Are you using a pre-shared passkey to allow access to the organization’s WiFi network?
Securing WiFi access in businesses has been historically weak. Oftentimes, companies protect their WiFi access with a pre-shared password, sometimes posting it on whiteboards within the company or placing it for all to use at the reception desk to enable easy access. This is primarily for modern convenience purposes, as businesses would like to enable productivity and collaboration with contractors and guests, as well as allow for staff mobility within the premises of the enterprise.
What’s the problem? And why should I care?
The problem with this practice is that this is a “home style” level of security that places the company’s data and assets (whether intellectual or physical) at risk of being damaged or stolen. If an outsider successfully connects to the company’s WiFi, they could bypass the Firewall and all traditional cyber security mechanisms applied by most companies today. Once inside, they could damage the organization’s reputation by accessing illegal web sites, or company data, whether it resides on premises or in the cloud. Accessing these items is easy, and there are many automated network tools that can enable “non-techies” to do the work. Additionally, this type of hack could easily be achieved via simple social engineering. Another reason to be worried about the use of passkeys is that WiFi hacks and damages do not require being physically present at the organization. These simple actions could be taken from a nearby public space such as the parking lot and would leave no trace. Trying to track who accessed the enterprise WiFi by using a shared password is almost impossible.
Internal players: disgruntled and former employees.
One of the scariest scenarios are the hacks performed by disgruntled employees that can use their remaining access to perform nefarious activities, including damaging, sabotaging or stealing company data, resources and assets. Roughly one out of five organizations has experienced a data breach by a former employee. The Gartner analysis of criminal insiders found that 29 percent of employees stole information after quitting or being fired for future gains, while 9 percent were motivated by simple sabotage.
Attacks by disgruntled employees who commit deliberate sabotage or intellectual property theft are considered to be among the costliest risks to an organization. For example, one of our customers, a food manufacturer in the United States, fired an employee. The disgruntled employee decided to get even. Using the organization’s Wi-Fi password, he connected to the network from the parking lot and changed the temperature setting for the refrigerators. The result was the destruction of food inventory to the tune of hundreds of thousands of dollars.
Bottom line? Former employees should no longer have access to any part of the WiFi network.
Removing employees’ access to all accounts immediately after leaving the company is the best practice to use; however, typically it is not possible to revoke all access due to shared passwords for certain systems and services. In some cases, these systems do not require a password at all, such as printers and Point of Sale devices. For certain organizations, such as law firms and medical facilities, these represent the crown jewels in terms of company data and therefore should be highly secured.
Do I have important assets on your WiFi network that I should be protecting?
With the growing numbers of WiFi connected IoT devices (IP cameras, printers, etc.) in the enterprise, each WiFi network has a lot of devices that could be compromised and thereby causing data leaks, denial of service attacks or severe damage to the organization. Therefore, ensuring that IoT endpoints are segmented into separate sections of the network and cannot be accessed by outsiders is crucial.
What is the alternative to PSK?
Using enterprise-grade authentication & access services is a good idea. The best security practice would be to have digital certificates, but at the very least, it is recommended to establish a personal identity-based authentication solution. It would enforce network access via unique user credentials, thereby dramatically reducing the chances of unauthorized access to the organization’s WiFi network, and it would ensure a much better security standard over the shared password practice. Traditionally, this was difficult, as setting up such services required high levels of technological knowledge, as well as extensive maintenance and long and complicated deployments.
Try Portnox CLEAR for Free Today
Gain access to all of Portnox CLEAR’s powerful NAC capabilities for 30 days!