To illustrate how this happens and show just how quickly your business can be put at risk, the Republican National Convention (RNC) recently teamed with their IT services provider Avast and conducted an experiment. They set up a number of fake Wi-Fi networks around the convention center and Cleveland Hopkins International Airport. Some of the networks had politically-themed names like “I vote Trump! free Internet” or “I vote Hillary! free Internet.” The networks were purposely named to appear as if they were created for the convenience of convention attendees. They also set up networks using legitimate-sounding names (e.g., Google Starbucks and AttWiFi).
The results: more than one thousand RNC attendees were lured onto one of the fake networks during the convention. In fact, during the course of a day, more than 1,200 users connected to the fake Wi-Fi and transferred 1.6Gbs of data. This allowed Avast to learn a great deal about convention attendees, including:
- 3 percent had exposed their personal identities; in fact, nearly 40 percent had Facebook or Facebook messenger on, which provided access to their personal information.
- 9 percent used an Apple device.
- 4 percent used an Android device.
- 2 percent used a banking application or website for online banking.
If Avast could learn this information as part of an experiment, think of how easily hackers can gather data to use against your business.
Using the bait of free Wi-Fi is a common tactic used by hackers to gain access to sensitive data —personal data as well as company data. Once an employee logs onto one of these networks, hackers can perform a man-in-the-middle (MitM) attack to eavesdrop or spy on them. A MitM attack also allows a hacker to copy 100 percent of the traffic on the employee’s device — to and from the internet.
According to Gary Davis, chief consumer security evangelist for Intel Security, once in, the hackers can do just about anything. “They can also use the connection to tunnel into your device to access files, drop malware and other bad things,” said Davis.
For organizations who allow employees to access company data on personal devices, this is sobering news. In order to protect themselves, organizations must have network security in place. In addition, and most importantly, they also must educate employees about the dangers of their Wi-Fi habits.
Once employees are educated about the dangers, you’ll want to share some standard security practices with them. Here are a few practices you might consider requiring employees to practice:
- Using a personal hotspot. Frequent travelers and others who find themselves using public networks frequently, oftentimes find it worthwhile to use their own hotspot. It’s much more secure than public Wi-Fi.
- Avoiding certain activities when on uncertain networks. Activities such as accessing sensitive data and online banking are best done on known and trusted networks.
- Using a VPN (Virtual Private Network) when remotely accessing the corporate network. This effectively encrypts data while using a public network.
- Not allowing computers or mobile devices to automatically connect to open public networks. If an untrusted network was accessed once, you don’t want to be automatically logged in again.
- Asking for verification. Ask employees at the coffee shop for the name of their network to avoid fakes.
- Always use the encrypted version of a website that starts with “https” in the URL bar. Encourage your employees to install a browser plugin like “HTTPS Everywhere,” which seeks out HTTPS connections and tries to enforce their usage at all times.
- Keep software up to date. Software patches are critical to protecting devices against the known vulnerabilities that hackers prey upon.
Unfortunately, there’s no bulletproof defense against threats to data security. While website owners and software providers do their part to stay ahead of security issues, like using Wi-Fi Protected Access
(WPA) encryption, individuals must also do their part to protect against threats. By inculcating good habits into your employees, you will lower your company’s risk of exposure.
Not sure where to start? OneNeck can help. Contact us to meet with one of our security experts. They’ll help you understand your security risks and protect your organization before it’s too late.