firewall to scan all traffic to and from the wireless users’ computers for viruses, malware and intrusions that may have been brought in from the outside.
  3. Since many websites are now leveraging SSL encryption to protect user data, make sure that your wireless network security solution can decrypt and scan encrypted traffic.
  4. Look for wireless network security solutions with wireless intrusion detection and prevention to block rogue access points and minimize the disruption from denial of service attacks.
  5. Apply application control to block unauthorized applications from being used on the wireless network.
  6. Set up a secure wireless guest network with encryption for your guests if you want to allow your customers to use WiFi in the lobby or conference rooms.

This is just one hypothetical example of what can happen if you don’t take security seriously. To learn more about wireless security, here is a quick and easy infographic with more information on this important topic.

Follow me on Twitter: @johngord

Is Your IT Security Strategy Aligned with Your Business Requirements

Triple-A ratings are normally associated with chief financial officers keeping a tab on John Moody’s bond credit rating. In the world of IT however, how can a chief information officer or information technology decision maker (ITDM) rate the efficiency of an IT security implementation?

IT security is one of the main concerns for ITDMs with attacks such as Venom, Shellshock or Heartbleed and others affecting organizations globally. Therefore ITDMs are taking steps to protect the corporate network from threats of all sizes. However, as it stands security is still at risk from internal and external stand point.

How can ITDMs know when they have reached a level of security that will protect from cyber-attacks while still empowering employees to do their job better? A comprehensive security approach should encompass three factors, it should be adaptive to threats, business requirements and also the ever evolving use of the internet within the corporate network, have adapted to meet the specific requirements of an organization and have been adopted fully by end users.

These factors can be summarized as a Triple A security approach, that could help you with your overall security posture and grant your organization a Triple A security rating.

Adaptive:

IT infrastructures are constantly changing. In the past we had static IT infrastructures, however, we are moving towards a world of convergence. Therefore, security infrastructures need to adapt in order to be effective. An adaptive security architecture should be preventative, detective, retrospective and predictive. In addition, a rounded security approach should be context-aware.

Gartner has outlined the top six trends driving the need for adaptive, context-aware security infrastructures: mobilization, externalization and collaboration, virtualization, cloud computing, consumerization and the industrialization of hackers.

The premise of the argument for adaptive, context-aware security is that all security decisions should be based on information from multiple sources.

Adapted:

No two organizations are the same, so why should security implementations be? Security solutions need flexibility to meet the specific business requirements of an organization. Yet despite spending more than ever to protect our systems and comply with internal and regulatory requirements, something is always falling through the cracks. There are dozens of “best-of-breed” solutions addressing narrow aspects of security. Each solution requires a single specialist to manage and leaves gaping holes between them. Patchwork solutions that combine products from multiple vendors inevitably lead to the blame game.

There are monolithic security frameworks that attempt to address every aspect of security in one single solution, but they are inflexible and extremely expensive to administer and organizations often find that they become too costly to run. They are also completely divorced from the business objectives of the organizations they’re designed to support.

Instead organizations should approach security based on simplicity, efficiency, and connectivity as these principals tie together the splintered aspects of IT security into one, integrated solution, capable of sharing insights across the organization.

This type of security solution ensures that the security approach has adapted to meet the specific requirements and business objectives of an organization, rather than taking a one size fits all approach.

Adopted:

Another essential aspect to any security approach is ensuring that employees understand and adopt security policies. IT and security infrastructure are there to support business growth, a great example of this is how IT enables employees to be mobile, therefore increasing productivity. However, at the same time it is vital that employees adhere to security policies and access data and business applications in the correct manner or else mobility and other policies designed to support business growth, in fact become a security risk and could actually damage the business.

All too often people think security tools hamper employee productivity and impact business processes. In the real world, if users don’t like the way a system works and they perceive it as getting in the way of productivity, they will not use it and hence the business value of having the system is gone, not to mention the security protection. We have solutions that allow for productivity and security.

“We have tight control over the network nowadays and can manage bandwidth per application using the firewall. The beauty of our SonicWall solution is that we can use it to create better store environments for our customers.” Joan Taribó, Operations and IT Manager, Benetton Spain.

By providing employees with training and guides around cyber security, this should lead to them being fully adopted and the IT department should notice a drop in the number of security risks from employee activity.

Triple A

If your overall security policy is able to tick all of the three A’s, then you have a very high level of security, however, the checks are not something that you can do just once. To protect against threats, it is advisable to run through this quick checklist on a regular basis to ensure that a maximum security level is achieved and maintained at all times. It is also important to ensure that any security solutions implemented allows your organization to grow on demand; as SonicWall says: Better Security, Better Business.